
Workflow Template: Poll for New Microsoft Defender for Endpoint Events for Cases

Automatically pull new Microsoft Defender for Endpoint alerts on a schedule, then create cases with a field mapper.

Updated yesterday

The "Poll for New Microsoft Defender for Endpoint Events for Cases" workflow template is designed to enhance security operations by automating the process of case creation from Microsoft Defender alerts. It regularly retrieves new alerts from the Microsoft Defender API, maps alert fields to a predefined case layout, and generates a case for each alert. This workflow is ideal for businesses focused on efficient case management, endpoint detection and response (EDR), and threat hunting, ensuring timely and organized incident response.

Use Cases

Case Management, Endpoint Detection and Response (EDR), Threat Hunting

Workflow Breakdown

  1. Establish a checkpoint to mark accurate beginning and end times.

  2. Pull new alerts from Microsoft Defender API.

  3. Map alert fields to a predefined case layout.

  4. Create a case for each new alert.
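The four steps above as one small poll cycle, written here as an added illustration (not the Torq template's own code): a constructed sample of alert records stands in for the Defender API, the case layout and its field names are hypothetical, and the state dictionary shows why the checkpoint needs a half-open window plus an id set so a re-run or overlapping window never creates a duplicate case.

```python
from datetime import datetime, timezone

# Constructed sample alerts shaped like Defender for Endpoint alert records (not live data).
SAMPLE_ALERTS = [
    {"id": "da1", "title": "Suspicious PowerShell", "severity": "High",
     "computerDnsName": "ws01.corp.example", "alertCreationTime": "2024-05-01T10:00:00Z"},
    {"id": "da2", "title": "Malware detected", "severity": "Medium",
     "computerDnsName": "ws02.corp.example", "alertCreationTime": "2024-05-01T10:05:00Z"},
    {"id": "da3", "title": "Credential dumping", "severity": "High",
     "computerDnsName": "srv01.corp.example", "alertCreationTime": "2024-05-01T10:12:00Z"},
]

# Hypothetical case layout: case field -> alert field it is filled from.
CASE_LAYOUT = {"title": "title", "severity": "severity",
               "hostname": "computerDnsName", "external_id": "id"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fetch_alerts(alerts, start, end):
    """Step 2 stand-in for the API call: alerts created in the half-open window [start, end)."""
    return [a for a in alerts if start <= parse_ts(a["alertCreationTime"]) < end]


def map_alert_to_case(alert):
    """Step 3: copy alert fields onto the case layout and tag the source."""
    case = {field: alert.get(src) for field, src in CASE_LAYOUT.items()}
    case["source"] = "Microsoft Defender for Endpoint"
    return case


def run_poll(state, now, alerts=SAMPLE_ALERTS):
    """Steps 1 and 4: window runs from the stored checkpoint to `now`; returns (cases, new_state).

    `seen_ids` makes the cycle idempotent: an alert already turned into a case is skipped even if
    a retry or an overlapping window returns it again. A real run would prune ids older than the window.
    """
    start = parse_ts(state["checkpoint"])
    seen = set(state.get("seen_ids", []))
    cases = []
    for alert in fetch_alerts(alerts, start, now):
        if alert["id"] in seen:
            continue
        seen.add(alert["id"])
        cases.append(map_alert_to_case(alert))
    new_state = {"checkpoint": now.strftime("%Y-%m-%dT%H:%M:%SZ"), "seen_ids": sorted(seen)}
    return cases, new_state
```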

Vendors

Utils, Microsoft Defender for Endpoint, Torq, Torq Cases

Workflow Output

A case is created for each new alert.

Tips
