Microsoft 365 Defender

Use Microsoft XDR (Microsoft 365 Defender) steps in your Torq automated workflows.


Microsoft 365 Defender is an integrated security solution that provides advanced threat protection, detection, investigation, and response across Microsoft 365 services to safeguard identities, endpoints, email, and applications. Microsoft 365 Defender steps within Torq include:

  • Create session

  • Get a list of all incidents

  • Get details of a single incident

  • Update a single incident

and, as always, you can easily create your own custom steps.

Look here if you want to use Microsoft 365 Defender steps in a workflow.

Use Microsoft 365 Steps in a Torq Workflow

Create an Application in Azure for Microsoft 365 Defender

  1. Go to your Azure platform and navigate to Microsoft Entra ID > App Registrations > New Registration.

  2. Choose a unique and meaningful name for your app and click Register.

  3. Select API Permissions > Add permission > APIs my organization uses > type Microsoft Threat Protection and select Microsoft Threat Protection.

    1. This enables you to access Microsoft Defender XDR.

      The organization's APIs usage tab in the Microsoft Defender portal
  4. Select Application Permissions. Choose the relevant permissions and then click Add Permissions.

    1. For use with read-only steps such as Get a list of all incidents or Get details of a single incident, select the following permissions:

      AdvancedHunting.Read.All
      Incident.Read.All
    2. For use with writing steps, such as Update a single incident, select the above permissions as well as the following:

      Incident.ReadWrite.All
  5. Select Grant admin consent. You must select Grant admin consent whenever you add permissions to save the changes.

    The consent grant-related pane in the Microsoft Defender portal
  6. Go to Certificates and Secrets, give the secret a meaningful description such as "Torq Secret" and click Add.

    1. Save the secret in a safe location for later use in Torq.

  7. Copy your Application ID and Tenant ID and save them somewhere safe for use later in Torq.

    1. We suggest saving your Tenant ID as a workspace variable in the relevant workspace within Torq, for ease of use in later workflows.

      The Overview pane in the Microsoft Defender portal
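
To confirm that the app registration carries exactly the permissions chosen in step 4 and nothing more, you can inspect the roles claim of an access token issued to it. The following is an added example, not Torq or Microsoft code; it assumes you already hold such a token, and the function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Application permissions named in step 4 of the procedure above.
READ_ROLES = {"AdvancedHunting.Read.All", "Incident.Read.All"}
WRITE_ROLES = READ_ROLES | {"Incident.ReadWrite.All"}


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(claims: dict, needs_write: bool) -> dict:
    """Compare the token's app roles with what the workflow actually needs."""
    expected = WRITE_ROLES if needs_write else READ_ROLES
    granted = set(claims.get("roles", []))  # claim is absent without admin consent
    return {
        "missing": sorted(expected - granted),
        "excess": sorted(granted - expected),
        "ok": granted == expected,
    }


def _make_sample_token(roles: list) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"roles": roles} if roles else {}
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}.constructed-signature"


# Constructed samples: an app that was given write access although its workflow
# only reads incidents, and an app whose admin consent (step 5) was never granted.
OVER_PRIVILEGED = _make_sample_token(sorted(WRITE_ROLES))
NO_CONSENT = _make_sample_token([])

if __name__ == "__main__":
    print(audit_roles(decode_claims(OVER_PRIVILEGED), needs_write=False))
    print(audit_roles(decode_claims(NO_CONSENT), needs_write=False))
```

An "excess" entry on a read-only integration means the client secret stored in Torq can also modify incidents; remove the extra permission in API Permissions and grant admin consent again.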

Create a Steps Integration in Torq

  1. Go to Build > Steps > Microsoft 365 Defender and click Add.

  2. Give the integration a unique and meaningful name.

  3. In Client ID, enter the Application ID you copied earlier in step 7.

  4. In Client Secret, enter the secret you created earlier in step 6.

  5. Click Add to save.

Using Microsoft 365 Defender Steps in a Torq Workflow

To use Microsoft Defender for Endpoint steps within a Torq workflow, you must first use the Create Session step under the Microsoft 365 Defender category. The created session will then be used with the rest of the workflow's steps to access Microsoft 365 Defender.

To activate the Create Session step, you must insert your app's tenant ID. This is why we suggested saving it as a workspace variable (step 7a) in Torq for easier access across all workflows.
