Automate provides support for Microsoft Defender for Endpoint, that addresses user devices (laptops, phones, tablets, PCs) and network devices (access points, routers, firewalls).

The administrator interface provides dashboards for the view and management of data:

Incidents

Related device model: device/msgraphsecurity/Incident

Automate provides an Incidents list view showing such headings as the incident Status and Severity at a hierarchy (Located At), and allows for the examination of the Details of an incident, including for example the Incident Web URL at security.microsoft.com.

Details example in JSON:

{
    "id": "5",
    "tenantId": "f372af60-59d5-4e03-a849-9e46a432aac0",
    "status": "redirected",
    "incidentWebUrl": "https://security.microsoft.com/incident2/5/overview?tid=...",
    "redirectIncidentId": "1",
    "displayName": "[Test Alert] Suspicious Powershell commandline",
    "createdDateTime": "2025-05-07T13:12:59.9233333Z",
    "lastUpdateDateTime": "2025-05-07T13:13:12.24Z",
    "classification": "unknown",
    "determination": "unknown",
    "severity": "informational",
    "customTags": [],
    "systemTags": [],
    "lastModifiedBy": "Microsoft 365 Defender-AlertCorrelation",
    "comments": []
}

Alerts

Related device model: device/msgraphsecurity/Alerts

Automate provides an Alerts list view showing such headings as the incident Title, Status, Severity, Description and Device at a hierarchy (Located At), and allows for the Details of an instance to be viewed and managed.

Managing an alert

Administrators can manage the following alert properties:

Status
Classification
Determination
Assigned To

Details snippet in JSON:

"category": "Execution",
"status": "resolved",
"severity": "informational",
"classification": "falsePositive",
"determination": "malware",
"serviceSource": "microsoftDefenderForEndpoint",
"detectionSource": "microsoftDefenderForEndpoint",
"createdDateTime": "2025-05-06T14:13:19.0633333Z",
"lastUpdateDateTime": "2025-08-21T02:47:29.24Z",
"resolvedDateTime": "2025-08-21T02:47:29.17Z",
"firstActivityDateTime": "2025-05-06T14:06:51.7300174Z",
"lastActivityDateTime": "2025-05-06T21:45:13.6345713Z",
"deviceEvidence": {
...
},
"userEvidence": {
...
},
"productName": "Microsoft Defender for Endpoint",
"deviceDnsName": "windows-endpoint",
"deviceTags": [
...
],
"userAccountName": "defender-admin",
"userSid": "..."

Device Actions

Model Details: device/mssecurity/Machine

An asterisk * in the title indicates the field is mandatory.
If a field has a default value, it is shown in the Description column.
If the field type is an array, the Field Name has a .[n] suffix, where n is the array index placeholder.
Object and array field names are listed to provide context. If a field belongs to an object or an array, the full field name is shown in dot separated notation.

Title			Description	Details
Machine ID			machine identity	Field Name: id Type: String
Computer DNS Name			machine fully qualified name	Field Name: computerDnsName Type: String
First Seen			First date and time where the machine was observed by Microsoft Defender for Endpoint	Field Name: firstSeen Type: String Format: date-time
Last Seen			Time and date of the last received full device report. A device typically sends a full report every 24 hours	Field Name: lastSeen Type: String Format: date-time
OS Platform			Operating system platform	Field Name: osPlatform Type: String
OS Version			Operating system Version	Field Name: version Type: String
OS Build			Operating system build number	Field Name: osBuild Type: ["Integer", "Null"]
Last IP Address			Last IP on local NIC on the machine	Field Name: lastIpAddress Type: String
Last External IP Address			Last IP through which the machine accessed the internet	Field Name: lastExternalIpAddress Type: String
Health Status			machine health status	Field Name: healthStatus Type: String
RBAC Group Name			Machine group Name	Field Name: rbacGroupName Type: String
RBAC Group ID			Machine group ID	Field Name: rbacGroupId Type: String
Risk Score			Risk score as evaluated by Microsoft Defender for Endpoint	Field Name: riskScore Type: ["String", "Null"]
AAD Device ID			Microsoft Entra Device ID (when machine is Microsoft Entra joined)	Field Name: aadDeviceId Type: ["String", "Null"]
	Machine Tags		Set of machine tags	Field Name: machineTags.[n] Type: Array
Exposure Level			Exposure level as evaluated by Microsoft Defender for Endpoint	Field Name: exposureLevel Type: ["String", "Null"]
Device Value			The value of the device	Field Name: deviceValue Type: ["String", "Null"]
Onboarding Status			Status of machine onboarding	Field Name: onboardingStatus Type: String
OS Architecture			Operating system architecture	Field Name: osArchitecture Type: String
Managed By				Field Name: managedBy Type: String
	IP Addresses		Set of IpAddress objects	Field Name: ipAddresses.[n] Type: Array
		IP Address		Field Name: ipAddresses.[n].ipAddress Type: String
		MAC Address		Field Name: ipAddresses.[n].macAddress Type: ["String", "Null"]
		Type		Field Name: ipAddresses.[n].type Type: String
		Operational Status		Field Name: ipAddresses.[n].operationalStatus Type: String
VM Metadata				Field Name: vmMetadata Type: Object
	VM ID			Field Name: vmMetadata.vmId Type: String
	Cloud Provider			Field Name: vmMetadata.cloudProvider Type: String
	Resource ID			Field Name: vmMetadata.resourceId Type: String
	Subscription ID			Field Name: vmMetadata.subscriptionId Type: String

Model: device/mssecurity/Machine

Incidents

Incidents

Alerts

View Devices

Bulk Actions

Machine Action

Model Details: device/mssecurity/Machine