Microsoft Defender
Collection of Microsoft Defender security APIs for threat protection, endpoint security, and security operations.
8 APIs
0 Features
API for endpoint detection and response, threat and vulnerability management, and automated investigation and remediation.
Cloud Access Security Broker (CASB) API for discovering, investigating, and governing cloud apps.
Access threat intelligence data, indicators of compromise (IOCs), and threat analytics.
Unified API for Microsoft security products including Defender alerts, secure scores, and security actions.
API for email and collaboration protection including anti-phishing, anti-malware, and safe attachments.
Unified extended detection and response API for automating workflows based on shared incident and advanced hunting tables across Microsoft security products.
REST API for unified security management and advanced threat protection across hybrid cloud workloads in Azure, other clouds, and on-premises.
API for identity-based attack detection and investigation across on-premises Active Directory and hybrid environments, with sensor management via Microsoft Graph.
opencollection: 1.0.0
info:
name: Microsoft Defender for Endpoint API
version: 1.0.0
request:
auth:
type: oauth2
flow: client_credentials
accessTokenUrl: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
credentials:
clientId: '{{clientId}}'
clientSecret: '{{clientSecret}}'
items:
- info:
name: Alerts
type: folder
items:
- info:
name: Microsoft Defender List alerts
type: http
http:
method: GET
url: https://api.security.microsoft.com/api/alerts
params:
- name: $filter
value: severity eq 'High' and status eq 'New'
type: query
description: OData filter expression. Filterable properties include alertCreationTime, lastUpdateTime, incidentId,
investigationId, id, assignedTo, detectionSource, lastEventTime, status, severity, and category.
- name: $top
value: '10'
type: query
description: Maximum number of results to return (max 10,000).
- name: $skip
value: ''
type: query
description: Number of results to skip for pagination.
- name: $expand
value: ''
type: query
description: Expand related entities. Supports expanding evidence.
docs: Retrieves a collection of alerts. Supports OData V4 query parameters including $filter, $top (max 10,000), $skip,
and $expand for evidence. Rate limited to 100 calls per minute and 1,500 calls per hour.
- info:
name: Microsoft Defender Get alert by ID
type: http
http:
method: GET
url: https://api.security.microsoft.com/api/alerts/:alertId
params:
- name: alertId
value: da637472900382838869_1364969609
type: path
description: The unique identifier of the alert.
docs: Retrieves a specific alert by its alert ID.
- info:
name: Microsoft Defender Update alert
type: http
http:
method: PATCH
url: https://api.security.microsoft.com/api/alerts/:alertId
params:
- name: alertId
value: da637472900382838869_1364969609
type: path
description: The unique identifier of the alert to update.
body:
type: json
data: '{}'
docs: Updates properties of an existing alert. Updatable properties are status, determination, classification, and assignedTo.
A comment can be submitted with or without updating properties.
- info:
name: Microsoft Defender List alerts for a machine
type: http
http:
method: GET
url: https://api.security.microsoft.com/api/machines/:machineId/alerts
params:
- name: machineId
value: 1e5bc9d7e413ddd7902c2932e418702b84d0cc07
type: path
description: The device ID of the machine.
docs: Retrieves a collection of alerts related to a specific machine.
- info:
name: Machines
type: folder
items:
- info:
name: Microsoft Defender List machines
type: http
http:
method: GET
url: https://api.security.microsoft.com/api/machines
params:
- name: $filter
value: healthStatus eq 'Active' and riskScore eq 'High'
type: query
description: OData filter expression. Filterable properties include computerDnsName, id, version, deviceValue, aadDeviceId,
machineTags, lastSeen, exposureLevel, onboardingStatus, lastIpAddress, healthStatus, osPlatform, riskScore, and
rbacGroupId.
- name: $top
value: '50'
type: query
description: Maximum number of results to return (max 10,000).
- name: $skip
value: ''
type: query
description: Number of results to skip for pagination.
docs: Retrieves a collection of machines that have communicated with Microsoft Defender for Endpoint. Supports OData V4
query parameters including $filter, $top (max 10,000), and $skip. Rate limited to 100 calls per minute and 1,500 calls
per hour.
- info:
name: Microsoft Defender Get machine by ID
type: http
http:
method: GET
url: https://api.security.microsoft.com/api/machines/:machineId
params:
- name: machineId
value: 1e5bc9d7e413ddd7902c2932e418702b84d0cc07
type: path
description: The device ID or computer name of the machine.
docs: Retrieves a specific machine by its device ID or computer name.
- info:
name: Microsoft Defender List vulnerabilities for a machine
type: http
http:
method: GET
url: https://api.security.microsoft.com/api/machines/:machineId/vulnerabilities
params:
- name: machineId
value: 1e5bc9d7e413ddd7902c2932e418702b84d0cc07
type: path
description: The device ID of the machine.
docs: Retrieves a collection of discovered vulnerabilities related to a specific machine.
- info:
name: Microsoft Defender List machines affected by a vulnerability
type: http
http:
method: GET
url: https://api.security.microsoft.com/api/vulnerabilities/:vulnerabilityId/machineReferences
params:
- name: vulnerabilityId
value: CVE-2024-7256
type: path
description: The CVE identifier of the vulnerability.
docs: Retrieves a list of machines affected by a specific vulnerability.
- info:
name: Vulnerabilities
type: folder
items:
- info:
name: Microsoft Defender List all vulnerabilities
type: http
http:
method: GET
url: https://api.security.microsoft.com/api/vulnerabilities
params:
- name: $filter
value: severity eq 'Critical'
type: query
description: OData filter expression. Filterable properties include id, name, description, cvssV3, publishedOn, severity,
and updatedOn.
- name: $top
value: '50'
type: query
description: Maximum number of results to return (max 8,000).
- name: $skip
value: ''
type: query
description: Number of results to skip for pagination.
docs: Retrieves a list of all vulnerabilities affecting the organization. Supports OData V4 query parameters including
$filter, $top (max 8,000), and $skip.
- info:
name: Microsoft Defender Get vulnerability by ID
type: http
http:
method: GET
url: https://api.security.microsoft.com/api/vulnerabilities/:vulnerabilityId
params:
- name: vulnerabilityId
value: CVE-2024-7256
type: path
description: The CVE identifier of the vulnerability.
docs: Retrieves a specific vulnerability by its CVE ID.
bundled: true