
Microsoft Defender for Endpoint API — Alerts

Microsoft Defender for Endpoint API — Alerts. 4 operations. Lead operation: Microsoft Defender List alerts. Self-contained Naftiko capability covering one Microsoft Defender business surface.


What You Can Do

GET
Listalerts — Microsoft Defender List alerts
/v1/alerts
GET
Getalert — Microsoft Defender Get alert by ID
/v1/alerts/{alertid}
PATCH
Updatealert — Microsoft Defender Update alert
/v1/alerts/{alertid}
GET
Listmachinealerts — Microsoft Defender List alerts for a machine
/v1/machines/{machineid}/alerts

MCP Tools

microsoft-defender-list-alerts

Microsoft Defender List alerts

read-only idempotent
microsoft-defender-get-alert-id

Microsoft Defender Get alert by ID

read-only idempotent
microsoft-defender-update-alert

Microsoft Defender Update alert

idempotent
microsoft-defender-list-alerts-machine

Microsoft Defender List alerts for a machine

read-only idempotent

Capability Spec

for-endpoint-alerts.yaml
# Naftiko spec version this capability file is written against.
naftiko: 1.0.0-alpha2
# Human-facing metadata only; nothing below is used for routing or auth.
info:
  label: Microsoft Defender for Endpoint API — Alerts
  description: 'Microsoft Defender for Endpoint API — Alerts. 4 operations. Lead operation: Microsoft Defender List alerts.
    Self-contained Naftiko capability covering one Microsoft Defender business surface.'
  tags:
  - Microsoft Defender
  - Alerts
  # Quoted on purpose: an unquoted ISO date would be parsed as a YAML
  # timestamp rather than a string by most loaders.
  created: '2026-05-19'
  modified: '2026-05-19'
# Runtime bindings. The upstream credential is pulled from the process
# environment at run time, so no secret is stored in this file.
binds:
- namespace: env
  keys:
    # Left side is the name used inside this capability, right side the
    # environment variable it is read from (identical here).
    MICROSOFT_DEFENDER_API_KEY: MICROSOFT_DEFENDER_API_KEY
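capability:
  # Upstream (consumed) surface. Each operation is a direct HTTP call to
  # the Defender API, authenticated with the single bearer token declared
  # at the end of this block; every exposed adapter below reuses it.
  consumes:
  - type: http
    namespace: for-endpoint-alerts
    # NOTE(review): confirm this base URI serves the /alerts and /machines
    # routes for the tenant in use before deploying.
    baseUri: https://api.security.microsoft.com/api
    description: Microsoft Defender for Endpoint API — Alerts business capability. Self-contained, no shared references.
    resources:
    - name: alerts
      path: /alerts
      operations:
      - name: listalerts
        method: GET
        description: Microsoft Defender List alerts
        outputRawFormat: json
        # The upstream JSON body is returned unchanged ($.), so callers see
        # every alert field the API includes.
        outputParameters:
        - name: result
          type: object
          value: $.
        # The OData query options are forwarded to the upstream API as
        # given; nothing in this file validates or rewrites them.
        inputParameters:
        - name: $filter
          in: query
          type: string
          description: OData filter expression, forwarded to the upstream API as given. Filterable properties include
            alertCreationTime, lastUpdateTime, incidentId, investigationId, id, assignedTo, detectionSource and lastEventTime.
        - name: $top
          in: query
          type: integer
          description: Maximum number of results to return (max 10,000).
        - name: $skip
          in: query
          type: integer
          description: Number of results to skip for pagination.
        - name: $expand
          in: query
          type: string
          description: Expand related entities. Supports expanding evidence.
    - name: alerts-alertId
      path: /alerts/{alertId}
      operations:
      - name: getalert
        method: GET
        description: Microsoft Defender Get alert by ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: alertId
          in: path
          type: string
          description: The unique identifier of the alert.
          required: true
      # The only state-changing operation in this capability. It writes to
      # the tenant's alert records with the same credential the read-only
      # operations use.
      - name: updatealert
        method: PATCH
        description: Microsoft Defender Update alert
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: alertId
          in: path
          type: string
          description: The unique identifier of the alert to update.
          required: true
        # Opaque pass-through: no schema is declared, so whatever JSON the
        # caller supplies reaches the upstream API unvalidated. Presumably
        # this carries alert triage fields (status/classification/comment);
        # confirm against the upstream API reference.
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: machines-machineId-alerts
      path: /machines/{machineId}/alerts
      operations:
      - name: listmachinealerts
        method: GET
        description: Microsoft Defender List alerts for a machine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: machineId
          in: path
          type: string
          description: The device ID of the machine.
          required: true
    # One bearer token for all four operations, including the PATCH.
    # Grant the backing identity only the alert read/write permissions
    # these operations need, and rotate it through the environment binding
    # rather than by editing this file.
    authentication:
      type: bearer
      token: '{{env.MICROSOFT_DEFENDER_API_KEY}}'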
  # Downstream (exposed) surfaces. Each operation maps 1:1 onto a consumed
  # operation and every caller is served with the single upstream
  # credential, so any per-caller access control has to live on these
  # adapters or in front of them.
  exposes:
  - type: rest
    namespace: for-endpoint-alerts-rest
    # NOTE(review): no authentication is declared for this listener in this
    # file; confirm how port 8080 is protected before exposing it beyond
    # the local host.
    port: 8080
    description: REST adapter for Microsoft Defender for Endpoint API — Alerts. One Spectral-compliant resource per consumed
      operation, prefixed with /v1.
    resources:
    - path: /v1/alerts
      name: alerts
      description: REST surface for alerts.
      operations:
      - method: GET
        name: listalerts
        description: Microsoft Defender List alerts
        call: for-endpoint-alerts.listalerts
        # Query options are copied straight from the REST request into the
        # upstream call; see the consumes block for the caveat on $filter.
        with:
          $filter: rest.$filter
          $top: rest.$top
          $skip: rest.$skip
          $expand: rest.$expand
        outputParameters:
        - type: object
          mapping: $.
    # NOTE(review): the placeholder is lowercase ({alertid}) while the
    # mappings below read rest.alertId — confirm the runtime resolves path
    # parameters case-insensitively, or align the two spellings. The same
    # applies to {machineid} / rest.machineId further down.
    - path: /v1/alerts/{alertid}
      name: alerts-alertid
      description: REST surface for alerts-alertId.
      operations:
      - method: GET
        name: getalert
        description: Microsoft Defender Get alert by ID
        call: for-endpoint-alerts.getalert
        with:
          alertId: rest.alertId
        outputParameters:
        - type: object
          mapping: $.
      # State-changing route: the request body is handed to the upstream
      # PATCH as-is, with no schema declared on this side.
      - method: PATCH
        name: updatealert
        description: Microsoft Defender Update alert
        call: for-endpoint-alerts.updatealert
        with:
          alertId: rest.alertId
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/machines/{machineid}/alerts
      name: machines-machineid-alerts
      description: REST surface for machines-machineId-alerts.
      operations:
      - method: GET
        name: listmachinealerts
        description: Microsoft Defender List alerts for a machine
        call: for-endpoint-alerts.listmachinealerts
        with:
          machineId: rest.machineId
        outputParameters:
        - type: object
          mapping: $.
  # MCP adapter: the same four operations offered as agent tools, again
  # backed by the single upstream credential.
  - type: mcp
    namespace: for-endpoint-alerts-mcp
    # NOTE(review): as with the REST listener, no authentication is declared
    # here; confirm how this HTTP transport is protected.
    port: 9090
    transport: http
    description: MCP adapter for Microsoft Defender for Endpoint API — Alerts. One tool per consumed operation, routed inline
      through this capability's consumes block.
    tools:
    - name: microsoft-defender-list-alerts
      description: Microsoft Defender List alerts
      # Read-only: the tool only lists alerts; the hints let clients skip
      # confirmation prompts for it.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: for-endpoint-alerts.listalerts
      # Tool arguments are forwarded to the upstream OData query unchanged.
      with:
        $filter: tools.$filter
        $top: tools.$top
        $skip: tools.$skip
        $expand: tools.$expand
      outputParameters:
      - type: object
        mapping: $.
    - name: microsoft-defender-get-alert-id
      description: Microsoft Defender Get alert by ID
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: for-endpoint-alerts.getalert
      with:
        alertId: tools.alertId
      outputParameters:
      - type: object
        mapping: $.
    - name: microsoft-defender-update-alert
      description: Microsoft Defender Update alert
      # The only tool that writes to the tenant. NOTE(review): a PATCH on an
      # alert can change its triage state, so `destructive: false` is a
      # judgement call — confirm it matches how your MCP clients gate
      # non-read-only tools (e.g. whether they ask before calling it).
      hints:
        readOnly: false
        destructive: false
        idempotent: true
      call: for-endpoint-alerts.updatealert
      # `body` is an opaque object passed through to the upstream PATCH; no
      # schema constrains what an agent may send.
      with:
        alertId: tools.alertId
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: microsoft-defender-list-alerts-machine
      description: Microsoft Defender List alerts for a machine
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: for-endpoint-alerts.listmachinealerts
      with:
        machineId: tools.machineId
      outputParameters:
      - type: object
        mapping: $.