WatchGuard Endpoint Threat Response

Unified threat response capability combining WatchGuard Cloud Platform account management with Endpoint Security device management, security event monitoring, and risk assessment. Designed for security operations teams responding to endpoint threats, managing device isolation, and reviewing security posture.

Tags: WatchGuard, Endpoint Security, Threat Response, Device Management, Risk Assessment

What You Can Do

| Method | Path | Operation | Description |
|---|---|---|---|
| GET | /v1/accounts/{accountId} | Get account | Get WatchGuard Cloud account details. |
| GET | /v1/accounts/{accountId}/managed-accounts | Get managed accounts | List all managed sub-accounts. |
| GET | /v1/devices | List devices | List all managed endpoint devices. |
| GET | /v1/devices/protection-status | Get devices protection status | Get protection status for all endpoint devices. |
| POST | /v1/devices/isolation | Isolate devices | Isolate devices from the network. |
| POST | /v1/devices/remove-isolation | Remove device isolation | Remove network isolation. |
| POST | /v1/devices/scan | Start immediate scan | Start an immediate malware scan. |
| GET | /v1/security/overview/{period} | Get security overview | Get security overview summary. |
| GET | /v1/risk/summary | Get company risk summary | Get risk summary by severity level. |
| GET | /v1/risk/detected | Get detected risks | Get detected risks by type. |
| POST | /v1/activations | Activate device or license | Activate hardware devices or software licenses. |
| GET | /v1/operators | Get operators | List operators for an account. |
| POST | /v1/operators | Create operators | Create new operator users. |

MCP Tools

| Tool | Description | Hints |
|---|---|---|
| get-account | Get WatchGuard Cloud account information and status. | read-only |
| get-managed-accounts | List all managed sub-accounts in WatchGuard Cloud. | read-only |
| list-devices | List all WatchGuard managed endpoint devices with protection status. | read-only |
| get-devices-protection-status | Get the protection status of all WatchGuard managed endpoint devices. | read-only |
| isolate-devices | Isolate compromised WatchGuard endpoint devices from the network. | destructive |
| remove-device-isolation | Remove network isolation from WatchGuard endpoint devices after remediation. | idempotent |
| start-immediate-scan | Start an immediate malware scan on WatchGuard endpoint devices. | |
| get-security-overview | Get a WatchGuard endpoint security overview for 1, 7, or 30 days. | read-only |
| get-company-risk-summary | Get company-wide endpoint security risk summary by severity level. | read-only |
| get-detected-risks | Get WatchGuard endpoint detected risks broken down by type and device. | read-only |
| activate-device-or-license | Activate WatchGuard hardware devices or software license keys. | |
| get-recent-activations | Get recent WatchGuard device and license activation history. | read-only |
| get-operators | List WatchGuard Cloud operator users for an account. | read-only |
| create-operators | Create new WatchGuard Cloud operator users. | |

APIs Used

- wg-platform (./shared/cloud-platform.yaml)
- wg-endpoint (./shared/endpoint-security.yaml)

Capability Spec

endpoint-threat-response.yaml
naftiko: "1.0.0-alpha1"

info:
  label: "WatchGuard Endpoint Threat Response"
  description: >-
    Unified threat response capability combining WatchGuard Cloud Platform account
    management with Endpoint Security device management, security event monitoring,
    and risk assessment. Designed for security operations teams responding to
    endpoint threats, managing device isolation, and reviewing security posture.
  tags:
    - WatchGuard
    - Endpoint Security
    - Threat Response
    - Device Management
    - Risk Assessment
  created: "2026-05-03"
  modified: "2026-05-03"

binds:
  - namespace: env
    keys:
      WATCHGUARD_ACCESS_TOKEN: WATCHGUARD_ACCESS_TOKEN
      WATCHGUARD_API_KEY: WATCHGUARD_API_KEY

