Posting as FYI. The instructions for the Filebeat Microsoft Module at Microsoft module | Filebeat Reference [8.17] | Elastic are incomplete.
You need to also add the permissions for the WindowsDefenderATP API > Alerts > Alert.Read.All and Alert.ReadWrite.All.
So your final permissions would look like:
Looking at the documentation, it does look like the WindowsDefenderATP instructions include Alert.Read.All
Are you certain that Alert.ReadWrite.All is necessary? It shouldn't require write access.
You're right on the documentation. Not sure how I missed that.
However, when I didn't have Alert.Read.All and Alert.ReadWrite.All, I would see error messages saying that I didn't have those permissions.
It's a little confusing, with the m365_defender and the defender_atp settings in different sections. Could you share the error message you got when Write access was not given?
Jan 7 15:32:11 LOGGER filebeat[2510619]: {"log.level":"error","@timestamp":"2025-01-07T15:32:11.971Z","log.logger":"input.httpjson-cursor","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson.run.func1","file.name":"httpjson/input.go","file.line":181},"message":"Error while processing http request: failed to collect first response: failed to execute http GET: server responded with status code 403: {"error":{"code":"Forbidden","message":"Missing application roles. API required roles: Alert.Read.All,Alert.ReadWrite.All, application roles: .","target":"|3c365647-11111."}}","service.name":"filebeat","id":"xxxxxxxx","input_source":"https://api.securitycenter.windows.com/api/alerts","input_url":"https://api.securitycenter.windows.com/api/alerts","ecs.version":"1.6.0"}
Thanks! Since it's a GET method, it does seem like Alert.Read.All should be sufficient. From the windows documentation, it seems like only one is required. Did you get this error when Alert.Read.All was enabled? Get alert information by ID API - Microsoft Defender for Endpoint | Microsoft Learn
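As an added example (not from this thread, Filebeat or Microsoft), a small triage script for the error shown above: it parses a Filebeat httpjson error line, pulls the Defender API's 403 body out of the message, and reports which of the roles the API names are missing versus granted. The log line is constructed to match the posted one, with the inner JSON escaped the way Filebeat emits it and a placeholder target value.

```python
import json
import re

# Constructed Filebeat log line modelled on the one in the thread: the outer record is JSON and
# the 403 body quoted inside "message" is JSON-escaped (as Filebeat emits it); target is a placeholder.
SAMPLE_LINE = json.dumps({
    "log.level": "error",
    "log.logger": "input.httpjson-cursor",
    "message": (
        "Error while processing http request: failed to collect first response: "
        "failed to execute http GET: server responded with status code 403: "
        '{"error":{"code":"Forbidden","message":"Missing application roles. '
        'API required roles: Alert.Read.All,Alert.ReadWrite.All, application roles: .",'
        '"target":"|PLACEHOLDER-TARGET."}}'
    ),
    "input_url": "https://api.securitycenter.windows.com/api/alerts",
})

# Matches the role lists inside the Defender API's "Missing application roles" message.
ROLES_RE = re.compile(r"API required roles: (.*?), application roles: (.*?)\.?$")


def _split_roles(s):
    return [r.strip() for r in s.split(",") if r.strip()]


def triage_line(line):
    """Parse one Filebeat JSON log line; return a dict describing a Defender API 403
    'Missing application roles' failure, or None if the line is not such a failure."""
    rec = json.loads(line)
    if rec.get("log.level") != "error" or rec.get("log.logger") != "input.httpjson-cursor":
        return None
    msg = rec.get("message", "")
    marker = "status code 403: "
    i = msg.find(marker)
    if i < 0:
        return None
    body = json.loads(msg[i + len(marker):])  # the Defender API's own error object
    m = ROLES_RE.search(body["error"]["message"])
    if not m:
        return None
    required, granted = _split_roles(m.group(1)), _split_roles(m.group(2))
    return {
        "input_url": rec.get("input_url"),
        "required": required,
        "granted": granted,
        "missing": [r for r in required if r not in granted],
        # The thread reads the Defender docs as needing only one of the listed roles for a GET,
        # so the list is treated here as any-of: fine once at least one listed role is granted.
        "any_listed_granted": any(r in granted for r in required),
    }


if __name__ == "__main__":
    print(json.dumps(triage_line(SAMPLE_LINE), indent=2))
```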