Description of the issue:
- broken Defender 365 overview dashboard, whenever field status is being used
- root cause is SPL query has capitalized 1st character on status field (New, InProgress, Resolved) while the addon only ingest status (new, inProgress, resolved) without capitalized 1st letter
- same issue can be found in many other Dashboards
- As an example, the below won't return any results:
`defender_atp_index` sourcetype="ms365:defender:incident:alerts"
| stats latest(status) AS status latest(severity) AS severity latest(assignedTo) AS assignedTo latest(category) AS category by incidentId
| chart dc(incidentId) over assignedTo by status
| eval Total=New + InProgress + Resolved
| fields assignedTo New InProgress Resolved Total
| addcoltotals
- broken Defender 365 overview dashboard, because of reference to non-existing field entities{}.entityType
`defender_atp_index` sourcetype="ms365:defender:incident:alerts"
| stats latest(status) AS status latest(severity) AS severity latest(assignedTo) AS assignedTo latest(category) AS category latest(entities{}.entityType) AS entityType by incidentId mitre_technique_id
| chart dc(mitre_technique_id) over entityType by category"
Prerequisite:
- Installed latest Splunk Add-on for Microsoft Security
Successful ingestion of below 3 sourcetypes with `Splunk Add-on for Microsoft Security`:
ms:defender:atp:alerts
ms365:defender:incident
ms365:defender:incident:alerts
Installed latest Microsoft 365 app for Splunk