capability:
  consumes:
    - import: wg-platform
      location: ./shared/cloud-platform.yaml
    - import: wg-endpoint
      location: ./shared/endpoint-security.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: wg-threat-response-api
      description: "Unified REST API for WatchGuard endpoint threat response workflows."
      resources:
        - path: /v1/accounts/{accountId}
          name: account
          description: "WatchGuard Cloud account information."
          operations:
            - method: GET
              name: get-account
              description: "Get WatchGuard Cloud account details."
              call: "wg-platform.get-account"
              with:
                accountId: "rest.accountId"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/accounts/{accountId}/managed-accounts
          name: managed-accounts
          description: "Sub-accounts managed by a service provider."
          operations:
            - method: GET
              name: get-managed-accounts
              description: "List all managed sub-accounts."
              call: "wg-platform.get-managed-accounts"
              with:
                accountId: "rest.accountId"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/devices
          name: devices
          description: "Managed endpoint devices."
          operations:
            - method: GET
              name: list-devices
              description: "List all managed endpoint devices."
              call: "wg-endpoint.list-devices"
              with:
                accountId: "rest.accountId"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/devices/protection-status
          name: device-protection-status
          description: "Protection status for all managed devices."
          operations:
            - method: GET
              name: get-devices-protection-status
              description: "Get protection status for all endpoint devices."
              call: "wg-endpoint.get-devices-protection-status"
              with:
                accountId: "rest.accountId"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/devices/isolation
          name: device-isolation
          description: "Isolate or release endpoint devices."
          operations:
            - method: POST
              name: isolate-devices
              description: "Isolate devices from the network."
              call: "wg-endpoint.isolate-devices"
              with:
                accountId: "rest.accountId"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/devices/remove-isolation
          name: device-remove-isolation
          description: "Remove network isolation from devices."
          operations:
            - method: POST
              name: remove-device-isolation
              description: "Remove network isolation."
              call: "wg-endpoint.remove-device-isolation"
              with:
                accountId: "rest.accountId"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/devices/scan
          name: device-scan
          description: "Initiate immediate security scans."
          operations:
            - method: POST
              name: start-immediate-scan
              description: "Start an immediate malware scan."
              call: "wg-endpoint.start-immediate-scan"
              with:
                accountId: "rest.accountId"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/security/overview/{period}
          name: security-overview
          description: "Security posture overview."
          operations:
            - method: GET
              name: get-security-overview
              description: "Get security overview summary."
              call: "wg-endpoint.get-security-overview"
              with:
                accountId: "rest.accountId"
                period: "rest.period"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/risk/summary
          name: risk-summary
          description: "Company-wide risk summary."
          operations:
            - method: GET
              name: get-company-risk-summary
              description: "Get risk summary by severity level."
              call: "wg-endpoint.get-company-risk-summary"
              with:
                accountId: "rest.accountId"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/risk/detected
          name: detected-risks
          description: "Detected risk details."
          operations:
            - method: GET
              name: get-detected-risks
              description: "Get detected risks by type."
              call: "wg-endpoint.get-detected-risks"
              with:
                accountId: "rest.accountId"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/activations
          name: activations
          description: "Device and license activation."
          operations:
            - method: POST
              name: activate-device-or-license
              description: "Activate hardware devices or software licenses."
              call: "wg-platform.activate-device-or-license"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/operators
          name: operators
          description: "WatchGuard Cloud operator management."
          operations:
            - method: GET
              name: get-operators
              description: "List operators for an account."
              call: "wg-platform.get-operators-by-account"
              with:
                account_id: "rest.accountId"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: POST
              name: create-operators
              description: "Create new operator users."
              call: "wg-platform.create-operators"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: wg-threat-response-mcp
      transport: http
      description: "MCP server for AI-assisted WatchGuard endpoint threat response."
      tools:
        - name: get-account
          description: "Get WatchGuard Cloud account information and status."
          hints:
            readOnly: true
            openWorld: true
          call: "wg-platform.get-account"
          with:
            accountId: "tools.accountId"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-managed-accounts
          description: "List all managed sub-accounts in WatchGuard Cloud."
          hints:
            readOnly: true
            openWorld: true
          call: "wg-platform.get-managed-accounts"
          with:
            accountId: "tools.accountId"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-devices
          description: "List all WatchGuard managed endpoint devices with protection status."
          hints:
            readOnly: true
            openWorld: true
          call: "wg-endpoint.list-devices"
          with:
            accountId: "tools.accountId"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-devices-protection-status
          description: "Get the protection status of all WatchGuard managed endpoint devices."
          hints:
            readOnly: true
            openWorld: true
          call: "wg-endpoint.get-devices-protection-status"
          with:
            accountId: "tools.accountId"
          outputParameters:
            - type: object
              mapping: "$."

