Microsoft Defender website screenshot

Microsoft Defender

Collection of Microsoft Defender security APIs for threat protection, endpoint security, and security operations.

8 APIs 0 Features

APIs

Microsoft Defender for Endpoint API

API for endpoint detection and response, threat and vulnerability management, and automated investigation and remediation.

Microsoft Defender for Cloud Apps API

Cloud Access Security Broker (CASB) API for discovering, investigating, and governing cloud apps.

Microsoft Defender Threat Intelligence API

Access threat intelligence data, indicators of compromise (IOCs), and threat analytics.

Microsoft Graph Security API

Unified API for Microsoft security products including Defender alerts, secure scores, and security actions.

Microsoft Defender for Office 365 API

API for email and collaboration protection including anti-phishing, anti-malware, and safe attachments.

Microsoft Defender XDR API

Unified extended detection and response API for automating workflows based on shared incident and advanced hunting tables across Microsoft security products.

Microsoft Defender for Cloud REST API

REST API for unified security management and advanced threat protection across hybrid cloud workloads in Azure, other clouds, and on-premises.

Microsoft Defender for Identity API

API for identity-based attack detection and investigation across on-premises Active Directory and hybrid environments, with sensor management via Microsoft Graph.

Collections

Pricing Plans

Rate Limits

Microsoft Defender Rate Limits

6 limits

RATE LIMITS

FinOps

Semantic Vocabularies

Microsoft Defender Context

0 classes · 5 properties

JSON-LD

JSON Structure

Microsoft Defender Structure

0 properties

JSON STRUCTURE

Resources

👥
GitHubOrganization
GitHubOrganization
🌐
Portal
Portal
🔗
Documentation Hub
Documentation Hub
🟢
StatusPage
StatusPage
📜
TermsOfService
TermsOfService
📜
PrivacyPolicy
PrivacyPolicy
📄
Developer Changelog
Developer Changelog
📰
Security Blog
Security Blog
🔗
Microsoft Graph Explorer
Microsoft Graph Explorer
🔑
Authentication Overview
Authentication Overview
💰
Security Pricing Overview
Security Pricing Overview

