Model: view/DefenderBulkActions

Incidents

MICROSOFT

Overview

Automate provides support for Microsoft Defender for Endpoint, that addresses user devices (laptops, phones, tablets, PCs) and network devices (access points, routers, firewalls).

Note

The following entry under Global settings, Enabled Services needs to be enabled: Enable Defender for Endpoint - see: Global Settings.
For further setup and configuration, see: Microsoft Defender setup, sync and overbuild.

Dashboards

The administrator interface provides dashboards for the view and management of data:

Dashboards:: Security Management - Defender for Endpoint Overview Security Management - Defender for Endpoint Actions

Dashboards:

By default:
- The Defender for Endpoint Overview dashboard provides the administrator with counters, charts and tables showing information on alerts and devices that are visible from the administrator's hierarchy, for example the total number of alerts and status breakdowns by site, as well as an overview of device types and platforms.
- The Defender for Endpoint Actions dashboard also provides the administrator with counters on alerts and devices, as well as quick links to view and manage incident, alert and device actions.

To customize your dashboards:

See: Automate Dashboards.
Resources have been added and are available to widgets on a dashboard where Data Source is Automate Analyzed.

For example:
- Defender Actions, Shows Microsoft Defender actions, device/mssecurity/MachineAction
- Defender Alerts,Shows Microsoft Defender alerts, device/msgraphsecurity/Alert
- Defender Devices,Shows onboarded Microsoft Defender devices, device/mssecurity/Machine
- Defender Exposure Score by Device Group,Shows Microsoft Defender exposure score by device group, device/mssecurity/ExposureScoreByMachineGroups
- Defender Incidents,Shows Microsoft Defender incidents, device/msgraphsecurity/Incident
- Defender Secure Score,Shows Microsoft Defender Secure Score, device/msgraphsecurity/SecureScore

Incident and Alert Actions

Incidents

Related device model: device/msgraphsecurity/Incident

Automate provides an Incidents list view showing such headings as the incident Status and Severity at a hierarchy (Located At), and allows for the examination of the Details of an incident, including for example the Incident Web URL at security.microsoft.com.

Details example in JSON:

{
    "id": "5",
    "tenantId": "f372af60-59d5-4e03-a849-9e46a432aac0",
    "status": "redirected",
    "incidentWebUrl": "https://security.microsoft.com/incident2/5/overview?tid=...",
    "redirectIncidentId": "1",
    "displayName": "[Test Alert] Suspicious Powershell commandline",
    "createdDateTime": "2025-05-07T13:12:59.9233333Z",
    "lastUpdateDateTime": "2025-05-07T13:13:12.24Z",
    "classification": "unknown",
    "determination": "unknown",
    "severity": "informational",
    "customTags": [],
    "systemTags": [],
    "lastModifiedBy": "Microsoft 365 Defender-AlertCorrelation",
    "comments": []
}

Alerts

Related device model: device/msgraphsecurity/Alerts

Automate provides an Alerts list view showing such headings as the incident Title, Status, Severity, Description and Device at a hierarchy (Located At), and allows for the Details of an instance to be viewed and managed.

Managing an alert

Administrators can manage the following alert properties:

Status
Classification
Determination
Assigned To

Details snippet in JSON:

"category": "Execution",
"status": "resolved",
"severity": "informational",
"classification": "falsePositive",
"determination": "malware",
"serviceSource": "microsoftDefenderForEndpoint",
"detectionSource": "microsoftDefenderForEndpoint",
"createdDateTime": "2025-05-06T14:13:19.0633333Z",
"lastUpdateDateTime": "2025-08-21T02:47:29.24Z",
"resolvedDateTime": "2025-08-21T02:47:29.17Z",
"firstActivityDateTime": "2025-05-06T14:06:51.7300174Z",
"lastActivityDateTime": "2025-05-06T21:45:13.6345713Z",
"deviceEvidence": {
...
},
"userEvidence": {
...
},
"productName": "Microsoft Defender for Endpoint",
"deviceDnsName": "windows-endpoint",
"deviceTags": [
...
],
"userAccountName": "defender-admin",
"userSid": "..."

Device Actions

View Devices

Related device model: device/mssecurity/Machine

Automate provides an View Devices list view showing such headings as the Last IP Address, Health Status, Exposure Level and Device at a hierarchy (Located At), and allows for the examination of the Details of a device.

Bulk Actions

Automate provides an interface to carry out bulk actions on devices. For Target Defender Devices, the Available and Selected transfer boxes are available to select devices accessible from a hierarchy to carry out operations in bulk:

Device Filter: by operating system - all, Windows, macOS, Linux, Android, IOS
Operation: Scan, isolate, un-isolate, offboard, restrict code execution, unrestrict code execution
Type: full, quick

Machine Action

The relation/MachineAction model is available to allow for the execution of Cancel action. (This action sends a request to device/mssecurity/MachineActionCancel.)

Model Details: view/DefenderBulkActions

An asterisk * in the title indicates the field is mandatory.
If a field has a default value, it is shown in the Description column.
If the field type is an array, the Field Name has a .[n] suffix, where n is the array index placeholder.
Object and array field names are listed to provide context. If a field belongs to an object or an array, the full field name is shown in dot separated notation.

Title		Description	Details
Device Filter		Select the type of Defender for Endpoint device to list below for selection to bulk update. Default: All	Field Name: filter Type: String Default: All Choices: ["All", "Windows", "macOS", "Linux", "Android", "iOS"]
Operation *		Default: Scan	Field Name: operation Type: String Default: Scan Choices: ["Scan", "Isolate", "Unisolate", "Offboard", "Restrict Code Execution", "Unrestrict Code Execution", "Collect Investigation Package", "Stop and Quarantine File"]
Comment		A comment to be added for this device action.	Field Name: comments Type: String
Machine SHA1		SHA1 hash of the file to be quarantined.	Field Name: sha1 Type: String
Type		Select the type of scan to perform. Default: Full	Field Name: scanType Type: String Default: Full Choices: ["Full", "Quick"]
Isolation Type		Select the type of isolation to perform. Default: Full	Field Name: isolationType Type: String Default: Full Choices: ["Full", "Selective", "UnManaged Device"]
	Target Defender Devices	List of Defender for Endpoint devices that will be updated.	Field Name: targetDevices.[n] Type: Array