
Workflow Template: Microsoft Defender for Endpoint Triage HyperAgent

Automates Microsoft Defender triage by running multi-step threat hunting on alert evidence and correlating alerts, incidents and Torq Cases.


The "Microsoft Defender for Endpoint Triage HyperAgent" workflow template is designed to streamline the triage process for security alerts. It automates the investigation of Microsoft Defender alerts by updating case statuses and conducting a comprehensive multi-step analysis. This workflow leverages Microsoft Graph Security API and Defender API to gather incident context, assess device health, and analyze user behavior. It also performs KQL threat hunting to identify potential threats like lateral movement and ransomware. The workflow concludes by generating a detailed JSON report with a verdict and confidence score, and it can automatically apply containment actions for high-severity threats.

Use Cases

Case Management, Threat Hunting

Workflow Breakdown

  1. Upon receiving an alert, the workflow updates the case status and executes a multi-step investigation.

  2. Performs threat hunting on the alert evidence and correlates the alert with related alerts and incidents.

  3. Correlates Torq Cases that share observables and links cases when they are related.

Vendors

Scripting, Utils, Microsoft Defender for Endpoint, Microsoft 365, Torq Cases

Workflow Output

Generates a self-contained HTML report from the triage JSON.
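The following is an added illustration of what that last step involves, not code from the Torq template itself: it renders a triage JSON document carrying a verdict and confidence score into a single self-contained HTML page. The field names (`case_id`, `verdict`, `confidence`, `alerts`, `hunting_findings`, `containment_applied`) and the sample data are assumptions constructed for the example. The security-relevant detail is that every value derived from alert evidence (alert titles, device and user names) is HTML-escaped before it reaches the analyst's browser, since those fields are partly influenced by whatever ran on the endpoint.

```python
import html
import json

# Constructed sample triage JSON in the shape the page describes (verdict + confidence).
# Field names are assumptions for this example, not the template's actual schema.
# The second alert title deliberately carries markup to show that it is neutralised.
SAMPLE_TRIAGE_JSON = json.dumps({
    "case_id": "CASE-PLACEHOLDER-001",
    "verdict": "malicious",
    "confidence": 87,
    "severity": "High",
    "alerts": [
        {"title": "Suspicious PowerShell execution", "device": "WS-042", "user": "jdoe"},
        {"title": "Possible lateral movement <script>alert(1)</script>",
         "device": "SRV-07", "user": "svc-backup"},
    ],
    "hunting_findings": [
        "Outbound SMB to 3 hosts within 2 minutes",
        "No ransomware indicators found",
    ],
    "containment_applied": True,
})


def render_triage_report(triage_json: str) -> str:
    """Render triage JSON into one self-contained HTML document (no external assets).

    Every value that originates from alert evidence is HTML-escaped, because alert
    titles, device names and user names can be shaped by activity on the endpoint
    and must not be able to inject markup into the analyst-facing report.
    """
    data = json.loads(triage_json)
    esc = html.escape  # escapes <, >, &, and quotes

    verdict = esc(str(data.get("verdict", "unknown")))
    confidence = data.get("confidence", 0)
    # Reject a malformed score rather than rendering a misleading report.
    if isinstance(confidence, bool) or not isinstance(confidence, (int, float)) \
            or not 0 <= confidence <= 100:
        raise ValueError("confidence must be a number between 0 and 100")

    alert_rows = "".join(
        f"<tr><td>{esc(str(a.get('title', '')))}</td>"
        f"<td>{esc(str(a.get('device', '')))}</td>"
        f"<td>{esc(str(a.get('user', '')))}</td></tr>"
        for a in data.get("alerts", [])
    )
    finding_items = "".join(
        f"<li>{esc(str(f))}</li>" for f in data.get("hunting_findings", [])
    )
    containment = "yes" if data.get("containment_applied") else "no"

    return (
        "<!DOCTYPE html><html><head><meta charset=\"utf-8\">"
        "<title>Defender Triage Report</title>"
        "<style>body{font-family:sans-serif}table{border-collapse:collapse}"
        "td,th{border:1px solid #999;padding:4px}</style>"
        "</head><body>"
        f"<h1>Triage report for {esc(str(data.get('case_id', 'n/a')))}</h1>"
        f"<p>Verdict: <strong>{verdict}</strong> (confidence {confidence}%)</p>"
        f"<p>Severity: {esc(str(data.get('severity', 'n/a')))} | "
        f"Containment applied: {containment}</p>"
        "<h2>Correlated alerts</h2>"
        f"<table><tr><th>Alert</th><th>Device</th><th>User</th></tr>{alert_rows}</table>"
        "<h2>Hunting findings</h2>"
        f"<ul>{finding_items}</ul>"
        "</body></html>"
    )


if __name__ == "__main__":
    # Write the report to a file that opens in any browser with no external dependencies.
    with open("triage_report.html", "w", encoding="utf-8") as fh:
        fh.write(render_triage_report(SAMPLE_TRIAGE_JSON))
```

Because the output is a single file with inline styles and no script, it can be attached to a case or mailed without a web server, and the escaping guarantees that evidence text is displayed as text, never interpreted as markup.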
