Supported Microsoft Defender for Endpoint APIs
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
Important
Advanced hunting capabilities are not included in Defender for Business.
Endpoint URI and versioning
Endpoint URI
The service base URI is: https://api.security.microsoft.com
OData-based queries have the '/api' prefix. For example, to get alerts, send a GET request to https://api.security.microsoft.com/api/alerts
Versioning
The API supports versioning.
The current version is V1.0. To use a specific version, use this format: https://api.security.microsoft.com/api/{Version}. For example: https://api.security.microsoft.com/api/v1.0/alerts
If you don't specify a version (for example, https://api.security.microsoft.com/api/alerts), you get the latest version.
Note
If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.
Tip
For better performance, you can use the server closer to your geographic location:
- us.api.security.microsoft.com
- eu.api.security.microsoft.com
- uk.api.security.microsoft.com
- au.api.security.microsoft.com
- swa.api.security.microsoft.com
- ina.api.security.microsoft.com
Learn more about the individual supported entities that you can run API calls against, including details such as HTTP request values, request headers, and expected responses.
In this section
Topic | Description |
---|---|
Advanced Hunting methods | Run queries from API. |
Alert methods and properties | Run API calls such as - get alerts, create alert, update alert and more. |
Export Assessment per-device methods and properties | Run API calls to gather vulnerability assessments on a per-device basis, such as: - export secure configuration assessment, export software inventory assessment, export software vulnerabilities assessment, and delta export software vulnerabilities assessment. |
Automated investigation methods and properties | Run API calls such as - get collection of Investigation. |
Export device health methods and properties | Run API calls such as - GET /api/public/avdeviceshealth. |
Domain-related alerts | Run API calls such as - get domain-related devices, domain statistics and more. |
File methods and properties | Run API calls such as - get file information, file related alerts, file related devices, and file statistics. |
Indicators methods and properties | Run API calls such as - get Indicators, create Indicator, and delete Indicators. |
IP-related alerts | Run API calls such as - get IP-related alerts and get IP statistics. |
Machine methods and properties | Run API calls such as - get devices, get devices by ID, information about logged on users, edit tags and more. |
Machine Action methods and properties | Run API calls such as - Isolation, Run anti-virus scan and more. |
Recommendation methods and properties | Run API calls such as - get recommendation by ID. |
Remediation activity methods and properties | Run API calls such as - get all remediation tasks, get exposed devices remediation task and get one remediation task by id. |
Score methods and properties | Run API calls such as - get exposure score or get device secure score. |
Software methods and properties | Run API calls such as - list vulnerabilities by software. |
User methods and properties | Run API calls such as - get user-related alerts and user-related devices. |
Vulnerability methods and properties | Run API calls such as - list devices by vulnerability. |