Forum Discussion
Unable to add Endpoints and Vulnerability management in XDR Permissions
Hello, this approach seems correct to me (not tested).
Access Endpoint and Vulnerability Management in Microsoft Defender XDR via SOAR
1. Register an App in Entra ID (Azure AD)
The SOAR platform must be represented by an app registration in Entra ID. This app will authenticate and call Microsoft Defender APIs.
2. Assign API Permissions
While 'Vulnerability.Read.All' does not exist, the app should be granted the following permissions:
- SecurityIncident.Read.All (Microsoft Graph API)
- SecurityAlert.Read.All (Microsoft Graph API)
- Device.Read.All (Defender for Endpoint API)
- Access to /api/vulnerabilities (Defender for Endpoint API)
These permissions must be admin-consented in Entra ID.
3. Use Defender XDR Unified RBAC
Microsoft Defender XDR uses a centralized RBAC model. You must create or assign a custom role with the following permissions:
- Vulnerability management (read/write)
- Endpoint security settings (read/write)
- Incident read access
Assign this role to the service principal of your SOAR app.
4. Use Defender for Endpoint API Endpoints
To retrieve vulnerability and endpoint data, use the following endpoints:
- GET /api/machines
- GET /api/machines/{id}/vulnerabilities
- GET /api/vulnerabilities
These endpoints are part of the Defender for Endpoint API, not Microsoft Graph.
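Worked example of steps 1 to 4 as one script (added here, not code from the thread or from Microsoft): an app registration obtains a token for the Defender for Endpoint API with the client-credentials grant, the script inspects the roles claim in that token to confirm which application permissions were actually admin-consented, then lists machines and their vulnerabilities through the /api/machines and /api/machines/{id}/vulnerabilities endpoints named above. It assumes the API permissions and Unified RBAC role from the post are in place; tenant, client id, secret and the sample token are placeholders or constructed values. A 401 or 403 from the API is mapped to the permission step most likely missing.

```python
"""Client-credentials access to the Defender for Endpoint API (added example).

Assumes: an Entra app registration with a client secret, the API permissions
from the post admin-consented, and a Unified RBAC role assigned to the app's
service principal. Tenant/client values below are placeholders.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
MDE_SCOPE = "https://api.securitycenter.microsoft.com/.default"
MDE_BASE = "https://api.securitycenter.microsoft.com"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth2 client-credentials grant."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": MDE_SCOPE,
    }).encode()
    return url, body


def build_api_url(path, odata_filter=None, top=None):
    """Build an MDE API URL; OData options are percent-encoded (spaces as %20)."""
    params = {}
    if odata_filter:
        params["$filter"] = odata_filter
    if top:
        params["$top"] = str(top)
    url = MDE_BASE + path
    if params:
        url += "?" + urllib.parse.urlencode(params, safe="$'", quote_via=urllib.parse.quote)
    return url


def token_roles(access_token):
    """Decode the JWT payload (no signature check: diagnostics only) and return its app roles.

    An empty list usually means the API permissions were never admin-consented."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return sorted(claims.get("roles", []))


# Constructed, unsigned sample token used only to demonstrate token_roles().
SAMPLE_TOKEN = "e30." + base64.urlsafe_b64encode(
    b'{"roles":["Example.Write.All","Example.Read.All"]}').rstrip(b"=").decode() + ".sig"


def parse_collection(raw_json):
    """Return the 'value' list of an OData collection response."""
    return json.loads(raw_json).get("value", [])


def classify_error(status, raw_json):
    """Map an API error to the setup step most likely missing."""
    try:
        err = json.loads(raw_json).get("error", {})
    except ValueError:
        err = {}
    code = err.get("code", "")
    if status == 401:
        return f"token rejected ({code}): check tenant, scope/audience and client secret"
    if status == 403:
        return (f"forbidden ({code}): API permission not admin-consented or "
                "no Unified RBAC role assigned to the service principal")
    return f"HTTP {status} ({code})"


def get_json(url, access_token):
    """GET an MDE collection endpoint with a bearer token; raise with a diagnosis on error."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {access_token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_collection(resp.read())
    except urllib.error.HTTPError as e:
        raise RuntimeError(classify_error(e.code, e.read())) from e


def get_token(tenant_id, client_id, client_secret):
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=30) as resp:
        return json.loads(resp.read())["access_token"]


if __name__ == "__main__":
    tok = get_token("TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER")
    print("consented app roles in token:", token_roles(tok))
    machines = get_json(build_api_url("/api/machines", odata_filter="healthStatus eq 'Active'", top=5), tok)
    for m in machines:
        vulns = get_json(build_api_url(f"/api/machines/{m['id']}/vulnerabilities"), tok)
        print(m["computerDnsName"], len(vulns), "vulnerabilities")
```

Run it once with real values after consent and role assignment; if the roles list printed from the token is empty, admin consent (step 2) is the missing piece, while a 403 with a populated roles list points at the Unified RBAC role (step 3).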
Hi, we already have an app registration in Entra for the SOAR, and alerts are coming through fine into that.
The alerts come from DFE into Sentinel, then through to SOAR. If the analyst cannot determine enough information from the alert directly and needs to investigate, they will go to Sentinel and click "Investigate in Defender XDR". But that button then throws an error and says permissions are not granted.