title: Supported Microsoft Defender for Endpoint APIs ms.reviewer: description: Learn about the specific supported Microsoft Defender for Endpoint entities where you can create API calls to. ms.service: defender-endpoint ms.author: painbar author: paulinbar ms.localizationpriority: medium ms.date: 03/21/2025 manager: bagol audience: ITPro ms.collection:
- m365-security
- tier3
- must-keep
ms.topic: reference
ms.subservice: reference
ms.custom: api
search.appverid: met150
appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Business
[!INCLUDE Microsoft Defender XDR rebranding]
Important
Advanced hunting capabilities are not included in Defender for Business.
The service base URI is: https://api.security.microsoft.com
The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to https://api.security.microsoft.com/api/alerts
The API supports versioning.
The current version is V1.0. To use a specific version, use this format:
https://api.security.microsoft.com/api/{Version}. For example:https://api.security.microsoft.com/api/v1.0/alertsIf you don't specify any version (e.g.
https://api.security.microsoft.com/api/alerts) you will get to the latest version.
[!INCLUDE Microsoft Defender for Endpoint API URIs for US Government]
[!INCLUDE Improve request performance]
Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
| Topic | Description |
|---|---|
| Advanced Hunting methods | Run queries from API. |
| Alert methods and properties | Run API calls such as - get alerts, create alert, update alert and more. |
| Export Assessment per-device methods and properties | Run API calls to gather vulnerability assessments on a per-device basis, such as: - export secure configuration assessment, export software inventory assessment, export software vulnerabilities assessment, and delta export software vulnerabilities assessment. |
| Automated investigation methods and properties | Run API calls such as - get collection of Investigation. |
| Export device health methods and properties | Run API Calls such as - GET /api/public/avdeviceshealth. |
| Domain-related alerts | Run API calls such as - get domain-related devices, domain statistics and more. |
| File methods and properties | Run API calls such as - get file information, file related alerts, file related devices, and file statistics. |
| Indicators methods and properties | Run API call such as - get Indicators, create Indicator, and delete Indicators. |
| IP-related alerts | Run API calls such as - get IP-related alerts and get IP statistics. |
| Machine methods and properties | Run API calls such as - get devices, get devices by ID, information about logged on users, edit tags and more. |
| Machine Action methods and properties | Run API call such as - Isolation, Run anti-virus scan and more. |
| Recommendation methods and properties | Run API calls such as - get recommendation by ID. |
| Remediation activity methods and properties | Run API call such as - get all remediation tasks, get exposed devices remediation task and get one remediation task by id. |
| Score methods and properties | Run API calls such as - get exposure score or get device secure score. |
| Software methods and properties | Run API calls such as - list vulnerabilities by software. |
| User methods and properties | Run API calls such as - get user-related alerts and user-related devices. |
| Vulnerability methods and properties | Run API calls such as - list devices by vulnerability. |