Register an Entra ID application, grant it the WindowsDefenderATP > AdvancedQuery.Read.All application permission (admin consent is required for application permissions), and obtain a client-credentials bearer token for the audience https://api.securitycenter.microsoft.com (on the v2.0 token endpoint this is the scope https://api.securitycenter.microsoft.com/.default).
Submit a Kusto Query Language (KQL) query with POST https://api.securitycenter.microsoft.com/api/advancedqueries/run, sending the JSON body {"Query": "YOUR_KQL_QUERY"} with the headers Authorization: Bearer YOUR_TOKEN and Content-Type: application/json.
Parse the JSON response: it carries a Schema array (Name and Type for each column the query returned, so no separate schema endpoint is needed) and a Results array of row objects keyed by column name (at most 100,000 rows).
Respect the per-tenant quotas: up to 45 calls per minute and 1,500 calls per hour, plus a running-time budget of 10 minutes per hour and 3 hours per day; exceeding any of them returns HTTP 429, and the response body says which limit was hit. Queries see only the last 30 days of data and a single request may execute for at most 200 seconds.
For broader table coverage (including Microsoft Sentinel and Defender XDR tables), use the Microsoft Graph security API advanced hunting endpoint instead: POST https://graph.microsoft.com/v1.0/security/runHuntingQuery with the ThreatHunting.Read.All application permission and a token for the audience https://graph.microsoft.com. The body shape is the same ({"Query": "..."}, optionally with a Timespan ISO 8601 duration), the response uses lowercase schema/results keys, and this is the recommended current approach.
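The steps above, and the throttling and result-size behaviour described under the gotchas below, as a worked client. This is an added example, not Microsoft's code or a sample from the Defender documentation: the tenant ID, client ID, secret and token are placeholders, the sample response is constructed, and the HTTP call is behind an injectable transport so the flow (token request, POST, 429 back-off, 400 surfacing, MDE vs Graph response shapes, truncation check) can be exercised offline. Whether the service sends a Retry-After header on 429 is treated as an assumption; the code falls back to a fixed wait.

```python
"""Added example (not Microsoft's code): run an advanced hunting query against the
Defender for Endpoint API or the Graph security API with quota handling.
Tenant/client values are placeholders; the HTTP call is an injectable `transport`
so the logic runs offline against a constructed response."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

MDE_AUDIENCE = "https://api.securitycenter.microsoft.com"
MDE_RUN_URL = f"{MDE_AUDIENCE}/api/advancedqueries/run"
GRAPH_AUDIENCE = "https://graph.microsoft.com"
GRAPH_RUN_URL = f"{GRAPH_AUDIENCE}/v1.0/security/runHuntingQuery"
MAX_ROWS = 100_000  # documented cap; a result this long was silently truncated


def token_request(tenant_id, client_id, client_secret, audience=MDE_AUDIENCE):
    """Build the client-credentials request for the v2.0 token endpoint (.default scope)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{audience}/.default",
    }).encode()
    return url, form


def urllib_transport(url, headers, body):
    """Real transport: POST and return (status, headers, text) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=230) as resp:  # above the 200 s server limit
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


def run_hunting_query(query, token, url=MDE_RUN_URL, transport=urllib_transport,
                      sleep=time.sleep, max_retries=3):
    """POST a KQL query; back off on 429, raise on other errors, flag truncated results.

    Returns {"columns": [...], "rows": [{column: value, ...}, ...], "truncated": bool}.
    Accepts both response shapes: MDE uses Schema/Results, Graph uses schema/results.
    """
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"Query": query}).encode()
    for attempt in range(max_retries + 1):
        status, resp_headers, text = transport(url, headers, body)
        lower = {k.lower(): v for k, v in resp_headers.items()}
        if status == 429 and attempt < max_retries:
            # A quota was hit (45/min, 1,500/hour or the running-time budget). Honour
            # Retry-After when present (assumed, not documented here), else wait 30 s.
            sleep(int(lower.get("retry-after", 30)))
            continue
        if status != 200:
            # 400 covers bad KQL and the 124 MB result-size limit; 401/403 are token problems.
            raise RuntimeError(f"advanced hunting request failed: HTTP {status}: {text[:300]}")
        payload = json.loads(text)
        schema = payload.get("Schema") or payload.get("schema") or []
        rows = payload.get("Results") or payload.get("results") or []
        columns = [col.get("Name", col.get("name")) for col in schema]
        # Exactly MAX_ROWS rows means the service cut the result; narrow the time window.
        return {"columns": columns, "rows": rows, "truncated": len(rows) >= MAX_ROWS}


# Constructed sample in the MDE response shape (not real tenant data), used offline.
SAMPLE_MDE_RESPONSE = {
    "Schema": [{"Name": "Timestamp", "Type": "DateTime"},
               {"Name": "DeviceName", "Type": "String"},
               {"Name": "FileName", "Type": "String"}],
    "Results": [
        {"Timestamp": "2024-05-01T10:15:00Z", "DeviceName": "ws01.contoso.local", "FileName": "mshta.exe"},
        {"Timestamp": "2024-05-01T10:16:00Z", "DeviceName": "ws02.contoso.local", "FileName": "mshta.exe"},
    ],
}


def replay_transport(statuses):
    """Fake transport for offline runs: replay the given HTTP statuses, then answer 200."""
    pending = list(statuses)
    calls = []

    def transport(url, headers, body):
        calls.append((url, json.loads(body)["Query"]))
        status = pending.pop(0) if pending else 200
        if status == 200:
            return 200, {"Content-Type": "application/json"}, json.dumps(SAMPLE_MDE_RESPONSE)
        if status == 429:
            return 429, {"Retry-After": "2"}, json.dumps({"error": {"code": "TooManyRequests"}})
        return status, {}, json.dumps({"error": {"message": "Query execution has exceeded the allowed result size"}})

    transport.calls = calls
    return transport


if __name__ == "__main__":
    kql = "DeviceProcessEvents | where Timestamp > ago(1d) | where FileName =~ 'mshta.exe' | take 1000"
    result = run_hunting_query(kql, "PLACEHOLDER_TOKEN", transport=replay_transport([429]), sleep=lambda s: None)
    print(result["columns"], len(result["rows"]), "truncated:", result["truncated"])
```

The demo under __main__ replays one throttled response followed by the constructed result. For a live run, POST the output of token_request to obtain the token, call run_hunting_query with the default urllib transport, and pass url=GRAPH_RUN_URL together with a Graph-audience token to hit the unified tables; when truncated comes back True, re-run over smaller Timestamp windows rather than trusting the first 100,000 rows.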
Known gotchas
The Defender for Endpoint advanced hunting API only surfaces the MDE (Device*) tables; for cross-workload hunting (Identity, CloudApp and Email/Office 365 tables), use the Defender XDR / Microsoft Graph security API hunting endpoint, which queries all of the unified tables.
Query results are capped at 100,000 rows; a query that matches more rows returns the first 100,000 with no error flag, so treat a result sitting exactly at the cap as truncated and narrow the time window or add explicit KQL limits (take, summarize, project only the columns you need). A single result larger than 124 MB is not truncated but rejected with HTTP 400 ("Query execution has exceeded the allowed result size").
The 200-second execution timeout is hard: a complex query over a high-volume time range fails with a timeout error rather than returning partial results, so test and optimize the KQL (filter on Timestamp first, project early, avoid unbounded joins) before scheduling automated runs.