The "Create Case from Microsoft XDR Incident" workflow template is designed to streamline incident management by automating the process of creating and managing cases from Microsoft XDR incidents. This workflow receives incidents via the Defender Incidents Data Connector Trigger and processes them to create detailed cases in Torq. If all incidents are resolved, a nested workflow automatically updates and closes the alert cases, ensuring efficient case management and resolution tracking. This template is ideal for organizations looking to enhance their incident response capabilities by integrating Microsoft XDR with Torq's case management system.
Trigger
Use Cases
Case Management
Workflow Breakdown
Receives incidents from the Defender Incidents Data Connector Trigger.
Creates an incident case as the parent case and passes the alerts to a nested workflow, which creates one case per alert.
The parent case is closed so it does not clutter the analyst view, since all actions are taken in the individual alert cases.
If the incident is received with a Resolved status, a nested workflow updates the alert cases and closes them.
Vendors
Utils, HTTP, Microsoft 365, Torq Cases, Data Transformation
