Defender Response MCP - VS Code Extension
A VS Code extension that provides Microsoft Defender XDR response action tools for GitHub Copilot. Execute incident response actions directly from Copilot chat using natural language.
Overview
This extension exposes Microsoft Defender XDR capabilities as Language Model tools for GitHub Copilot. Security analysts use natural language to manage incidents, isolate compromised devices, run antivirus scans, collect forensic packages, and execute identity response actions.
Example interactions:
- "Check the status of device WORKSTATION-01"
- "Isolate the compromised laptop immediately"
- "Run a full antivirus scan on the server"
- "Show me high severity incidents"
- "Disable the compromised user account"
Architecture
┌─────────────────┐ VS Code LM Tools API ┌──────────────────────┐
│ VS Code + │◀────────────────────────────▶│ Extension │
│ GitHub Copilot │ │ (This Extension) │
└─────────────────┘ └──────────────────────┘
│
│ Client Credentials
│ (Service Principal)
│
┌───────────────────────────────┴───────────────────┐
▼ ▼
┌─────────────────────────────┐ ┌─────────────────────────────┐
│ Microsoft Defender │ │ Microsoft Graph API │
│ for Endpoint │ │ - Incident management │
│ - Device response actions │ │ - Identity actions (MDI) │
│ - Investigation packages │ │ - Entra ID risk management │
└─────────────────────────────┘ └─────────────────────────────┘
Key Difference from Response MCP Server: This extension runs locally in VS Code and communicates directly with Microsoft APIs. No cloud server required - credentials are stored securely in VS Code's secret storage.
Device Response Actions (Defender for Endpoint)
| Tool |
Description |
defender_echo |
Test server connectivity |
defender_get_machine_by_name |
Find device by hostname |
defender_get_machine_actions |
List response action history |
defender_isolate_device |
Isolate device from network |
defender_isolate_multiple |
Bulk isolate multiple devices |
defender_release_device |
Release device from isolation |
defender_run_antivirus_scan |
Initiate Quick or Full AV scan |
defender_stop_and_quarantine |
Stop process and quarantine file |
defender_restrict_code_execution |
Block unsigned applications |
defender_remove_code_restriction |
Remove code restrictions |
defender_collect_investigation_package |
Collect forensic data |
defender_get_investigation_package_uri |
Get download URL for investigation package |
Identity Response Actions (Defender for Identity & Entra ID)
| Tool |
Description |
Provider |
defender_disable_ad_account |
Disable Active Directory account |
Active Directory |
defender_enable_ad_account |
Re-enable Active Directory account |
Active Directory |
defender_force_ad_password_reset |
Force user to change password at next logon |
Active Directory |
defender_revoke_entra_sessions |
Revoke all Entra ID sessions and refresh tokens |
Entra ID |
defender_confirm_user_compromised |
Mark user as compromised in Identity Protection |
Entra ID |
defender_confirm_user_safe |
Dismiss user risk (mark as safe) in Identity Protection |
Entra ID |
Incident Management
| Tool |
Description |
defender_update_incident_status |
Mark incident as active/resolved |
defender_assign_incident |
Assign incident to analyst |
defender_classify_incident |
Set classification (TP/FP) and determination |
defender_add_incident_tags |
Add custom tags for categorization |
defender_add_incident_comment |
Add investigation comments |
Note: For listing and retrieving incident details, use Microsoft's Sentinel MCP-Triage server which provides richer filtering, search, and pagination capabilities.
Prerequisites
Entra ID App Registration
Steps:
- Navigate to Azure Portal > Entra ID > App Registrations > New registration
- Name:
Defender Response VS Code (or your preferred name)
- Supported account types: Accounts in this organizational directory only
- Click Register
- Save these values (needed for configuration):
- Application (client) ID
- Directory (tenant) ID
- Create a client secret:
- Go to Certificates & secrets > New client secret
- Description:
VS Code Extension Secret
- Expires: Choose expiration period
- Click Add
- Copy the secret value immediately (shown only once)
- Add API permissions:
- Go to API permissions > Add a permission
- Add the permissions listed below
- Grant admin consent for all permissions
Required Permissions
WindowsDefenderATP (Defender for Endpoint)
| Permission |
Type |
Description |
Machine.ReadWrite.All |
Application |
Read machine actions and get investigation package URIs |
Machine.Isolate |
Application |
Isolate/release machines |
Machine.Scan |
Application |
Run antivirus scans |
Machine.StopAndQuarantine |
Application |
Stop and quarantine files |
Machine.RestrictExecution |
Application |
Restrict/unrestrict code execution |
Machine.CollectForensics |
Application |
Collect investigation packages |
Microsoft Graph API
| Permission |
Type |
Description |
SecurityAlert.ReadWrite.All |
Application |
Read and update security alerts |
SecurityIdentitiesAccount.Read.All |
Application |
Read identity accounts from MDI |
SecurityIdentitiesActions.ReadWrite.All |
Application |
Invoke actions on identity accounts |
SecurityIncident.ReadWrite.All |
Application |
Read and update security incidents |
User.Read.All |
Application |
Resolve UPNs to user IDs |
User.RevokeSessions.All |
Application |
Revoke user sessions |
IdentityRiskyUser.ReadWrite.All |
Application |
Mark users as compromised in Identity Protection |
Installation
From VSIX
code --install-extension defender-response-mcp-0.1.0.vsix
From Source
# Clone and install
git clone <this-repo>
npm install
# Compile
npm run compile
# Package as VSIX
npm run package
# Install
code --install-extension defender-response-mcp-0.1.0.vsix
Development
Press F5 in VS Code to launch Extension Development Host.
Configuration
- After installing, run command: Defender MCP: Sign In (Ctrl+Shift+P)
- Enter your Tenant ID, Client ID, and Client Secret when prompted
- Credentials are stored securely in VS Code's encrypted secret storage
Usage
Open Copilot Chat (Ctrl+Alt+I) and ask Copilot to perform Defender actions:
Find the machine named DESKTOP-ABC123
Isolate device my-server with comment "Incident 12345 - malware detected"
Run a quick antivirus scan on workstation-01
List high severity active incidents
Disable AD account for compromised.user@contoso.com
Release device my-server from isolation
Commands
| Command |
Description |
Defender MCP: Sign In |
Configure credentials |
Defender MCP: Sign Out |
Clear saved credentials |
Defender MCP: Show Logs |
View extension logs |
Project Structure
src/
├── extension.ts # Extension entry point
├── auth/
│ └── clientCredentials.ts # OAuth 2.0 client credentials flow
├── defender/
│ └── client.ts # Defender & Graph API clients
└── tools/
└── handlers.ts # LM Tool implementations
Security Notes
- Credentials are stored in VS Code's encrypted secret storage (OS keychain)
- Client credentials flow is used (application permissions, no user login)
- All actions are logged in the Defender portal
- Extension runs locally - no cloud infrastructure required
- Never share your client secret or commit it to source control
Troubleshooting
"Not signed in" error:
- Run Defender MCP: Sign In and enter credentials
- Verify credentials are correct (tenant ID, client ID, secret)
Permission denied errors:
- Verify app registration has required permissions
- Ensure admin consent was granted
- Check client secret hasn't expired
Device not found:
- Verify device name is correct (case-insensitive)
- Ensure device is onboarded to Defender for Endpoint
Identity actions fail:
- Verify Graph API permissions are granted
- For MDI actions, ensure Defender for Identity is deployed
License
MIT
