
PooleofMana
Jul 28, 2025

Re: Unable to add Endpoints and Vulnerability management in XDR Permissions

Any ideas anyone? Really could use some help here.

2 Replies

  • labNeos

    Hello, this track seems correct to me, not tested.
    Access Endpoint and Vulnerability Management in Microsoft Defender XDR via SOAR

    1. Register an App in Entra ID (Azure AD)

    The SOAR platform must be represented by an app registration in Entra ID. This app will authenticate and call Microsoft Defender APIs.

    2. Assign API Permissions

    While 'Vulnerability.Read.All' does not exist, the app should be granted the following permissions:

    - SecurityIncident.Read.All (Microsoft Graph API)
    - SecurityAlert.Read.All (Microsoft Graph API)
    - Device.Read.All (Defender for Endpoint API)
    - Access to /api/vulnerabilities (Defender for Endpoint API)

    These permissions must be admin-consented in Entra ID.

    3. Use Defender XDR Unified RBAC

    Microsoft Defender XDR uses a centralized RBAC model. You must create or assign a custom role with the following permissions:

    - Vulnerability management (read/write)
    - Endpoint security settings (read/write)
    - Incident read access

    Assign this role to the service principal of your SOAR app.

    4. Use Defender for Endpoint API Endpoints

    To retrieve vulnerability and endpoint data, use the following endpoints:

    - GET /api/machines
    - GET /api/machines/{id}/vulnerabilities
    - GET /api/vulnerabilities

    These endpoints are part of the Defender for Endpoint API, not Microsoft Graph.

    • PooleofMana

      Hi, we already have an app registration in Entra for the SOAR. And alerts are coming through fine into that.
      The alerts come from DFE into Sentinel, then through to SOAR. If the analyst cannot determine enough information from the alert directly and needs to investigate, they will go to Sentinel and click "Investigate in Defender XDR". But that button then throws an error and says permissions are not granted.
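
Added example, not part of either post and not Microsoft code: for steps 1 and 2 of labNeos's reply, one way to confirm that admin consent took effect is to decode the app-only access token and compare its `roles` claim with the expected application permissions. The permission names are the ones listed in that reply (used as sample values, not verified here), the token is constructed, and all function names are hypothetical.

```python
import base64
import json

# Permission names as listed in the reply above (sample values, not verified here).
REQUIRED_ROLES = {"SecurityIncident.Read.All", "SecurityAlert.Read.All", "Device.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Diagnostic use only; never base an authorization decision on this."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_permissions(jwt: str, required=REQUIRED_ROLES) -> set:
    """Application permissions that were expected but are absent from the token."""
    claims = token_claims(jwt)
    if "roles" not in claims and "scp" in claims:
        # Delegated (user) token: permissions sit in 'scp', so the token did not
        # come from the client-credentials flow and app permissions cannot be checked.
        raise ValueError("delegated token: no 'roles' claim")
    return set(required) - set(claims.get("roles", []))


def _constructed_token(claims: dict) -> str:
    # Builds an unsigned sample token for the demo; real tokens come from Entra ID.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample: consent was granted for only two of the three permissions.
SAMPLE = _constructed_token({"appid": "00000000-0000-0000-0000-000000000000",
                             "roles": ["SecurityAlert.Read.All", "Device.Read.All"]})

if __name__ == "__main__":
    print("missing:", sorted(missing_app_permissions(SAMPLE)))
```

This only inspects what the app registration was granted; it says nothing about the Unified RBAC role assignment from step 3 or about an analyst's own portal permissions.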
