Skip to content
Recued
Menu
← Back to recipes

Microsoft Defender machine investigation brief

by recued-core v1

Read-only investigation brief for one Microsoft Defender for Endpoint machine. It reads machine posture, related alerts, discovered vulnerabilities, observed logon users, and recent machine actions through recued-core.microsoft-defender-endpoint, then asks the AI summarizer for incident context, endpoint risk, vulnerable software signals, and next steps. It never isolates, releases isolation, updates alerts, runs live response, offboards devices, scans, quarantines files, collects packages, mutates tags, or calls arbitrary Defender APIs.

How it works 23 steps

Inspect the data fetches, transforms, gates, and output this recipe runs.

Process (23 steps)
machine_id trim
Trim whitespace from setting machine id
machine_action_filter template
Generate text from a template
machine ?
alerts_raw ?
vulnerabilities_raw ?
logon_users_raw ?
actions_raw ?
alerts default
Apply default
vulnerabilities default
Apply default
logon_users default
Apply default
actions default
Apply default
alert_count count
Count items in alerts
vulnerability_count count
Count items in vulnerabilities
logon_user_count count
Count items in logon users
action_count count
Count items in actions
summarize ?
alert_rows slice
Take a subset of
vulnerability_rows slice
Take a subset of
logon_user_rows slice
Take a subset of
alert_table to_table
Format results as a data table
vulnerability_table to_table
Format results as a data table
logon_user_table to_table
Format results as a data table
card to_summary
Format results as a summary card
Settings 5 configurable

Configurable at install. Defaults shown — change them anytime in Recued.

focus setting = Summarize this Defender for Endpoint machine's risk score, exposure level, health, OS, last seen time, related alerts, logon users, discovered vulnerabilities, recent machine actions, likely priority, and concrete next steps. Do not invent facts outside the Defender data.
row limit setting = 20
machine id setting =
max length setting = 900
microsoft defender setting =

Trust & control

What installing this recipe would let it do. Recued grants these permissions at install — review them there before approving.

Where it runs

Device + server Runs on your device (browser) or your server.

Permissions it requires

Read your Microsoft-defender connection
Declared by the recipe — Recued grants these at install, where you review them before approving.

About

Tags

microsoft-defender-endpoint microsoft-defender-endpointdefender-for-endpointendpoint-securitymachinesalertsvulnerabilitiesai-summarypack:microsoft-defender-endpoint

Details

23 steps 5 configurable settings recipe_id: microsoft-defender-endpoint-machine-brief