For reference, I created this table that helps identify which MSFT API to configure. It took our team a few attempts to get this right before we had data flowing in for all the sourcetypes - except for advanced hunting (not configured). Hope this helps someone in the future 🙂

| Sourcetype | Permission | Input type | MSFT API |
|---|---|---|---|
| ms365:defender:incident/ms365:defender:incident:alert | Incident.Read.All | Modinput | Microsoft Threat Protection |
| ms:defender:atp:alerts | Alert.Read.All | Modinput | WindowsDefenderATP |
| ms365:defender:incident/ms365:defender:incident:alert | Incident.ReadWrite.All | Alert Action | Microsoft Threat Protection |
| m365:defender:incident:advanced_hunting | AdvancedHunting.Read.All | Alert Action | Microsoft Threat Protection |