Endpoint Security - Microsoft Defender for Endpoint
API capability pack for bounded Microsoft Defender for Endpoint operations against https://api.security.microsoft.com. Enroll a Microsoft Defender for Endpoint OAuth bearer connection named microsoft-defender with least-privilege WindowsDefenderATP API permissions for the installed operations. The pack reads alerts, machines, machine-related alerts, logon users, machine actions, exposure score, security recommendations, and vulnerability information for endpoint security triage, vulnerability review, and incident response context. It bundles a scheduled endpoint security digest, an AI-assisted machine investigation brief, and approval-gated workflows for isolating one machine, releasing one machine from isolation, or updating one alert. The pack intentionally excludes advanced hunting query passthrough, live response, offboarding, antivirus scan actions, file quarantine/stop actions, package collection, cancel action, machine tag mutation, indicator creation/deletion, alert creation, bulk alert update, raw tenant export/download endpoints, arbitrary Defender API passthrough, and credential-bearing fields in operation arguments.
What this pack installs
- Microsoft Defender endpoint security digest Recipe
- Microsoft Defender machine investigation brief Recipe
- Isolate a Microsoft Defender endpoint machine Recipe
- Release a Microsoft Defender endpoint machine from isolation Recipe
- Update a Microsoft Defender endpoint alert Recipe
- microsoft-defender-endpoint Ingredient
Trust & control
What installing this whole pack would let it do. Recued grants these permissions at install — review them there before approving.