From 1ed517e09ef5a7b5273cfbc41e4c300d54cc0cdd Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Thu, 25 Jan 2024 13:29:40 +0100
Subject: [PATCH] [m365_defender] Fix log data stream cursor and query (#37116)
* Fix m365_defender cursor value and query building.
* Add PR number
* Remove formatDate function
* Fix changelog
---------
Co-authored-by: Bharat Pasupula <123897612+bhapas@users.noreply.github.com>
(cherry picked from commit aa72a3fa0d039d3a1fda709355db2e48a4f3975f)
---
 CHANGELOG.next.asciidoc | 2 ++
 .../module/microsoft/m365_defender/config/defender.yml | 7 +++----
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 7334d11e743f..bd4f874382b0 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -70,6 +70,8 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix handling of Juniper SRX structured data when there is no leading junos element. {issue}36270[36270] {pull}36308[36308]
 - Fix Filebeat Cisco module with missing escape character {issue}36325[36325] {pull}36326[36326]
 - Added a fix for Crowdstrike pipeline handling process arrays {pull}36496[36496]
+- Fix m365_defender cursor value and query building. {pull}37116[37116]
+- Fix TCP/UDP metric queue length parsing base. {pull}37714[37714]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
index 6716568ba141..3d8747586153 100644
--- a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
+++ b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
@@ -19,9 +19,8 @@ request.transforms:
       value: "MdatpPartner-Elastic-Filebeat/1.0.0"
   - set:
       target: "url.params.$filter"
-      value: 'lastUpdateTime gt [[formatDate .cursor.lastUpdateTime "2006-01-02T15:04:05.9999999Z"]]'
+      value: 'lastUpdateTime gt [[.cursor.lastUpdateTime]]'
       default: 'lastUpdateTime gt [[formatDate (now (parseDuration "-55m")) "2006-01-02T15:04:05.9999999Z"]]'
-
 response.split:
   target: body.value
   ignore_empty_value: true
@@ -31,10 +30,10 @@ response.split:
   split:
     target: body.alerts.entities
     keep_parent: true
-
 cursor:
   lastUpdateTime:
-    value: "[[.last_response.body.lastUpdateTime]]"
+    value: "[[.last_event.lastUpdateTime]]"
+    ignore_empty_value: true
 {{ else if eq .input "file" }}
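Review bot: With `formatDate` dropped, the new `$filter` value interpolates the stored cursor string verbatim into the OData query, so the request now depends on the API having returned `lastUpdateTime` in a form it accepts back in `lastUpdateTime gt …`, while the `default` branch still canonicalizes to the 7-digit-fraction `Z` layout, so the first request and every later one can send differently formatted timestamps. If the httpjson template set's `parseDate` is available here, re-canonicalizing keeps the fix while restoring the normalization: `value: 'lastUpdateTime gt [[formatDate (parseDate .cursor.lastUpdateTime) "2006-01-02T15:04:05.9999999Z"]]'`. Either way, a comment above the transform recording that the cursor holds a string rather than a time value (presumably why `formatDate` on it failed before) would keep the next maintainer from reintroducing the old form. The `request.transforms` list starts above this hunk.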
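Review bot: Advancing the cursor to `.last_event.lastUpdateTime` is only correct if the response is ordered by `lastUpdateTime` ascending; nothing in this hunk orders the results, and if the API returns them in another order the cursor can jump past unseen incidents and silently drop alerts from the log stream. If the request transforms above do not already set it and the incidents endpoint honours it, add a `set` transform with `target: "url.params.$orderby"` and `value: "lastUpdateTime asc"`; otherwise consider tracking the maximum seen value rather than the last event's. Note also that the `$filter` transform uses strict `gt`, so incidents sharing the last event's exact `lastUpdateTime` across a page boundary would be skipped on the next request. A comment on the `cursor` block such as `# Advances to the last event's lastUpdateTime; relies on the response being in ascending lastUpdateTime order.` would make that assumption explicit. The rest of the `response.split` chain and the `request` section sit outside this hunk.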