diff --git a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
index 5210fc53e75..5108ebdad07 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
+++ b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
@@ -11,7 +11,7 @@ url: {{ .url }}
 oauth2: {{ .oauth2 | tojson }}
 oauth2.provider: azure
 oauth2.azure.resource: https://api.securitycenter.windows.com/
-
+http_headers: {{ .http_headers | tojson }}
 date_cursor.field: lastUpdateTime
 date_cursor.url_field: '$filter'
 date_cursor.value_template: {{ .date_cursor.value_template }}
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/manifest.yml b/x-pack/filebeat/module/microsoft/defender_atp/manifest.yml
index 99cca9da1af..22db3448710 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/manifest.yml
+++ b/x-pack/filebeat/module/microsoft/defender_atp/manifest.yml
@@ -6,14 +6,17 @@ var:
   - name: interval
     default: 5m
   - name: date_cursor
-    default: 
+    default:
       value_template: "lastUpdateTime gt {{.}}"
   - name: tags
     default: [defender-atp, forwarded]
+  - name: http_headers
+    default:
+      User-Agent: MdatpPartner-Elastic-Filebeat/1.0.0
   - name: url
     default: "https://api.securitycenter.windows.com/api/alerts?$expand=evidence"
   - name: oauth2
-
+
 ingest_pipeline: ingest/pipeline.yml
 input: config/atp.yml
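Review bot: The new `http_headers` var in manifest.yml hard-codes a partner `User-Agent` with an embedded version (`MdatpPartner-Elastic-Filebeat/1.0.0`) but carries no comment saying why the header is required or how overrides behave. Because atp.yml renders the whole map with `{{ .http_headers | tojson }}`, a user-supplied `http_headers` value presumably replaces the default map rather than merging into it, which would silently drop the partner identifier — worth confirming against how module var defaults are resolved and stating in the module docs. Suggest a comment above the var: `# Partner User-Agent identifies this integration to the Defender API; overriding http_headers replaces this whole map, so keep this header when adding others.` The `1.0.0` suffix is also a value someone must remember to bump; a short note on who owns it (or a pointer to the release process) would prevent it going stale.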