
Workflow Template: Create Case from Microsoft XDR Incident

Creates a parent incident case while each alert generates its own separate case.

Updated over a week ago

The "Create Case from Microsoft XDR Incident" workflow template automates the creation and closure of Torq cases for Microsoft XDR incidents received through Microsoft Sentinel. Each incident becomes a parent case, and each alert in the incident is parsed into its own separate case so that every alert is tracked and worked individually. When the incident is later received as resolved, the template closes the corresponding alert cases automatically. It is intended for organizations that use Microsoft Defender together with Microsoft Sentinel and want to reduce manual case handling during incident response.

Trigger

Microsoft Sentinel

Use Cases

Case Management

Workflow Breakdown

  1. Creates an incident case as the parent case and passes the incident's alerts to a nested workflow, which creates one case per alert.

  2. The parent case is closed immediately so it does not clutter the analyst view; all analyst actions are taken in the individual alert cases.

  3. If the incident is received with a Resolved status, a nested workflow updates the matching alert cases and closes them.
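The three steps above, modelled as an added Python example so the fan-out (one case per alert), the parent auto-close and the close-on-resolved path can be exercised offline. This is not Torq's workflow definition or Torq Cases API code: the `CaseStore` class is an assumed in-memory stand-in for a case backend, the incident payload is constructed for the example rather than a real Sentinel payload, and the duplicate-delivery handling (the same incident arriving twice) goes slightly beyond what the breakdown states.

```python
"""Illustration of the parent/alert case logic described in the Workflow
Breakdown. Added example, not Torq's own workflow or API (assumption: a
case backend exposes create/close/lookup roughly like CaseStore below)."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

PARENT_CLOSE_NOTE = "Parent closed; actions are taken in the per-alert cases"


@dataclass
class Case:
    case_id: int
    title: str
    status: str = "open"              # "open" or "closed"
    parent_id: Optional[int] = None   # set on alert cases only
    incident_id: Optional[str] = None
    alert_id: Optional[str] = None    # None for the parent (incident) case
    notes: List[str] = field(default_factory=list)


class CaseStore:
    """Minimal in-memory stand-in for a case-management backend (assumption)."""

    def __init__(self) -> None:
        self._next_id = 1
        self.cases: Dict[int, Case] = {}

    def create(self, **fields) -> Case:
        case = Case(case_id=self._next_id, **fields)
        self._next_id += 1
        self.cases[case.case_id] = case
        return case

    def close(self, case_id: int, note: str) -> None:
        case = self.cases[case_id]
        case.status = "closed"
        case.notes.append(note)

    def parent_of(self, incident_id: str) -> Optional[Case]:
        for case in self.cases.values():
            if case.incident_id == incident_id and case.alert_id is None:
                return case
        return None

    def alert_case(self, incident_id: str, alert_id: str) -> Optional[Case]:
        for case in self.cases.values():
            if case.incident_id == incident_id and case.alert_id == alert_id:
                return case
        return None

    def alert_cases_of(self, incident_id: str) -> List[Case]:
        return [c for c in self.cases.values()
                if c.incident_id == incident_id and c.alert_id is not None]


def handle_incident(store: CaseStore, incident: dict) -> dict:
    """Process one incident delivery. Returns a summary for inspection."""
    incident_id = incident["id"]

    # Step 3: incident received as Resolved -> close every open alert case.
    if incident.get("status", "").lower() == "resolved":
        closed = []
        for case in store.alert_cases_of(incident_id):
            if case.status != "closed":
                store.close(case.case_id,
                            f"Incident {incident_id} resolved at the source")
                closed.append(case.case_id)
        return {"action": "resolved", "closed_alert_cases": closed}

    # Step 1: parent case for the incident; reuse it on a duplicate delivery
    # (idempotency assumption, not stated by the template itself).
    parent = store.parent_of(incident_id) or store.create(
        title=f"[Incident] {incident['title']}", incident_id=incident_id)

    # Nested-workflow equivalent: one case per alert, skipping alerts that
    # already have a case so a re-delivered incident does not duplicate them.
    new_alert_cases = []
    for alert in incident.get("alerts", []):
        if store.alert_case(incident_id, alert["id"]):
            continue
        child = store.create(title=f"[Alert] {alert['title']}",
                             parent_id=parent.case_id,
                             incident_id=incident_id,
                             alert_id=alert["id"])
        new_alert_cases.append(child.case_id)

    # Step 2: close the parent so only the alert cases appear as open work.
    if parent.status != "closed":
        store.close(parent.case_id, PARENT_CLOSE_NOTE)
    return {"action": "created", "parent_case": parent.case_id,
            "alert_cases": new_alert_cases}


# Constructed sample incident (not a real Sentinel/Defender payload).
SAMPLE_INCIDENT = {
    "id": "inc-1001",
    "title": "Multi-stage incident involving Initial access and Credential access",
    "status": "Active",
    "alerts": [
        {"id": "al-1", "title": "Suspicious sign-in from anonymous IP"},
        {"id": "al-2", "title": "Credential dumping via LSASS access"},
    ],
}

if __name__ == "__main__":
    store = CaseStore()
    print(handle_incident(store, SAMPLE_INCIDENT))
    print(handle_incident(store, dict(SAMPLE_INCIDENT, status="Resolved")))
```

Running the block creates one closed parent case and two open alert cases for the sample incident, then closes both alert cases when the same incident is delivered again with status Resolved; a second Resolved delivery closes nothing, which is the behaviour you want when Sentinel re-sends an unchanged incident.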

Vendors

Utils, HTTP, Microsoft 365 Defender, Microsoft 365, Torq, Torq Cases, Data Transformation
