Skip to main content

Microsoft Defender for Endpoint Integration Guide

Overview

The Microsoft Defender for Endpoint (MDE) integration connects your NINA workflows to the Microsoft Defender for Endpoint REST API, enabling comprehensive endpoint security operations. This integration lets you manage security alerts, investigate endpoint threats, query vulnerability and software inventory, trigger live response actions on devices, and manage custom threat intelligence indicators — all directly from your workflows.

Microsoft Defender for Endpoint is Microsoft's enterprise endpoint security platform offering preventative protection, post-breach detection, automated investigation, and response capabilities across Windows, macOS, Linux, Android, and iOS devices.

Status

We currently support 13 resources across the full MDE API surface:

  • Alert Management: List, retrieve, update, and batch-update security alerts with OData filtering, severity and status shortcuts, and evidence expansion
  • Machine (Device) Management: Query the managed device inventory, retrieve logon users, installed software, vulnerabilities, and recommendations per device; add/remove tags individually or in bulk; find devices by IP address or tag
  • Machine Actions: Trigger and track response actions — network isolation, antivirus scans, forensic package collection, code-execution restriction, and file quarantine
  • Vulnerability Management (TVM): Query CVEs across the organization, retrieve devices and software affected by a specific CVE, and list all vulnerabilities grouped by machine and software
  • Software Inventory (TVM): Query the organization's software inventory, retrieve version distributions, affected devices, exposed vulnerabilities, and missing KBs per software
  • Security Recommendations (TVM): List and retrieve security recommendations, find affected devices and related vulnerabilities, and get recommendations per device
  • Remediation Tasks (TVM): List, retrieve, update, and find devices for remediation activities
  • Threat Intelligence Indicators (IoC): Create, list, retrieve, update, and delete custom file hash, IP, domain, URL, and certificate indicators
  • File: Retrieve file metadata, prevalence statistics, related alerts, and machines that observed a file hash
  • IP Address: Retrieve alerts and prevalence statistics for a given IP
  • Domain: Retrieve alerts, related machines, and statistics for a domain
  • User: Retrieve alerts and related machines for a user account
  • Score: Retrieve the organizational exposure score, device secure score, and exposure score breakdown by device group

Credential Configuration

Before using the Microsoft Defender for Endpoint integration in your workflows, you need to configure OAuth2 credentials through an Azure App Registration. The integration uses the OAuth2 client credentials flow (no user interaction required) against the Azure AD v1.0 token endpoint and the MDE Security Center API.

Authentication Method

OAuth2 Client Credentials

FieldDescriptionExample
Tenant IDDirectory (tenant) ID from Azure portal87654321-4321-4321-4321-fedcba987654
Client IDApplication (client) ID from Azure App Registration12345678-1234-1234-1234-123456789abc
Client SecretClient secret value from Azure App Registrationabcd1234~efgh5678ijklMNOP9012qrst.UV
Base URLMDE API base URL. Change only for sovereign cloud environments.https://api.securitycenter.microsoft.com

How to create an Azure App Registration:

  1. Sign in to the Azure portal
  2. Navigate to Microsoft Entra ID > App registrations
  3. Click New registration
  4. Provide a name (e.g., "NINA MDE Integration")
  5. Select Accounts in this organizational directory only
  6. Click Register
  7. Note the Application (client) ID and Directory (tenant) ID shown on the overview page
  8. Go to Certificates & secrets > Client secrets > New client secret
  9. Enter a description and expiration period, then click Add
  10. Copy the Value immediately — it will not be shown again

Required API Permissions (Application permissions on WindowsDefenderATP):

Grant the following application permissions and click Grant admin consent:

PermissionRequired for
Alert.Read.AllReading alerts
Alert.ReadWrite.AllUpdating and batch-updating alerts
Machine.Read.AllReading device inventory, logon users, and device-related data
Machine.ReadWrite.AllTriggering machine actions (isolate, scan, etc.) and managing tags
Vulnerability.Read.AllQuerying CVEs and TVM vulnerability data
Software.Read.AllQuerying software inventory
Score.Read.AllRetrieving exposure and secure scores
Ti.ReadWriteCreating, updating, and deleting custom IoC indicators
Ti.Read.AllListing and reading custom IoC indicators
RemediationTasks.Read.AllReading remediation tasks
RemediationTasks.ReadWrite.AllUpdating remediation tasks

Note: WindowsDefenderATP is the Azure AD resource display name for the Microsoft Defender for Endpoint API. In the Azure portal, search for "WindowsDefenderATP" when adding API permissions, or use the resource URI https://api.securitycenter.microsoft.com/.

