Hi,
Running Splunk 9.0.7 and addon Splunk_TA_MS_Security version 2.1.1.
I followed the instructions from the addon https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Configure
and reviewed from Microsoft article https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwid...
Basically I created an App Registration in our Azure tenant, added the following permissions
and created a secret.
With all this, I followed the Microsoft article and ran the PowerShell scripts to test the connection, and the token I obtain only gets a single permission.
Could someone tell me what I am doing wrong? I expected to get all the permissions assigned to the application, and I think that is why I get the 403 error in splunkd.log.
12-17-2023 13:14:32.037 +0100 ERROR ExecProcessor [19404 ExecProcessor] - message from ""C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_MS_Security\bin\microsoft_defender_endpoint_atp_alerts.py"" 403 Client Error: Forbidden for url: https://api-eu.securitycenter.microsoft.com/api/alerts?$expand=evidence&$filter=lastUpdateTime+gt+2023-11-17T12:14:31Z
12-17-2023 13:17:38.251 +0100 ERROR ExecProcessor [19404 ExecProcessor] - message from ""C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_MS_Security\bin\microsoft_365_defender_endpoint_incidents.py"" 403 Client Error: Forbidden for url: https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime+gt+2023-11-17T12:17:31Z
Thanks
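The quickest way to see which application permissions a client-credentials token actually carries is to decode its payload and read the "roles" claim (application permissions that an admin has consented to for the resource named in "aud"; delegated permissions would appear in "scp" instead, and a token only ever lists permissions for the one resource it was requested for). The following is an added example, not part of the original post or of the Splunk add-on: it builds a constructed, unsigned sample token with a made-up "aud" and "roles", decodes the claims without signature verification (which is fine for a local read-only inspection), and reports which of a required set of roles are missing. The role names used in the demo are assumptions for illustration; take the real list from the add-on documentation.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as compact JWS segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(aud: str, roles: list[str]) -> str:
    """Constructed sample token (alg=none, no signature) that mimics the
    claims layout of an Entra ID client-credentials access token. The appid,
    aud and roles values are made up for this example."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "aud": aud,
        "appid": "00000000-0000-0000-0000-000000000000",  # placeholder
        "roles": roles,
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     ""])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS/JWT. The signature is NOT
    verified here; this is only for inspecting a token you already hold."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_roles(token: str, required: set[str]) -> dict:
    """Compare the token's 'roles' claim against the roles the integration
    needs. An empty 'granted' list with an access token in hand usually means
    admin consent was never granted, or the token was requested for a
    different resource (check 'aud') than the API that returned 403."""
    claims = decode_claims(token)
    granted = set(claims.get("roles", []))
    delegated = claims.get("scp")  # present only for delegated (user) tokens
    return {
        "aud": claims.get("aud"),
        "granted": sorted(granted),
        "missing": sorted(required - granted),
        "delegated_scopes": delegated,
    }


if __name__ == "__main__":
    # Assumed role names for the demo; the add-on docs are the authority.
    required = {"Alert.Read.All", "Machine.Read.All"}
    token = make_sample_token("https://api.securitycenter.microsoft.com",
                              ["Alert.Read.All"])
    # With a real token, replace the line above with the access_token string
    # returned by the PowerShell test script.
    print(json.dumps(check_roles(token, required), indent=2))
```

With a real token, paste the access_token string in place of the constructed one; if "granted" lists fewer roles than you assigned in the App Registration, the usual causes are that admin consent has not been granted for those permissions, or that the token was requested for a different resource than the one the add-on is calling.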