Microsoft Defender for Endpoint provides protection against spyware and other malicious software, with advanced threat detection.
Torq enables quick and easy integration with Microsoft Defender for Endpoint, so you can automate anything and everything within moments. Torq's public Microsoft Defender for Endpoint steps include:
Add or Update Indicator
Create Session
Delete Indicator
Execute Live Response
Get a File from Endpoint
+35 more...
If you don't see a step you need, you can create your own in various ways, such as using the Send an HTTP Request step or Torq’s Step Builder, and share it across your organization.
Look here if you want to use Microsoft Defender steps in a workflow.
Use Microsoft Defender for Endpoint Steps in a Torq Workflow
Step One: Create an App in Azure (Without a User)
Create New App: Sign in to the Azure portal and navigate to Microsoft Entra ID > App registrations > New registration.
Choose a name for your application (such as Torq Defender Endpoint).
Under Supported account types select Accounts in this organizational directory only.
There is no need to add a redirect URL.
Click Register.
Add Permissions: Go to Manage > API Permissions and click Add a Permission.
Select APIs my organization uses and search for WindowsDefenderATP. Click on WindowsDefenderATP and click Application Permissions.
Add all the permissions you want your Torq integration to access. For example, if you wish to use the Isolate Machine step in Torq, you must add the Machine.Isolate permission.
To use Read Only steps in your workflows, you should enable the following permissions:
Alert.Read.All
AdvancedQuery.Read.All
Machine.Read.All
User.Read.All
Vulnerability.Read.All
File.Read.All
Machine.CollectForensics
SecurityRecommendation.Read.All
Steps that take Response or Remediation actions in your workflows require the following permissions:
Alert.ReadWrite.All
Machine.ReadWrite.All
Machine.CollectForensics
Machine.Isolate
Machine.RestrictExecution
Machine.Scan
Machine.Offboard
Machine.StopAndQuarantine
Machine.LiveResponse
Ti.ReadWrite.All
Apply Permissions: Click Add Permissions and then click Grant Admin Consent.
Add Secret: Go to Manage > Certificates & secrets and click New Client Secret.
Collect Final Details: Go to the Overview page and copy the application (client) ID and the directory (tenant) ID, which will be used in Torq later.
We suggest saving the directory (tenant) ID in Torq as a workspace variable for easier access in steps later.
Step Two: Create a Microsoft Defender for Endpoint Step Integration in Torq
Navigate to Integration: Go to Build > Integrations > Steps > Microsoft Defender for Endpoint and click Add.
Give the integration a unique and meaningful name.
Paste the Client ID (application ID) created earlier.
Paste the Client Secret created earlier.
Finalize: Click Add.
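Before relying on the integration, it is worth confirming that admin consent actually granted the application permissions listed in Step One, because a step will only fail at run time otherwise. The check below is an added example, not Torq's or Microsoft's own code; it assumes Entra's standard v2 token endpoint and the api.securitycenter.microsoft.com resource behind the WindowsDefenderATP API, and it uses the same three inputs (tenant ID, client ID, client secret) that the Torq integration and its Create Session step take.

```python
# Added check, not Torq's or Microsoft's code: get a client-credentials token
# for the Step One app and compare its 'roles' claim with the lists above.
# Assumes Entra's v2 token endpoint and the Defender for Endpoint API resource.
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://api.securitycenter.microsoft.com/.default"
READ_ONLY = {"Alert.Read.All", "AdvancedQuery.Read.All", "Machine.Read.All",
             "User.Read.All", "Vulnerability.Read.All", "File.Read.All",
             "Machine.CollectForensics", "SecurityRecommendation.Read.All"}
RESPONSE = {"Alert.ReadWrite.All", "Machine.ReadWrite.All", "Machine.Isolate",
            "Machine.CollectForensics", "Machine.RestrictExecution",
            "Machine.Scan", "Machine.Offboard", "Machine.StopAndQuarantine",
            "Machine.LiveResponse", "Ti.ReadWrite.All"}

def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials grant."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": SCOPE}).encode()
    return TOKEN_URL.format(tenant=tenant_id), body

def fetch_token(tenant_id, client_id, client_secret):
    """Network call: exchange the client secret for an access token string."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        return json.load(r)["access_token"]

def token_roles(token):
    """Read the 'roles' claim from the JWT payload. The signature is not
    checked: this inspects consent results, it never authorizes anything."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(seg)).get("roles", []))

def missing_permissions(token, required):
    """Permissions in `required` that admin consent has not granted."""
    return sorted(required - token_roles(token))

def sample_token(roles):
    """Constructed, unsigned JWT for offline runs; not a real Entra token."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'roles': sorted(roles)})}.sig"

if __name__ == "__main__":
    tok = sample_token(READ_ONLY - {"File.Read.All"})  # constructed sample
    print("missing read-only permissions:", missing_permissions(tok, READ_ONLY))
```

With real credentials, replace the constructed sample with `fetch_token(tenant_id, client_id, client_secret)` and check `missing_permissions(tok, RESPONSE)` as well if your workflows use response actions; an empty list means consent matches the Step One lists.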
FAQs
Using Microsoft Defender for Endpoint Steps in a Torq Workflow
To use Microsoft Defender for Endpoint steps within a Torq workflow, you must first use the Create Session step under the Microsoft Defender for Endpoint integration. The created session is then used by the rest of the workflow's steps to access Microsoft Defender for Endpoint.
To activate the Create Session step, you must insert your app's tenant ID. This is why we suggested saving it as a workspace variable (see Collect Final Details in Step One) in Torq for easier access across all workflows.
Templates
Now that you've added your integrations, check out these specially crafted templates by Torq's security experts. Visit Torq's template library for more.