Sovereign Cloud Environments

If your organization uses a government or sovereign cloud, override the Base URL credential field with the appropriate endpoint:

CloudBase URL
Commercial (default)https://api.securitycenter.microsoft.com
US Government GCChttps://api.securitycenter.microsoft.us
US Government GCC Highhttps://api-gcc.securitycenter.microsoft.us

Creating a Microsoft Defender for Endpoint Credential

  1. Navigate to the Credentials section in NINA
  2. Click Add New Credential
  3. Fill in the credential details:
    • Name: A descriptive name (e.g., "MDE Production")
    • Description: Optional details about the credential's purpose
    • Integration Service: Select "Microsoft Defender for Endpoint"
    • Auth Type: Select "OAuth2"
    • Tenant ID: Enter your Directory (tenant) ID
    • Client ID: Enter your Application (client) ID
    • Client Secret: Enter your client secret value
    • Base URL: Leave blank for commercial cloud (defaults to https://api.securitycenter.microsoft.com)
  4. Click Test Connection to verify credentials — this acquires an OAuth token from Azure AD to confirm the credentials are valid
  5. Click Save to store the credential

Supported Resources and Operations

Alert

Manage MDE security alerts. Supports OData v4 $filter, $top (max 10,000), $skip, $orderby, and $expand.

OperationNameDescription
listList AlertsRetrieve a collection of alerts with optional OData filtering, sorting, and severity/status shortcuts
getGet AlertRetrieve a single alert by its ID
updateUpdate AlertUpdate status, classification, determination, assignee, or add a comment to an alert
batchUpdateBatch Update AlertsUpdate multiple alerts at once (up to rate limit: 10 calls/min, 500 calls/hr)

Key parameters for list:

  • $filter — OData filter expression (e.g., severity eq 'High' and status eq 'New')
  • $top — number of alerts to return (default: 100, max: 10,000)
  • $skip — number of alerts to skip for pagination
  • $orderby — sort expression (e.g., alertCreationTime desc)
  • $expand — set to evidence to include evidence entities inline
  • severity — shortcut filter: UnSpecified, Informational, Low, Medium, High
  • status — shortcut filter: Unknown, New, InProgress, Resolved
  • alertCreationTimeGte — shortcut filter: only alerts created at or after this RFC3339 timestamp

Key parameters for update:

  • alertId (required) — the alert ID
  • updateFields.statusNew, InProgress, Resolved
  • updateFields.assignedTo — analyst email address
  • updateFields.classificationTruePositive, InformationalExpectedActivity, FalsePositive
  • updateFields.determination — see determination values below
  • updateFields.comment — comment text to append

Key parameters for batchUpdate:

  • alertIds (required) — array of alert IDs
  • updateFields — same fields as update

Machine (Device)

Query the managed endpoint inventory and perform per-device data retrieval and tagging operations.

OperationNameDescription
listList DevicesRetrieve managed devices with OData filtering and health/risk shortcut filters
listLogonUsersList Logon UsersRetrieve logged-on users for a specific device
listAlertsList Alerts by DeviceRetrieve all alerts related to a device
listSoftwareList Installed SoftwareRetrieve installed software on a specific device
listVulnerabilitiesList Vulnerabilities by DeviceRetrieve discovered CVEs on a specific device
listRecommendationsList Recommendations by DeviceRetrieve TVM security recommendations for a device
listMissingKBsList Missing KBs by DeviceRetrieve missing security updates for a device
addOrRemoveTagsAdd or Remove TagAdd or remove a single tag on a device
bulkAddOrRemoveTagsBulk Add or Remove TagsAdd or remove a tag across up to 500 devices
findByIPFind Devices by IP (15-min window)Find devices seen with the given IP within 15 minutes of a timestamp
findByInternalIPFind Device by Internal IPFind a device by internal IP at a specific timestamp
findByTagFind Devices by TagFind all devices that have a specific tag

Key parameters for list:

  • $filter — OData filter (fields: id, computerDnsName, lastSeen, lastIpAddress, healthStatus, onboardingStatus, riskScore, rbacGroupId, rbacGroupName, osPlatform, machineTags)
  • $top — max devices to return (default: 100, max: 10,000)
  • $skip — pagination offset
  • $orderby — sort expression (e.g., lastSeen desc)
  • healthStatus — shortcut filter: Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, Unknown
  • onboardingStatus — shortcut filter: onboarded, CanBeOnboarded, Unsupported, InsufficientInfo
  • riskScore — shortcut filter: None, Informational, Low, Medium, High

Key parameters for addOrRemoveTags / bulkAddOrRemoveTags:

  • id (single) / machineIds (bulk) — device identifier(s)
  • actionAdd or Remove
  • value — tag name

Machine Action

Trigger and monitor remote response actions on managed endpoints. Every action returns a MachineAction object with a status that can be polled.

