The "Create Case from Microsoft XDR Incident" workflow template is designed to streamline case management by automating the creation and closure of cases based on Microsoft XDR incidents. When an incident is marked as resolved, the workflow automatically updates and closes related alert cases, ensuring efficient incident resolution. This template integrates with Microsoft Sentinel and utilizes nested workflows to manage alerts, extract observables, and transform data, enhancing the overall incident response process.
Trigger: Microsoft Sentinel
Use Cases: Case Management
Workflow Breakdown
Creates an incident case as a parent case and passes the alerts to a nested workflow to create one case per alert.
The parent case is closed so it does not clutter the analyst view, since all actions are taken in the individual alert cases.
When the incident is received as Resolved, a nested workflow updates the alert cases to close them.
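The lifecycle described in the three steps above, modeled as an added Python example that is not Torq's code or API: an in-memory dictionary stands in for Torq Cases, and the Case/CaseStore/process_incident names, the incident dict shape and the sample notifications are assumptions.

```python
"""Model of the parent/child case lifecycle from the workflow breakdown.
Illustrative only: the store is an in-memory dict and all names are assumed."""
from dataclasses import dataclass, field
from typing import Optional

OPEN, CLOSED = "open", "closed"


@dataclass
class Case:
    case_id: str
    kind: str                   # "incident" (parent) or "alert" (child)
    parent_id: Optional[str]
    status: str = OPEN


@dataclass
class CaseStore:
    cases: dict = field(default_factory=dict)


def process_incident(store: CaseStore, incident: dict) -> dict:
    """Apply one XDR incident notification; return what was created or closed."""
    parent_id = f"inc-{incident['id']}"

    if incident["status"].lower() == "resolved":
        # "Close alert cases" branch: close every child case that is still open.
        closed = []
        for c in store.cases.values():
            if c.parent_id == parent_id and c.status == OPEN:
                c.status = CLOSED
                closed.append(c.case_id)
        return {"parent": parent_id, "created": [], "closed": closed}

    if parent_id in store.cases:
        # Re-delivery of an already-processed incident: idempotent no-op.
        return {"parent": parent_id, "created": [], "closed": []}

    # Parent case is created already closed; analysts work the alert cases.
    store.cases[parent_id] = Case(parent_id, "incident", None, CLOSED)
    created = []
    for alert in incident["alerts"]:
        cid = f"alert-{alert['id']}"
        store.cases[cid] = Case(cid, "alert", parent_id)
        created.append(cid)
    return {"parent": parent_id, "created": created, "closed": []}


# Constructed sample notifications (not real Microsoft XDR data).
SAMPLE_ACTIVE = {"id": "42", "status": "Active", "alerts": [{"id": "a1"}, {"id": "a2"}]}
SAMPLE_RESOLVED = {"id": "42", "status": "Resolved", "alerts": [{"id": "a1"}, {"id": "a2"}]}
```

Running the same Active notification twice creates the cases only once, and a Resolved notification closes only the alert cases that are still open.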
Vendors: Utils, HTTP, Microsoft 365 Defender, Microsoft 365, Torq, Torq Cases, Data Transformation
