Microsoft Defender for Endpoint
The Microsoft Defender for Endpoint API provides a security solution that helps detect and investigate security incidents across networks.
Supported Actions and Example Prompts
Action Name | Description | Prompt Example |
---|---|---|
Get All Alerts | This action retrieves a list of all the alerts in Microsoft ATP. For more information, see Action: Get All Alerts. | Get the list of alerts from Microsoft Defender. |
Get Domain Related Alerts | This action retrieves alerts related to a domain. For more information, see Action: Get Domain Related Alerts. | Get alerts related to the example domain from Microsoft Defender. |
Get File Related Alerts | This action retrieves all the alerts related to a file. For more information, see Action: Get File Related Alerts. | Get alerts related to the file 2aae6c35c94fcfb415dbe95f408b9ce91 from Microsoft Defender. |
Get IP Related Alerts | This action retrieves alerts related to an IP address. For more information, see Action: Get IP Related Alerts. | Get alerts related to the IP address 1.1.1.1 from Microsoft Defender. |
Get Machine Related Alerts | This action retrieves machine-related alerts. For more information, see Action: Get Machine Related Alerts. | Get alerts related to the machine 111e6dd8c231ec1b19adaf497b625 from Microsoft Defender. |
Get User Related Alerts | This action retrieves all user-related alerts. For more information, see Action: Get User Related Alerts. | Get alerts related to the user John Doe from Microsoft Defender. |
Isolate a Machine | This action isolates a machine. For more information, see Action: Isolate a Machine. | Isolate the machine 111e6dd8c83ec1b19adaf497b625 with isolation type full in Microsoft Defender. |
Remove Machine from Isolation | This action removes a machine from isolation. For more information, see Action: Remove Machine from Isolation. | Remove the machine 111e6dd8231ec1b19adaf497b625 from isolation with a comment detected malware removed in Microsoft Defender. |
Submit Indicator | This action submits an indicator. Note: You must have the Ti.ReadWrite or Ti.ReadWrite.All permission to perform this action. For more information, see Action: Submit Indicator. | Submit an indicator with indicator value 220e7d15b011d7fac48f022197f7f with action type alert and indicator type filesha1 in Microsoft Defender. |
Install and Configure the App
Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.
Before you Start
Ensure you have the API token to authenticate with the Microsoft Defender app.
Steps
To install and configure an app, follow these steps:
Go to the application and, in the left pane, select Quarterback AI.
In Apps, select Microsoft Defender and click Install.
After the app is installed, click Configure and enter the following details to create an instance:
Instance Name: Enter a name for the instance.
Instance Description: Enter a description for the instance.
Expiry: Select an expiry date for the instance.
Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.
Application ID: Enter the application ID of the user’s app instance.
Client Secret: Enter the client's secret key for authentication.
Tenant ID: Enter the tenant ID to authenticate.
Base URL: Enter the base URL to access Microsoft Defender. For example, https://api.securitycenter.windows.com
Click Done.
The instance is created, and you can view it in Instances. To create another instance, click Add Instance.
Action: Get All Alerts
This action retrieves all the alerts.
Note
You must have the Alert.Read.All (Read all alerts) permission to perform this action.
Action Input Parameters
This action does not require any input parameters.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.id | String | ID of the application instance. Example: "da637472900382838869_1364969609". |
app_instance.incidentId | Number | ID of the incident. Example: 1126093. |
app_instance.investigationId | Null | Investigation ID. Example: null. |
app_instance.assignedTo | Null | Assigned user or group. Example: null. |
app_instance.severity | String | Severity level of the incident. Example: "Low". |
app_instance.status | String | Status of the incident. Example: "New". |
app_instance.classification | Null | Classification of the incident. Example: null. |
app_instance.determination | Null | Determination of the incident. Example: null. |
app_instance.investigationState | String | State of the investigation. Example: "Queued". |
app_instance.detectionSource | String | Source of detection. Example: "WindowsDefenderAtp". |
app_instance.detectorId | String | ID of the detector. Example: "17e10bbc-3a68-474a-8aad-faef14d43952". |
app_instance.category | String | Category of the incident. Example: "Execution". |
app_instance.threatFamilyName | Null | Name of the threat family. Example: null. |
app_instance.title | String | Title of the incident. Example: "Low-reputation arbitrary code executed by signed executable". |
app_instance.description | String | Description of the incident. Example: "Binaries signed by Microsoft can be used to run low-reputation arbitrary code...". |
app_instance.alertCreationTime | String | Timestamp when the alert was created. Example: "2021-01-26T20:33:57.7220239Z". |
app_instance.firstEventTime | String | Timestamp of the first event related to the incident. Example: "2021-01-26T20:31:32.9562661Z". |
app_instance.lastEventTime | String | Timestamp of the last event related to the incident. Example: "2021-01-26T20:31:33.0577322Z". |
app_instance.lastUpdateTime | String | Timestamp of the last update to the incident. Example: "2021-01-26T20:33:59.2Z". |
app_instance.resolvedTime | Null | Timestamp when the incident was resolved. Example: null. |
app_instance.machineId | String | ID of the affected machine. Example: "111e6dd8c833c8a052ea231ec1b19adaf497b625". |
app_instance.computerDnsName | String | DNS name of the affected computer. Example: "temp123.middleeast.corp.microsoft.com". |
app_instance.rbacGroupName | String | RBAC group name. Example: "A". |
app_instance.aadTenantId | String | Azure Active Directory tenant ID. Example: "a839b112-1253-6432-9bf6-94542403f21c". |
app_instance.threatName | Null | Name of the threat. Example: null. |
app_instance.mitreTechniques | Array | MITRE ATT&CK techniques associated with the incident. Example: ["T1064", "T1085", "T1220"]. |
app_instance.relatedUser.userName | String | Username of the related user. Example: "temp123". |
app_instance.relatedUser.domainName | String | Domain name of the related user. Example: "DOMAIN". |
app_instance.comments.comment | String | Comment associated with the incident. Example: "test comment for docs". |
app_instance.comments.createdBy | String | User who created the comment. Example: "secop123@contoso.com". |
app_instance.comments.createdTime | String | Timestamp when the comment was created. Example: "2021-01-26T01:00:37.8404534Z". |
app_instance.evidence.entityType | String | Type of entity providing evidence. Example: "User". |
app_instance.evidence.evidenceCreationTime | String | Timestamp when the evidence was created. Example: "2021-01-26T20:33:58.42Z". |
app_instance.evidence.accountName | String | Name of the account associated with the evidence. Example: "name". |
app_instance.evidence.domainName | String | Domain name associated with the evidence. Example: "DOMAIN". |
app_instance.evidence.userSid | String | User SID associated with the evidence. Example: "S-1-5-21-11111607-1111760036-109187956-75141". |
app_instance.evidence.aadUserId | String | Azure Active Directory user ID associated with the evidence. Example: "11118379-2a59-1111-ac3c-a51eb4a3c627". |
app_instance.evidence.userPrincipalName | String | User principal name associated with the evidence. Example: "temp123@microsoft.com". |
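The alert fields documented above are what an analyst works from after a "Get All Alerts" call. The following Python is an added example, not code from the Quarterback AI app or the Defender API: it groups open alerts by machine, ordered by the highest severity seen, using the field names from the response table. The sample alerts are constructed from the table's example values plus invented records marked as constructed.

```python
# Added example (not part of the Quarterback AI documentation): triage the alert
# records returned by "Get All Alerts" using the response fields listed above.
from collections import defaultdict

# Severity names as the API returns them, ranked for ordering.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample response: first record uses the table's example values,
# the others are invented; only the fields the triage logic reads are present.
SAMPLE_ALERTS = [
    {"id": "da637472900382838869_1364969609", "status": "New", "severity": "Low",
     "resolvedTime": None, "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
     "computerDnsName": "temp123.middleeast.corp.microsoft.com",
     "mitreTechniques": ["T1064", "T1085", "T1220"]},
    {"id": "constructed_0002", "status": "InProgress", "severity": "High",
     "resolvedTime": None, "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
     "computerDnsName": "temp123.middleeast.corp.microsoft.com",
     "mitreTechniques": ["T1085", "T1059"]},
    {"id": "constructed_0003", "status": "Resolved", "severity": "High",
     "resolvedTime": "2021-01-27T08:00:00Z", "machineId": "constructedmachine0001",
     "computerDnsName": "ws02.constructed.example", "mitreTechniques": ["T1053"]},
    {"id": "constructed_0004", "status": "New", "severity": "Medium",
     "resolvedTime": None, "machineId": "constructedmachine0001",
     "computerDnsName": "ws02.constructed.example", "mitreTechniques": []},
]

def is_open(alert):
    """An alert is open if it has no resolvedTime and is not marked Resolved."""
    return alert.get("resolvedTime") is None and alert.get("status") != "Resolved"

def triage(alerts):
    """Group open alerts by machineId; return rows ordered by the highest
    severity on each machine, then by the number of open alerts."""
    groups = defaultdict(lambda: {"dns": None, "ids": [], "techniques": set(), "rank": -1})
    for a in filter(is_open, alerts):
        g = groups[a.get("machineId")]
        g["dns"] = a.get("computerDnsName")
        g["ids"].append(a["id"])
        g["techniques"].update(a.get("mitreTechniques") or [])
        g["rank"] = max(g["rank"], SEVERITY_RANK.get(a.get("severity"), -1))
    rank_name = {v: k for k, v in SEVERITY_RANK.items()}
    rows = [{"machineId": m, "computerDnsName": g["dns"],
             "maxSeverity": rank_name.get(g["rank"], "Unknown"),
             "openAlerts": len(g["ids"]), "alertIds": g["ids"],
             "mitreTechniques": sorted(g["techniques"])} for m, g in groups.items()]
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["maxSeverity"], -1), r["openAlerts"]),
              reverse=True)
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row["computerDnsName"], row["maxSeverity"], row["openAlerts"], row["mitreTechniques"])
```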
Action: Isolate a Machine
This action isolates a device from accessing the external network.
Note
You must have Machine.Isolate (Isolate machine) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8c83ec1b19adaf497b625" | Text | Required | |
Isolation type | Enter the isolation type. Example: "full" | Text | Required | Allowed values: |
Comment | Enter the comment associated with the action. Example: "Example Comment" | Text | Required | |
Example Request
[ { "machine_id": "111e6dd8c83ec1b19adaf497b625", "isolation_type": "full", "comment": "Example Comment" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | OData metadata URL. Example: https://api.securitycenter.microsoft.com/api/$metadata#MachineActions |
app_instance.cancellationComment | Null | Comment provided when the action was canceled, if any. Example: null |
app_instance.cancellationDateTimeUtc | Null | Date and time when the action was canceled in UTC, if any. Example: null |
app_instance.cancellationRequestor | Null | User who requested the cancellation, if any. Example: null |
app_instance.commands | Array | List of commands associated with the action. Example: [] |
app_instance.computerDnsName | String | DNS name of the computer. Example: adserver.adtestlab.com |
app_instance.creationDateTimeUtc | String | Date and time when the action was created in UTC. Example: 2024-05-28T05:51:04.6368462Z |
app_instance.errorHResult | Integer | Error code associated with the action, if any. Example: -2145844840 |
app_instance.externalId | Null | External identifier for the action, if any. Example: null |
app_instance.id | String | Unique identifier for the action. Example: c757f294-d3a0-4b55-9a0a-1fda7ac6da98 |
app_instance.lastUpdateDateTimeUtc | String | Date and time when the action was last updated in UTC. Example: 2024-05-31T06:05:27.344646Z |
app_instance.machineId | String | Unique identifier for the machine. Example: 07196b51b2b5390a1194bcee8ae33b690a1b1bde |
app_instance.relatedFileInfo | Null | Information about related files, if any. Example: null |
app_instance.requestSource | String | Source of the request. Example: PublicApi |
app_instance.requestor | String | Person who requested the action. Example: MS-Cyware |
app_instance.requestorComment | String | Comment provided by the requestor. Example: testing purpose |
app_instance.scope | String | Scope of the action, if any. Example: Full |
app_instance.status | String | Status of the action. Example: TimeOut |
app_instance.title | Null | Title of the action, if any. Example: null |
app_instance.troubleshootInfo | Null | Information for troubleshooting, if any. Example: null |
app_instance.type | String | Type of action performed. Example: Isolate |
app_instance.status_code | Integer | HTTP status code of the response. Example: 200 |
Action: Remove Machine from Isolation
This action removes a machine from isolation.
Note
You must have Machine.Isolate (Isolate machine) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Machine ID | Enter the machine ID. Example: "111e6dd8231ec1b19adaf497b625" | Text | Required | |
Comment | Enter the comment to associate with this action. Example: "Example Comment" | Text | Required | |
Example Request
[ { "machine_id": "111e6dd8231ec1b19adaf497b625", "comment": "Example Comment" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | OData metadata URL. Example: https://api.securitycenter.microsoft.com/api/$metadata#MachineActions |
app_instance.cancellationComment | Null | Comment provided when the action was canceled, if any. Example: null |
app_instance.cancellationDateTimeUtc | Null | Date and time when the action was canceled in UTC, if any. Example: null |
app_instance.cancellationRequestor | Null | User who requested the cancellation, if any. Example: null |
app_instance.commands | Array | List of commands associated with the action. Example: [] |
app_instance.computerDnsName | String | DNS name of the computer. Example: adserver.adtestlab.com |
app_instance.creationDateTimeUtc | String | Date and time when the action was created in UTC. Example: 2024-05-28T05:51:04.6368462Z |
app_instance.errorHResult | Integer | Error code associated with the action, if any. Example: -2145844840 |
app_instance.externalId | Null | External identifier for the action, if any. Example: null |
app_instance.id | String | Unique identifier for the action. Example: c757f294-d3a0-4b55-9a0a-1fda7ac6da98 |
app_instance.lastUpdateDateTimeUtc | String | Date and time when the action was last updated in UTC. Example: 2024-05-31T06:05:27.344646Z |
app_instance.machineId | String | Unique identifier for the machine. Example: 07196b51b2b5390a1194bcee8ae33b690a1b1bde |
app_instance.relatedFileInfo | Null | Information about related files, if any. Example: null |
app_instance.requestSource | String | Source of the request. Example: PublicApi |
app_instance.requestor | String | Person who requested the action. Example: MS-Cyware |
app_instance.requestorComment | String | Comment provided by the requestor. Example: testing purpose |
app_instance.scope | String | Scope of the action, if any. Example: Full |
app_instance.status | String | Status of the action. Example: TimeOut |
app_instance.title | Null | Title of the action, if any. Example: null |
app_instance.troubleshootInfo | Null | Information for troubleshooting, if any. Example: null |
app_instance.type | String | Type of action performed. Example: Unisolate |
app_instance.status_code | Integer | HTTP status code of the response. Example: 200 |
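Both the Isolate and Remove Machine from Isolation responses above carry a status_code of 200 next to a status of TimeOut, which shows why a 2xx response must not be read as "the device is isolated": the machine action is asynchronous and its outcome is in the status field. The following Python is an added example, not code from the Quarterback AI app or the Defender API, that interprets such a record; the sample is constructed from the documented example values, and the status names other than TimeOut are taken from the Defender for Endpoint machine-action status set, not from this page.

```python
# Added example (not part of the Quarterback AI documentation): decide whether a
# MachineActions record from Isolate / Unisolate means the action is still
# running, succeeded, or failed, instead of trusting the HTTP status code.

# Status names of Defender for Endpoint machine actions (assumed from the API's
# status set; the page itself shows only "TimeOut").
PENDING_STATES = {"Pending", "InProgress"}
FAILED_STATES = {"Failed", "TimeOut", "Cancelled"}

SAMPLE_ISOLATE_RESPONSE = {  # constructed from the example values in the tables above
    "id": "c757f294-d3a0-4b55-9a0a-1fda7ac6da98",
    "type": "Isolate", "scope": "Full", "status": "TimeOut",
    "errorHResult": -2145844840,
    "machineId": "07196b51b2b5390a1194bcee8ae33b690a1b1bde",
    "computerDnsName": "adserver.adtestlab.com",
    "requestor": "MS-Cyware", "requestorComment": "testing purpose",
    "status_code": 200,
}

def decode_hresult(value):
    """Split a signed 32-bit HRESULT into (is_failure, facility, code).
    Facility 0x19 is FACILITY_HTTP, whose code field holds an HTTP status."""
    u = value & 0xFFFFFFFF
    return bool(u & 0x80000000), (u >> 16) & 0x7FF, u & 0xFFFF

def machine_action_outcome(resp):
    """Return {'done', 'succeeded', 'reason'} for one machine action record.
    Poll the action by id while done is False; any terminal status other than
    Succeeded should be treated as a failed containment step."""
    http = resp.get("status_code")
    if http is not None and not 200 <= http < 300:
        return {"done": True, "succeeded": False,
                "reason": f"request rejected with HTTP {http}"}
    status = resp.get("status")
    if status in PENDING_STATES:
        return {"done": False, "succeeded": False,
                "reason": f"action {resp.get('id')} is {status}"}
    if status == "Succeeded":
        return {"done": True, "succeeded": True,
                "reason": f"{resp.get('type')} ({resp.get('scope')}) completed on "
                          f"{resp.get('computerDnsName')}"}
    detail = ""
    hres = resp.get("errorHResult")
    if hres not in (None, 0):
        failed, facility, code = decode_hresult(hres)
        detail = f"; HRESULT 0x{hres & 0xFFFFFFFF:08X}"
        if failed and facility == 0x19:
            detail += f" (FACILITY_HTTP, status {code})"
    return {"done": True, "succeeded": False,
            "reason": f"{resp.get('type')} on {resp.get('computerDnsName')} ended with "
                      f"status {status}{detail}"}

if __name__ == "__main__":
    print(machine_action_outcome(SAMPLE_ISOLATE_RESPONSE)["reason"])
```

For the documented example the HRESULT -2145844840 decodes to 0x80190198, a FACILITY_HTTP failure whose code field is 408.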
Action: Submit Indicator
This action submits an indicator.
Note
You must have Ti.ReadWrite (Read and write Indicators) or Ti.ReadWrite.All (Read and write All Indicators) permission to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator Value | Enter the indicator value. Example: 220e7d15b011d7fac48f022197f7f | Text | Required | |
Indicator Type | Enter the indicator type. Example: filesha1 | Text | Required | Allowed values: filesha1, filesha256, ipaddress, domainname, url |
Action to be Taken | Specify the action for the indicator if it is identified in the organization's network. Example: block | Text | Required | Allowed values: alert, warn, block, audit, blockandremediate, alertandblock, allowed |
Indicator Title | Enter the indicator title. Example: Malicious Hash | Text | Required | |
Query Params | Enter the query parameters to make the request. | Key Value | Optional | Allowed values: application, severity, recommendedActions, generateAlert |
Example Request
[ { "indicator_value": "220e7d15b011d7fac48f022197f7f", "indicator_type": "filesha1", "action": "block" } ]
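Because a submitted indicator immediately drives alert, block or allow decisions across the tenant, a malformed value or a typo in the action is worth catching before the request leaves the playbook. The following Python is an added example, not code from the Quarterback AI app or the Defender API: it checks one request item against the allowed indicator types and actions listed in the input table above, and applies format rules per type that are this example's own (the Defender API performs its own validation server-side).

```python
# Added example (not part of the Quarterback AI documentation): local validation
# of a "Submit Indicator" request item before it is sent.
import ipaddress
import re
from urllib.parse import urlsplit

# Allowed values copied from the input parameter table above.
INDICATOR_TYPES = {"filesha1", "filesha256", "ipaddress", "domainname", "url"}
ACTIONS = {"alert", "warn", "block", "audit", "blockandremediate", "alertandblock", "allowed"}

_HEX = re.compile(r"^[0-9a-f]+$")
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label

def _well_formed(indicator_type, value):
    """Format rules per indicator type (this example's own, not the API's)."""
    v = value.strip().lower()
    if indicator_type == "filesha1":
        return len(v) == 40 and bool(_HEX.match(v))
    if indicator_type == "filesha256":
        return len(v) == 64 and bool(_HEX.match(v))
    if indicator_type == "ipaddress":
        try:
            ipaddress.ip_address(v)
            return True
        except ValueError:
            return False
    if indicator_type == "domainname":
        labels = v.rstrip(".").split(".")
        return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)
    if indicator_type == "url":
        parts = urlsplit(value.strip())
        return parts.scheme in ("http", "https") and bool(parts.netloc)
    return False

def validate_indicator_request(req):
    """Return a list of problems for one request item; an empty list means OK."""
    problems = []
    itype = str(req.get("indicator_type", "")).lower()
    if itype not in INDICATOR_TYPES:
        problems.append(f"indicator_type {req.get('indicator_type')!r} not in {sorted(INDICATOR_TYPES)}")
    if str(req.get("action", "")).lower() not in ACTIONS:
        problems.append(f"action {req.get('action')!r} not in {sorted(ACTIONS)}")
    value = req.get("indicator_value")
    if not value:
        problems.append("indicator_value is required")
    elif itype in INDICATOR_TYPES and not _well_formed(itype, str(value)):
        problems.append(f"indicator_value {value!r} is not a well-formed {itype}")
    return problems

if __name__ == "__main__":
    # The page's example value is 29 hex characters, so it fails the 40-character SHA-1 rule.
    print(validate_indicator_request({"indicator_value": "220e7d15b011d7fac48f022197f7f",
                                      "indicator_type": "filesha1", "action": "block"}))
```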
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.@odata.context | String | OData metadata URL. Example: https://api.securitycenter.microsoft.com/api/$metadata#Indicators/$entity |
app_instance.action | String | Action to be taken. Example: Audit |
app_instance.category | Integer | Category of the indicator. Example: 1 |
app_instance.createdBy | String | ID of the user who created the indicator. Example: cfef9c29-4e41-463a-b1a5-77ace2dc862c |
app_instance.createdByDisplayName | String | Display name of the user who created the indicator. Example: sentinel |
app_instance.createdBySource | String | Source of the user who created the indicator. Example: PublicApi |
app_instance.creationTimeDateTimeUtc | String | Creation time of the indicator in UTC format. Example: 2022-04-06T09:43:51.0297936Z |
app_instance.description | String | Description of the indicator. Example: testing |
app_instance.generateAlert | Boolean | Flag indicating whether to generate an alert. Example: true |
app_instance.id | String | ID of the indicator. Example: 42 |
app_instance.indicatorType | String | Type of the indicator. Example: IpAddress |
app_instance.indicatorValue | String | Value of the indicator. Example: 1.1.1.1 |
app_instance.lastUpdateTime | String | Last update time of the indicator in UTC format. Example: 2024-06-14T10:31:04.4946935Z |
app_instance.lastUpdatedBy | String | ID of the user who last updated the indicator. Example: 749a678f-00c8-4214-9526-04bc9119a575 |
app_instance.severity | String | Severity level of the indicator. Example: Informational |
app_instance.title | String | Title of the indicator. Example: test |