Microsoft Defender XDR connector: add 'Microsoft Defender XDR' to Pro…#14380
Open
juanjosalco wants to merge 1 commit into
…ductName filter

Fixes ICM 21000000998563. Post-rebrand alerts arrive with ProductName='Microsoft Defender XDR', which was missing from the SecurityAlert queries in the MicrosoftThreatProtection connector definition. This caused the connector status (lastDataReceivedQuery) to show grey/disconnected and the 'Total data received' chart / sample query to miss alerts. Updated lastDataReceivedQuery, graphQueries baseQuery, and sampleQueries query in MicrosoftThreatProtection.JSON, plus the matching entries in Package/mainTemplate.json.
@microsoft-github-policy-service agree company="Microsoft"
Fixes ICM 21000000998563.
Post-rebrand, Microsoft Defender XDR alerts arrive in SecurityAlert with ProductName = "Microsoft Defender XDR", but the MicrosoftThreatProtection connector definition only filters on the legacy product names (MDATP, O365 ATP, Azure ATP, MCAS, Microsoft 365 Defender). As a result:
- The connector status icon renders grey/disconnected for SecurityAlert because lastDataReceivedQuery returns 0 rows, even though data is flowing.
- The "Total data received" graph (graphQueries.baseQuery) and the "All Microsoft Defender XDR alerts" sample query (sampleQueries.query) miss the rebranded alerts.
- Other data types (DeviceEvents, etc.) are unaffected because their queries don't filter on ProductName.
Change(s):
- Added "Microsoft Defender XDR" to the ProductName in (...) list in 3 places in Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON:
  - graphQueries[].baseQuery (Alerts metric)
  - sampleQueries[].query ("All Microsoft Defender XDR alerts")
  - dataTypes[].lastDataReceivedQuery for SecurityAlert
- Mirrored the same 4 changes in the generated Solutions/Microsoft Defender XDR/Package/mainTemplate.json so the packaged solution stays consistent.
Reason for Change(s):
Resolves connector status displaying grey/disconnected for the Microsoft Defender XDR connector after the product rebrand.
Resolves ICM 21000000998563.
Version Updated:
N/A — this change does not modify any Detections/Analytic Rule templates.
Testing Completed:
Yes — validated the modified JSON files parse correctly. Confirmed via Kusto that `SecurityAlert | where ProductName == "Microsoft Defender XDR"` returns current rows that the existing query misses; the updated lastDataReceivedQuery returns a non-empty Time.
Checked that the validations are passing and have addressed any issues that are present:
Yes
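The failure mode described in this PR (a connector's health and chart queries silently filtering out a renamed product) is easy to regress on, since the same `ProductName in (...)` list is duplicated across several query fields and again in the packaged mainTemplate.json. The following is an added example, not code from the Azure-Sentinel repository or from this PR: a small check that parses a connector definition, finds every query that filters on ProductName, reports the ones missing a required name, and applies the same kind of fix the PR makes. The field names (graphQueries[].baseQuery, sampleQueries[].query, dataTypes[].lastDataReceivedQuery) are the ones the PR cites; the surrounding JSON shape, and the legacy product-name strings, which are taken from the PR's shorthand rather than the literal values in the file, are constructed stand-ins.

```python
"""Consistency check for a Sentinel data-connector definition.

Added example, not code from the Azure-Sentinel repository. Only the field
names graphQueries[].baseQuery, sampleQueries[].query and
dataTypes[].lastDataReceivedQuery come from the PR; the JSON shape around
them and the sample product names are assumed / constructed.
"""
import json
import re
from typing import Dict, List, Optional

REQUIRED_NAME = "Microsoft Defender XDR"

# Matches a KQL  ProductName in ("a", "b", ...)  filter; group 1 is the list body.
_IN_LIST = re.compile(r"ProductName\s+in\s*\((.*?)\)", re.IGNORECASE | re.DOTALL)
# Matches one single- or double-quoted literal inside that list.
_QUOTED = re.compile(r"""(["'])(.*?)\1""")


def product_names(query: str) -> Optional[List[str]]:
    """Product names in the query's `ProductName in (...)` list, or None when
    the query has no such filter (DeviceEvents etc.)."""
    m = _IN_LIST.search(query)
    if not m:
        return None
    return [literal for _quote, literal in _QUOTED.findall(m.group(1))]


def queries_to_check(connector: dict) -> Dict[str, str]:
    """The queries the connector UI actually runs, keyed by a path-like label."""
    found: Dict[str, str] = {}
    for i, g in enumerate(connector.get("graphQueries", [])):
        found[f"graphQueries[{i}].baseQuery"] = g["baseQuery"]
    for i, s in enumerate(connector.get("sampleQueries", [])):
        found[f"sampleQueries[{i}].query"] = s["query"]
    for i, d in enumerate(connector.get("dataTypes", [])):
        found[f"dataTypes[{i}].lastDataReceivedQuery"] = d["lastDataReceivedQuery"]
    return found


def missing_product_name(connector: dict, name: str = REQUIRED_NAME) -> List[str]:
    """Labels of queries that filter on ProductName but omit `name`.
    Queries with no ProductName filter are not flagged."""
    return [
        label
        for label, q in queries_to_check(connector).items()
        if (names := product_names(q)) is not None and name not in names
    ]


def add_product_name(connector: dict, name: str = REQUIRED_NAME) -> dict:
    """Deep copy of `connector` with `name` appended to every ProductName
    list that lacks it; queries without the filter are left untouched."""
    fixed = json.loads(json.dumps(connector))

    def patch(q: str) -> str:
        names = product_names(q)
        if names is None or name in names:
            return q
        return _IN_LIST.sub(lambda m: f'ProductName in ({m.group(1)}, "{name}")', q, count=1)

    for g in fixed.get("graphQueries", []):
        g["baseQuery"] = patch(g["baseQuery"])
    for s in fixed.get("sampleQueries", []):
        s["query"] = patch(s["query"])
    for d in fixed.get("dataTypes", []):
        d["lastDataReceivedQuery"] = patch(d["lastDataReceivedQuery"])
    return fixed


# Constructed stand-in for the pre-fix connector definition. The product
# names are the PR's shorthand, not the literal strings in the real file.
_LEGACY = '"MDATP", "O365 ATP", "Azure ATP", "MCAS", "Microsoft 365 Defender"'
BEFORE = {
    "graphQueries": [{"metricName": "Total data received", "legend": "Alerts",
                      "baseQuery": f"SecurityAlert | where ProductName in ({_LEGACY})"}],
    "sampleQueries": [{"description": "All Microsoft Defender XDR alerts",
                       "query": f"SecurityAlert | where ProductName in ({_LEGACY}) | sort by TimeGenerated"}],
    "dataTypes": [
        {"name": "SecurityAlert",
         "lastDataReceivedQuery": f"SecurityAlert | where ProductName in ({_LEGACY}) "
                                  "| summarize Time = max(TimeGenerated) | where isnotempty(Time)"},
        {"name": "DeviceEvents",
         "lastDataReceivedQuery": "DeviceEvents | summarize Time = max(TimeGenerated) | where isnotempty(Time)"},
    ],
}

if __name__ == "__main__":
    for label in missing_product_name(BEFORE):
        print(f"missing {REQUIRED_NAME!r}: {label}")
    AFTER = add_product_name(BEFORE)
    print("after fix:", missing_product_name(AFTER) or "all ProductName filters include the new name")
```

Running the checker against both the connector definition and the generated Package/mainTemplate.json, and diffing `queries_to_check()` between them, catches the two ways this fix can drift: a rename that reaches one query field but not the others, and a connector file that is updated while the packaged template is not.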