OperationNameDescription
listList Machine ActionsRetrieve history of response actions with OData filtering
getGet Machine ActionRetrieve status and details of a specific action by ID
isolateIsolate MachineDisconnect a device from the network (Defender traffic preserved)
unisolateUnisolate MachineRestore full network connectivity to an isolated device
runAntivirusScanRun Antivirus ScanInitiate a Quick or Full Microsoft Defender Antivirus scan
collectInvestigationPackageCollect Investigation PackageCollect a forensic ZIP package (logs and data) from the device
restrictCodeExecutionRestrict Code ExecutionRestrict all application execution to Microsoft-signed binaries only
unrestrictCodeExecutionRemove Code Execution RestrictionLift code-execution restriction
stopAndQuarantineFileStop and Quarantine FileKill a process and delete a file by SHA1 hash

Common parameters for machine actions:

  • id (required) — machine ID of the target device
  • comment (required) — justification comment recorded with the action

Additional parameters for isolate:

  • isolationTypeFull (blocks all traffic), Selective (restricts limited apps), UnManagedDevice

Additional parameters for runAntivirusScan:

  • scanType (required) — Quick or Full

Additional parameters for stopAndQuarantineFile:

  • sha1 (required) — SHA1 hash of the file to stop and quarantine

Vulnerability

Query CVE vulnerabilities detected across the organization via Threat and Vulnerability Management.

OperationNameDescription
listList VulnerabilitiesRetrieve CVEs with OData filtering (max 8,000 per page)
getGet Vulnerability by IDRetrieve details for a specific CVE
listMachinesList Devices by VulnerabilityRetrieve devices affected by a specific CVE
listByMachineAndSoftwareList Vulnerabilities by Machine and SoftwareRetrieve all vulnerabilities grouped by machine and software

Key parameters for list:

  • $filter — OData filter (fields: id, name, description, cvssV3, publishedOn, severity, updatedOn)
  • $top — max records (default: 100, max: 8,000)
  • $skip — pagination offset

Key parameters for listByMachineAndSoftware:

  • $filter — OData filter (fields: id, cveId, machineId, fixingKbId, productName, productVersion, severity, productVendor)
  • $top — max records (default: 100, max: 10,000)

Software

Query the software inventory of managed endpoints.

OperationNameDescription
listList SoftwareRetrieve the organization's software inventory
getGet Software by IDRetrieve details of a specific software entry
listVersionDistributionList Software Version DistributionRetrieve version distribution for a software entry
listMachinesList Devices by SoftwareRetrieve devices that have the software installed
listVulnerabilitiesList Vulnerabilities by SoftwareRetrieve vulnerabilities exposed by the software
listMissingKBsList Missing KBs by SoftwareRetrieve missing security updates for the software

Key parameters for list:

  • $filter — OData filter (fields: id, name, vendor)
  • $top — max records (default: 100, max: 10,000)
  • $skip — pagination offset

Note: Software IDs follow the pattern vendor-_-productname (e.g., microsoft-_-edge).


Recommendation

Query TVM security recommendations for the organization.

OperationNameDescription
listList Security RecommendationsRetrieve recommendations with OData filtering
getGet Recommendation by IDRetrieve a specific recommendation
listMachinesList Devices by RecommendationRetrieve devices associated with a recommendation
listVulnerabilitiesList Vulnerabilities by RecommendationRetrieve vulnerabilities associated with a recommendation
listSoftwareList Software by RecommendationRetrieve software associated with a recommendation
listByMachineList Recommendations by DeviceRetrieve recommendations for a specific device

Key parameters for list:

  • $filter — OData filter (fields: id, productName, vendor, recommendedVersion, recommendationCategory, subCategory, severityScore, remediationType, status)
  • $top — max records (default: 100, max: 10,000)

Note: Recommendation IDs follow the pattern va-_-vendor-_-product (e.g., va-_-google-_-chrome).


Remediation Task

Query and update TVM remediation activities created in the Microsoft 365 Defender portal.

