The "Poll for New Microsoft Defender for Endpoint Events for Cases" workflow template automates the monitoring and management of security alerts from Microsoft Defender for Endpoint. Scheduled to run at defined intervals, the workflow fetches new alerts via the Microsoft Defender for Endpoint API, maps the relevant alert fields to a customized case format, and creates an individual case for each detected alert. This streamlines case management and incident response, allowing teams to quickly identify, track, and respond to potential security threats within their network infrastructure.
Use Cases
Case Management, Endpoint Detection and Response (EDR), Threat Hunting
Workflow Breakdown
Establish a checkpoint to mark accurate beginning and end times.
Pull new alerts from Microsoft Defender API.
Map alert fields to a predefined case layout.
Create a case for each new alert.
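The four steps above, as an added Python example that is not Torq's template code. It assumes the Defender for Endpoint alerts endpoint (`/api/alerts` with an OData `$filter` on `alertCreationTime`), the alert field names shown, and a hypothetical case layout; `local_fetch` stands in for the authenticated HTTP call so the checkpoint and mapping logic runs offline.

```python
from datetime import datetime, timezone

ALERTS_API = "https://api.securitycenter.microsoft.com/api/alerts"
TS = "%Y-%m-%dT%H:%M:%SZ"          # MDE returns UTC timestamps in this shape

def parse_ts(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)

def build_query(start, end):
    # Half-open window [start, end): 'ge' keeps an alert created exactly at the
    # checkpoint; 'lt' at this run's start time stops the next run re-fetching it.
    flt = f"alertCreationTime ge {start.strftime(TS)} and alertCreationTime lt {end.strftime(TS)}"
    return f"{ALERTS_API}?$filter={flt}"

def map_alert_to_case(alert):
    # Left: assumed case layout keys. Right: MDE alert fields.
    return {"title": f"[MDE] {alert['title']}",
            "severity": alert.get("severity", "Informational"),
            "category": alert.get("category"),
            "host": alert.get("computerDnsName"),
            "external_id": alert["id"]}     # lets an analyst pivot back to MDE

def run_poll(checkpoint, now, fetch_alerts, create_case, seen_ids):
    """One scheduled run over [checkpoint, now); returns (new checkpoint, ids cased)."""
    created = []
    for alert in fetch_alerts(checkpoint, now):
        if alert["id"] in seen_ids:          # idempotent if windows ever overlap
            continue
        seen_ids.add(alert["id"])
        create_case(map_alert_to_case(alert))
        created.append(alert["id"])
    return now, created

# Constructed sample shaped like /api/alerts items; not real alert data.
SAMPLE_ALERTS = [
    {"id": "da1", "title": "Suspicious PowerShell command line", "severity": "Medium",
     "category": "Execution", "computerDnsName": "ws01.example.local",
     "alertCreationTime": "2024-05-01T10:00:00Z"},
    {"id": "da2", "title": "Malware was detected", "severity": "High",
     "category": "Malware", "computerDnsName": "ws02.example.local",
     "alertCreationTime": "2024-05-01T10:05:00Z"},
    {"id": "da3", "title": "Alert from before the checkpoint", "severity": "Low",
     "category": "Discovery", "computerDnsName": "ws03.example.local",
     "alertCreationTime": "2024-05-01T09:00:00Z"},
]

def local_fetch(start, end):
    # Offline stand-in for an authenticated GET of build_query(start, end);
    # applies the same window the server-side $filter would.
    return [a for a in SAMPLE_ALERTS if start <= parse_ts(a["alertCreationTime"]) < end]
```

In production, `fetch_alerts` performs the GET with a bearer token and the stored checkpoint is replaced by the value `run_poll` returns only after every case has been created, so a failed run is simply retried over the same window.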
Vendors
Utils, Microsoft Defender for Endpoint, Torq, Torq Cases
Workflow Output
A case is created for each new alert.
Tips