        - name: isolate-devices
          description: "Isolate compromised WatchGuard endpoint devices from the network."
          hints:
            readOnly: false
            destructive: true
          call: "wg-endpoint.isolate-devices"
          with:
            accountId: "tools.accountId"
            device_ids: "tools.device_ids"
            customized_message: "tools.customized_message"
          outputParameters:
            - type: object
              mapping: "$."

        - name: remove-device-isolation
          description: "Remove network isolation from WatchGuard endpoint devices after remediation."
          hints:
            readOnly: false
            idempotent: true
          call: "wg-endpoint.remove-device-isolation"
          with:
            accountId: "tools.accountId"
            device_ids: "tools.device_ids"
          outputParameters:
            - type: object
              mapping: "$."

        - name: start-immediate-scan
          description: "Start an immediate malware scan on WatchGuard endpoint devices."
          hints:
            readOnly: false
          call: "wg-endpoint.start-immediate-scan"
          with:
            accountId: "tools.accountId"
            device_ids: "tools.device_ids"
            task_name: "tools.task_name"
            scan_scope: "tools.scan_scope"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-security-overview
          description: "Get a WatchGuard endpoint security overview for 1, 7, or 30 days."
          hints:
            readOnly: true
            openWorld: true
          call: "wg-endpoint.get-security-overview"
          with:
            accountId: "tools.accountId"
            period: "tools.period"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-company-risk-summary
          description: "Get company-wide endpoint security risk summary by severity level."
          hints:
            readOnly: true
            openWorld: true
          call: "wg-endpoint.get-company-risk-summary"
          with:
            accountId: "tools.accountId"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-detected-risks
          description: "Get WatchGuard endpoint detected risks broken down by type and device."
          hints:
            readOnly: true
            openWorld: true
          call: "wg-endpoint.get-detected-risks"
          with:
            accountId: "tools.accountId"
          outputParameters:
            - type: object
              mapping: "$."

        - name: activate-device-or-license
          description: "Activate WatchGuard hardware devices or software license keys."
          hints:
            readOnly: false
          call: "wg-platform.activate-device-or-license"
          with:
            activations: "tools.activations"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-recent-activations
          description: "Get recent WatchGuard device and license activation history."
          hints:
            readOnly: true
            openWorld: true
          call: "wg-platform.get-recent-activations"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-operators
          description: "List WatchGuard Cloud operator users for an account."
          hints:
            readOnly: true
            openWorld: true
          call: "wg-platform.get-operators-by-account"
          with:
            account_id: "tools.accountId"
          outputParameters:
            - type: object
              mapping: "$."

        - name: create-operators
          description: "Create new WatchGuard Cloud operator users."
          hints:
            readOnly: false
          call: "wg-platform.create-operators"
          with:
            username: "tools.username"
            accountId: "tools.accountId"
            firstName: "tools.firstName"
            lastName: "tools.lastName"
            email: "tools.email"
            phone: "tools.phone"
            role: "tools.role"
          outputParameters:
            - type: object
              mapping: "$."