OperationNameDescription
listList Remediation TasksRetrieve remediation activities with OData filtering
getGet Remediation TaskRetrieve a specific remediation task
updateUpdate Remediation TaskUpdate the status of a remediation task
listMachinesList Devices by Remediation TaskRetrieve devices associated with a remediation task

Key parameters for list:

  • $filter — OData filter (fields: createdon, status)
  • $top — max records (default: 100, max: 10,000)
  • status — shortcut filter: Active or Completed

Key parameters for update:

  • id (required) — remediation task ID
  • updateFields.statusActive, Completed, or Canceled

Indicator

Manage custom threat intelligence indicators (IoCs) in Microsoft Defender for Endpoint.

OperationNameDescription
listList IndicatorsRetrieve indicators with OData filtering and shortcut filters
createCreate IndicatorSubmit a new IoC indicator
getGet IndicatorRetrieve a specific indicator by ID
updateUpdate IndicatorUpdate an existing indicator
deleteDelete IndicatorDelete an indicator by ID

Key parameters for list:

  • $filter — OData filter (fields: application, createdByDisplayName, expirationTime, generateAlert, title, indicatorValue, indicatorType, creationTimeDateTimeUtc, createdBy, action, severity)
  • $top — max records (default: 100, max: 10,000)
  • indicatorType — shortcut filter: FileSha1, FileSha256, FileMd5, CertificateThumbprint, IpAddress, DomainName, Url
  • action — shortcut filter: Alert, Warn, Block, Audit, BlockAndRemediate, AlertAndBlock, Allowed
  • severity — shortcut filter: Informational, Low, Medium, High

Key parameters for create:

  • indicatorValue (required) — the IoC value (file hash, IP, domain, or URL)
  • indicatorType (required) — type of indicator
  • action (required) — action to take on match
  • title (required) — short title
  • description (required) — description of the indicator
  • expirationTime — ISO 8601 expiration (e.g., 2025-12-31T00:00:00Z)
  • severityInformational, Low, Medium, High
  • recommendedActions — free-text recommended actions
  • rbacGroupNames — array of RBAC group names to scope the indicator
  • generateAlert — boolean; whether to generate an alert on match
  • educateUrl — end-user education URL (applicable when action is Warn)

File

Retrieve file metadata and prevalence data using a SHA1 or SHA256 hash.

OperationNameDescription
getGet File InformationRetrieve file metadata (prevalence, publisher, signer, determination) by hash
listAlertsList Alerts by FileRetrieve alerts related to a file hash (SHA1 only)
listMachinesList Machines by FileRetrieve machines that observed the file (SHA1 only)
getStatsGet File StatisticsRetrieve prevalence statistics for a file (SHA1 only)

Key parameters:

  • id (required) — SHA1 or SHA256 hash of the file
  • lookBackHours (for getStats) — hours to look back (max 720, defaults to 30 days)

IP Address

Retrieve security data for a specific IP address observed by managed endpoints.

OperationNameDescription
listAlertsList Alerts by IPRetrieve alerts related to an IP address
getStatsGet IP StatisticsRetrieve prevalence statistics for an IP address

Key parameters:

  • ip (required) — IP address (e.g., 10.209.67.177)
  • lookBackHours (for getStats) — hours to look back (max 720)

Domain

Retrieve security data for a domain observed by managed endpoints.

OperationNameDescription
listAlertsList Alerts by DomainRetrieve alerts related to a domain
listMachinesList Machines by DomainRetrieve machines that communicated with the domain
getStatsGet Domain StatisticsRetrieve prevalence statistics for a domain

Key parameters:

  • domain (required) — domain name (e.g., example.com)
  • lookBackHours (for getStats) — hours to look back (max 720)

User

Retrieve alerts and related machines for a user account.

OperationNameDescription
listAlertsList Alerts by UserRetrieve alerts related to a user
listMachinesList Machines by UserRetrieve machines related to a user

Key parameters:

  • id (required) — the username only, not the full UPN (e.g., use jdoe not [email protected])

Score

Retrieve organizational security posture scores from Threat and Vulnerability Management.

OperationNameDescription
getExposureScoreGet Exposure ScoreRetrieve the organizational TVM exposure score
getDeviceSecureScoreGet Device Secure ScoreRetrieve the Microsoft Secure Score for Devices
listByDeviceGroupList Exposure Score by Device GroupRetrieve exposure score broken down by device group

No additional parameters are required for score operations.