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: Microsoft Defender for Endpoint API
  version: 1.0.0
request:
  auth:
    type: oauth2
    flow: client_credentials
    accessTokenUrl: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
    credentials:
      clientId: '{{clientId}}'
      clientSecret: '{{clientSecret}}'
items:
- info:
    name: Alerts
    type: folder
  items:
  - info:
      name: Microsoft Defender List alerts
      type: http
    http:
      method: GET
      url: https://api.security.microsoft.com/api/alerts
      params:
      - name: $filter
        value: severity eq 'High' and status eq 'New'
        type: query
        description: OData filter expression. Filterable properties include alertCreationTime, lastUpdateTime, incidentId,
          investigationId, id, assignedTo, detectionSource, lastEventTime, status, severity, and category.
      - name: $top
        value: '10'
        type: query
        description: Maximum number of results to return (max 10,000).
      - name: $skip
        value: ''
        type: query
        description: Number of results to skip for pagination.
      - name: $expand
        value: ''
        type: query
        description: Expand related entities. Supports expanding evidence.
    docs: Retrieves a collection of alerts. Supports OData V4 query parameters including $filter, $top (max 10,000), $skip,
      and $expand for evidence. Rate limited to 100 calls per minute and 1,500 calls per hour.
  - info:
      name: Microsoft Defender Get alert by ID
      type: http
    http:
      method: GET
      url: https://api.security.microsoft.com/api/alerts/:alertId
      params:
      - name: alertId
        value: da637472900382838869_1364969609
        type: path
        description: The unique identifier of the alert.
    docs: Retrieves a specific alert by its alert ID.
  - info:
      name: Microsoft Defender Update alert
      type: http
    http:
      method: PATCH
      url: https://api.security.microsoft.com/api/alerts/:alertId
      params:
      - name: alertId
        value: da637472900382838869_1364969609
        type: path
        description: The unique identifier of the alert to update.
      body:
        type: json
        data: '{}'
    docs: Updates properties of an existing alert. Updatable properties are status, determination, classification, and assignedTo.
      A comment can be submitted with or without updating properties.
  - info:
      name: Microsoft Defender List alerts for a machine
      type: http
    http:
      method: GET
      url: https://api.security.microsoft.com/api/machines/:machineId/alerts
      params:
      - name: machineId
        value: 1e5bc9d7e413ddd7902c2932e418702b84d0cc07
        type: path
        description: The device ID of the machine.
    docs: Retrieves a collection of alerts related to a specific machine.
- info:
    name: Machines
    type: folder
  items:
  - info:
      name: Microsoft Defender List machines
      type: http
    http:
      method: GET
      url: https://api.security.microsoft.com/api/machines
      params:
      - name: $filter
        value: healthStatus eq 'Active' and riskScore eq 'High'
        type: query
        description: OData filter expression. Filterable properties include computerDnsName, id, version, deviceValue, aadDeviceId,
          machineTags, lastSeen, exposureLevel, onboardingStatus, lastIpAddress, healthStatus, osPlatform, riskScore, and
          rbacGroupId.
      - name: $top
        value: '50'
        type: query
        description: Maximum number of results to return (max 10,000).
      - name: $skip
        value: ''
        type: query
        description: Number of results to skip for pagination.
    docs: Retrieves a collection of machines that have communicated with Microsoft Defender for Endpoint. Supports OData V4
      query parameters including $filter, $top (max 10,000), and $skip. Rate limited to 100 calls per minute and 1,500 calls
      per hour.
  - info:
      name: Microsoft Defender Get machine by ID
      type: http
    http:
      method: GET
      url: https://api.security.microsoft.com/api/machines/:machineId
      params:
      - name: machineId
        value: 1e5bc9d7e413ddd7902c2932e418702b84d0cc07
        type: path
        description: The device ID or computer name of the machine.
    docs: Retrieves a specific machine by its device ID or computer name.
  - info:
      name: Microsoft Defender List vulnerabilities for a machine
      type: http
    http:
      method: GET
      url: https://api.security.microsoft.com/api/machines/:machineId/vulnerabilities
      params:
      - name: machineId
        value: 1e5bc9d7e413ddd7902c2932e418702b84d0cc07
        type: path
        description: The device ID of the machine.
    docs: Retrieves a collection of discovered vulnerabilities related to a specific machine.
  - info:
      name: Microsoft Defender List machines affected by a vulnerability
      type: http
    http:
      method: GET
      url: https://api.security.microsoft.com/api/vulnerabilities/:vulnerabilityId/machineReferences
      params:
      - name: vulnerabilityId
        value: CVE-2024-7256
        type: path
        description: The CVE identifier of the vulnerability.
    docs: Retrieves a list of machines affected by a specific vulnerability.
- info:
    name: Vulnerabilities
    type: folder
  items:
  - info:
      name: Microsoft Defender List all vulnerabilities
      type: http
    http:
      method: GET
      url: https://api.security.microsoft.com/api/vulnerabilities
      params:
      - name: $filter
        value: severity eq 'Critical'
        type: query
        description: OData filter expression. Filterable properties include id, name, description, cvssV3, publishedOn, severity,
          and updatedOn.
      - name: $top
        value: '50'
        type: query
        description: Maximum number of results to return (max 8,000).
      - name: $skip
        value: ''
        type: query
        description: Number of results to skip for pagination.
    docs: Retrieves a list of all vulnerabilities affecting the organization. Supports OData V4 query parameters including
      $filter, $top (max 8,000), and $skip.
  - info:
      name: Microsoft Defender Get vulnerability by ID
      type: http
    http:
      method: GET
      url: https://api.security.microsoft.com/api/vulnerabilities/:vulnerabilityId
      params:
      - name: vulnerabilityId
        value: CVE-2024-7256
        type: path
        description: The CVE identifier of the vulnerability.
    docs: Retrieves a specific vulnerability by its CVE ID.
bundled: true