I am using the Filebeat Microsoft module to ingest Defender Endpoint logs. I have set up an App on the Azure AD site and added the documented permissions. I am getting a message that indicates I do not have the required roles on the API, specifically Incident.Read.All, Incident.ReadWrite.All. I have double-checked my API permissions and these are listed. I have searched the entire internet for answers and have found nothing to help.
Ensure that the permissions Incident.Read.All and Incident.ReadWrite.All are not only listed but also granted. In Azure AD, adding a permission and granting it are two separate steps.
I also noticed that if I create an App Context Token and run it through a JWT decoder, it only shows the Incident.Read.All role assigned. Could I have done something wrong creating the App?
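The check discussed in the posts above, as an added example that is not part of the original thread: it decodes the payload of an app-context token and reports which of the roles named in the error are absent from the `roles` claim. The sample token is constructed, and the function names and the audience value are assumptions.

```python
import base64
import json

# Roles named in the error message quoted in the thread.
REQUIRED_ROLES = {"Incident.Read.All", "Incident.ReadWrite.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    Diagnostic use only, on a token you requested yourself.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def granted_roles(claims: dict) -> set:
    # Application permissions are carried in the "roles" claim of the token.
    roles = claims.get("roles") or []
    if isinstance(roles, str):
        roles = roles.split()
    return set(roles)


def missing_roles(token: str, required=REQUIRED_ROLES) -> set:
    return set(required) - granted_roles(jwt_claims(token))


def make_sample_token(claims: dict) -> str:
    # Constructed sample with a placeholder signature (hypothetical helper).
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


# Constructed token matching what the thread describes: one role present.
SAMPLE_TOKEN = make_sample_token(
    {"aud": "https://api.example.invalid", "roles": ["Incident.Read.All"]})

if __name__ == "__main__":
    print("missing:", sorted(missing_roles(SAMPLE_TOKEN)))
```

Request a new token after granting consent before re-running the check, because the `roles` claim is fixed when the token is issued.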