muraly005
Mar 18, 2026

Ingest Microsoft XDR Advanced Hunting Data into Microsoft Sentinel

I had difficulty finding a guide that can query Microsoft Defender vulnerability management Advanced Hunting tables in Microsoft Sentinel for alerting and automation. As a result, I put together this guide to demonstrate how to ingest Microsoft XDR Advanced Hunting query results into Microsoft Sentinel using Azure Logic Apps and System‑Assigned Managed Identity.

The solution allows you to:

  • Run Advanced Hunting queries on a schedule
  • Collect high‑risk vulnerability data (or other hunting results)
  • Send the results to a Sentinel workspace as custom logs
  • Create alerts and automation rules based on this data

This approach avoids credential storage and follows least privilege and managed identity best practices.

Prerequisites

Before you begin, ensure you have:

  • Microsoft Defender XDR access
  • Microsoft Sentinel deployed
  • Azure Logic Apps permission
  • Application Administrator or higher in Microsoft Entra ID
  • PowerShell with Az modules installed
  • Contributor access to the Sentinel workspace

Architecture at a Glance

Logic App (Managed Identity)
   ↓
Microsoft XDR Advanced Hunting API
   ↓
Logic App
   ↓
Log Analytics Data Collector API
   ↓
Microsoft Sentinel (Custom Log)

Step 1: Create a Logic App

  1. In the Azure Portal, go to Logic Apps
  2. Create a new Consumption Logic App
  3. Choose the appropriate:
    • Subscription
    • Resource Group
    • Region

Step 2: Enable System‑Assigned Managed Identity

  1. Open the Logic App
  2. Navigate to Settings → Identity
  3. Enable System‑assigned managed identity
  4. Click Save
  5. Note the Object ID

This identity will later be granted permission to run Advanced Hunting queries.

Step 3: Locate the Logic App in Entra ID

  1. Go to Microsoft Entra ID → Enterprise Applications
  2. Change filter to All Applications
  3. Search for your Logic App name
  4. Select the app to confirm it exists

Step 4: Grant Advanced Hunting Permissions (PowerShell)

Advanced Hunting permissions cannot be assigned to a managed identity in the portal; they must be granted with PowerShell.

Required Permission

  • AdvancedQuery.Read.All

PowerShell Script

#Requires -Modules Az.Accounts, Az.Resources
# Your tenant ID (in the Azure portal, under Azure Active Directory > Overview).
$TenantID = "Your TenantID"
Connect-AzAccount -TenantId $TenantID
# Object ID of the Logic App's system-assigned managed identity (noted in Step 2).
$spID = "Your Managed Identity"
# Get the service principal of the WindowsDefenderATP API by its well-known AppId.
# Keep the whole object: its AppRole collection is needed below, so do not pipe it to Select-Object Id.
$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "AppId eq 'fc780465-2017-40d4-a0c5-307022471b92'"
# Extract the AdvancedQuery.Read.All app role.
$AppRole = $GraphServicePrincipal.AppRole |
    Where-Object { $_.Value -eq "AdvancedQuery.Read.All" }
# If $AppRole.Id comes up blank, it can be replaced with 93489bf5-0fbc-4f2d-b901-33f2fe08ff05
# Now add the permission to the app to read the advanced queries
New-AzADServicePrincipalAppRoleAssignment -ServicePrincipalId $spID -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id
# Or
New-AzADServicePrincipalAppRoleAssignment -ServicePrincipalId $spID -ResourceId $GraphServicePrincipal.Id -AppRoleId 93489bf5-0fbc-4f2d-b901-33f2fe08ff05

After successful execution, verify the permission under Enterprise Applications → Permissions.

Step 5: Build the Logic App Workflow

Open Logic App Designer and create the following flow:

Trigger

  • Recurrence (e.g., every 24 hours)

Run Advanced Hunting Query

  • Connector: Microsoft Defender ATP
  • Authentication: System‑Assigned Managed Identity
  • Action: Run Advanced Hunting Query

Sample KQL Query (High‑Risk Vulnerabilities)

Send Data to Log Analytics (Sentinel)

In the Send Data action, create a new connection and provide the details of the workspace that hosts the Sentinel log. The Workspace Key is not straightforward to obtain from the portal, so retrieve it with the following PowerShell command:

#Requires -Modules Az.Accounts, Az.OperationalInsights
# Returns the primary and secondary shared keys of the Log Analytics workspace (treat them as secrets).
Get-AzOperationalInsightsWorkspaceSharedKey `
    -ResourceGroupName "<ResourceGroupName>" `
    -Name "<WorkspaceName>"

Configuration Details

  • Workspace ID
  • Primary key
  • Log Type (example): XDRVulnerability_CL
  • Request body: Results array from Advanced Hunting
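The Send Data action hides what the Data Collector API actually does with the Workspace ID and Primary key: every POST carries an HMAC-SHA256 signature computed with the primary key over the request's content length, date and path, which is why that key must be handled as a secret. The following Python is an added example, not code from the post or from Microsoft; it builds and signs such a request from a constructed Advanced Hunting Results array, and the workspace ID and shared key are placeholders.

```python
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed sample values: a placeholder workspace ID and a made-up shared key (not real).
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_SHARED_KEY_B64 = base64.b64encode(b"constructed key - not a real workspace primary key").decode()
# Constructed stand-in for the Advanced Hunting action's output; the guide forwards its "Results" array.
SAMPLE_HUNTING_RESPONSE = {"Results": [
    {"DeviceName": "host-01", "CveId": "CVE-0000-0001", "CvssScore": 9.8},
    {"DeviceName": "host-02", "CveId": "CVE-0000-0002", "CvssScore": 9.1},
]}

def is_valid_log_type(log_type):
    # Log-Type may contain only letters, digits and underscores (max 100 chars). Log Analytics
    # appends "_CL" itself, so sending "XDRVulnerability" yields the XDRVulnerability_CL table.
    return re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type) is not None

def string_to_sign(content_length, rfc1123_date):
    # Canonical string the Data Collector API expects the HMAC to cover.
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"

def build_authorization(workspace_id, shared_key_b64, content_length, rfc1123_date):
    # Authorization: SharedKey <WorkspaceId>:<Base64(HMAC-SHA256(primary key, string_to_sign))>
    key = base64.b64decode(shared_key_b64)
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"), hashlib.sha256)
    return f"SharedKey {workspace_id}:{base64.b64encode(mac.digest()).decode()}"

def build_request(workspace_id, shared_key_b64, log_type, hunting_response, now=None):
    # Assemble the signed POST that the Logic App's "Send Data" action performs under the hood.
    if not is_valid_log_type(log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    body = json.dumps(hunting_response["Results"])   # the Results array becomes the payload
    content_length = len(body.encode("utf-8"))       # byte length, the value the signature covers
    now = now or datetime.now(timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
        "headers": {
            "Content-Type": "application/json",
            "Content-Length": str(content_length),
            "Authorization": build_authorization(workspace_id, shared_key_b64, content_length, rfc1123_date),
            "Log-Type": log_type,
            "x-ms-date": rfc1123_date,
        },
        "body": body,
    }
```

Because the service appends _CL itself, a Log-Type of XDRVulnerability produces the XDRVulnerability_CL table queried in Step 7. Microsoft has deprecated the Data Collector API in favor of the Azure Monitor Logs Ingestion API; the signing scheme above is specific to the legacy endpoint.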

Step 6: Run the Logic App to Return Results

In the Logic App Designer, select Run.

If the run is successful, the data is sent to the Sentinel workspace.

Step 7: Validate Data in Microsoft Sentinel

In Sentinel, run the query:

XDRVulnerability_CL
| where TimeGenerated > ago(24h)

If data appears, ingestion is successful.

Step 8: Create Alerts & Automation Rules

Use Sentinel to:

  • Create analytics rules for:
    • CVSS > 9
    • Exploit available
    • New vulnerabilities in last 24 hours
  • Trigger:
    • Email notifications
    • Incident creation
    • SOAR playbooks

Conclusion

By combining Logic Apps, Managed Identities, Microsoft XDR, and Microsoft Sentinel, you can create a powerful, secure, and scalable pipeline for ingesting hunting intelligence and triggering proactive detections.
