Microsoft Defender for Endpoint provides protection against spyware and other malicious software, with advanced threat detection. Microsoft Defender for Endpoint steps within Torq include:
Add or Update Indicator
Cancel Machine Action
Collect Investigation Package from Machine
Create Session
Delete Indicator
Download Live Response Result
Execute Live Response
Execute Live Response Script
Get a File from Endpoint
Get Alert
+30 more...
Create an App in Microsoft Defender for Endpoint (Without a User)
Sign in to the Azure portal and navigate to Microsoft Entra ID > App registrations > New registration.
Choose a name for your application (such as Torq Defender Endpoint) and click Register.
Assign the Read all alerts permission (Alert.Read.All).
Note that, per the official Microsoft documentation, this permission is exposed by the WindowsDefenderATP API, so select that API when adding permissions.
Go to Application permissions > Alert.Read.All and select Add permissions.
Add all the permissions you want your Torq integration to access. For example, if you wish to use the Isolate Machine step in Torq, you must add the Machine.Isolate permission.
Further examples of desired permissions:
To use Read Only steps in your workflows, you should enable the following permissions:
Alert.Read.All
AdvancedQuery.Read.All
Machine.Read.All
User.Read.All
Vulnerability.Read.All
File.Read.All
Machine.CollectForensics
SecurityRecommendation.Read.All
Steps that take Response or Remediation actions in your workflows require the following permissions:
Alert.ReadWrite.All
Machine.ReadWrite.All
Machine.CollectForensics
Machine.Isolate
Machine.RestrictExecution
Machine.Scan
Machine.Offboard
Machine.StopAndQuarantine
Machine.LiveResponse
Ti.ReadWrite.All
Select Grant Consent.
Note that if you return later to grant more permissions to your Torq app, you must click Grant Consent again. Otherwise, your changes will not be saved, and the permissions will not be given to the Torq app.
Add a secret to the application by clicking Certificates & secrets > Add.
Copy the secret to a secure place immediately; it is shown only once and cannot be retrieved later.
Go to the Overview page and copy the application ID and the tenant ID, which will be used in Torq later.
We suggest saving the tenant ID in Torq as a workspace variable for easier access in steps later.
Create a Microsoft Defender for Endpoint Step Integration in Torq
Go to Build > Integrations > Steps > Microsoft Defender for Endpoint and click Add.
Give the integration a unique and meaningful name.
Paste the Client ID created earlier.
Paste the Client Secret created earlier.
Click Add.
Using Microsoft Defender for Endpoint Steps in a Torq Workflow
To use Microsoft Defender for Endpoint steps within a Torq workflow, you must first use the Create Session step under the Microsoft Defender for Endpoint integration. The created session is then used by the rest of the workflow's steps to access Microsoft Defender for Endpoint.
To activate the Create Session step, you must insert your app's tenant ID. This is why we suggested saving it as a workspace variable (step 9.a) in Torq for easier access across all workflows.
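The following added example (not Torq's or Microsoft's own code) shows the two things the steps above set up: the client-credentials token request that a session needs (tenant ID, client ID, client secret), and a pre-flight check that the application permissions granted to the app actually cover the Torq steps a workflow will use, so a missing Grant Consent is caught before the workflow fails. The step-to-permission map is an assumption beyond the page's single stated pairing (Isolate Machine needs Machine.Isolate); the token in the demo is constructed and unsigned.

```python
import base64
import json

# Assumed mapping from Torq step names (listed on this page) to the Defender API
# application permission each needs. Only Isolate Machine -> Machine.Isolate is
# stated on the page; the rest follow the Defender for Endpoint API reference.
STEP_PERMISSIONS = {
    "Get Alert": {"Alert.Read.All"},
    "Isolate Machine": {"Machine.Isolate"},
    "Collect Investigation Package from Machine": {"Machine.CollectForensics"},
    "Add or Update Indicator": {"Ti.ReadWrite.All"},
    "Execute Live Response": {"Machine.LiveResponse"},
}

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
DEFENDER_SCOPE = "https://api.securitycenter.microsoft.com/.default"

def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials request a session needs (built, not sent here)."""
    return TOKEN_URL.format(tenant=tenant_id), {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": DEFENDER_SCOPE,
    }

def granted_roles(access_token):
    """Read the 'roles' claim (granted application permissions) from a JWT payload.
    The signature is NOT verified: this only inspects your own token before use."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))

def missing_permissions(access_token, steps):
    """Return the permissions the planned steps need that the token does not carry."""
    needed = set().union(*(STEP_PERMISSIONS[s] for s in steps))
    return needed - granted_roles(access_token)

def _fake_token(roles):
    """Constructed, unsigned sample token for the demo; a real one comes from TOKEN_URL."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "sig"])

if __name__ == "__main__":
    tok = _fake_token(["Alert.Read.All", "Machine.Read.All"])  # read-only app
    print(missing_permissions(tok, ["Get Alert", "Isolate Machine"]))  # {'Machine.Isolate'}
```

An empty result means consent was granted for every step in the list; anything returned is a permission to add (and re-consent) before the workflow runs.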