briandelmsft / SentinelAutomationModules

The Microsoft Sentinel Triage AssistanT (STAT) makes it easy to create incident triage automation in Microsoft Sentinel
MIT License

[BUG] Wrong data in "ID" variable from MDE-Module - STAT v2 #434

Closed SimonRefslund closed 10 months ago

SimonRefslund commented 10 months ago

I'm not sure if this is an error in the custom connector, the Python module, or somewhere else.

When using the "id" variable from the MDE-Module, STATv1 returned only the DeviceID from the Defender API. However, after updating to STATv2, it now returns a full HTML-formatted URL.

This error was introduced after updating to STATv2 preview (1.5.5). Below is a sample of the output from the STATv2 MDE module. I would expect the "id" to only contain the deviceID.

```json
"Hosts": [
    {
        "id": "<a href=\"https://security.microsoft.com/machines/DEVICEID-REDACTED?tid=TENANTID-REDACTED\" target=\"_blank\">DEVICEID-REDACTED</a>",
        "computerDnsName": "REDACTED-app-1.REDACTED.local",
        "riskScore": "High",
        "exposureLevel": "High"
    }
],
```

Could this be a bug, or am I misunderstanding something completely?

briandelmsft commented 10 months ago

@SimonRefslund thanks for bringing this up. Sounds like a bug, we'll take a look into it

briandelmsft commented 10 months ago

@SimonRefslund This issue occurs only when commenting is on for the MDE module. As a temporary workaround you can disable comments for the MDE module.

The problem is that the hyperlinking we do in the incident comments is done on a reference to the same object that is returned by the module, so the module return also includes the hyperlinked content.
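The aliasing bug described in the comment above, reproduced as an added example in Python (the language of the STAT function). This is not STAT's own code: the function names, the `run_module` structure and the sample host record are assumptions, and the anchor format is copied from the output posted in the issue. `hyperlink_hosts_buggy` rewrites the `id` field on the very dicts the module returns, so turning comments on pollutes the module output; `hyperlink_hosts_fixed` renders the comment from a deep copy, so the returned `id` stays a plain device ID whether or not a comment is written.

```python
import copy
import html

# Constructed sample record modelled on the redacted output in the issue (not real STAT data).
TENANT_ID = "TENANTID-REDACTED"
SAMPLE_HOSTS = [
    {
        "id": "DEVICEID-REDACTED",
        "computerDnsName": "REDACTED-app-1.REDACTED.local",
        "riskScore": "High",
        "exposureLevel": "High",
    }
]


def mde_portal_link(device_id: str, tenant_id: str) -> str:
    """Build the HTML anchor used in an incident comment.

    Format taken from the issue's output; assumed to match what STAT renders.
    """
    url = f"https://security.microsoft.com/machines/{device_id}?tid={tenant_id}"
    return f'<a href="{url}" target="_blank">{html.escape(device_id)}</a>'


def hyperlink_hosts_buggy(hosts: list) -> list:
    """Buggy variant: mutates the dicts in place.

    Every holder of a reference to the same list (including the module's
    return value) now sees the HTML anchor instead of the device ID.
    """
    for host in hosts:
        host["id"] = mde_portal_link(host["id"], TENANT_ID)
    return hosts


def hyperlink_hosts_fixed(hosts: list) -> list:
    """Fixed variant: works on a deep copy, leaving the module output untouched."""
    comment_hosts = copy.deepcopy(hosts)
    for host in comment_hosts:
        host["id"] = mde_portal_link(host["id"], TENANT_ID)
    return comment_hosts


def run_module(add_comment: bool, hyperlinker) -> dict:
    """Simulate a module run: build results, optionally render a comment, return results.

    `hyperlinker` is either of the two functions above; the returned dict mimics
    the shape of the module output shown in the issue (only the fields that matter).
    """
    hosts = copy.deepcopy(SAMPLE_HOSTS)  # fresh data for every run
    comment_html = None
    if add_comment:
        # The comment body is a list of clickable device links.
        comment_html = "<br>".join(h["id"] for h in hyperlinker(hosts))
    return {"Hosts": hosts, "comment": comment_html}


def ids_are_plain(hosts: list) -> bool:
    """Check a practitioner can put in a playbook test: no id may contain markup."""
    return all("<" not in h["id"] and ">" not in h["id"] for h in hosts)


if __name__ == "__main__":
    buggy = run_module(add_comment=True, hyperlinker=hyperlink_hosts_buggy)
    fixed = run_module(add_comment=True, hyperlinker=hyperlink_hosts_fixed)
    print("buggy id:", buggy["Hosts"][0]["id"])
    print("fixed id:", fixed["Hosts"][0]["id"])
    print("fixed comment:", fixed["comment"])
```

The check in `ids_are_plain` is worth keeping in any playbook that consumes module output: a downstream step that compares the `id` against a Defender device ID, or builds an API call from it, silently stops matching once the value carries an anchor tag, which is exactly the symptom reported in this issue.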

briandelmsft commented 10 months ago

@SimonRefslund To apply the patch, go to your STATv2 function -> Settings -> Configuration and edit the WEBSITE_RUN_FROM_PACKAGE application setting to a value of https://github.com/briandelmsft/STAT-Function/releases/download/v1.5.10/stat.zip and save the change, then restart the function app.

With this build you will still be able to make comments on the incident without it impacting the output.

SimonRefslund commented 10 months ago

Thanks a lot guys, and thank you for a great project!