Skip to main content
All CollectionsIntegrate EverythingMicrosoft
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint

Sometimes known as Microsoft Defender for XDR

Updated over a month ago

Microsoft Defender for Endpoint provides protection against spyware and other malicious software, with advanced threat detection. Microsoft Defender for Endpoint steps within Torq include:

  • Add or Update Indicator

  • Cancel Machine Action

  • Collect Investigation Package from Machine

  • Create Session

  • Delete Indicator

  • Download Live Response Result

  • Execute Live Response

  • Execute Live Response Script

  • Get a File from Endpoint

  • Get Alert

  • +30 more...

Create an App in Microsoft Defender for Endpoint (Without a User)

  1. Sign in to the Azure portal and navigate to Microsoft Entra ID > App registrations > New registration.

  2. Choose a name for your application (such as Torq Defender Endpoint) and click Register.

  3. Assign the Read all alerts permissions.

    1. Note that according to the official Microsoft documentation, you should add the WindowsDefenderATP permission.

  4. Go to Application permissions > Alert.Read.All and select Add permissions.

  5. Add all the permissions you want your Torq integration to access. For example, if you wish to use the Isolate Machine step in Torq, you must add the Machine.Isolate permission.

  6. Further examples of desired permissions:

    1. To use Read Only steps in your workflows, you should enable the following permissions:

      Alert.Read.All 
      AdvancedQuery.Read.All
      Machine.Read.All
      User.Read.All
      Vulnerability.Read.All
      File.Read.All
      Machine.CollectForensics
      SecurityRecommendation.Read.All

    2. Steps take Response or Remediation actions in your workflows require the following permissions:

      Alert.ReadWrite.All 
      Machine.ReadWrite.All
      Machine.CollectForensics
      Machine.Isolate
      Machine.RestrictExecution
      Machine.Scan
      Machine.Offboard
      Machine.StopAndQuarantine
      Machine.LiveResponse
      Ti.ReadWrite.All

  7. Select Grant Consent.

    1. Note that if you return later to grant more permissions to your Torq app, you must click Grant Consent again. Otherwise, your changes will not be saved, and the permissions will not be given to the Torq app.

  8. Add a secret to the application by clicking Certificates & secrets > Add.

    1. Copy the secret in a secure place, as you cannot access it again.

  9. Go to the Overview page and copy the application ID and the tenant ID, which will be used in Torq later.

    1. We suggest saving the tenant ID in Torq as a workspace variable for easier access in steps later.

Create a Microsoft Defender for Endpoint Step Integration in Torq

  1. Go to Build > Integrations > Steps > Microsoft Defender for Endpoint and click Add.

  2. Give the integration a unique and meaningful name.

  3. Paste the Client ID created earlier.

  4. Paste the Client Secret created earlier.

  5. Click Add.

Using Microsoft Defender for Endpoint Steps in a Torq Workflow

To use Microsoft Defender for Endpoint steps within a Torq workflow, you must first use the Create Session step under the Microsoft Defender for Endpoint. The created session will then be used with the rest of the workflow's steps to access Microsoft Defender for Endpoint.

To activate the Create Session step, you must insert your app's tenant ID. This is why we suggested saving it as a workspace variable (step 9.a) in Torq for easier access across all workflows.

Did this answer your question?