Parameter Merging and Templating

The Microsoft Defender for Endpoint integration takes full advantage of NINA's parameter merging and templating capabilities:

Parameter Sources (in order of precedence)

  1. Node Parameters: Parameters configured directly in the MDE Integration Node
  2. Extracted Parameters: Parameters automatically extracted from the input data
  3. Input Data: The complete input data from upstream nodes

When an MDE Integration Node executes:

  • It combines parameters from all sources
  • Node parameters take precedence over extracted parameters
  • Template variables within parameters are processed using {{variable_name}} syntax
  • The combined parameters are used to execute the MDE operation

OData Filter Shortcuts vs. Raw Filters

Several list operations provide shortcut filter parameters (e.g., severity, status on alert.list) that are automatically converted to OData $filter expressions. When you provide a raw $filter parameter, the shortcut parameters are ignored and the raw filter takes full precedence.

BehaviorWhen to use
Shortcut filters (severity, status, etc.)Simple, single-field filters — no OData syntax needed
Raw $filterComplex expressions with multiple clauses, or logic, or functions

Example: Managing Security Alerts

Listing Alerts by Severity and Status

{
"integration_service": "microsoft-defender-endpoint",
"resource": "alert",
"operation": "list",
"parameters": {
"severity": "High",
"status": "New",
"$top": 50,
"$orderby": "alertCreationTime desc"
}
}

Listing Alerts with a Raw OData Filter

{
"integration_service": "microsoft-defender-endpoint",
"resource": "alert",
"operation": "list",
"parameters": {
"$filter": "severity eq 'High' and status eq 'New' and alertCreationTime ge 2026-01-01T00:00:00Z",
"$top": 100,
"$orderby": "alertCreationTime desc",
"$expand": "evidence"
}
}

Getting a Specific Alert

{
"integration_service": "microsoft-defender-endpoint",
"resource": "alert",
"operation": "get",
"parameters": {
"alertId": "{{alert_id}}"
}
}

Updating an Alert Status with Template Variables

Input Data from Previous Node:

{
"alert_id": "da637773775833477842_-2109939563",
"analyst": "[email protected]",
"verdict": "true_positive"
}

Node Configuration:

{
"integration_service": "microsoft-defender-endpoint",
"resource": "alert",
"operation": "update",
"parameters": {
"alertId": "{{alert_id}}",
"updateFields": {
"status": "Resolved",
"assignedTo": "{{analyst}}",
"classification": "TruePositive",
"determination": "Malware",
"comment": "Investigated and confirmed as malware — remediation completed by {{analyst}}"
}
}
}

Batch Updating Multiple Alerts

{
"integration_service": "microsoft-defender-endpoint",
"resource": "alert",
"operation": "batchUpdate",
"parameters": {
"alertIds": ["{{alert_id_1}}", "{{alert_id_2}}", "{{alert_id_3}}"],
"updateFields": {
"status": "InProgress",
"assignedTo": "[email protected]",
"comment": "Triaged and assigned to SOC for investigation"
}
}
}

Example: Device Management

Listing High-Risk Active Devices

{
"integration_service": "microsoft-defender-endpoint",
"resource": "machine",
"operation": "list",
"parameters": {
"healthStatus": "Active",
"riskScore": "High",
"$top": 200,
"$orderby": "lastSeen desc"
}
}

Finding a Device by Internal IP

Input Data:

{
"suspicious_ip": "10.10.5.42",
"event_timestamp": "2026-05-10T14:30:00Z"
}

Node Configuration:

{
"integration_service": "microsoft-defender-endpoint",
"resource": "machine",
"operation": "findByIP",
"parameters": {
"ip": "{{suspicious_ip}}",
"timestamp": "{{event_timestamp}}"
}
}

Adding a Tag to a Device

{
"integration_service": "microsoft-defender-endpoint",
"resource": "machine",
"operation": "addOrRemoveTags",
"parameters": {
"id": "{{machine_id}}",
"action": "Add",
"value": "incident-2026-042"
}
}

Bulk Tagging Multiple Devices

{
"integration_service": "microsoft-defender-endpoint",
"resource": "machine",
"operation": "bulkAddOrRemoveTags",
"parameters": {
"machineIds": ["{{machine_id_1}}", "{{machine_id_2}}", "{{machine_id_3}}"],
"action": "Add",
"value": "quarantine-candidate"
}
}

Example: Endpoint Response Actions

Isolating a Compromised Device

Input Data:

{
"machine_id": "4a5f3a3b2c1d0e9f8a7b6c5d4e3f2a1b",
"incident_id": "INC-2026-0042",
"analyst": "[email protected]"
}

