Microsoft Defender for Endpoint app icon

Microsoft Defender for Endpoint

This app integrates with Microsoft Defender for Endpoint to execute various containment, corrective, generic, and investigative actions

Built by
soar product badge
Latest Version 4.0.3
September 5, 2025
Compatibility
SOAR On-Prem, SOAR Cloud
Platform Version: 8.4, 8.0, 7.2, 7.1, 7.0, 6.4, 6.3, 6.2
Rating

2

(2)

Log in to rate this app
Support
Microsoft Defender for Endpoint support icon
Splunk Supported connector
Ranking

#6

in Endpoint
This app integrates with Microsoft Defender for Endpoint to execute various containment, corrective, generic, and investigative actions

Supported Actions

  • test connectivity: Validate the asset configuration for connectivity using the supplied configuration
  • on poll: Callback action for the on_poll ingest functionality for Defender for Endpoint
  • quarantine device: Quarantine the device
  • unquarantine device: Unquarantine the device
  • get status: Get status of the event on a machine
  • scan device: Scan a device for virus
  • quarantine file: Quarantine a file
  • get active users: Get active users on a device
  • list devices: List of recently seen devices
  • list alerts: List all alerts of a given type
  • list sessions: List all logged in users on a machine
  • list software: Retrieve the organization's software inventory
  • list software versions: Retrieve a list of organization's software version distribution
  • list software devices: Retrieve a list of devices that have a specific software installed
  • list software vulnerabilities: Retrieve vulnerabilities associated with a specific software
  • list device vulnerabilities: Retrieve vulnerabilities affecting devices or software in organization
  • list vulnerabilities: Retrieve a list of vulnerabilities based on filters
  • get alert: Retrieve specific Alert by its ID
  • get alert user: Retrieve user for specific Alert from its ID
  • get alert files: Retrieve files for specific Alert from its ID
  • get alert ips: Retrieve IP addresses for a specific Alert from its ID
  • get alert domains: Retrieve domains for a specific Alert from its ID
  • create alert: Create a new alert in Defender for Endpoint
  • update alert: Update properties of existing Alert
  • domain prevalence: Return statistics for the specified domain
  • ip prevalence: Return statistics for the specified IP
  • file prevalence: Return statistics for the specified file
  • get file info: Retrieve a File information by identifier SHA1, or SHA256
  • get file devices: Retrieve a collection of devices related to a given file hash (SHA1)
  • get user devices: Retrieve a collection of devices related to a given user ID
  • get installed software: Retrieve a collection of installed software related to a given device ID
  • restrict app execution: Restrict execution of all applications on the device except a predefined set
  • list indicators: Retrieve a collection of all active Indicators
  • collect investigation package: Collect an investigation package from a device by its device ID
  • get investigation uri: Retrieve a URI for downloading an investigation package by its action ID
  • get device details: Retrieve details for multiple devices by their device IDs
  • get affected devices: Retrieve a list of devices affected by a vulnerability using CVE IDs
  • get indicator: Retrieve an Indicator entity by its ID
  • submit indicator: Submit or Update new Indicator entity
  • update indicator: Update an existing Indicator entity
  • update indicator batch: Update or create a batch of Indicator entities
  • get file alerts: Retrieve alerts related to a specific file hash
  • get device alerts: Retrieve all alerts related to a specific device
  • get user alerts: Retrieve alerts related to a specific user
  • get domain alerts: Retrieve alerts related to a specific domain address
  • delete indicator: Delete an Indicator entity by ID
  • run query: An advanced search query
  • get domain devices: Retrieve a collection of devices that have communicated to or from a given domain address
  • update device tag: Add or remove a tag from a given device (Maximum: 200 characters)
  • get discovered vulnerabilities: Retrieve a collection of discovered vulnerabilities related to a given device ID
  • remove app restriction: Enable execution of any application on the device
  • get exposure score: Retrieve the organizational exposure score
  • get secure score: Retrieve your Microsoft Secure Score for devices
  • get file: Download a file from a device using live response
  • put file: Put a file from the library to a device using live response
  • cancel live response: Cancel a live response action
  • run script: Run a script from the library on a device using live response
  • get missing kbs: Retrieve missing KBs (security updates) by given device ID

Categories

Endpoint

Created By

Splunk LLC

Source Code

GitHub(Opens new window)

Type

connector

Downloads

30,184

Licensing

Apache License 2.0(Opens new window)

Splunk Answers

Ask a question about this app listing(Opens new window)

Resources

Log in to report this app listing