Getting 401 doing a GET from https://wdatp-alertexporter-us.windows.com/api/alerts – Microsoft Q&A
Hi,
I am working with a customer to get their Defender Endpoint Alerts.
I am following the instructions here:
https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api
I am able to get the Access Token with the info provided by the customer (tenantId, appId, and appSecret).
However, I am getting a 401 when attempting:
curl -s -v -X GET \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    -H "Authorization: Bearer $token" \
    https://wdatp-alertexporter-us.windows.com/api/alerts
When I checked the access token at https://jwt.ms/ I see these roles:
"roles": [
    "Url.Read.All",
    "Ip.Read.All",
    "Ti.Read.All",
    "User.Read.All",
    "Alert.Read.All",
    "Software.Read.All",
    "File.Read.All",
    "Vulnerability.Read.All",
    "AdvancedQuery.Read.All"
]
I noticed that they do not match the roles listed in this doc:
https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp#validate-the-token
Do I need all of those roles listed in the doc?
If not, what is the minimum set of roles I need to GET alerts via
wdatp-alertexporter-us.windows.com/api/alerts
Or do you see anything else wrong with my request that might be causing the 401 error?
Thanks – Mike
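
For inspecting the same claims locally rather than in a browser, here is an added example (not part of the original post or of Microsoft's documentation) that decodes a token's payload and reports its audience, roles and expiry. The expected audience and role are caller-supplied assumptions, the sample token is constructed, and the signature is not verified.

```python
import base64
import json
import time


def decode_claims(token):
    """Return the JWT payload as a dict. Does NOT verify the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    # JWTs use unpadded base64url; restore the padding before decoding.
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def triage(token, want_aud, want_role, now=None):
    """Summarise audience, roles and expiry against caller-supplied expectations."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    roles = claims.get("roles", [])
    return {
        "aud": aud,
        "aud_matches": want_aud in auds,
        "roles": roles,
        "has_role": want_role in roles,
        "expired": now >= claims.get("exp", 0),
    }


def _b64url(obj):
    """Encode a dict the way a JWT segment is encoded (unpadded base64url)."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token with a fake signature; not a real credential.
# The audience value is a placeholder, not the API's real audience.
SAMPLE = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"aud": "https://resource.example", "exp": 2000000000,
             "roles": ["Alert.Read.All", "Ip.Read.All"]}),
    "sig",
])

if __name__ == "__main__":
    report = triage(SAMPLE, "https://resource.example", "Alert.Read.All")
    print(json.dumps(report, indent=2))
```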