Unable to add Endpoints and Vulnerability management in XDR Permissions
Hi, I have defender for endpoint running on obver 400 devices. I have 10 with Bus Premium, 5 with E5, and the rest E3. I am getting incidents for DFE, and this is being sent to my SOAR platform for analysis, but when I pivot back using client-sync, I cannot see DFE incidents. I have gone into Settings > XDR > Workload settings, and can only see the below There does not appear to be the option to grant the roles I have provided for my SOAR user the ability to see Endpoint and Vulnerability management. Really scratching my head here. Help?
Secure Score - Vulnerability Exceptions Not Registering
I have followed the guide to configure the proper permissions to manage within Defender. Device groups have been created based off tags we applied to the devices, and the device groups register the expected number of devices. We apply an exception to the vulnerability recommendation based off the device group, looking at the individual device pages we can confirm the recommendation is excluded and it all appears to work as intended up to this point. The problem starts on the vulnerability dashboard. The recommendation shows it is in partial exception status however none of the statistics or data reflect this including our secure score. I can confirm making a global exception works as expected and we can see the score adjust properly. Has anyone experienced this before or have any pointers? We have been working at this for weeks trying different things without luck, we are ensuring to leave adequate sync times.MS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding—after configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?
Replacement for Windows Authenticated Scanning
For cost saving, we were looking at replacing our existing vulnerability scanner with Defender and using device scanning. Due to the nature of some of our systems, we can't enroll all of them in Defender and had hoped to use Windows Authenticated Scanning for the unmanaged devices. It looks like that is being deprecated, and the FAQ page indicates that there is currently no direct replacement. While the number of systems we have that can't be enrolled in relatively minimal, is there any kind of scanning I'm missing as part of the product that would allow remote scans of Windows devices as opposed to enrolling? It doesn't look like it. Seems like taking away a component that gives some kind of feature parity without another option is a bad idea, but maybe I'm just missing something.
Consistent language for description of permissions
Is there any reference that describes the permissions that can be granted in Defender XDR, and how those permissions can be granted using Entra ID roles, Defender XDR Unified RBAC roles, or through the individual Defender point products that have been integrated into XDR, using consistent, standardized language? The documentation for Entra ID describes permissions in this format: microsoft.directory/provisioningLogs/allProperties/read The documentation for Defender XDR describes them in this format: Security operations \ Security data \ Email advanced actions (manage) I'm basically looking for something that says "permissions to do n function is granted by x role in Entra ID, y role in Defender XDR, or z role in Defender for Office 365." Is this something that's not possible at a company of Microsoft's size and complexity? Kind of like how this is the Microsoft Defender XDR community forum, but there's no "Microsoft Defender XDR" label for the mandatory labeling of posts?Unified RBAC and Entra PIM
I'm interested in any experiences people have had with activating custom Unified RBAC roles using Entra ID PIM. We are currently doing something similar with a custom role in Defender for Office 365 (using these instructions: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/pim-in-mdo-configure?view=o365-worldwide) , and my experience has been that it takes up to 50 minutes, after activating the Entra ID PIM group, for the permissions to be applied to Defender. Microsoft support can't decide whether this problem should be addressed by the Entra ID division or the Defender XDR division, and therefore it's not getting addressed. Has anyone configured an Entra ID PIM group with a custom Defender RBAC role (using these instructions: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/configure-just-in-time-access-to-m365-defender/ba-p/3764564) and if so, how well is it working. Thanks in advance!
