From aa72a3fa0d039d3a1fda709355db2e48a4f3975f Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Thu, 25 Jan 2024 13:29:40 +0100
Subject: [PATCH] [m365_defender] Fix log data stream cursor and query (#37116)

* Fix m365_defender cursor value and query building.

* Add PR number

* Remove formatDate function

* Fix changelog

---------

Co-authored-by: Bharat Pasupula <123897612+bhapas@users.noreply.github.com>
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/microsoft/m365_defender/config/defender.yml | 7 +++----
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 308f607a8ee..8203c6d8f0b 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -74,6 +74,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix handling of Juniper SRX structured data when there is no leading junos element. {issue}36270[36270] {pull}36308[36308]
 - Fix Filebeat Cisco module with missing escape character {issue}36325[36325] {pull}36326[36326]
 - Added a fix for Crowdstrike pipeline handling process arrays {pull}36496[36496]
+- Fix m365_defender cursor value and query building. {pull}37116[37116]
 - Fix TCP/UDP metric queue length parsing base. {pull}37714[37714]
 
 *Heartbeat*
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
index 6716568ba14..3d874758615 100644
--- a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
+++ b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
@@ -19,9 +19,8 @@ request.transforms:
 value: "MdatpPartner-Elastic-Filebeat/1.0.0"
 - set:
 target: "url.params.$filter"
-value: 'lastUpdateTime gt [[formatDate .cursor.lastUpdateTime "2006-01-02T15:04:05.9999999Z"]]'
+value: 'lastUpdateTime gt [[.cursor.lastUpdateTime]]'
 default: 'lastUpdateTime gt [[formatDate (now (parseDuration "-55m")) "2006-01-02T15:04:05.9999999Z"]]'
-
 response.split:
 target: body.value
 ignore_empty_value: true
@@ -31,10 +30,10 @@ response.split:
 split:
 target: body.alerts.entities
 keep_parent: true
-
 cursor:
 lastUpdateTime:
-value: "[[.last_response.body.lastUpdateTime]]"
+value: "[[.last_event.lastUpdateTime]]"
+ignore_empty_value: true
 {{ else if eq .input "file" }}
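Review bot: The new `$filter` value on the added line splices `.cursor.lastUpdateTime` into the OData query verbatim, whereas the removed line passed it through `formatDate`, which normalised the layout and would have failed on a value that was not a time. With the cursor now taken from the last event's own `lastUpdateTime` (second hunk), correctness depends on that field being a string in the timestamp form the API accepts, which nothing in the template checks any more; a malformed or unexpected value would go straight into the request and surface only as an API error. A short comment above the transform would make that dependency explicit, e.g. `# cursor.lastUpdateTime is the raw string from the last event, already in the API's timestamp format, so it is used as-is (formatDate presumably expected a time value rather than a string)`. Separately, because the `gt` comparison now keys on the last event's timestamp rather than the response-level `lastUpdateTime`, any events sharing that exact timestamp but not yet returned would be skipped on the next request; whether that can happen depends on the API's ordering and pagination guarantees, which are worth confirming. The `request.transforms` list begins before this hunk.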