Skip to main content

Workflow Template: Poll for New Microsoft Defender for Endpoint Events for Cases

Automatically pull new Microsoft Defender for Endpoint alerts on a schedule, then create cases with a field mapper.

Updated today

The "Poll for New Microsoft Defender for Endpoint Events for Cases" workflow template is designed to streamline case management by automatically retrieving new alerts from Microsoft Defender for Endpoint on a scheduled basis. This workflow establishes a checkpoint to ensure accurate tracking of alert times, maps alert fields to a predefined case layout, and creates a case for each new alert. It is ideal for businesses focused on Endpoint Detection and Response (EDR) and threat hunting, enhancing efficiency in incident response and case management.

Take Me to the Template

Use Cases

Case Management , Endpoint Detection and Response (EDR) , Threat Hunting

Workflow Breakdown

  1. Establish a checkpoint to mark accurate beginning and end times.

  2. Pull new alerts from Microsoft Defender API.

  3. Map alert fields to a predefined case layout.

  4. Create a case for each new alert.

Vendors

Utils, Microsoft Defender for Endpoint, Torq, Torq Cases

Workflow Output

A case is created for each new alert.

Tips

Related Articles
Workflow Template: Initial Microsoft Defender for Endpoint Case Creation
Workflow Template: Poll Microsoft Outlook on a Schedule for New Messages for Cases
Workflow Template: Poll for new SentinelOne Threats and Open a Torq Case
Workflow Template: Poll for new CrowdStrike Alerts and Open a Torq Case
Workflow Template: QuickAction - Fetch a File from Device on MS Defender Endpoint
Did this answer your question?