Microsoft Defender XDR connector: add 'Microsoft Defender XDR' to Pro… #14380
juanjosalco wants to merge 1 commit into
Conversation
@microsoft-github-policy-service agree company="Microsoft"
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Updates the Microsoft Defender XDR data connector queries to include the post-rebrand SecurityAlert.ProductName = "Microsoft Defender XDR" so connector status/metrics and sample alert queries reflect current data.
Changes:
- Extended the SecurityAlert ProductName in (...) filters to include "Microsoft Defender XDR" in the connector definition.
- Mirrored the same query updates into the packaged mainTemplate.json so the shipped package reflects the connector changes.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON | Adds "Microsoft Defender XDR" to SecurityAlert filters for graph metric, sample query, and lastDataReceivedQuery. |
| Solutions/Microsoft Defender XDR/Package/mainTemplate.json | Mirrors the same SecurityAlert filter updates in the generated package template. |
Force-pushed 50cb46b to edabab3
@v-shukore I addressed Copilot's feedback by regenerating the Package/ artifacts via Tools/Create-Azure-Sentinel-Solution/V3/createSolutionV3.ps1 instead of hand-editing mainTemplate.json. However, the script produced a much larger diff than my actual change. Beyond my intended 4-line ProductName update, the regenerated mainTemplate.json includes:
The content is functionally equivalent to what's already in master, it's just reorganized/reformatted by the newer tooling version. Is this expected output and safe to commit as part of this ICM hotfix, or should I scope the PR down to only my targeted edits and leave the broader regeneration for a separate PR? Happy to go either way, just want to confirm before continuing.
Hi @juanjosalco, thanks for your update. I'll review the PR and let you know if anything is required. Thanks!
Hi @juanjosalco, please resolve the arm-ttk failure caused by hardcoded values; please update it. Thanks!
…ductName filter Fixes ICM 21000000998563. Post-rebrand alerts arrive with ProductName='Microsoft Defender XDR', which was missing from the SecurityAlert queries in the MicrosoftThreatProtection connector definition. This caused the connector status (lastDataReceivedQuery) to show grey/disconnected and the 'Total data received' chart / sample query to miss alerts. Updated lastDataReceivedQuery, graphQueries baseQuery, and sampleQueries query in MicrosoftThreatProtection.JSON, plus the matching entries in Package/mainTemplate.json.
Force-pushed edabab3 to b58de3d
@v-shukore I've looked into it and it seems it's not a problem my code introduced. I ran the same validation in the master branch (without my code) and I got the same error.
Force-pushed eb491ef to 9e79146
Hi @juanjosalco, please don't delete the old zip with version |
Force-pushed 96c6715 to b58de3d
Done @v-shukore, thank you for your help.

Fixes ICM 21000000998563.
Post-rebrand, Microsoft Defender XDR alerts arrive in SecurityAlert with ProductName = "Microsoft Defender XDR", but the MicrosoftThreatProtection connector definition only filters on the legacy product names (MDATP, O365 ATP, Azure ATP, MCAS, Microsoft 365 Defender). As a result:
- The connector status icon renders grey/disconnected for SecurityAlert because lastDataReceivedQuery returns 0 rows, even though data is flowing.
- The "Total data received" graph (graphQueries.baseQuery) and the "All Microsoft Defender XDR alerts" sample query (sampleQueries.query) miss the rebranded alerts.
- Other data types (DeviceEvents, etc.) are unaffected because their queries don't filter on ProductName.
Change(s):
Added "Microsoft Defender XDR" to the ProductName in (...) list in 3 places in Solutions/Microsoft Defender XDR/Data Connectors/MicrosoftThreatProtection.JSON:
- graphQueries[].baseQuery (Alerts metric)
- sampleQueries[].query ("All Microsoft Defender XDR alerts")
- dataTypes[].lastDataReceivedQuery for SecurityAlert
Mirrored the same 4 changes in the generated Solutions/Microsoft Defender XDR/Package/mainTemplate.json so the packaged solution stays consistent.
Reason for Change(s):
Resolves connector status displaying grey/disconnected for the Microsoft Defender XDR connector after the product rebrand.
Resolves ICM 21000000998563.
Version Updated:
No
Testing Completed:
Testing is planned to happen in Canary after the PR is merged, as this PR doesn't introduce any dangerous change.
Checked that the validations are passing and have addressed any issues that are present:
Yes
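As an added illustration (not code from this PR or from the Azure-Sentinel repository), the following Python script models the failure the description explains and the regression check a maintainer would want: it builds a minimal stand-in for the connector definition with the three SecurityAlert queries, evaluates the lastDataReceivedQuery filter over a constructed alert table to show why only post-rebrand alerts yield 0 rows (hence the grey icon), and verifies that every ProductName list in the definition contains "Microsoft Defender XDR" and that the packaged copy carries identical lists. The full legacy product-name strings, the exact query shapes and the helper names are assumptions; the page gives the legacy names only as abbreviations.

```python
import re

# Constructed stand-ins for the page's artefacts; not the repository's files.
# The legacy product-name strings below are assumptions (the page names them only
# as MDATP, O365 ATP, Azure ATP, MCAS, Microsoft 365 Defender), as is the exact
# shape of the three queries.
LEGACY_NAMES = [
    "Microsoft Defender Advanced Threat Protection",
    "Office 365 Advanced Threat Protection",
    "Azure Advanced Threat Protection",
    "Microsoft Cloud App Security",
    "Microsoft 365 Defender",
]
REBRANDED_NAME = "Microsoft Defender XDR"


def build_connector(product_names):
    """Minimal connector-definition dict carrying the three SecurityAlert queries the PR touches."""
    quoted = ", ".join(f'"{n}"' for n in product_names)
    base = f"SecurityAlert | where ProductName in ({quoted})"
    return {
        "graphQueries": [{"metricName": "Alerts", "baseQuery": base}],
        "sampleQueries": [{"description": "All Microsoft Defender XDR alerts",
                           "query": base + " | sort by TimeGenerated desc"}],
        "dataTypes": [{"name": "SecurityAlert",
                       "lastDataReceivedQuery": base
                       + " | summarize Time = max(TimeGenerated) | where isnotempty(Time)"}],
    }


PRODUCT_IN_RE = re.compile(r"ProductName\s+in\s*\((.*?)\)", re.DOTALL)


def product_names_in(query):
    """Set of string literals inside a `ProductName in (...)` clause, or None if the query has none."""
    m = PRODUCT_IN_RE.search(query)
    if m is None:
        return None
    return set(re.findall(r'"([^"]*)"', m.group(1)))


def query_sites(connector):
    """(location, query) for every place the definition filters SecurityAlert by ProductName."""
    for i, g in enumerate(connector.get("graphQueries", [])):
        yield f"graphQueries[{i}].baseQuery", g["baseQuery"]
    for i, s in enumerate(connector.get("sampleQueries", [])):
        yield f"sampleQueries[{i}].query", s["query"]
    for i, d in enumerate(connector.get("dataTypes", [])):
        if "lastDataReceivedQuery" in d:
            yield f"dataTypes[{i}].lastDataReceivedQuery", d["lastDataReceivedQuery"]


def sites_missing(connector, required=REBRANDED_NAME):
    """Locations whose ProductName list omits `required`; an empty list means the fix is fully applied."""
    return [loc for loc, q in query_sites(connector)
            if (names := product_names_in(q)) is not None and required not in names]


def package_in_sync(connector, package):
    """True when the packaged copy (mainTemplate.json) carries the same ProductName list at every site."""
    return ({loc: product_names_in(q) for loc, q in query_sites(connector)}
            == {loc: product_names_in(q) for loc, q in query_sites(package)})


def matching_alert_rows(alerts, connector):
    """Number of SecurityAlert rows the lastDataReceivedQuery filter admits over an in-memory table.
    When this is 0, summarize max(TimeGenerated) is null, `where isnotempty(Time)` drops the row,
    and the status check sees 0 rows: the grey/disconnected icon described in the PR."""
    names = product_names_in(connector["dataTypes"][0]["lastDataReceivedQuery"])
    return sum(1 for a in alerts if a["ProductName"] in names)


# Constructed sample table: only post-rebrand alerts are flowing into the workspace.
SAMPLE_ALERTS = [
    {"TimeGenerated": "2024-06-01T10:00:00Z", "ProductName": "Microsoft Defender XDR"},
    {"TimeGenerated": "2024-06-01T10:05:00Z", "ProductName": "Microsoft Defender XDR"},
]

if __name__ == "__main__":
    before = build_connector(LEGACY_NAMES)
    after = build_connector(LEGACY_NAMES + [REBRANDED_NAME])
    print("before fix, sites missing rebranded name:", sites_missing(before))
    print("before fix, rows admitted by status filter:", matching_alert_rows(SAMPLE_ALERTS, before))
    print("after fix, rows admitted by status filter:", matching_alert_rows(SAMPLE_ALERTS, after))
    print("package in sync with connector:", package_in_sync(after, build_connector(LEGACY_NAMES + [REBRANDED_NAME])))
```

In a real repository check, `build_connector` would be replaced by loading MicrosoftThreatProtection.JSON and the connector definition nested inside mainTemplate.json; `sites_missing` and `package_in_sync` then catch both a forgotten query site and the definition/package drift that prompted the regeneration discussion above.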