Dec 02 2021 01:59 AM - edited Dec 02 2021 02:03 AM
Good morning (afternoon, or evening!) everyone.
We're looking at using the Defender for Office 365 ingestion for Sentinel to move our detection rules into Sentinel; however, our columns for SenderDisplayName and ReportID are duplicated, so we're unable to migrate things like sender display name spoofing detections:
When running the same query in Advanced Hunting this works without issue and shows the display name correctly, so this feels like there's an ingestion mapping process in the background that's incorrect.
Is this a known issue/is anyone else experiencing this?
We've tried contacting support but ... well, suffice to say that clearing our cache has not fixed the issue ...
Dec 02 2021 06:57 AM
Dec 02 2021 08:17 AM