Hi,
Working with a customer to get their Defender Endpoint Alerts.
Following instructions here
I am able to get the Access Token with the info provided by the customer (tenantId, appId, and appSecret).
However, getting a 401 attempting:
curl -s -v -X GET \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $token" \
  https://wdatp-alertexporter-us.windows.com/api/alerts
When I checked the access token at https://jwt.ms/ I see these roles:
"roles": [
  "Url.Read.All",
  "Ip.Read.All",
  "Ti.Read.All",
  "User.Read.All",
  "Alert.Read.All",
  "Software.Read.All",
  "File.Read.All",
  "Vulnerability.Read.All",
  "AdvancedQuery.Read.All"
]
Noticed that they do not match the roles listed in this doc:
Do I need all of those roles listed in the doc?
If not, what is the minimum set of roles I need to GET alerts via
wdatp-alertexporter-us.windows.com/api/alerts
Or do you see anything else wrong with my request that might be causing the 401 error?
Thanks - Mike