Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Defender for 365 Ingestion: Duplicate values

Copper Contributor

Good morning (afternoon, or evening!) everyone.

 

We're looking at using the Defender for Office365 ingestion for Sentinel to move our detection rules in to Sentinel however, our columns for SenderDisplayName and ReportID are duplicated so we're unable to migrate things like sender display name spoofing detections:

 

sirkillnotalot_0-1638438741685.png

When running the same query in Advanced Hunting this works without issue and shows the display name correctly, so this feels like there's an ingestion mapping process in the background that's incorrect.

 

Is this a known issue/is anyone else experiencing this?

 

We've tried contacting support but ... well suffice to say that clearing our cache has not fixed the issue ...

2 Replies
I have the same issue, I never raised with Microsoft as the connector is still in preview and the EmailEvents have only recently been added, so assume some teething problems. I did ping my contact in MS a message, who said the Engineer teams are aware. So I would say keep an eye out as the problem should be resolved in the near future.
Thanks @MattBurrows, glad to know I'm not going mad!

To be honest I half expected this to be the case given preview/new release. I'd also expect/hope the Sentinel support teams to be more responsive/in the loop with known issues.

Here's hoping this is sorted quickly as it'll be an awesome feature to have working as intended. SenderDisplayName spoofing is still rampant so having automation playbooks for this would be amazing.