Microsoft 365 Defender

Use Microsoft Defender XDR (Microsoft 365 Defender) steps in your Torq automated workflows.

Updated today

Microsoft 365 Defender is an integrated security solution that provides advanced threat protection, detection, investigation, and response across Microsoft 365 services to safeguard identities, endpoints, email, and applications. Microsoft 365 Defender steps within Torq include:

  • Create session

  • Get a list of all incidents

  • Get details of a single incident

  • Update a single incident

If you don't see a step you need, you can create your own in various ways, such as using the Send an HTTP Request step or Torq’s Step Builder, and share it across your organization.

Note that the Microsoft 365 Defender steps use the Microsoft Defender XDR API, which the Microsoft Graph API is replacing. The best practice may be to create a Microsoft 365 steps integration using the Graph API for steps such as Run Graph API Query, Get Email Threat Submission Details, Get URL Threat Submission Details, Run Threat Hunting Query, and more.

Look here if you want to use Microsoft 365 Defender steps in a workflow.

Look here if you want to use Microsoft Defender for Endpoint steps in a workflow.

Use Microsoft 365 Defender Steps in a Torq Workflow

Step One: Create an Application in Azure for Microsoft 365 Defender

  1. In Azure Platform: Go to your Azure platform and navigate to Microsoft Entra ID > App Registrations > New Registration.

  2. Fill in Details: Choose a unique and meaningful name for your app and click Register.

  3. API Permissions: Select API Permissions > Add permission > APIs my organization uses > type Microsoft Threat Protection and select Microsoft Threat Protection.

    1. This enables you to access Microsoft Defender XDR.

      The organization's APIs usage tab in the Microsoft Defender portal
  4. Application Permissions: Select Application Permissions. Choose the relevant permissions and then click Add Permissions.

    1. For use with read-only steps such as Get a list of all incidents or Get details of a single incident, select the following permissions:

      AdvancedHunting.Read.All
      Incident.Read.All
    2. For use with writing steps, such as Update a single incident, select the above permissions as well as the following:

      Incident.ReadWrite.All
  5. Admin Consent: Select Grant admin consent.

    1. You must select Grant admin consent whenever you add permissions to save the changes.

      The consent grant-related pane in the Microsoft Defender portal
  6. Get Secret: Go to Certificates and Secrets, give the secret a meaningful description such as "Torq Secret", and click Add.

    1. Save the secret in a safe location for later use in Torq.

  7. Save Details: Copy your Application ID and Tenant ID and save them somewhere safe for use later in Torq.

    1. We suggest saving your Tenant ID as a workspace variable in the relevant workspace within Torq for ease of use in later workflows.

      The Overview pane in the Microsoft Defender portal
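
After granting consent, you can confirm that the app registration carries exactly the permissions from step 4 and nothing broader. The following is an added example, not Torq or Microsoft code: it decodes an app-only access token obtained separately for this app and compares its permissions with the read-only and write sets listed above. It assumes application permissions appear in the token's `roles` claim; the function names, the sample token, and the placeholder tenant and application IDs are constructed for illustration.

```python
import base64
import json

# Permission sets taken from steps 4.1 and 4.2 above.
READ_ONLY = {"AdvancedHunting.Read.All", "Incident.Read.All"}
READ_WRITE = READ_ONLY | {"Incident.ReadWrite.All"}


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(token: str, needs_write: bool) -> dict:
    """Compare granted application permissions with what the workflow needs."""
    # Assumption: app-only tokens list application permissions in "roles".
    granted = set(jwt_claims(token).get("roles", []))
    expected = READ_WRITE if needs_write else READ_ONLY
    return {
        "missing": sorted(expected - granted),  # not consented: steps will fail
        "excess": sorted(granted - expected),   # broader than the workflow needs
    }


def make_sample_token(roles: list) -> str:
    """Constructed, unsigned sample token; tenant and app IDs are placeholders."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url(json.dumps({
        "tid": "00000000-0000-0000-0000-000000000000",
        "appid": "11111111-1111-1111-1111-111111111111",
        "roles": roles,
    }).encode())
    return f"{header}.{body}.sig"


if __name__ == "__main__":
    token = make_sample_token(["AdvancedHunting.Read.All", "Incident.Read.All",
                               "Incident.ReadWrite.All"])
    # An integration used only for read-only steps should report no excess.
    print(audit_roles(token, needs_write=False))
```

An `excess` entry on an integration used only for read-only steps means the write permission can be removed from the app registration; a `missing` entry usually means admin consent was not granted after the permission was added.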

Step Two: Create a Microsoft 365 Defender Steps Integration in Torq

  1. Add Integration: Go to Build > Steps > Microsoft 365 Defender and click Add.

  2. Fill in Details:

    1. Give the integration a unique and meaningful name.

    2. In Client ID, enter the Application ID you copied earlier in step 7.

    3. In Client Secret, enter the secret you created earlier in step 6.

  3. Finalize: Click Add to save.


FAQs

Using Microsoft 365 Defender Steps in a Torq Workflow

To use Microsoft Defender for Endpoint steps within a Torq workflow, you must first use the Create Session step under the Microsoft 365 Defender category. The created session will then be used with the rest of the workflow's steps to access Microsoft 365 Defender.

To activate the Create Session step, you must insert your app's tenant ID. This is why we suggested saving it as a workspace variable (step 7a) in Torq for easier access across all workflows within the workspace.


Templates

Now that you've added your integrations, check out these specially crafted templates by Torq's security experts. Visit Torq's template library for more.
