Security & Compliance

List Defender State

get

Retrieves the status of Microsoft Defender across devices

Query parameters

tenantFilterstringRequired

The tenant to filter by

Responses

200

Defender state retrieved successfully

application/json

deviceNamestringOptional

The name of the device

400

Bad request

401

Unauthorized

500

Internal server error

get

/ListDefenderState

GET /api/ListDefenderState?tenantFilter=text HTTP/1.1
Accept: */*

[
  {
    "deviceName": "text",
    "windowsProtectionState": {
      "malwareProtectionEnabled": true,
      "realTimeProtectionEnabled": true,
      "networkInspectionSystemEnabled": true,
      "deviceState": "text",
      "quickScanOverdue": true,
      "fullScanOverdue": true,
      "signatureUpdateOverdue": true,
      "rebootRequired": true,
      "lastReportedDateTime": "2026-02-22T06:04:18.339Z"
    }
  }
]

List Defender Threat & Vulnerability Management

get

Retrieves software vulnerabilities detected by Microsoft Defender

Query parameters

tenantFilterstringRequired

The tenant to filter by

Responses

200

Defender TVM data retrieved successfully

application/json

affectedDevicesCountintegerOptional

The number of affected devices

affectedDevicesstring[]Optional

The list of affected devices

osPlatformstringOptional

The OS platform

softwareVendorstringOptional

The software vendor

softwareNamestringOptional

The software name

vulnerabilitySeverityLevelstringOptional

The severity level of the vulnerability

cvssScorenumberOptional

The CVSS score

securityUpdateAvailablebooleanOptional

Whether a security update is available

exploitabilityLevelstringOptional

The exploitability level

cveIdstringOptional

The CVE ID

400

Bad request

401

Unauthorized

500

Internal server error

get

/ListDefenderTVM

GET /api/ListDefenderTVM?tenantFilter=text HTTP/1.1
Accept: */*

[
  {
    "affectedDevicesCount": 1,
    "affectedDevices": [
      "text"
    ],
    "osPlatform": "text",
    "softwareVendor": "text",
    "softwareName": "text",
    "vulnerabilitySeverityLevel": "text",
    "cvssScore": 1,
    "securityUpdateAvailable": true,
    "exploitabilityLevel": "text",
    "cveId": "text"
  }
]

Add Defender Deployment

post

Deploys Microsoft Defender policies to selected tenants

Body

Responses

200

Defender deployment added successfully

application/json

ResultsobjectOptional

The results of the operation

400

Bad request

401

Unauthorized

500

Internal server error

post

/AddDefenderDeployment

POST /api/AddDefenderDeployment HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 1158

{
  "selectedTenants": [
    {
      "value": "text",
      "label": "text"
    }
  ],
  "Compliance": {
    "AllowMEMEnforceCompliance": true,
    "ConnectIosCompliance": true,
    "ConnectAndroidCompliance": true,
    "ConnectWindows": true,
    "AppSync": true,
    "BlockunsupportedOS": true,
    "ConnectAndroid": true,
    "ConnectIos": true
  },
  "EDR": {
    "Telemetry": true,
    "Config": true,
    "SampleSharing": true
  },
  "Policy": {
    "ScanArchives": true,
    "AllowBehavior": true,
    "AllowCloudProtection": true,
    "AllowEmailScanning": true,
    "AllowFullScanNetwork": true,
    "AllowFullScanRemovable": true,
    "AllowScriptScan": true,
    "AllowIPS": true,
    "LowCPU": true,
    "AllowDownloadable": true,
    "AllowRealTime": true,
    "AllowNetwork": true,
    "AllowUI": true,
    "NetworkProtectionBlock": true,
    "NetworkProtectionAudit": true,
    "CheckSigs": true,
    "DisableCatchupFullScan": true,
    "DisableCatchupQuickScan": true,
    "AssignTo": "none"
  },
  "ASR": {
    "BlockAdobeChild": true,
    "BlockWin32Macro": true,
    "BlockCredentialStealing": true,
    "BlockPSExec": true,
    "WMIPersistence": true,
    "BlockOfficeExes": true,
    "BlockOfficeApps": true,
    "BlockYoungExe": true,
    "blockJSVB": true,
    "blockOfficeComChild": true,
    "blockOfficeChild": true,
    "BlockUntrustedUSB": true,
    "EnableRansomwareVac": true,
    "BlockExesMail": true,
    "BlockUnsignedDrivers": true,
    "AssignTo": "none"
  }
}