Node Configuration:

{
"integration_service": "microsoft-defender-endpoint",
"resource": "machineAction",
"operation": "isolate",
"parameters": {
"id": "{{machine_id}}",
"comment": "Isolating device as part of incident {{incident_id}} investigation — authorized by {{analyst}}",
"isolationType": "Full"
}
}

Running an Antivirus Scan

{
"integration_service": "microsoft-defender-endpoint",
"resource": "machineAction",
"operation": "runAntivirusScan",
"parameters": {
"id": "{{machine_id}}",
"comment": "Full AV scan triggered as part of malware investigation",
"scanType": "Full"
}
}

Collecting a Forensic Investigation Package

{
"integration_service": "microsoft-defender-endpoint",
"resource": "machineAction",
"operation": "collectInvestigationPackage",
"parameters": {
"id": "{{machine_id}}",
"comment": "Collecting forensic package for incident {{incident_id}} evidence"
}
}

Stopping and Quarantining a Malicious File

{
"integration_service": "microsoft-defender-endpoint",
"resource": "machineAction",
"operation": "stopAndQuarantineFile",
"parameters": {
"id": "{{machine_id}}",
"comment": "Stopping and quarantining confirmed malware identified in threat intel feed",
"sha1": "{{malware_sha1}}"
}
}

Polling a Machine Action Status

After triggering a machine action, poll its status using the returned action ID:

{
"integration_service": "microsoft-defender-endpoint",
"resource": "machineAction",
"operation": "get",
"parameters": {
"id": "{{machine_action_id}}"
}
}

Example: Threat Intelligence Indicators

Creating a Malicious Domain Indicator

{
"integration_service": "microsoft-defender-endpoint",
"resource": "indicator",
"operation": "create",
"parameters": {
"indicatorValue": "malicious-c2.example.com",
"indicatorType": "DomainName",
"action": "Block",
"title": "APT29 C2 Domain",
"description": "Command-and-control domain attributed to APT29 campaign",
"severity": "High",
"expirationTime": "2026-12-31T00:00:00Z",
"recommendedActions": "Block all network traffic to this domain and investigate any prior connections",
"generateAlert": true
}
}

Creating a File Hash Indicator with Dynamic Input

Input Data:

{
"file_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"malware_family": "TrickBot",
"threat_actor": "TA505",
"expiry": "2026-06-30T00:00:00Z"
}

Node Configuration:

{
"integration_service": "microsoft-defender-endpoint",
"resource": "indicator",
"operation": "create",
"parameters": {
"indicatorValue": "{{file_sha256}}",
"indicatorType": "FileSha256",
"action": "BlockAndRemediate",
"title": "{{malware_family}} malware — {{threat_actor}}",
"description": "Confirmed {{malware_family}} sample attributed to {{threat_actor}}",
"severity": "High",
"expirationTime": "{{expiry}}",
"recommendedActions": "Block and quarantine the file; investigate systems with prior execution",
"generateAlert": true
}
}

Listing Active Block Indicators

{
"integration_service": "microsoft-defender-endpoint",
"resource": "indicator",
"operation": "list",
"parameters": {
"action": "Block",
"$top": 200,
"$orderby": "creationTimeDateTimeUtc desc"
}
}

Example: Vulnerability and TVM Queries

Listing High-Severity CVEs

{
"integration_service": "microsoft-defender-endpoint",
"resource": "vulnerability",
"operation": "list",
"parameters": {
"$filter": "severity eq 'High'",
"$top": 200,
"$orderby": "cvssV3 desc"
}
}

Finding All Devices Affected by a CVE

{
"integration_service": "microsoft-defender-endpoint",
"resource": "vulnerability",
"operation": "listMachines",
"parameters": {
"cveId": "{{cve_id}}"
}
}

Getting the Organization Exposure Score

{
"integration_service": "microsoft-defender-endpoint",
"resource": "score",
"operation": "getExposureScore",
"parameters": {}
}

Listing Active Security Recommendations

{
"integration_service": "microsoft-defender-endpoint",
"resource": "recommendation",
"operation": "list",
"parameters": {
"$filter": "status eq 'Active'",
"$top": 100,
"$orderby": "severityScore desc"
}
}

Marking a Remediation Task as Completed

{
"integration_service": "microsoft-defender-endpoint",
"resource": "remediationTask",
"operation": "update",
"parameters": {
"id": "{{task_id}}",
"updateFields": {
"status": "Completed"
}
}
}

