elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

M365 Defender Broken Assets with change from m365_defender.event -> m365_defender.incident #6192

Closed brentcox820 closed 8 months ago

brentcox820 commented 1 year ago

The Elastic Agent integration assets for M365 Defender are broken, as the field names have changed since Microsoft changed the field from Event to incident.

The previous ticket updated the alerts, but it did not create the new assets, so they are all still using the m365_defender.event.severity instead of m365_defender.event.severity.

All assets and searches are using the m365_defender.event data set and need to be updated.

This is using the most recent 1.8 version of the integration.


elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6 commented 1 year ago

@brentcox820 Are you able to provide some example event inputs for testing? Also, can you clarify this:

The previous ticket updated the alerts but it did not create the new assets so they are all still using the m365_defender.event.severity instead of m365_defender.event.severity

Do you mean "they are all still using the m365_defender.event.severity instead of m365_defender.incident.severity"?

I'm a little concerned about changing the terms in the dashboards since that would break the dashboards for historical data. Is there a reason that we could not rename the m365_defender.incident group to be m365_defender.event instead? This would leave the dashboards unaltered and allow comparison between new and historical date ranges.

P1llus commented 1 year ago

I am a bit unsure if this is not simply a misunderstanding. The m365 Defender Integration has 3 datastreams:

  1. Log (which is the old one).
  2. Incident (which is the replacement for Log, and which uses the Graph API).
  3. Event, which is the raw event streams from Event Hub.

Are you sure there is just not some confusion around this?