
Workflow Template: Initial MS Defender Alert Case Creation from Data Connector

Natively create Torq Cases from Microsoft Defender XDR alerts via a data connector trigger.

The "Initial MS Defender Alert Case Creation from Data Connector" workflow template is designed to streamline security case management by automatically generating Torq cases from Microsoft Defender alerts. This workflow is triggered by the MS Defender Alerts Data Connector and processes alerts by extracting MITRE techniques, IOCs, users, and device evidence. It filters and normalizes IOCs, then branches based on the product name to create product-specific field mappings for Endpoint, Identity, Office 365, Cloud Apps, or Cloud. This ensures that each alert is accurately categorized and documented, enhancing incident response efficiency.

Trigger

Use Cases

Case Management

Workflow Breakdown

  1. Triggered by the Microsoft Defender Alerts data connector.

  2. Extract MITRE techniques, IOCs, users, and device evidence.

  3. Filter and normalize IOCs (remove hostnames and localhost).

  4. Branch on productName - build product-specific field mapping JSON (Endpoint / Identity / Office 365 / Cloud Apps / Cloud / fallback).
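The four breakdown steps above, written out as an added Python example (this is not the Torq workflow itself nor any Torq code). It assumes the incoming alert has the shape of a Microsoft Graph security alert (v2): a `productName`, a `mitreTechniques` list and an `evidence` list whose items carry an `@odata.type` discriminator. The sample alert, the exact `productName` strings, the output field names and the reading of step 3 (device DNS names stay as device evidence but are dropped from the IOC list; loopback addresses and `localhost` indicators are removed) are all assumptions made for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

E = "#microsoft.graph.security."  # @odata.type prefix on Graph alert evidence (assumed)

# Constructed sample alert (placeholder id, documentation IP, dummy hash).
SAMPLE_ALERT = {
    "id": "alert-id-placeholder",
    "productName": "Microsoft Defender for Endpoint",
    "mitreTechniques": ["T1059.001", "T1105"],
    "evidence": [
        {"@odata.type": E + "deviceEvidence", "deviceDnsName": "ws-0123.corp.example"},
        {"@odata.type": E + "userEvidence",
         "userAccount": {"accountName": "jdoe", "domainName": "CORP"}},
        {"@odata.type": E + "ipEvidence", "ipAddress": "203.0.113.45"},
        {"@odata.type": E + "ipEvidence", "ipAddress": "127.0.0.1"},
        {"@odata.type": E + "urlEvidence", "url": "http://localhost:8080/health"},
        {"@odata.type": E + "urlEvidence", "url": "http://files.example.net/payload.bin"},
        {"@odata.type": E + "fileEvidence", "fileDetails": {"sha256": "A" * 64}},
    ],
}

# Step 4 branch labels: productName value -> product key (strings are assumed).
PRODUCT_KEYS = {
    "Microsoft Defender for Endpoint": "Endpoint",
    "Microsoft Defender for Identity": "Identity",
    "Microsoft Defender for Office 365": "Office 365",
    "Microsoft Defender for Cloud Apps": "Cloud Apps",
    "Microsoft Defender for Cloud": "Cloud",
}

def extract_evidence(alert):
    """Step 2: techniques, users, devices, raw IOCs (device names also as 'hostname' IOCs)."""
    users, devices, iocs = [], [], []
    for item in alert.get("evidence", []):
        kind = item.get("@odata.type", "").rsplit(".", 1)[-1]  # e.g. 'ipEvidence'
        if kind == "deviceEvidence":
            devices.append(item.get("deviceDnsName", ""))
            iocs.append({"type": "hostname", "value": devices[-1]})
        elif kind == "userEvidence":
            acct = item.get("userAccount", {})
            users.append(f"{acct.get('domainName', '')}\\{acct.get('accountName', '')}")
        elif kind == "ipEvidence":
            iocs.append({"type": "ip", "value": item.get("ipAddress", "")})
        elif kind == "urlEvidence":
            iocs.append({"type": "url", "value": item.get("url", "")})
        elif kind == "fileEvidence":
            iocs.append({"type": "sha256",
                         "value": item.get("fileDetails", {}).get("sha256", "")})
    return {"mitre_techniques": list(alert.get("mitreTechniques", [])),
            "users": users, "devices": devices, "iocs": iocs}

def _is_localhost(value):
    # True for 'localhost' or any loopback address, bare or as the host of a URL.
    host = urlsplit(value).hostname if "://" in value else value
    host = (host or "").strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def filter_iocs(iocs):
    """Step 3: normalize, drop hostnames and localhost, de-duplicate."""
    seen, kept = set(), []
    for ioc in iocs:
        value = ioc.get("value", "").strip()
        if not value or ioc["type"] == "hostname" or _is_localhost(value):
            continue
        if ioc["type"] == "sha256":
            value = value.lower()  # hash hex is case-insensitive; canonicalize
        if (ioc["type"], value) not in seen:
            seen.add((ioc["type"], value))
            kept.append({"type": ioc["type"], "value": value})
    return kept

def build_case_fields(alert):
    """Steps 2-4: the field-mapping dict for a Torq case (field names are assumed)."""
    ev = extract_evidence(alert)
    product = PRODUCT_KEYS.get(alert.get("productName", ""), "fallback")
    fields = {"product": product, "alert_id": alert.get("id"),
              "mitre_techniques": ev["mitre_techniques"],
              "iocs": filter_iocs(ev["iocs"])}
    # Product branch: each product surfaces the evidence it is about.
    if product == "Endpoint":
        fields.update(devices=ev["devices"], users=ev["users"])
    elif product in ("Identity", "Office 365", "Cloud Apps"):
        fields.update(users=ev["users"])
    elif product == "Cloud":
        fields.update(resources=ev["devices"])
    else:  # fallback: keep the unrecognized product name for triage
        fields.update(raw_product_name=alert.get("productName"))
    return fields

if __name__ == "__main__":
    print(json.dumps(build_case_fields(SAMPLE_ALERT), indent=2))
```

Running the file prints the case field mapping for the sample alert: the loopback IP, the `localhost` URL and the device hostname are gone from `iocs`, while the device still appears under `devices` because the Endpoint branch surfaces it there. An unknown `productName` lands in the fallback branch with the raw name preserved, which is what you want to see in the case rather than a silently empty record.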

Vendors

Utils, Torq Cases

Workflow Output

Branch on productName - build product-specific field mapping JSON (Endpoint / Identity / Office 365 / Cloud Apps / Cloud / fallback)
