// MCP TOOL REFERENCE

RESPONSE MCP SERVER TOOLS

23 tools from the Response MCP Server MCP Server, categorised by risk level.

// ALL 23 RESPONSE MCP SERVER TOOLS

READ 4 tools

Read get_investigation_package_uri Get download URL (SAS URI) for a completed investigation package. Returns a temporary download link valid f... Read get_machine_actions List recent machine actions (response actions) from Microsoft Defender. Can filter by device, action type, ... Read get_machine_by_name Find a machine/device in Microsoft Defender by hostname. Returns device details including health status, ri... Read echo Test connectivity with the Response MCP server

WRITE 8 tools

Write add_incident_comment Add a comment to a security incident for documentation and collaboration. Write add_incident_tags Add custom tags to an incident for categorization and tracking. Write assign_incident Assign a security incident to an analyst or remove assignment. Write classify_incident Set the classification and determination for a security incident. Use this during or after investigation to... Write confirm_user_compromised Mark an Entra ID user as compromised in Identity Protection. Sets the user Write confirm_user_safe Dismiss user risk in Identity Protection (mark as safe). Sets the user Write enable_ad_account Re-enable a previously disabled Active Directory user account through Microsoft Defender for Identity. Use ... Write update_incident_status Update the status of a security incident. Use this to mark incidents as active, resolved, or redirected.

DESTRUCTIVE 1 tools

Destructive disable_ad_account Disable an Active Directory user account through Microsoft Defender for Identity. Use when credentials are ...

EXECUTE 10 tools

Execute force_ad_password_reset Force an Active Directory user to change their password at next logon through Microsoft Defender for Identi... Execute remove_code_restriction Remove code execution restrictions from a device, allowing all applications to run again. Execute revoke_entra_sessions Revoke all Entra ID (Azure AD) sign-in sessions and refresh tokens for a user. Forces re-authentication on ... Execute run_antivirus_scan Initiate a Microsoft Defender Antivirus scan on a device. Quick scan checks common malware locations, Full ... Execute stop_and_quarantine Stop a running process and quarantine the associated file on a device. Requires the SHA1 hash of the file. Execute isolate_multiple Isolate multiple devices from the network in a single operation. Provide a comma-separated list of device n... Execute collect_investigation_package Collect a forensic investigation package from a device containing system information, logs, and diagnostic ... Execute isolate_device Isolate a device from the network to prevent lateral movement. Use Full isolation to block all connections,... Execute release_device Release a previously isolated device from network isolation, restoring full connectivity. Execute restrict_code_execution Restrict code execution on a device to only allow Microsoft-signed applications.

// FAQ

How many tools does the Response MCP Server MCP server have? +

The Response MCP Server MCP server exposes 23 tools across 4 categories: Read, Write, Destructive, Execute.

How do I enforce policies on Response MCP Server tools? +

Route the Response MCP Server server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard; they are enforced on every call before it reaches the server.

What risk categories do Response MCP Server tools fall into? +

Response MCP Server tools are categorised as Read (4), Write (8), Destructive (1), Execute (10). Each category has a recommended default policy.

Enforce policy on every Response MCP Server tool call.

Start from Response MCP Server, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.

CHECK YOUR STACK →

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.