elastic
[Tuning][Unit Test]`Microsoft Defender XDR` vs `Microsoft Defender for Endpoint` Data Source Tag Update and Compatibility Check
Related SDH Ticket:
- https://github.com/elastic/sdh-protections/issues/645
Primary Issue
As part of our initiative to improve prebuilt rules compatibility with 3rd party EDR integrations, 210 detection rules were mistakenly tagged as Data Source: Microsoft Defender for Endpoint. They should be tagged Data Source: Microsoft Defender XDR since they utilize the logs-m365_defender-* index which is the Microsoft Defender XDR Integration. The Microsoft Defender for Endpoint Integration index is logs-microsoft_defender_endpoint-* which we currently don't use for any rules.
- https://github.com/elastic/security-team/issues/8029#issuecomment-3243480997
We should consider adding a unit test to enforce integration names match the tags to catch this in the future. For now, we should double check that all other Data Source tags match the proper Integration names.
- example: Our o365 rules use index
logs-o365and are taggedData Source: Microsoft 365and sometimesData Source: Microsoft 365 Audit Logs. These should instead consistently use the full integration nameData Source: Microsoft Office 365.
Secondary Issue
We should check for rule compatibility between these two Integrations. If there is compatibility we should properly add the Microsoft Defender for Endpoint index and tag.
cc: @approksiu @w0rk3r
Tangent Issue
This will touch a large amount of rules, we should coordinate with other ongoing tagging initiatives to ensure all major tagging updates are pushed within a single release.
- https://github.com/elastic/integrations/pull/15829
- https://github.com/elastic/ia-trade-team/issues/729#issuecomment-3540920667
- https://github.com/elastic/ia-trade-team/issues/692 cc: @Aegrah @terrancedejesus
