[Agent]: Microsoft Module (ATP) keeps showing permission errors #25670

Closed
btvmunoz opened this issue May 11, 2021 · 9 comments

@btvmunoz

Filebeat 7.11, Microsoft Module
OS: Ubuntu
Steps to Reproduce:

  • Enabled Microsoft module after doing the configuration
  • Per the documentation the permissions required have been given
  • All permissions added to confirm if this is the issue
  • Verifying through journalctl reveals that it still requires permissions even though it has all of them


@botelastic botelastic bot added the needs_team label May 11, 2021
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team label May 12, 2021
@jamiehynds

jamiehynds commented May 12, 2021

@P1llus could this be a result of the change Microsoft made to the OAuth flow, and resolved by your PR? #24829

@cakarlen

Commenting here to stay up to date on this issue. Currently preventing workflows related to pulling events from M365 API endpoints.

@andrewkroh andrewkroh added the Filebeat label May 17, 2021
@P1llus
Member

P1llus commented May 18, 2021

Hello @cakarlen, Microsoft decided to modify some of their audit flow. There is a PR merged for this now: #24829. I will merge a similar one for Agent as well.

@btvmunoz
Author

@P1llus I just got an e-mail from Microsoft about a value change on the OS Architecture field. While I know this was originally opened because of an authentication issue, I am wondering if the change will have any impact on the Microsoft module?

@eduardoarreolabt

eduardoarreolabt commented Aug 11, 2021

I experienced the same permission error on Filebeat v7.11 and have upgraded to version 7.14, but I received a new error.
Filebeat error

@eduardoarreolabt

eduardoarreolabt commented Aug 11, 2021

Recently updated the var.oauth2.token_url in the Microsoft defender_atp module and the error is regarding "oauth2: cannot fetch token: 400 Bad Request".
Filebeat error (2)

@tmrt22

tmrt22 commented Feb 1, 2022

I am experiencing the same issue. I followed the Microsoft documentation step by step, but it is not working. Even if I try to connect via curl, I get the same error message (401: Unauthorized).

One of our Azure experts told me that the authentication via client id & secret is not sufficient anymore to access the security center.

https://m365log.com/apps-365/oauth-interface-for-office-365-reporting-web-service/

An alternative would be using app id & app secret or using the Graph API.

@botelastic

botelastic bot commented Feb 1, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Feb 1, 2023