Microsoft Defender · Capability

Microsoft Defender for Endpoint API — Machines

Microsoft Defender for Endpoint API — Machines. 5 operations. Lead operation: Microsoft Defender List machines. Self-contained Naftiko capability covering one Microsoft Defender business surface.

What You Can Do

GET /v1/machines
Listmachines — Microsoft Defender List machines

GET /v1/machines/{machineid}
Getmachine — Microsoft Defender Get machine by ID

GET /v1/machines/{machineid}/alerts
Listmachinealerts — Microsoft Defender List alerts for a machine

GET /v1/machines/{machineid}/vulnerabilities
Listmachinevulnerabilities — Microsoft Defender List vulnerabilities for a machine

GET /v1/vulnerabilities/{vulnerabilityid}/machinereferences
Listvulnerabilitymachinereferences — Microsoft Defender List machines affected by a vulnerability

MCP Tools

microsoft-defender-list-machines
Microsoft Defender List machines
Hints: read-only, idempotent

microsoft-defender-get-machine-id
Microsoft Defender Get machine by ID
Hints: read-only, idempotent

microsoft-defender-list-alerts-machine
Microsoft Defender List alerts for a machine
Hints: read-only, idempotent

microsoft-defender-list-vulnerabilities-machine
Microsoft Defender List vulnerabilities for a machine
Hints: read-only, idempotent

microsoft-defender-list-machines-affected
Microsoft Defender List machines affected by a vulnerability
Hints: read-only, idempotent

Capability Spec

for-endpoint-machines.yaml
naftiko: 1.0.0-alpha2
info:
  label: Microsoft Defender for Endpoint API — Machines
  description: 'Microsoft Defender for Endpoint API — Machines. 5 operations. Lead operation: Microsoft Defender List machines.
    Self-contained Naftiko capability covering one Microsoft Defender business surface.'
  tags:
  - Microsoft Defender
  - Machines
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    MICROSOFT_DEFENDER_API_KEY: MICROSOFT_DEFENDER_API_KEY
capability:
  consumes:
  - type: http
    namespace: for-endpoint-machines
    baseUri: https://api.security.microsoft.com/api
    description: Microsoft Defender for Endpoint API — Machines business capability. Self-contained, no shared references.
    resources:
    - name: machines
      path: /machines
      operations:
      - name: listmachines
        method: GET
        description: Microsoft Defender List machines
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: $filter
          in: query
          type: string
          description: OData filter expression. Filterable properties include computerDnsName, id, version, deviceValue, aadDeviceId,
            machineTags, lastSeen, exposureLevel, onboardingS
        - name: $top
          in: query
          type: integer
          description: Maximum number of results to return (max 10,000).
        - name: $skip
          in: query
          type: integer
          description: Number of results to skip for pagination.
    - name: machines-machineId
      path: /machines/{machineId}
      operations:
      - name: getmachine
        method: GET
        description: Microsoft Defender Get machine by ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: machineId
          in: path
          type: string
          description: The device ID or computer name of the machine.
          required: true
    - name: machines-machineId-alerts
      path: /machines/{machineId}/alerts
      operations:
      - name: listmachinealerts
        method: GET
        description: Microsoft Defender List alerts for a machine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: machineId
          in: path
          type: string
          description: The device ID of the machine.
          required: true
    - name: machines-machineId-vulnerabilities
      path: /machines/{machineId}/vulnerabilities
      operations:
      - name: listmachinevulnerabilities
        method: GET
        description: Microsoft Defender List vulnerabilities for a machine
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: machineId
          in: path
          type: string
          description: The device ID of the machine.
          required: true
    - name: vulnerabilities-vulnerabilityId-machineReferences
      path: /vulnerabilities/{vulnerabilityId}/machineReferences
      operations:
      - name: listvulnerabilitymachinereferences
        method: GET
        description: Microsoft Defender List machines affected by a vulnerability
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: vulnerabilityId
          in: path
          type: string
          description: The CVE identifier of the vulnerability.
          required: true
    authentication:
      type: bearer
      token: '{{env.MICROSOFT_DEFENDER_API_KEY}}'
  exposes:
  - type: rest
    namespace: for-endpoint-machines-rest
    port: 8080
    description: REST adapter for Microsoft Defender for Endpoint API — Machines. One Spectral-compliant resource per consumed
      operation, prefixed with /v1.
    resources:
    - path: /v1/machines
      name: machines
      description: REST surface for machines.
      operations:
      - method: GET
        name: listmachines
        description: Microsoft Defender List machines
        call: for-endpoint-machines.listmachines
        with:
          $filter: rest.$filter
          $top: rest.$top
          $skip: rest.$skip
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/machines/{machineid}
      name: machines-machineid
      description: REST surface for machines-machineId.
      operations:
      - method: GET
        name: getmachine
        description: Microsoft Defender Get machine by ID
        call: for-endpoint-machines.getmachine
        with:
          machineId: rest.machineId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/machines/{machineid}/alerts
      name: machines-machineid-alerts
      description: REST surface for machines-machineId-alerts.
      operations:
      - method: GET
        name: listmachinealerts
        description: Microsoft Defender List alerts for a machine
        call: for-endpoint-machines.listmachinealerts
        with:
          machineId: rest.machineId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/machines/{machineid}/vulnerabilities
      name: machines-machineid-vulnerabilities
      description: REST surface for machines-machineId-vulnerabilities.
      operations:
      - method: GET
        name: listmachinevulnerabilities
        description: Microsoft Defender List vulnerabilities for a machine
        call: for-endpoint-machines.listmachinevulnerabilities
        with:
          machineId: rest.machineId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/vulnerabilities/{vulnerabilityid}/machinereferences
      name: vulnerabilities-vulnerabilityid-machinereferences
      description: REST surface for vulnerabilities-vulnerabilityId-machineReferences.
      operations:
      - method: GET
        name: listvulnerabilitymachinereferences
        description: Microsoft Defender List machines affected by a vulnerability
        call: for-endpoint-machines.listvulnerabilitymachinereferences
        with:
          vulnerabilityId: rest.vulnerabilityId
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: for-endpoint-machines-mcp
    port: 9090
    transport: http
    description: MCP adapter for Microsoft Defender for Endpoint API — Machines. One tool per consumed operation, routed inline
      through this capability's consumes block.
    tools:
    - name: microsoft-defender-list-machines
      description: Microsoft Defender List machines
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: for-endpoint-machines.listmachines
      with:
        $filter: tools.$filter
        $top: tools.$top
        $skip: tools.$skip
      outputParameters:
      - type: object
        mapping: $.
    - name: microsoft-defender-get-machine-id
      description: Microsoft Defender Get machine by ID
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: for-endpoint-machines.getmachine
      with:
        machineId: tools.machineId
      outputParameters:
      - type: object
        mapping: $.
    - name: microsoft-defender-list-alerts-machine
      description: Microsoft Defender List alerts for a machine
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: for-endpoint-machines.listmachinealerts
      with:
        machineId: tools.machineId
      outputParameters:
      - type: object
        mapping: $.
    - name: microsoft-defender-list-vulnerabilities-machine
      description: Microsoft Defender List vulnerabilities for a machine
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: for-endpoint-machines.listmachinevulnerabilities
      with:
        machineId: tools.machineId
      outputParameters:
      - type: object
        mapping: $.
    - name: microsoft-defender-list-machines-affected
      description: Microsoft Defender List machines affected by a vulnerability
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: for-endpoint-machines.listvulnerabilitymachinereferences
      with:
        vulnerabilityId: tools.vulnerabilityId
      outputParameters:
      - type: object
        mapping: $.