Example: File, IP, and Domain Investigation

Investigating a Suspicious File Hash

{
"integration_service": "microsoft-defender-endpoint",
"resource": "file",
"operation": "get",
"parameters": {
"id": "{{file_sha256}}"
}
}

Getting Alerts for a Suspicious IP

{
"integration_service": "microsoft-defender-endpoint",
"resource": "ip",
"operation": "listAlerts",
"parameters": {
"ip": "{{suspicious_ip}}"
}
}

Getting Alerts and Machines for a Suspicious Domain

{
"integration_service": "microsoft-defender-endpoint",
"resource": "domain",
"operation": "listAlerts",
"parameters": {
"domain": "{{suspicious_domain}}"
}
}
{
"integration_service": "microsoft-defender-endpoint",
"resource": "domain",
"operation": "listMachines",
"parameters": {
"domain": "{{suspicious_domain}}"
}
}

Alert Field Reference

Alert Status Values

ValueDescription
NewNewly detected alert not yet reviewed
InProgressAlert is actively being investigated
ResolvedAlert investigation completed

Alert Classification Values

ValueLabel
TruePositiveTrue Positive
InformationalExpectedActivityInformational / Expected Activity
FalsePositiveFalse Positive

Alert Determination Values

ValueLabel
MultiStagedAttackMultistage Attack
MaliciousUserActivityMalicious User Activity
CompromisedUserCompromised Account
MalwareMalware
PhishingPhishing
UnwantedSoftwareUnwanted Software
OtherOther
SecurityTestingSecurity Test
LineOfBusinessApplicationLine-of-Business Application
ConfirmedActivityConfirmed Activity
NotMaliciousNot Malicious
InsufficientDataNot Enough Data to Validate

Note: Determination must be consistent with the chosen classification. For example, Malware and Phishing are only valid determinations for TruePositive alerts.

Indicator Action Values

ValueDescription
AlertGenerate an alert when matched
WarnWarn the end user and allow them to bypass
BlockBlock the action
AuditLog the event without blocking
BlockAndRemediateBlock and automatically remediate
AlertAndBlockGenerate an alert and block
AllowedExplicitly allow the indicator

Common Workflow Patterns

Incident Response — Device Isolation

  1. alert.list — retrieve new high-severity alerts
  2. alert.get — retrieve evidence and machine details from the alert
  3. machine.list — verify device health and risk score
  4. machineAction.isolate — isolate the device from the network
  5. machineAction.collectInvestigationPackage — collect forensic data
  6. alert.update — assign alert to analyst and set status to InProgress
  7. machineAction.get — poll until isolation action status is Succeeded

Threat Intelligence Enrichment

  1. Receive a suspicious indicator (IP, domain, file hash) from an upstream node
  2. ip.listAlerts / domain.listAlerts / file.listAlerts — check existing alerts
  3. ip.getStats / domain.getStats / file.getStats — retrieve prevalence statistics
  4. machine.list / file.listMachines / domain.listMachines — identify affected devices
  5. indicator.create — create a blocking IoC if confirmed malicious
  6. alert.update — update related alerts with investigation findings

Vulnerability Prioritization

  1. score.getExposureScore — check current organizational exposure
  2. vulnerability.list with $filter: severity eq 'High' — enumerate high-severity CVEs
  3. vulnerability.listMachines — per CVE, identify affected devices
  4. recommendation.list — retrieve actionable TVM recommendations
  5. remediationTask.list — check existing remediation activities

Automated Alert Triage

  1. alert.list with status=New and severity=High — retrieve new high-priority alerts
  2. file.get / ip.listAlerts / domain.listAlerts — enrich alert IOCs
  3. Based on enrichment outcome, alert.batchUpdate — bulk-classify and assign alerts

