Microsoft Defender for Endpoint security management and policies#

Microsoft

Overview#

Automate provides support for Microsoft Defender for Endpoint, which addresses user devices (laptops, phones, tablets, PCs) and network devices (access points, routers, firewalls).

Note

Microsoft Defender for Endpoint dashboards#

The admin GUI provides dashboards for viewing and managing Microsoft Defender for Endpoint data:

The Microsoft Defender for Endpoint dashboards display default counters for data totals, and quick actions for viewing and managing this data:

  • Defender for Endpoint Overview dashboard

    Displays counters, charts, and tables showing total count details for alerts and devices visible from the admin’s hierarchy. For example, the total number of alerts under investigation, active alerts, high severity alerts, devices, unhealthy devices, and high risk devices. This dashboard also displays data showing percentage secure score trends, daily alerts trend, alert severity metrics, a count of devices per platform, a count of devices by device group, and alerts and devices.

  • Defender for Endpoint Actions dashboard displays:

    • Top ten action counts by machine (machines with the highest action counts)

    • Device count by exposure (count of machines by exposure level)

    • Device count by status (machine actions by type of action)

    • Action count by type (machine actions by type of action )

    Quick actions on this dashboard allow you to:

    • View alerts and incidents

    • View devices

    • Perform bulk actions

    • Manage isolation of devices

    • Manage code execution on devices

    • Stop and quarantine files on devices

    • View and manage machine actions

    • Initiate scans on devices

    • Offboard devices

    • Collect investigation data from devices

Customizing Microsoft Defender for Endpoint dashboards

The system allows you to customize dashboards:

  • See: Introduction to VOSS dashboards.

  • Resources are available to dashboard widgets where Data Source is Automate Analyzed. For example:

    • Defender Actions, Shows Microsoft Defender actions, device/mssecurity/MachineAction

    • Defender Alerts,Shows Microsoft Defender alerts, device/msgraphsecurity/Alert

    • Defender Devices,Shows onboarded Microsoft Defender devices, device/mssecurity/Machine

    • Defender Exposure Score by Device Group,Shows Microsoft Defender exposure score by device group, device/mssecurity/ExposureScoreByMachineGroups

    • Defender Incidents,Shows Microsoft Defender incidents, device/msgraphsecurity/Incident

    • Defender Secure Score,Shows Microsoft Defender Secure Score, device/msgraphsecurity/SecureScore

../../_images/ms-defender-endpoint-dashboard-overview.png

Incident and Alert Actions#

This panel provides access to quick actions for Microsoft Defender incidents and alerts.

  • View Incidents: Link to a summary list view of Microsoft security incidents in the system and their details (device/msgraphsecurity/Incident)

  • View Alerts: Link to a summary list view of Microsoft security alerts in the system for the selected hierarchy their details (device/msgraphsecurity/Alert)

View incidents#

  1. Go to Defender for Endpoint Actions.

  2. Click View Incidents.

  3. View the summary list of incidents, providing the following details for each incident:

    • Display name

    • Status

    • Severity

    • Created date time

    • Last update date time

    • Located at (hierarchy)

  4. Click on an incident in the list view for further details, including, for example, the Incident Web URL at security.microsoft.com.

    Details example in JSON:

    {
    "id": "5",
    "tenantId": "f372af60-59d5-4e03-a849-9e46a432aac0",
    "status": "redirected",
    "incidentWebUrl": "https://security.microsoft.com/incident2/5/overview?tid=...",
    "redirectIncidentId": "1",
    "displayName": "[Test Alert] Suspicious Powershell commandline",
    "createdDateTime": "2025-05-07T13:12:59.9233333Z",
    "lastUpdateDateTime": "2025-05-07T13:13:12.24Z",
    "classification": "unknown",
    "determination": "unknown",
    "severity": "informational",
    "customTags": [],
    "systemTags": [],
    "lastModifiedBy": "Microsoft 365 Defender-AlertCorrelation",
    "comments": []
}

View alerts#

  1. Go to Defender for Endpoint Actions.

  2. Click View Alerts.

  3. View the summary list of alerts, providing the following details for each incident:

    • Title

    • Device tags

    • Severity

    • Status

    • Category

    • Detection source

    • Created date time

    • Last update date time

    • Classification

    • Determination

    • Assigned to

    • Description

    • Located at (hierarchy)

