[8.12](backport #37116) [m365_defender] Fix log data stream cursor an…

…d query (#37745)

* [m365_defender] Fix log data stream cursor and query  (#37116)

* Fix m365_defender cursor value and query building.

* Add PR number

* Remove formatDate function

* Fix changelog

---------

Co-authored-by: Bharat Pasupula <123897612+bhapas@users.noreply.github.com>
(cherry picked from commit aa72a3f)

* Update CHANGELOG.next.asciidoc

---------

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>

CHANGELOG.next.asciidoc

@@ -71,6 +71,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix Filebeat Cisco module with missing escape character {issue}36325[36325] {pull}36326[36326]
 - Added a fix for Crowdstrike pipeline handling process arrays {pull}36496[36496]
 - Fix TCP/UDP metric queue length parsing base. {pull}37714[37714]
+- Fix m365_defender cursor value and query building. {pull}37116[37116]
 
 *Heartbeat*
 

x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml

@@ -19,9 +19,8 @@ request.transforms:
       value: "MdatpPartner-Elastic-Filebeat/1.0.0"
   - set:
       target: "url.params.$filter"
-      value: 'lastUpdateTime gt [[formatDate .cursor.lastUpdateTime "2006-01-02T15:04:05.9999999Z"]]'
+      value: 'lastUpdateTime gt [[.cursor.lastUpdateTime]]'
       default: 'lastUpdateTime gt [[formatDate (now (parseDuration "-55m")) "2006-01-02T15:04:05.9999999Z"]]'
-
 response.split:
   target: body.value
   ignore_empty_value: true
@@ -31,10 +30,10 @@ response.split:
     split:
       target: body.alerts.entities
       keep_parent: true
-
 cursor:
   lastUpdateTime:
-    value: "[[.last_response.body.lastUpdateTime]]"
+    value: "[[.last_event.lastUpdateTime]]"
+    ignore_empty_value: true
 
 {{ else if eq .input "file" }}