Troubleshooting

IssueResolution
Azure AD token error [invalid_client]Verify that Client ID and Client Secret are correct and that the secret has not expired
Azure AD token error [unauthorized_client]Confirm that the app registration exists in the correct tenant and that application (not delegated) permissions are configured
MDE API error [Forbidden]Ensure the required API permissions are configured and admin consent has been granted in Azure portal
MDE API error [NotFound] for alerts or machinesVerify the ID is correct and that the service principal has access to the relevant RBAC device groups
OData filter syntax errorsUse single quotes around string values (e.g., severity eq 'High'). Check supported field names for each resource — not all OData fields are filterable on all resources
Shortcut filter ignoredIf you provide both a shortcut filter (e.g., severity) and a raw $filter, the shortcut is ignored. Use one or the other
Machine action stuck in PendingCheck the device's online/health status in the MDE portal. Actions cannot be delivered to offline or isolated devices without active Defender connectivity
id is required on machine actionsMachine action operations require the machine ID (id), not the hostname or IP address. Use machine.list to look up the ID
Rate limit errors (HTTP 429)The integration retries automatically up to 3 times with exponential back-off (1 s, 2 s, 4 s). For batchUpdate, the limit is 10 calls/min and 500 calls/hr
Empty body (success: true)Some operations return HTTP 204 with no body (e.g., indicator.delete). The integration returns {"success": true} in these cases
User ID format errorsThe user resource requires the username only (e.g., jdoe), not the full UPN ([email protected])
Token expiry issuesThe integration caches tokens and refreshes them automatically with a 60-second safety buffer. Recreate the credential if persistent auth errors occur
Software ID not foundSoftware IDs follow the vendor-_-productname convention (e.g., microsoft-_-edge). Use software.list with a $filter to find the correct ID

Best Practices

  1. Grant minimum required permissions: Request only the API permissions needed for your workflow. Read-only workflows should use *.Read.All permissions only and omit *.ReadWrite.All.

  2. Rotate client secrets regularly: Azure App Registration client secrets expire. Set calendar reminders before expiry and update the NINA credential before the secret expires to avoid workflow failures.

  3. Use shortcut filters for simple queries: The severity, status, healthStatus, and similar shortcut parameters are easier to configure than raw OData and are combined automatically with and. Switch to raw $filter only when you need or logic or unsupported fields.

  4. Leverage $expand=evidence selectively: Including evidence inline in alert list calls increases response size. Use it only when you need evidence data, or fetch it separately with alert.get.

  5. Always record a comment for machine actions: The comment parameter is required by the MDE API for all machine actions and is stored in the action audit trail. Write meaningful comments that reference incident IDs for traceability.

  6. Poll machine actions to verify completion: Machine actions are asynchronous — they return a MachineAction object with a Pending or InProgress status immediately. Build polling logic using machineAction.get before assuming the action completed.

  7. Set expiration times on indicators: IoC indicators without an expiration time remain active indefinitely. Set expirationTime based on your threat intelligence confidence window and implement cleanup workflows for expired indicators.

  8. Use bulk operations where possible: batchUpdate for alerts and bulkAddOrRemoveTags for machines reduce API calls compared to per-item operations. Be mindful of rate limits (10 calls/min for batch alert updates).

  9. Paginate large result sets: Most list operations default to 100 records. Use $top and $skip to page through large datasets. For vulnerability.list the maximum is 8,000 records per page; for most other list operations it is 10,000.

  10. Scope indicators with RBAC groups: Use rbacGroupNames on indicator creation to limit the indicator's enforcement scope to specific device groups, avoiding unintended blocking across the organization.

  11. Monitor exposure scores proactively: Include score.getExposureScore and score.getDeviceSecureScore in regular reporting workflows to track the organization's security posture trend over time.

  12. Handle 204 No Content responses: Operations like indicator.delete return no body. The integration normalizes this to {"success": true} — check for this key in downstream nodes instead of parsing a full response object.

  13. Use template variables for dynamic workflows: Use {{variable_name}} syntax to pass alert IDs, machine IDs, and other values from upstream nodes dynamically, avoiding hardcoded identifiers in node configurations.

  14. Test credentials before production use: Use the Test Connection button when creating credentials. It acquires an OAuth token from Azure AD and fails fast if the tenant, client ID, or secret are incorrect — before any workflow runs.

Security Considerations

  1. Protect client secrets: Store credentials exclusively through NINA's credential manager. Never include Client IDs or secrets in workflow parameters, logs, or comments.

  2. Use dedicated service accounts: Register a dedicated Azure App for this integration rather than reusing credentials across multiple systems. This limits the blast radius if credentials are compromised.

  3. Restrict RBAC device group access: In the MDE portal, you can limit which device groups the API service principal has access to. Restrict access to only the device groups relevant to your automation workflows.

  4. Audit machine action usage: Machine actions (isolation, file quarantine, code restriction) have direct operational impact. Implement workflow-level approval gates and log all actions for audit purposes.

  5. Review indicator lifecycles: Regularly audit active IoC indicators (indicator.list) to remove stale or incorrect entries. A misconfigured block indicator can disrupt legitimate business traffic.

Updated: 2026-05-11