  4. Click on an alert to view and manage the alert instance. The following alert properties can be managed:

    • Status

    • Classification

    • Determination

    • Assigned to

    Details example (JSON):

    "category": "Execution",
"status": "resolved",
"severity": "informational",
"classification": "falsePositive",
"determination": "malware",
"serviceSource": "microsoftDefenderForEndpoint",
"detectionSource": "microsoftDefenderForEndpoint",
"createdDateTime": "2025-05-06T14:13:19.0633333Z",
"lastUpdateDateTime": "2025-08-21T02:47:29.24Z",
"resolvedDateTime": "2025-08-21T02:47:29.17Z",
"firstActivityDateTime": "2025-05-06T14:06:51.7300174Z",
"lastActivityDateTime": "2025-05-06T21:45:13.6345713Z",
"deviceEvidence": {
...
},
"userEvidence": {
...
},
"productName": "Microsoft Defender for Endpoint",
"deviceDnsName": "windows-endpoint",
"deviceTags": [
...
],
"userAccountName": "defender-admin",
"userSid": "..."

Device Actions#

This panel provides access to quick actions for Microsoft Defender devices.

  • View devices: Link to view device information for a selected hierarchy as reported by the Microsoft security machine objects (device/mssecurity/Machine)

  • View and Manage Machine Actions: Link to a list of actions initiated and status for devices (relation/MachineAction)

  • Bulk Actions: Link to perform bulk actions on Defender devices (view/DefenderBulkActions)

  • Initiate Scan on Device(s): Link to a form for initiating a scan on one or more devices with the associated type (view/DefenderBulkActions)

  • Manage Isolation of Device(s): Link to a form where you can choose to isolate or unisolate on one or more devices with the associated type (view/DefenderBulkActions)

  • Offboard Device(s): Link to a form where you can initiate offboarding of one or more devices from the system (view/DefenderBulkActions)

  • Manage code execution on device(s): Link to a form where you can restrict or unrestrict code execution on one or more devices (view/DefenderBulkActions)

  • Collect investigation from device(s): Link to a form for collecting investigation package from one or more devices (view/DefenderBulkActions)

  • Stop and Quarantine File on device(s): Link to a form where you can stop and quarantine a file on a device (view/DefenderBulkActions)

View devices#

The Microsoft Defender View Devices list view displays device details, including the device’s Last IP Address, Health Status, Exposure Level, and the device located at hierarchy.

View and manage machine actions#

The relation/MachineAction model is available to allow for the execution of Cancel action. (This action sends a request to device/mssecurity/MachineActionCancel.)

../../_images/ms-defender-machine-action.png

Bulk device actions#

Automate provides several interfaces to perform bulk actions on one or more devices:

  1. Go to Defender for Endpoint Actions.

  2. Choose the relevant site.

  3. Choose a bulk action, either of the following:

    • Bulk Actions

    • Initiate scan on devices

    • Manage isolation of devices

    • Offboard devices

    • Manage code execution on devices

    • Collect investigation from devices

    • Stop and quarantine file on devices

  4. (Optional). Select a device filter (by operating system), either all, Windows, macOS, Linux, Android, or iOS.

  5. (Mandatory). Select an operation, either of the following: Scan, Isolate, Un-isolate, Offboard, Restrict code execution, Unrestrict code execution

  6. (Optional). Provide a comment to explain the action.

  7. (Optional). Select type, either Full or Quick.

  8. At Target Defender Devices transfer boxes, select relevant devices (one or more) from the Available field then click the single or double arrow to move these devices to the Selected field.

  9. Click Save.

../../_images/ms-defender-bulk-actions.png

Initiate scan on devices

../../_images/ms-defender-for-endpoint-initiate-scan-on-devices.png

Manage isolation of devices

../../_images/ms-defender-for-endpoint-manage-isolation-of-devices.png

Offboard devices

../../_images/ms-defender-for-endpoint-offboard-devices.png

Manage code execution on devices

../../_images/ms-defender-for-endpoint-manage-code-execution-on-devices.png

Collect investigation from devices

../../_images/ms-defender-for-endpoint-collect-investigation-from-devices.png

Stop and quarantine file on devices

../../_images/ms-defender-for-endpoint-stop-and-quarantine-file-on-devices.png

Related topics