{
  "Results": {}
}

List Security Alerts

get

Retrieves a list of security alerts

Query parameters

tenantFilterstringRequired

The tenant to filter by

Responses

200

Security alerts retrieved successfully

application/json

400

Bad request

401

Unauthorized

500

Internal server error

get

/ExecAlertsList

GET /api/ExecAlertsList?tenantFilter=text HTTP/1.1
Accept: */*

{
  "Results": {
    "MSResults": [
      {
        "EventDateTime": "2026-02-22T06:04:18.339Z",
        "Status": "text",
        "Title": "text",
        "Severity": "text",
        "Category": "text",
        "Tenant": "text",
        "InvolvedUsers": [
          "text"
        ],
        "Id": "text",
        "RawResult": {
          "vendorInformation": {
            "vendor": "text",
            "provider": "text"
          }
        }
      }
    ]
  }
}

Set Security Alert Status

post

Updates the status of a security alert

Body

GUIDstringRequired

The ID of the alert

Statusstring · enumRequired

The new status of the alert

Possible values:

VendorstringRequired

The vendor name

ProviderstringRequired

The provider name

Responses

200

Security alert status updated successfully

application/json

ResultsobjectOptional

The results of the operation

400

Bad request

401

Unauthorized

500

Internal server error

post

/ExecSetSecurityAlert

POST /api/ExecSetSecurityAlert HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 72

{
  "GUID": "text",
  "Status": "!inProgress",
  "Vendor": "text",
  "Provider": "text"
}

{
  "Results": {}
}

List Security Incidents

get

Retrieves a list of security incidents

Query parameters

tenantFilterstringRequired

The tenant to filter by

Responses

200

Security incidents retrieved successfully

application/json

400

Bad request

401

Unauthorized

500

Internal server error

get

/ExecIncidentsList

GET /api/ExecIncidentsList?tenantFilter=text HTTP/1.1
Accept: */*

{
  "Results": [
    {
      "Created": "2026-02-22T06:04:18.339Z",
      "Updated": "2026-02-22T06:04:18.339Z",
      "Tenant": "text",
      "Id": "text",
      "RedirectId": "text",
      "DisplayName": "text",
      "Status": "text",
      "Severity": "text",
      "AssignedTo": "text",
      "Classification": "text",
      "Determination": "text",
      "IncidentUrl": "text",
      "Tags": [
        "text"
      ]
    }
  ]
}

Set Security Incident Status

post

Updates the status of a security incident or assigns it to a user

Body

GUIDstringRequired

The ID of the incident

Statusstring · enumOptional

The new status of the incident

Possible values:

AssignedstringOptional

The user assigned to the incident

Responses

200

Security incident updated successfully

application/json

ResultsobjectOptional

The results of the operation

400

Bad request

401

Unauthorized

500

Internal server error

post

/ExecSetSecurityIncident

POST /api/ExecSetSecurityIncident HTTP/1.1
Content-Type: application/json
Accept: */*
Content-Length: 52

{
  "GUID": "text",
  "Status": "!active",
  "Assigned": "text"
}

{
  "Results": {}
}

List Graph Request

get

Retrieves data from a Graph API request

Query parameters

tenantFilterstringRequired

The tenant to filter by

endpointstringRequired

The Graph API endpoint

$topstringOptional

Number of records to return

Responses

200

Graph request data retrieved successfully

application/json

Resultsobject[]Optional

400

Bad request

401

Unauthorized

500

Internal server error

get

/ListGraphRequest

GET /api/ListGraphRequest?tenantFilter=text&endpoint=text HTTP/1.1
Accept: */*

{
  "Results": [
    {}
  ]
}

PreviousTenant Administration NextIntune

Last updated 7 months ago

Was this helpful?

hashtagList Defender State

hashtagList Defender Threat & Vulnerability Management

hashtagAdd Defender Deployment

hashtagList Security Alerts

hashtagSet Security Alert Status

hashtagList Security Incidents

hashtagSet Security Incident Status

hashtagList Graph Request

List Defender State

List Defender Threat & Vulnerability Management

Add Defender Deployment

List Security Alerts

Set Security Alert Status

List Security Incidents

Set Security Incident Status

List Graph Request