Torq

Microsoft Defender for Endpoint provides protection against spyware and other malicious software, with advanced threat detection. Microsoft Defender for Endpoint steps within Torq include: 

Collect Investigation Package from Machine

- Add or Update Indicator
- Cancel Machine Action
- Collect Investigation Package from Machine
- Create Session
- Delete Indicator
- Download Live Response Result
- Execute Live Response
- Execute Live Response Script
- Get a File from Endpoint
- Get Alert 
- +30 more...

Create an App in Microsoft Defender for Endpoint (Without a User)

Sign in to the Azure portal and navigate to Microsoft Entra ID &gt; App registrations &gt; New registration.

Choose a name for your application (such as Torq Defender Endpoint) and click Register.

Assign the Read all alerts permissions.

1. Note that according to the <a href="https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp?view=o365-worldwide" rel="nofollow noopener noreferrer" target="_blank">official Microsoft documentation</a>, you should add the WindowsDefenderATP permission.

Go to Application permissions &gt; Alert.Read.All and select Add permissions.

Add all the permissions you want your Torq integration to access. For example, if you wish to use the Isolate Machine step in Torq, you must add the Machine.Isolate permission.

Further examples of desired permissions: 

1. To use Read Only steps in your workflows, you should enable the following permissions: 
 Alert.Read.All AdvancedQuery.Read.All Machine.Read.All User.Read.All Vulnerability.Read.All File.Read.All Machine.CollectForensics SecurityRecommendation.Read.All
 
2. Steps take Response or Remediation actions in your workflows require the following permissions: 
 Alert.ReadWrite.All Machine.ReadWrite.All Machine.CollectForensics Machine.Isolate Machine.RestrictExecution Machine.Scan Machine.Offboard Machine.StopAndQuarantine Machine.LiveResponse Ti.ReadWrite.All

1. Note that if you return later to grant more permissions to your Torq app, you must click Grant Consent again. Otherwise, your changes will not be saved, and the permissions will not be given to the Torq app.

Add a secret to the application by clicking Certificates &amp; secrets &gt; Add.

1. Copy the secret in a secure place, as you cannot access it again. 

Go to the Overview page and copy the application ID and the tenant ID, which will be used in Torq later.

1. We suggest saving the tenant ID in Torq as a <a href="https://kb.torq.io/en/articles/9202852-workspace-variables-in-torq-optimal-data-management">workspace variable</a> for easier access in steps <a href="#h_29ea01c282">later</a>.

1. Sign in to the Azure portal and navigate to Microsoft Entra ID &gt; App registrations &gt; New registration. 
2. Choose a name for your application (such as Torq Defender Endpoint) and click Register. 
3. Assign the Read all alerts permissions. 
 1. Note that according to the <a href="https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp?view=o365-worldwide" rel="nofollow noopener noreferrer" target="_blank">official Microsoft documentation</a>, you should add the WindowsDefenderATP permission. 
4. Go to Application permissions &gt; Alert.Read.All and select Add permissions. 
5. Add all the permissions you want your Torq integration to access. For example, if you wish to use the Isolate Machine step in Torq, you must add the Machine.Isolate permission. 

6. Further examples of desired permissions: 
 1. To use Read Only steps in your workflows, you should enable the following permissions: 
 Alert.Read.All AdvancedQuery.Read.All Machine.Read.All User.Read.All Vulnerability.Read.All File.Read.All Machine.CollectForensics SecurityRecommendation.Read.All
 
 2. Steps take Response or Remediation actions in your workflows require the following permissions: 
 Alert.ReadWrite.All Machine.ReadWrite.All Machine.CollectForensics Machine.Isolate Machine.RestrictExecution Machine.Scan Machine.Offboard Machine.StopAndQuarantine Machine.LiveResponse Ti.ReadWrite.All
 
7. Select Grant Consent. 
 1. Note that if you return later to grant more permissions to your Torq app, you must click Grant Consent again. Otherwise, your changes will not be saved, and the permissions will not be given to the Torq app. 
8. Add a secret to the application by clicking Certificates &amp; secrets &gt; Add. 
 1. Copy the secret in a secure place, as you cannot access it again. 
9. Go to the Overview page and copy the application ID and the tenant ID, which will be used in Torq later. 
 1. We suggest saving the tenant ID in Torq as a <a href="https://kb.torq.io/en/articles/9202852-workspace-variables-in-torq-optimal-data-management">workspace variable</a> for easier access in steps <a href="#h_29ea01c282">later</a>.

Create a Microsoft Defender for Endpoint Step Integration in Torq

Go to Build &gt; Integrations &gt; Steps &gt; Microsoft Defender for Endpoint and click Add.

Give the integration a unique and meaningful name. 

Paste the Client Secret created earlier. 

1. Go to Build &gt; Integrations &gt; Steps &gt; Microsoft Defender for Endpoint and click Add. 
2. Give the integration a unique and meaningful name. 
3. Paste the Client ID created earlier. 
4. Paste the Client Secret created earlier. 
5. Click Add.

Using Microsoft Defender for Endpoint Steps in a Torq Workflow

To use Microsoft Defender for Endpoint steps within a Torq workflow, you must first use the Create Session step under the Microsoft Defender for Endpoint. The created session will then be used with the rest of the workflow's steps to access Microsoft Defender for Endpoint.

To activate the Create Session step, you must insert your app's tenant ID. This is why we suggested saving it as a workspace variable (<a href="#h_3a81c49de6">step 9.a</a>) in Torq for easier access across all workflows.