Resolved Semantic error for M365Defender ASIM _ItemId field V2

Open v-tsawant opened this issue 6 months ago • 3 comments

Required items, please complete

Change(s):

  • Added an extend operation to define ItemId using the columnifexists('_ItemId', "") function, ensuring compatibility with datasets that may or may not include _ItemId. This change was applied in both ASimAuthenticationM365Defender.yaml and vimAuthenticationM365Defender.yaml. [1] [2]

  • Replaced references to _ItemId with ItemId in the EventUid field mapping to align with the new ItemId field. This ensures consistent naming conventions across the parsers. [1] [2]

  • Make the _ItemId field conditional, as this field is present in some client workspaces and the parser works properly on those workspaces.

Reason for Change(s):

  • This pull request updates two ASIM parsers for M365 Defender to enhance compatibility and maintain consistency in handling ItemId. This field failed for a client, as reported, so this field condition was created so that it works compatibly with existing data.

Version Updated:

  • 0.1.3

Testing Completed:

  • Yes

v-tsawant avatar Jun 23 '25 13:06 v-tsawant
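
The guard described in the pull request description above, shown as an added example that is not the parser code from this pull request. The two tables, their rows, and the helper name `MapEventUid` are constructed for illustration; the query applies the same mapping to a schema that has `_ItemId` and to one that lacks it.

```kql
// Added example: constructed sample data, not taken from any workspace.
// Table whose schema includes _ItemId.
let WithItemId = datatable(TimeGenerated:datetime, AccountUpn:string, _ItemId:string)
[
    datetime(2025-06-23 13:00:00), "alice@contoso.example", "sample-item-id-0001"
];
// Table whose schema has no _ItemId column at all.
let WithoutItemId = datatable(TimeGenerated:datetime, AccountUpn:string)
[
    datetime(2025-06-23 13:05:00), "bob@contoso.example"
];
// Hypothetical helper standing in for the parser's EventUid mapping.
// column_ifexists() is the current name of the columnifexists() function
// mentioned in the description. It returns the column when the input
// schema has it and the default value ("") when it does not, so the
// query resolves on both schemas. A direct reference to _ItemId would
// fail to resolve on the second table.
let MapEventUid = (T:(*)) {
    T
    | extend ItemId = column_ifexists('_ItemId', "")
    | extend EventUid = ItemId
    | project TimeGenerated, AccountUpn, EventUid
};
union
    (MapEventUid(WithItemId)    | extend SourceSchema = "has _ItemId"),
    (MapEventUid(WithoutItemId) | extend SourceSchema = "no _ItemId")
| order by TimeGenerated asc
```

Rows from the schema without `_ItemId` come back with an empty `EventUid`, so any detection or join keyed on `EventUid` should treat the empty string as "no identifier" rather than as a shared value.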

@microsoft-github-policy-service agree company="Microsoft"

v-tsawant avatar Jun 23 '25 13:06 v-tsawant

ASIM parsers have been changed. ARM templates were regenerated from the updated KQL function YAML files. To find the new ARM templates, pull your branch.

Validation cleared

v-atulyadav avatar Nov 24 '25 13:11 v-atulyadav