A typical enterprise deploys multiple solutions to address its security needs and run its day-to-day operations. Security operations teams develop their own custom automation to automate procedures, integrate data, and orchestrate actions to effectively operate and respond to threats.

Microsoft Defender ATP offers a rich and complete set of APIs geared to fulfill those needs and enable interoperability with enterprise security applications and automation. In our previous blogs we’ve announced the Microsoft Defender ATP layered API model that is exposed through a standard Azure AD (AAD) based authentication and authorization model allowing access in the context of users or SaaS applications.

In this publication, we are announcing the Public Preview of the new API Explorer and Connected applications
that demonstrate our commitment to making the Microsoft Defender ATP platform more extensible – helping security operation teams easily develop and track their connected solutions and workflows. You can now try them out straight from the Microsoft Defender Security Center console.

So, let gets started…. 

Try out the API Explorer

The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively.  
With the API Explorer, you can: 

  • Execute requests for any method and see responses in real-time. 
  • Browse quickly through the API samples and learn what parameters they support. 
  • Make API calls with ease; no need to authenticate beyond the management portal sign-in. 

Follow these steps to try it out: 

  1. Sign into Microsoft Defender Security Center and go to Partners & APIs -> API Explorer 
  2. In the left pane, there is a list of sample requests that you can use. Follow the links and click on "Run query."


Note that some of the samples may require specifying a parameter in the URL, for example, {machine- id}


API Explorer is designed to support all the APIs offered by Microsoft Defender ATP, enabling

customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate machines from the network, quarantine files, and others. The list of supported APIs is available in the APIs documentation. 


Authentication and authorization 

Credentials to access an API are not needed since the API Explorer uses the logged-in user credentials to access data on your behalf. Additionally, accessing Microsoft Defender ATP APIs is granted in accordance with the user’s permissions model and RBAC rules. For example, a request to Isolate machine is by default limited to roles having Active remediation actions permissions


Try out Connected applications 

Power BI, Microsoft Flow, and custom applications created by your organization or a third-party partner, all connect to Microsoft Defender ATP APIs via AAD applications. The Connected application page helps you track various Azure Active directory apps that integrates with the Microsoft Defender ATP platform in your organization 
Follow these steps to see it in action:

  1. If you haven’t created an AAD app yet, set up an appusing the instructions described in the Hello world blog.  
  2. Sign into Microsoft Defender Security Center and go to Partners & APIs -> Connected applications. 


3. You can review the usage of the connected application: Last seen, Number of requests in the past 24 hours, Request trend (30 days). 



4. Selecting the Open application settings link opens the corresponding AAD application management page in the Azure portal. From the Azure portal, you can manage permissions, reconfigure, or delete the connected app. 



We will continue to bring security operations teams more tools and APIs to enable automation of workflowsinnovation and create “better-together” integrations based on Microsoft Defender ATP capabilities.  


We welcome and appreciate your feedback. 

@Efrat KligerProgram Manager, Windows Defender ATP 

@Ben Alfasi, @Zvi Avidor Software engineers, Windows Defender ATP


Senior Member


when will the API's for threat & vulnerability management be added?





Hi @Raf Cox , The API's for threat and vulnerabilities will be available for private preview in the coming week, I invite you to try them out and provide feedback. 

Established Member

Hello, I'm looking for a complete CreateAlertByReference example.  What is an advanced query example that will return the required reportid for the CreateAlertByReference request body?




eventTimeDateTime(UTC)The time of the event, as obtained from the advanced query. Required.
reportIdStringThe reportId, as obtained from the advanced query. Required.


Thank You!

Occasional Visitor


Will there be an API for managing Incidents as well as Alerts, and the relations between them?





@Tessem1337 We have it in our roadmap to expose Indicators API.
In the meanwhile, the Alert API response includes the Incident Identifier ('incidentId'). Tou can use this to perform correlations.

@baddeacs , every advanced hunting query returns report id, event time & machine-id.
You will need to extract them from the Advanced Hunting response and put them in the body as in the example in the docs.