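---
# Naftiko capability: WatchGuard endpoint threat response.
#
# Consumes two WatchGuard Cloud HTTP APIs (wg-platform, wg-endpoint) and
# re-exposes a subset of their operations through a REST adapter (port 8080)
# and an MCP server (port 9090).
#
# NOTE(review): the nesting below was reconstructed from a whitespace-collapsed
# copy of this file. Keys and values are unchanged; confirm the hierarchy
# against the Naftiko schema before deploying.
naftiko: 1.0.0-alpha2
info:
  label: WatchGuard Endpoint Threat Response
  description: Unified threat response capability combining WatchGuard Cloud Platform account management with Endpoint Security device management, security event monitoring, and risk assessment. Designed for security operations teams responding to endpoint threats, managing device isolation, and reviewing security posture.
  tags:
    - WatchGuard
    - Endpoint Security
    - Threat Response
    - Device Management
    - Risk Assessment
  created: '2026-05-03'
  modified: '2026-05-06'
# Credentials are taken from environment variables, not stored in this file.
# NOTE(review): WATCHGUARD_API_KEY is bound here but no template in this file
# references it; only WATCHGUARD_ACCESS_TOKEN is used (as the bearer token).
# WatchGuard's public API documentation describes a WatchGuard-API-Key request
# header - confirm whether the consumed adapters need to send this key.
binds:
  - namespace: env
    keys:
      WATCHGUARD_ACCESS_TOKEN: WATCHGUARD_ACCESS_TOKEN
      WATCHGUARD_API_KEY: WATCHGUARD_API_KEY
capability:
  consumes:
    # Account, activation and operator management for the cloud platform.
    - type: http
      namespace: wg-platform
      # The US-region endpoint is hard-coded.
      baseUri: https://api.usa.cloud.watchguard.com/rest
      description: WatchGuard Cloud Platform API.
      # One static bearer token is used for every upstream call. Its scope is
      # the real privilege boundary of everything exposed further down, so
      # issue it with the narrowest role that covers the exposed operations.
      authentication:
        type: bearer
        token: '{{WATCHGUARD_ACCESS_TOKEN}}'
      resources:
        - name: accounts
          path: /platform/accounts/v1/accounts/{accountId}
          description: WatchGuard Cloud account management.
          operations:
            - name: get-account
              method: GET
              description: Get account information.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # Not referenced by any REST resource or MCP tool in this file.
            - name: create-account
              method: POST
              description: Create a new managed account.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: Parent account ID.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  type: '{{tools.type}}'
                  name: '{{tools.name}}'
                  firstName: '{{tools.firstName}}'
                  lastName: '{{tools.lastName}}'
                  email: '{{tools.email}}'
            # Not referenced by any REST resource or MCP tool in this file.
            # `force` also deletes all sub-accounts, so keep this operation
            # unexposed unless an explicit approval step sits in front of it.
            - name: delete-account
              method: DELETE
              description: Delete a managed account.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
                - name: force
                  in: query
                  type: boolean
                  required: false
                  description: Also delete all sub-accounts.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: managed-accounts
          path: /platform/accounts/v1/accounts/{accountId}/children
          description: Managed sub-accounts.
          operations:
            - name: get-managed-accounts
              method: GET
              description: List managed accounts under the specified account.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
                - name: type
                  in: query
                  type: integer
                  required: false
                  description: Filter by account type.
                - name: offset
                  in: query
                  type: integer
                  required: false
                  description: Pagination offset.
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Records per page.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: authorization
          path: /platform/authorization/v1/audiences
          description: Get audience tokens for managed account API access.
          operations:
            # Not referenced by any REST resource or MCP tool in this file.
            # The response is a token for a managed account's APIs; treat it
            # as a credential (no logging, no pass-through) if it is ever
            # wired to an exposed operation.
            - name: get-audience
              method: POST
              description: Get audience token to access a managed account's APIs.
              inputParameters: []
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  accountId: '{{tools.accountId}}'
        - name: activations
          path: /platform/activation/v1/activate
          description: Activate hardware devices and software licenses.
          operations:
            - name: activate-device-or-license
              method: POST
              description: Activate one or more devices or license keys.
              inputParameters: []
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  activations: '{{tools.activations}}'
        - name: recent-activations
          path: /platform/activation/v1/recentactivations
          description: Recent activation history.
          operations:
            - name: get-recent-activations
              method: GET
              description: Get recent activation batch history.
              inputParameters:
                - name: offset
                  in: query
                  type: integer
                  required: false
                  description: Pagination offset.
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Records per page.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: operators
          path: /platform/operator-mgmt/v1/operators
          description: WatchGuard Cloud operator management.
          operations:
            # `role` is taken verbatim from the caller-supplied template value.
            - name: create-operators
              method: POST
              description: Create new operator users.
              inputParameters: []
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  username: '{{tools.username}}'
                  accountId: '{{tools.accountId}}'
                  firstName: '{{tools.firstName}}'
                  lastName: '{{tools.lastName}}'
                  email: '{{tools.email}}'
                  phone: '{{tools.phone}}'
                  role: '{{tools.role}}'
            # This operation names its parameter account_id (query), unlike
            # the accountId path parameter used elsewhere in this file.
            - name: get-operators-by-account
              method: GET
              description: List all operators for an account.
              inputParameters:
                - name: account_id
                  in: query
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
    # Endpoint device inventory, isolation, scanning and risk reporting.
    - type: http
      namespace: wg-endpoint
      baseUri: https://api.usa.cloud.watchguard.com/rest/endpoint-security/management/api/v1
      description: WatchGuard Endpoint Security Management API.
      # Same environment-supplied bearer token as the wg-platform adapter.
      authentication:
        type: bearer
        token: '{{WATCHGUARD_ACCESS_TOKEN}}'
      resources:
        - name: devices
          path: /accounts/{accountId}/devices
          description: Managed endpoint devices.
          operations:
            - name: list-devices
              method: GET
              description: List all managed endpoint devices.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
                - name: $top
                  in: query
                  type: integer
                  required: false
                  description: Number of records to return.
                - name: $skip
                  in: query
                  type: integer
                  required: false
                  description: Records to skip.
                - name: $search
                  in: query
                  type: string
                  required: false
                  description: Text search.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: device-protection-status
          path: /accounts/{accountId}/devicesprotectionstatus
          description: Protection status for all devices.
          operations:
            - name: get-devices-protection-status
              method: GET
              description: Get protection status for all managed devices.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: device-isolation
          path: /accounts/{accountId}/devices/isolation
          description: Isolate devices from network communication.
          operations:
            - name: isolate-devices
              method: POST
              description: Isolate specified devices from the network.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              # The device list and message are filled from tools.* values.
              body:
                type: json
                data:
                  device_ids: '{{tools.device_ids}}'
                  customized_message: '{{tools.customized_message}}'
        - name: device-no-isolation
          path: /accounts/{accountId}/devices/noisolation
          description: Remove device isolation.
          operations:
            - name: remove-device-isolation
              method: POST
              description: Remove network isolation from devices.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  device_ids: '{{tools.device_ids}}'
        - name: security-overview
          path: /accounts/{accountId}/securityoverview/{period}
          description: Security overview summary.
          operations:
            - name: get-security-overview
              method: GET
              description: Get security overview for 1, 7, or 30 days.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
                # Declared as a plain integer; the 1/7/30 restriction exists
                # only in the description text.
                - name: period
                  in: path
                  type: integer
                  required: true
                  description: Period in days (1, 7, or 30).
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: risk-summary
          path: /accounts/{accountId}/riskassessment/companyrisksummary
          description: Company-wide risk assessment summary.
          operations:
            - name: get-company-risk-summary
              method: GET
              description: Get company risk summary by severity.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: detected-risks
          path: /accounts/{accountId}/riskassessment/detectedrisks
          description: Detected risk counts by type.
          operations:
            - name: get-detected-risks
              method: GET
              description: Get detected risks with optional OS and device type filters.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
                - name: $filter
                  in: query
                  type: string
                  required: false
                  description: OData filter expression.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: immediate-scan
          path: /accounts/{accountId}/immediatescan
          description: Start an immediate security scan.
          operations:
            - name: start-immediate-scan
              method: POST
              description: Initiate an immediate malware scan on specified devices.
              inputParameters:
                - name: accountId
                  in: path
                  type: string
                  required: true
                  description: WatchGuard Cloud account ID.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  device_ids: '{{tools.device_ids}}'
                  task_name: '{{tools.task_name}}'
                  scan_scope: '{{tools.scan_scope}}'
  exposes:
    # REST adapter: forwards each operation to a consumed operation via
    # `call`, mapping request values with `with`.
    # NOTE(review): no authentication is declared on this adapter in this
    # file, while every call it forwards uses the server-side bearer token.
    # Unless the runtime enforces access control elsewhere, any client that
    # can reach port 8080 acts with that token's privileges (including device
    # isolation and operator creation). Place it behind an authenticating
    # gateway or bind it to a trusted interface, and log every POST.
    - type: rest
      port: 8080
      namespace: wg-threat-response-api
      description: Unified REST API for WatchGuard endpoint threat response workflows.
      resources:
        - path: /v1/accounts/{accountId}
          name: account
          description: WatchGuard Cloud account information.
          operations:
            - method: GET
              name: get-account
              description: Get WatchGuard Cloud account details.
              call: wg-platform.get-account
              with:
                accountId: rest.accountId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/accounts/{accountId}/managed-accounts
          name: managed-accounts
          description: Sub-accounts managed by a service provider.
          operations:
            - method: GET
              name: get-managed-accounts
              description: List all managed sub-accounts.
              call: wg-platform.get-managed-accounts
              with:
                accountId: rest.accountId
              outputParameters:
                - type: object
                  mapping: $.
        # NOTE(review): from here on the paths carry no {accountId} segment and
        # no input parameter is declared, yet `rest.accountId` is still mapped.
        # Confirm where the value comes from, and that a caller cannot select
        # an account it is not entitled to.
        - path: /v1/devices
          name: devices
          description: Managed endpoint devices.
          operations:
            - method: GET
              name: list-devices
              description: List all managed endpoint devices.
              call: wg-endpoint.list-devices
              with:
                accountId: rest.accountId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/devices/protection-status
          name: device-protection-status
          description: Protection status for all managed devices.
          operations:
            - method: GET
              name: get-devices-protection-status
              description: Get protection status for all endpoint devices.
              call: wg-endpoint.get-devices-protection-status
              with:
                accountId: rest.accountId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/devices/isolation
          name: device-isolation
          description: Isolate or release endpoint devices.
          operations:
            # NOTE(review): only accountId is mapped here, while the consumed
            # operation's body reads tools.device_ids and
            # tools.customized_message. Confirm how a REST caller's device
            # list reaches the upstream request. The same applies to the
            # remove-isolation, scan, activations and create-operators POSTs
            # below.
            - method: POST
              name: isolate-devices
              description: Isolate devices from the network.
              call: wg-endpoint.isolate-devices
              with:
                accountId: rest.accountId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/devices/remove-isolation
          name: device-remove-isolation
          description: Remove network isolation from devices.
          operations:
            - method: POST
              name: remove-device-isolation
              description: Remove network isolation.
              call: wg-endpoint.remove-device-isolation
              with:
                accountId: rest.accountId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/devices/scan
          name: device-scan
          description: Initiate immediate security scans.
          operations:
            - method: POST
              name: start-immediate-scan
              description: Start an immediate malware scan.
              call: wg-endpoint.start-immediate-scan
              with:
                accountId: rest.accountId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/security/overview/{period}
          name: security-overview
          description: Security posture overview.
          operations:
            - method: GET
              name: get-security-overview
              description: Get security overview summary.
              call: wg-endpoint.get-security-overview
              with:
                accountId: rest.accountId
                period: rest.period
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/risk/summary
          name: risk-summary
          description: Company-wide risk summary.
          operations:
            - method: GET
              name: get-company-risk-summary
              description: Get risk summary by severity level.
              call: wg-endpoint.get-company-risk-summary
              with:
                accountId: rest.accountId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/risk/detected
          name: detected-risks
          description: Detected risk details.
          operations:
            - method: GET
              name: get-detected-risks
              description: Get detected risks by type.
              call: wg-endpoint.get-detected-risks
              with:
                accountId: rest.accountId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/activations
          name: activations
          description: Device and license activation.
          operations:
            # No `with` mapping is declared for this call.
            - method: POST
              name: activate-device-or-license
              description: Activate hardware devices or software licenses.
              call: wg-platform.activate-device-or-license
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/operators
          name: operators
          description: WatchGuard Cloud operator management.
          operations:
            - method: GET
              name: get-operators
              description: List operators for an account.
              call: wg-platform.get-operators-by-account
              with:
                account_id: rest.accountId
              outputParameters:
                - type: object
                  mapping: $.
            # Creates console users; no `with` mapping is declared.
            - method: POST
              name: create-operators
              description: Create new operator users.
              call: wg-platform.create-operators
              outputParameters:
                - type: object
                  mapping: $.
    # MCP server: offers the same operations to an AI client as tools.
    # NOTE(review): as with the REST adapter, no authentication is declared
    # for this HTTP-transport server in this file.
    # The read-only tools return data from the upstream console into the
    # model's context, and the same server offers state-changing tools.
    # Treat tool output as untrusted input and require human confirmation
    # before any tool with readOnly: false runs.
    - type: mcp
      port: 9090
      namespace: wg-threat-response-mcp
      transport: http
      description: MCP server for AI-assisted WatchGuard endpoint threat response.
      tools:
        - name: get-account
          description: Get WatchGuard Cloud account information and status.
          hints:
            readOnly: true
            openWorld: true
          call: wg-platform.get-account
          with:
            accountId: tools.accountId
          outputParameters:
            - type: object
              mapping: $.
        - name: get-managed-accounts
          description: List all managed sub-accounts in WatchGuard Cloud.
          hints:
            readOnly: true
            openWorld: true
          call: wg-platform.get-managed-accounts
          with:
            accountId: tools.accountId
          outputParameters:
            - type: object
              mapping: $.
        - name: list-devices
          description: List all WatchGuard managed endpoint devices with protection status.
          hints:
            readOnly: true
            openWorld: true
          call: wg-endpoint.list-devices
          with:
            accountId: tools.accountId
          outputParameters:
            - type: object
              mapping: $.
        - name: get-devices-protection-status
          description: Get the protection status of all WatchGuard managed endpoint devices.
          hints:
            readOnly: true
            openWorld: true
          call: wg-endpoint.get-devices-protection-status
          with:
            accountId: tools.accountId
          outputParameters:
            - type: object
              mapping: $.
        # The only tool in this file that carries the destructive hint.
        - name: isolate-devices
          description: Isolate compromised WatchGuard endpoint devices from the network.
          hints:
            readOnly: false
            destructive: true
          call: wg-endpoint.isolate-devices
          with:
            accountId: tools.accountId
            device_ids: tools.device_ids
            customized_message: tools.customized_message
          outputParameters:
            - type: object
              mapping: $.
        # NOTE(review): releasing isolation puts a possibly compromised host
        # back on the network, yet this tool carries no destructive hint.
        # Depending on how the client treats a missing hint it may not prompt
        # for confirmation; confirm that this is intended.
        - name: remove-device-isolation
          description: Remove network isolation from WatchGuard endpoint devices after remediation.
          hints:
            readOnly: false
            idempotent: true
          call: wg-endpoint.remove-device-isolation
          with:
            accountId: tools.accountId
            device_ids: tools.device_ids
          outputParameters:
            - type: object
              mapping: $.
        - name: start-immediate-scan
          description: Start an immediate malware scan on WatchGuard endpoint devices.
          hints:
            readOnly: false
          call: wg-endpoint.start-immediate-scan
          with:
            accountId: tools.accountId
            device_ids: tools.device_ids
            task_name: tools.task_name
            scan_scope: tools.scan_scope
          outputParameters:
            - type: object
              mapping: $.
        - name: get-security-overview
          description: Get a WatchGuard endpoint security overview for 1, 7, or 30 days.
          hints:
            readOnly: true
            openWorld: true
          call: wg-endpoint.get-security-overview
          with:
            accountId: tools.accountId
            period: tools.period
          outputParameters:
            - type: object
              mapping: $.
        - name: get-company-risk-summary
          description: Get company-wide endpoint security risk summary by severity level.
          hints:
            readOnly: true
            openWorld: true
          call: wg-endpoint.get-company-risk-summary
          with:
            accountId: tools.accountId
          outputParameters:
            - type: object
              mapping: $.
        - name: get-detected-risks
          description: Get WatchGuard endpoint detected risks broken down by type and device.
          hints:
            readOnly: true
            openWorld: true
          call: wg-endpoint.get-detected-risks
          with:
            accountId: tools.accountId
          outputParameters:
            - type: object
              mapping: $.
        - name: activate-device-or-license
          description: Activate WatchGuard hardware devices or software license keys.
          hints:
            readOnly: false
          call: wg-platform.activate-device-or-license
          with:
            activations: tools.activations
          outputParameters:
            - type: object
              mapping: $.
        - name: get-recent-activations
          description: Get recent WatchGuard device and license activation history.
          hints:
            readOnly: true
            openWorld: true
          call: wg-platform.get-recent-activations
          outputParameters:
            - type: object
              mapping: $.
        - name: get-operators
          description: List WatchGuard Cloud operator users for an account.
          hints:
            readOnly: true
            openWorld: true
          call: wg-platform.get-operators-by-account
          with:
            account_id: tools.accountId
          outputParameters:
            - type: object
              mapping: $.
        # `role` is passed through from the tool arguments, so this tool can
        # create operators with whatever role the upstream API accepts for
        # the configured token. Constrain the token's scope and require
        # explicit approval for this tool.
        - name: create-operators
          description: Create new WatchGuard Cloud operator users.
          hints:
            readOnly: false
          call: wg-platform.create-operators
          with:
            username: tools.username
            accountId: tools.accountId
            firstName: tools.firstName
            lastName: tools.lastName
            email: tools.email
            phone: tools.phone
            role: tools.role
          outputParameters:
            - type: object
              mapping: $.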