Automate provides support for Microsoft Defender for Endpoint, which addresses user devices (laptops, phones, tablets, PCs) and network devices (access points, routers, firewalls).

The admin GUI provides dashboards for viewing and managing Microsoft Defender for Endpoint data:

Security Management - Defender for Endpoint Overview Security Management - Defender for Endpoint Actions

The Microsoft Defender for Endpoint dashboards display default counters for data totals, and quick actions for viewing and managing this data:

This panel provides access to quick actions for Microsoft Defender incidents and alerts.

View incidents

Go to Defender for Endpoint Actions.
Click View Incidents.
View the summary list of incidents, providing the following details for each incident:
- Display name
- Status
- Severity
- Created date time
- Last update date time
- Located at (hierarchy)

Click on an incident in the list view for further details, including, for example, the Incident Web URL at security.microsoft.com.

Details example in JSON:

{
    "id": "5",
    "tenantId": "f372af60-59d5-4e03-a849-9e46a432aac0",
    "status": "redirected",
    "incidentWebUrl": "https://security.microsoft.com/incident2/5/overview?tid=...",
    "redirectIncidentId": "1",
    "displayName": "[Test Alert] Suspicious Powershell commandline",
    "createdDateTime": "2025-05-07T13:12:59.9233333Z",
    "lastUpdateDateTime": "2025-05-07T13:13:12.24Z",
    "classification": "unknown",
    "determination": "unknown",
    "severity": "informational",
    "customTags": [],
    "systemTags": [],
    "lastModifiedBy": "Microsoft 365 Defender-AlertCorrelation",
    "comments": []
}

View alerts

Go to Defender for Endpoint Actions.
Click View Alerts.
View the summary list of alerts, providing the following details for each incident:
- Title
- Device tags
- Severity
- Status
- Category
- Detection source
- Created date time
- Last update date time
- Classification
- Determination
- Assigned to
- Description
- Located at (hierarchy)

Click on an alert to view and manage the alert instance. The following alert properties can be managed:

Status
Classification
Determination
Assigned to

Details example (JSON):

"category": "Execution",
"status": "resolved",
"severity": "informational",
"classification": "falsePositive",
"determination": "malware",
"serviceSource": "microsoftDefenderForEndpoint",
"detectionSource": "microsoftDefenderForEndpoint",
"createdDateTime": "2025-05-06T14:13:19.0633333Z",
"lastUpdateDateTime": "2025-08-21T02:47:29.24Z",
"resolvedDateTime": "2025-08-21T02:47:29.17Z",
"firstActivityDateTime": "2025-05-06T14:06:51.7300174Z",
"lastActivityDateTime": "2025-05-06T21:45:13.6345713Z",
"deviceEvidence": {
...
},
"userEvidence": {
...
},
"productName": "Microsoft Defender for Endpoint",
"deviceDnsName": "windows-endpoint",
"deviceTags": [
...
],
"userAccountName": "defender-admin",
"userSid": "..."

Device Actions

This panel provides access to quick actions for Microsoft Defender devices.

View devices: Link to view device information for a selected hierarchy as reported by the Microsoft security machine objects (device/mssecurity/Machine)
View and Manage Machine Actions: Link to a list of actions initiated and status for devices (relation/MachineAction)
Bulk Actions: Link to perform bulk actions on Defender devices (view/DefenderBulkActions)
Initiate Scan on Device(s): Link to a form for initiating a scan on one or more devices with the associated type (view/DefenderBulkActions)
Manage Isolation of Device(s): Link to a form where you can choose to isolate or unisolate on one or more devices with the associated type (view/DefenderBulkActions)
Offboard Device(s): Link to a form where you can initiate offboarding of one or more devices from the system (view/DefenderBulkActions)
Manage code execution on device(s): Link to a form where you can restrict or unrestrict code execution on one or more devices (view/DefenderBulkActions)
Collect investigation from device(s): Link to a form for collecting investigation package from one or more devices (view/DefenderBulkActions)
Stop and Quarantine File on device(s): Link to a form where you can stop and quarantine a file on a device (view/DefenderBulkActions)

View devices

The Microsoft Defender View Devices list view displays device details, including the device's Last IP Address, Health Status, Exposure Level, and the device located at hierarchy.

View and manage machine actions

The relation/MachineAction model is available to allow for the execution of Cancel action. (This action sends a request to device/mssecurity/MachineActionCancel.)

Bulk device actions

Automate provides several interfaces to perform bulk actions on one or more devices:

Go to Defender for Endpoint Actions.
Choose the relevant site.
Choose a bulk action, either of the following:
- Bulk Actions
- Initiate scan on devices
- Manage isolation of devices
- Offboard devices
- Manage code execution on devices
- Collect investigation from devices
- Stop and quarantine file on devices
(Optional). Select a device filter (by operating system), either all, Windows, macOS, Linux, Android, or iOS.
(Mandatory). Select an operation, either of the following: Scan, Isolate, Un-isolate, Offboard, Restrict code execution, Unrestrict code execution
(Optional). Provide a comment to explain the action.
(Optional). Select type, either Full or Quick.
At Target Defender Devices transfer boxes, select relevant devices (one or more) from the Available field then click the single or double arrow to move these devices to the Selected field.
Click Save.

Initiate scan on devices

Manage isolation of devices

Offboard devices

Manage code execution on devices

Collect investigation from devices

Stop and quarantine file on devices

Related topics

Microsoft Defender setup, sync and overbuild
Microsoft Defender for Office security management and policies

Model Details: device/msgraphsecurity/Incident

An asterisk * in the title indicates the field is mandatory.
If a field has a default value, it is shown in the Description column.
If the field type is an array, the Field Name has a .[n] suffix, where n is the array index placeholder.
Object and array field names are listed to provide context. If a field belongs to an object or an array, the full field name is shown in dot separated notation.

Title		Details
Id		Field Name: id Type: String MaxLength: 1024
Tenant ID		Field Name: tenantId Type: String MaxLength: 1024
Status		Field Name: status Type: String MaxLength: 1024
Incident Web URL		Field Name: incidentWebUrl Type: String MaxLength: 1024
Redirect Incident ID		Field Name: redirectIncidentId Type: String MaxLength: 1024
Display Name		Field Name: displayName Type: String MaxLength: 1024
Created DateTime		Field Name: createdDateTime Type: String MaxLength: 1024 Format: date-time
Last Update DateTime		Field Name: lastUpdateDateTime Type: String MaxLength: 1024 Format: date-time
Assigned To		Field Name: assignedTo Type: String MaxLength: 1024
Classification		Field Name: classification Type: String MaxLength: 1024
Determination		Field Name: determination Type: String MaxLength: 1024
Severity		Field Name: severity Type: String MaxLength: 1024
	Custom Tags	Field Name: customTags.[n] Type: Array
	System Tags	Field Name: systemTags.[n] Type: Array
Description		Field Name: description Type: String MaxLength: 1024
Last Modified By		Field Name: lastModifiedBy Type: String MaxLength: 1024
Resolving Comment		Field Name: resolvingComment Type: String MaxLength: 1024
Summary		Field Name: summary Type: String MaxLength: 1024
	Comments	Field Name: comments.[n] Type: Array

Model: device/msgraphsecurity/Incident

Incidents

View incidents

View alerts

View devices

View and manage machine actions

Bulk device actions

Model Details: device/msgraphsecurity/Incident