401 received when using defender module

[lsoumille]

We would like to use filebeat to get Incidents from Microsoft Security portal

Please include configurations and logs if available.

Module configuration:

- module: microsoft
  # ATP configuration
  m365_defender:
    enabled: true
    # How often the API should be polled
    #var.interval: 5m

    # Oauth Client ID
    var.oauth2.client.id: "beeae248-e357-496d-a714-b18d6eba6ba8"

    # Oauth Client Secret
    var.oauth2.client.secret: "XXXXXXX"

    # Oauth Token URL, should include the tenant ID
    var.oauth2.token_url: "https://login.microsoftonline.com/09e89d02-ee53-4258-b2ed-0590d72a6f21/oauth2/token"

Error in filebeat logs:

{"log.level":"error","@timestamp":"2024-12-06T11:42:55.168+0100","log.logger":"input.httpjson-cursor","log.origin":{"function":"github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson.run.func1","file.name":"httpjson/input.go","file.line":181},"message":"Error while processing http request: failed to collect first response: failed to execute http GET: server responded with status code 401: {\"error\":{\"code\":\"Unauthorized\",\"message\":\"Invalid Authorization payload. AppId: beeae248-e357-496d-a714-b18d6eba6ba8, Audience: 00000002-0000-0000-c000-000000000000, Issuer: https://sts.windows.net/09e89d02-ee53-4258-b2ed-0590d72a6f21/, Validity: valid from 2024-12-06T10:37:53.0000000Z to 2024-12-06T11:42:53.0000000Z\",\"target\":\"|e9f3423a-450386dc180390ed.\"}}","service.name":"filebeat","id":"82DDC72ACDE3E2AB","input_source":"https://api.security.microsoft.com/api/incidents","input_url":"https://api.security.microsoft.com/api/incidents","ecs.version":"1.6.0"} 

For confirmed bugs, please report:

• Version: 8.16
• Operating System: Windows Server 2016

[botelastic]

This issue doesn't have a Team:<team> label.