Microsoft Defender for Endpoint API
API for endpoint detection and response, threat and vulnerability management, and automated investigation and remediation. Provides programmatic access to alerts, machines, and vulnerabilities managed by Microsoft Defender for Endpoint.
What You Can Do
GET
Listalerts
— Microsoft Defender List alerts
/alerts
GET
Getalert
— Microsoft Defender Get alert by ID
/alerts/{alertId}
PATCH
Updatealert
— Microsoft Defender Update alert
/alerts/{alertId}
GET
Listmachines
— Microsoft Defender List machines
/machines
GET
Getmachine
— Microsoft Defender Get machine by ID
/machines/{machineId}
GET
Listmachinealerts
— Microsoft Defender List alerts for a machine
/machines/{machineId}/alerts
GET
Listmachinevulnerabilities
— Microsoft Defender List vulnerabilities for a machine
/machines/{machineId}/vulnerabilities
GET
Listvulnerabilities
— Microsoft Defender List all vulnerabilities
/vulnerabilities
GET
Getvulnerability
— Microsoft Defender Get vulnerability by ID
/vulnerabilities/{vulnerabilityId}
GET
Listvulnerabilitymachinereferences
— Microsoft Defender List machines affected by a vulnerability
/vulnerabilities/{vulnerabilityId}/machineReferences
MCP Tools
listalerts
Microsoft Defender List alerts
read-only
idempotent
getalert
Microsoft Defender Get alert by ID
read-only
idempotent
updatealert
Microsoft Defender Update alert
listmachines
Microsoft Defender List machines
read-only
idempotent
getmachine
Microsoft Defender Get machine by ID
read-only
idempotent
listmachinealerts
Microsoft Defender List alerts for a machine
read-only
idempotent
listmachinevulnerabilities
Microsoft Defender List vulnerabilities for a machine
read-only
idempotent
listvulnerabilities
Microsoft Defender List all vulnerabilities
read-only
idempotent
getvulnerability
Microsoft Defender Get vulnerability by ID
read-only
idempotent
listvulnerabilitymachinereferences
Microsoft Defender List machines affected by a vulnerability
read-only
idempotent
Capability Spec
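# Naftiko capability spec for the Microsoft Defender for Endpoint API.
# Layout: `consumes` describes the upstream HTTP API, `exposes` the REST and
# MCP adapters layered on top of it, and `binds` wires environment secrets
# into the `{{...}}` placeholders referenced above.
# Indentation restored: the rendered copy of this file had lost all nesting,
# which makes it unparseable (sibling keys collide at column 0).
naftiko: 1.0.0-alpha2
info:
  label: Microsoft Defender for Endpoint API
  description: >-
    API for endpoint detection and response, threat and vulnerability
    management, and automated investigation and remediation. Provides
    programmatic access to alerts, machines, and vulnerabilities managed by
    Microsoft Defender for Endpoint.
  tags:
    - Microsoft
    - Defender
    - API
  # Quoted so YAML keeps these as strings rather than parsing them as dates.
  created: '2026-05-06'
  modified: '2026-05-06'
capability:
  consumes:
    - type: http
      namespace: microsoft-defender
      baseUri: https://api.security.microsoft.com/api
      description: Microsoft Defender for Endpoint API HTTP API.
      authentication:
        type: bearer
        # Resolved at runtime from the `env` binding at the bottom of this file;
        # never replace the placeholder with a literal token in this spec.
        # Least privilege: every operation below is a read except updatealert, so
        # the app registration behind this token only needs read permissions
        # (e.g. Alert.Read.All, Machine.Read.All, Vulnerability.Read.All) plus
        # Alert.ReadWrite.All only if updatealert is actually required.
        token: '{{MICROSOFT_DEFENDER_TOKEN}}'
      resources:
        - name: alerts
          path: /alerts
          operations:
            - name: listalerts
              method: GET
              description: Microsoft Defender List alerts
              inputParameters:
                - name: $filter
                  in: query
                  type: string
                  # NOTE(review): the property list is truncated in the source
                  # ("lastEven"); complete it against the Defender API docs.
                  description: >-
                    OData filter expression. Filterable properties include
                    alertCreationTime, lastUpdateTime, incidentId,
                    investigationId, id, assignedTo, detectionSource, lastEven
                - name: $top
                  in: query
                  type: integer
                  description: Maximum number of results to return (max 10,000).
                - name: $skip
                  in: query
                  type: integer
                  description: Number of results to skip for pagination.
                - name: $expand
                  in: query
                  type: string
                  description: Expand related entities. Supports expanding evidence.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: alerts-alertid
          path: /alerts/{alertId}
          operations:
            - name: getalert
              method: GET
              description: Microsoft Defender Get alert by ID
              inputParameters:
                - name: alertId
                  in: path
                  type: string
                  required: true
                  description: The unique identifier of the alert.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: updatealert
              method: PATCH
              description: Microsoft Defender Update alert
              # NOTE(review): this is the only write operation in the spec, yet no
              # request-body parameter is declared, so callers have no way to pass
              # the alert fields to change (the upstream API updates fields such as
              # status or assignment from the PATCH body). Confirm how this spec
              # version declares a body and add it; as written the PATCH presumably
              # goes out with an empty body.
              inputParameters:
                - name: alertId
                  in: path
                  type: string
                  required: true
                  description: The unique identifier of the alert to update.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: machines
          path: /machines
          operations:
            - name: listmachines
              method: GET
              description: Microsoft Defender List machines
              inputParameters:
                - name: $filter
                  in: query
                  type: string
                  # NOTE(review): the property list is truncated in the source
                  # ("onboardingS"); complete it against the Defender API docs.
                  description: >-
                    OData filter expression. Filterable properties include
                    computerDnsName, id, version, deviceValue, aadDeviceId,
                    machineTags, lastSeen, exposureLevel, onboardingS
                - name: $top
                  in: query
                  type: integer
                  description: Maximum number of results to return (max 10,000).
                - name: $skip
                  in: query
                  type: integer
                  description: Number of results to skip for pagination.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: machines-machineid
          path: /machines/{machineId}
          operations:
            - name: getmachine
              method: GET
              description: Microsoft Defender Get machine by ID
              inputParameters:
                - name: machineId
                  in: path
                  type: string
                  required: true
                  description: The device ID or computer name of the machine.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: machines-machineid-alerts
          path: /machines/{machineId}/alerts
          operations:
            - name: listmachinealerts
              method: GET
              description: Microsoft Defender List alerts for a machine
              inputParameters:
                - name: machineId
                  in: path
                  type: string
                  required: true
                  description: The device ID of the machine.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: machines-machineid-vulnerabilities
          path: /machines/{machineId}/vulnerabilities
          operations:
            - name: listmachinevulnerabilities
              method: GET
              description: Microsoft Defender List vulnerabilities for a machine
              inputParameters:
                - name: machineId
                  in: path
                  type: string
                  required: true
                  description: The device ID of the machine.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: vulnerabilities
          path: /vulnerabilities
          operations:
            - name: listvulnerabilities
              method: GET
              description: Microsoft Defender List all vulnerabilities
              inputParameters:
                - name: $filter
                  in: query
                  type: string
                  description: >-
                    OData filter expression. Filterable properties include id,
                    name, description, cvssV3, publishedOn, severity, and
                    updatedOn.
                - name: $top
                  in: query
                  type: integer
                  # Lower page cap than the alerts/machines endpoints; value as given
                  # in the source.
                  description: Maximum number of results to return (max 8,000).
                - name: $skip
                  in: query
                  type: integer
                  description: Number of results to skip for pagination.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: vulnerabilities-vulnerabilityid
          path: /vulnerabilities/{vulnerabilityId}
          operations:
            - name: getvulnerability
              method: GET
              description: Microsoft Defender Get vulnerability by ID
              inputParameters:
                - name: vulnerabilityId
                  in: path
                  type: string
                  required: true
                  description: The CVE identifier of the vulnerability.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: vulnerabilities-vulnerabilityid-machinereference
          path: /vulnerabilities/{vulnerabilityId}/machineReferences
          operations:
            - name: listvulnerabilitymachinereferences
              method: GET
              description: Microsoft Defender List machines affected by a vulnerability
              inputParameters:
                - name: vulnerabilityId
                  in: path
                  type: string
                  required: true
                  description: The CVE identifier of the vulnerability.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
  exposes:
    - type: rest
      port: 8080
      namespace: microsoft-defender-rest
      # NOTE(review): no authentication is declared on this adapter (nor on the
      # MCP one below). Anything that can reach the port can drive the Defender
      # tenant with the bound token, including the alert update path. Confirm
      # that the runtime enforces caller authentication, or bind the listener to
      # a trusted network only, before deploying.
      description: REST adapter for Microsoft Defender for Endpoint API.
      resources:
        - path: /alerts
          name: listalerts
          operations:
            - method: GET
              name: listalerts
              description: Microsoft Defender List alerts
              call: microsoft-defender.listalerts
              # NOTE(review): unlike the MCP tool, no `with:` forwards $filter,
              # $top, $skip or $expand here, so REST callers cannot filter or
              # paginate unless the adapter passes query strings through
              # implicitly — confirm. The same applies to /machines and
              # /vulnerabilities below.
              outputParameters:
                - type: object
                  mapping: $.
        - path: /alerts/{alertId}
          name: getalert
          operations:
            - method: GET
              name: getalert
              description: Microsoft Defender Get alert by ID
              call: microsoft-defender.getalert
              with:
                alertId: rest.alertId
              outputParameters:
                - type: object
                  mapping: $.
        # Same path as getalert, split into a second resource so each carries one
        # method; kept as in the source.
        - path: /alerts/{alertId}
          name: updatealert
          operations:
            - method: PATCH
              name: updatealert
              description: Microsoft Defender Update alert
              call: microsoft-defender.updatealert
              with:
                alertId: rest.alertId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /machines
          name: listmachines
          operations:
            - method: GET
              name: listmachines
              description: Microsoft Defender List machines
              call: microsoft-defender.listmachines
              outputParameters:
                - type: object
                  mapping: $.
        - path: /machines/{machineId}
          name: getmachine
          operations:
            - method: GET
              name: getmachine
              description: Microsoft Defender Get machine by ID
              call: microsoft-defender.getmachine
              with:
                machineId: rest.machineId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /machines/{machineId}/alerts
          name: listmachinealerts
          operations:
            - method: GET
              name: listmachinealerts
              description: Microsoft Defender List alerts for a machine
              call: microsoft-defender.listmachinealerts
              with:
                machineId: rest.machineId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /machines/{machineId}/vulnerabilities
          name: listmachinevulnerabilities
          operations:
            - method: GET
              name: listmachinevulnerabilities
              description: Microsoft Defender List vulnerabilities for a machine
              call: microsoft-defender.listmachinevulnerabilities
              with:
                machineId: rest.machineId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /vulnerabilities
          name: listvulnerabilities
          operations:
            - method: GET
              name: listvulnerabilities
              description: Microsoft Defender List all vulnerabilities
              call: microsoft-defender.listvulnerabilities
              outputParameters:
                - type: object
                  mapping: $.
        - path: /vulnerabilities/{vulnerabilityId}
          name: getvulnerability
          operations:
            - method: GET
              name: getvulnerability
              description: Microsoft Defender Get vulnerability by ID
              call: microsoft-defender.getvulnerability
              with:
                vulnerabilityId: rest.vulnerabilityId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /vulnerabilities/{vulnerabilityId}/machineReferences
          name: listvulnerabilitymachinereferences
          operations:
            - method: GET
              name: listvulnerabilitymachinereferences
              description: Microsoft Defender List machines affected by a vulnerability
              call: microsoft-defender.listvulnerabilitymachinereferences
              with:
                vulnerabilityId: rest.vulnerabilityId
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      port: 9090
      namespace: microsoft-defender-mcp
      transport: http
      description: MCP adapter for Microsoft Defender for Endpoint API for AI agent use.
      tools:
        - name: listalerts
          description: Microsoft Defender List alerts
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: microsoft-defender.listalerts
          # The agent-supplied OData filter is forwarded verbatim to the upstream
          # API; the query scope is therefore bounded only by the token's
          # permissions, which is another reason to keep that token read-only.
          with:
            $filter: tools.$filter
            $top: tools.$top
            $skip: tools.$skip
            $expand: tools.$expand
          inputParameters:
            - name: $filter
              type: string
              # NOTE(review): truncated in the source ("lastEven"), as in the
              # consumes definition; complete against the Defender API docs.
              description: >-
                OData filter expression. Filterable properties include
                alertCreationTime, lastUpdateTime, incidentId, investigationId,
                id, assignedTo, detectionSource, lastEven
            - name: $top
              type: integer
              description: Maximum number of results to return (max 10,000).
            - name: $skip
              type: integer
              description: Number of results to skip for pagination.
            - name: $expand
              type: string
              description: Expand related entities. Supports expanding evidence.
          outputParameters:
            - type: object
              mapping: $.
        - name: getalert
          description: Microsoft Defender Get alert by ID
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: microsoft-defender.getalert
          with:
            alertId: tools.alertId
          inputParameters:
            - name: alertId
              type: string
              description: The unique identifier of the alert.
              required: true
          outputParameters:
            - type: object
              mapping: $.
        - name: updatealert
          description: Microsoft Defender Update alert
          # NOTE(review): the only tool an agent can use to change tenant state.
          # An alert update can alter triage-relevant fields (the upstream API
          # takes e.g. status/assignment in the PATCH body), so treat it as
          # consequential even though it is marked `destructive: false`: gate it
          # behind human confirmation in the agent harness and log every call
          # with the caller identity. As with the upstream operation, no body
          # parameter is declared here, so the fields to update cannot currently
          # be passed — confirm how this spec version expresses a request body.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: microsoft-defender.updatealert
          with:
            alertId: tools.alertId
          inputParameters:
            - name: alertId
              type: string
              description: The unique identifier of the alert to update.
              required: true
          outputParameters:
            - type: object
              mapping: $.
        - name: listmachines
          description: Microsoft Defender List machines
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: microsoft-defender.listmachines
          with:
            $filter: tools.$filter
            $top: tools.$top
            $skip: tools.$skip
          inputParameters:
            - name: $filter
              type: string
              # NOTE(review): truncated in the source ("onboardingS"), as in the
              # consumes definition; complete against the Defender API docs.
              description: >-
                OData filter expression. Filterable properties include
                computerDnsName, id, version, deviceValue, aadDeviceId,
                machineTags, lastSeen, exposureLevel, onboardingS
            - name: $top
              type: integer
              description: Maximum number of results to return (max 10,000).
            - name: $skip
              type: integer
              description: Number of results to skip for pagination.
          outputParameters:
            - type: object
              mapping: $.
        - name: getmachine
          description: Microsoft Defender Get machine by ID
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: microsoft-defender.getmachine
          with:
            machineId: tools.machineId
          inputParameters:
            - name: machineId
              type: string
              description: The device ID or computer name of the machine.
              required: true
          outputParameters:
            - type: object
              mapping: $.
        - name: listmachinealerts
          description: Microsoft Defender List alerts for a machine
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: microsoft-defender.listmachinealerts
          with:
            machineId: tools.machineId
          inputParameters:
            - name: machineId
              type: string
              description: The device ID of the machine.
              required: true
          outputParameters:
            - type: object
              mapping: $.
        - name: listmachinevulnerabilities
          description: Microsoft Defender List vulnerabilities for a machine
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: microsoft-defender.listmachinevulnerabilities
          with:
            machineId: tools.machineId
          inputParameters:
            - name: machineId
              type: string
              description: The device ID of the machine.
              required: true
          outputParameters:
            - type: object
              mapping: $.
        - name: listvulnerabilities
          description: Microsoft Defender List all vulnerabilities
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: microsoft-defender.listvulnerabilities
          with:
            $filter: tools.$filter
            $top: tools.$top
            $skip: tools.$skip
          inputParameters:
            - name: $filter
              type: string
              description: >-
                OData filter expression. Filterable properties include id,
                name, description, cvssV3, publishedOn, severity, and
                updatedOn.
            - name: $top
              type: integer
              description: Maximum number of results to return (max 8,000).
            - name: $skip
              type: integer
              description: Number of results to skip for pagination.
          outputParameters:
            - type: object
              mapping: $.
        - name: getvulnerability
          description: Microsoft Defender Get vulnerability by ID
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: microsoft-defender.getvulnerability
          with:
            vulnerabilityId: tools.vulnerabilityId
          inputParameters:
            - name: vulnerabilityId
              type: string
              description: The CVE identifier of the vulnerability.
              required: true
          outputParameters:
            - type: object
              mapping: $.
        - name: listvulnerabilitymachinereferences
          description: Microsoft Defender List machines affected by a vulnerability
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: microsoft-defender.listvulnerabilitymachinereferences
          with:
            vulnerabilityId: tools.vulnerabilityId
          inputParameters:
            - name: vulnerabilityId
              type: string
              description: The CVE identifier of the vulnerability.
              required: true
          outputParameters:
            - type: object
              mapping: $.
  # Secret wiring: the environment variable on the right is read at runtime and
  # substituted into the `{{MICROSOFT_DEFENDER_TOKEN}}` placeholder above. Keep
  # the token out of version control and rotate it if either adapter is ever
  # exposed without authentication.
  binds:
    - namespace: env
      keys:
        MICROSOFT_DEFENDER_TOKEN: MICROSOFT_DEFENDER_TOKEN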