I'm seeking advice regarding the integration between Cato XDR and Microsoft Defender for Endpoint (MDE).
Previously, MDE alerts were being displayed correctly in Cato XDR (Home > Stories Workbench),
but since yesterday, new incidents detected in MDE are no longer appearing in XDR.
Below is the current status of our investigation:
When an incident occurs on a device, it is properly detected and displayed in MDE.
The integration with MDE was successfully completed, and the corresponding application in Entra ID has been granted the following application permissions with admin consent:
- SecurityAlert.Read.All
- SecurityIncident.Read.All
- ThreatHunting.Read.All
- User.Read (delegated)
- User.Read.All (application)
In Microsoft Entra ID, the Sign-in logs show that all sign-ins by the service principal are marked as "successful."
We tried deleting "Microsoft Defender" once from Security > Endpoint Connector and re-integrating it, but the alerts still do not appear in XDR.
I would greatly appreciate any advice or insights to help resolve this issue.
Thank you very much in advance.
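A "successful" sign-in for the service principal only shows that the client credential was accepted; it says nothing about which application roles the issued token actually carries. One defender-side check, added here as an example and not code from the original post or from Cato or Microsoft, is to cross-reference the app role assignments on the integration's service principal against the permissions the post says were consented. It assumes the two Microsoft Graph calls named in the comments (`/servicePrincipals/{id}?$select=appRoles` on the Microsoft Graph service principal and `/servicePrincipals/{id}/appRoleAssignments` on the integration's service principal); the JSON below is constructed sample data with made-up GUIDs, and the delegated User.Read permission is left out because delegated grants live in `oauth2PermissionGrants`, not in `appRoleAssignments`.

```python
import json

# Application permissions the post lists as granted to the Cato XDR app.
# User.Read is delegated and is recorded as an oauth2PermissionGrant,
# not an appRoleAssignment, so it is deliberately not checked here.
REQUIRED_APP_PERMISSIONS = {
    "SecurityAlert.Read.All",
    "SecurityIncident.Read.All",
    "ThreatHunting.Read.All",
    "User.Read.All",
}

# Object id of the Microsoft Graph service principal in the tenant.
# Constructed placeholder; in a real tenant it is looked up with
#   GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"

# Constructed sample of GET /servicePrincipals/{GRAPH_SP_ID}?$select=appRoles
# (only the fields this check reads; the GUIDs are invented).
GRAPH_APP_ROLES_SAMPLE = json.dumps({
    "appRoles": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "SecurityAlert.Read.All",
         "isEnabled": True, "allowedMemberTypes": ["Application"]},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "SecurityIncident.Read.All",
         "isEnabled": True, "allowedMemberTypes": ["Application"]},
        {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "ThreatHunting.Read.All",
         "isEnabled": True, "allowedMemberTypes": ["Application"]},
        {"id": "aaaaaaaa-0000-0000-0000-000000000004", "value": "User.Read.All",
         "isEnabled": True, "allowedMemberTypes": ["Application"]},
    ]
})

# Constructed sample of GET /servicePrincipals/{integration-sp-id}/appRoleAssignments.
# Three Graph roles are assigned; ThreatHunting.Read.All is missing, and one
# assignment targets a different resource API and must be ignored.
ASSIGNMENTS_SAMPLE = json.dumps({
    "value": [
        {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000001", "resourceId": GRAPH_SP_ID,
         "resourceDisplayName": "Microsoft Graph", "principalDisplayName": "Cato XDR (sample)"},
        {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000002", "resourceId": GRAPH_SP_ID,
         "resourceDisplayName": "Microsoft Graph", "principalDisplayName": "Cato XDR (sample)"},
        {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000004", "resourceId": GRAPH_SP_ID,
         "resourceDisplayName": "Microsoft Graph", "principalDisplayName": "Cato XDR (sample)"},
        {"appRoleId": "bbbbbbbb-0000-0000-0000-000000000099",
         "resourceId": "22222222-2222-2222-2222-222222222222",
         "resourceDisplayName": "Some other API (sample)", "principalDisplayName": "Cato XDR (sample)"},
    ]
})


def build_role_map(graph_sp_json: str) -> dict:
    """Map appRole id -> permission name for enabled application-type roles."""
    roles = json.loads(graph_sp_json)["appRoles"]
    return {
        r["id"]: r["value"]
        for r in roles
        if r.get("isEnabled", True) and "Application" in r.get("allowedMemberTypes", [])
    }


def granted_graph_permissions(assignments_json: str, role_map: dict, graph_sp_id: str) -> set:
    """Resolve the service principal's assignments on Microsoft Graph to permission names."""
    granted = set()
    for a in json.loads(assignments_json)["value"]:
        if a["resourceId"] != graph_sp_id:
            continue  # role on some other API; irrelevant to the Graph permissions
        # Unknown ids are kept visible rather than silently dropped.
        granted.add(role_map.get(a["appRoleId"], "unknown:" + a["appRoleId"]))
    return granted


def audit_permissions(required: set, granted: set) -> dict:
    """Report required roles that are not assigned and assigned roles nobody asked for."""
    return {"missing": sorted(required - granted), "unexpected": sorted(granted - required)}


def run_sample_audit() -> dict:
    role_map = build_role_map(GRAPH_APP_ROLES_SAMPLE)
    granted = granted_graph_permissions(ASSIGNMENTS_SAMPLE, role_map, GRAPH_SP_ID)
    return audit_permissions(REQUIRED_APP_PERMISSIONS, granted)


if __name__ == "__main__":
    print(json.dumps(run_sample_audit(), indent=2))
```

Against the constructed sample the audit reports ThreatHunting.Read.All as missing and nothing unexpected. In a live tenant the same comparison, fed with the two real Graph responses, separates "the sign-in succeeded" from "the token carries the roles the connector needs"; the `roles` claim of a token obtained with the integration's client credential should match the granted set this produces.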