From cf731e6339926e505b48078ac07bd99ee8a5deb0 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Mon, 29 Jan 2024 08:49:43 +0100
Subject: [PATCH] [8.12](backport #37116) [m365_defender] Fix log data stream cursor and query (#37745)

* [m365_defender] Fix log data stream cursor and query (#37116)

* Fix m365_defender cursor value and query building.

* Add PR number

* Remove formatDate function

* Fix changelog

---------

Co-authored-by: Bharat Pasupula <123897612+bhapas@users.noreply.github.com>
(cherry picked from commit aa72a3fa0d039d3a1fda709355db2e48a4f3975f)

* Update CHANGELOG.next.asciidoc

---------

Co-authored-by: Marc Guasch
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/microsoft/m365_defender/config/defender.yml | 7 +++----
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index ceb3de1b608..42044b9cb62 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -71,6 +71,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix Filebeat Cisco module with missing escape character {issue}36325[36325] {pull}36326[36326]
 - Added a fix for Crowdstrike pipeline handling process arrays {pull}36496[36496]
 - Fix TCP/UDP metric queue length parsing base. {pull}37714[37714]
+- Fix m365_defender cursor value and query building. {pull}37116[37116]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
index 6716568ba14..3d874758615 100644
--- a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
+++ b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
@@ -19,9 +19,8 @@ request.transforms:
 value: "MdatpPartner-Elastic-Filebeat/1.0.0"
 - set:
 target: "url.params.$filter"
- value: 'lastUpdateTime gt [[formatDate .cursor.lastUpdateTime "2006-01-02T15:04:05.9999999Z"]]'
+ value: 'lastUpdateTime gt [[.cursor.lastUpdateTime]]'
 default: 'lastUpdateTime gt [[formatDate (now (parseDuration "-55m")) "2006-01-02T15:04:05.9999999Z"]]'
-
 response.split:
 target: body.value
 ignore_empty_value: true
@@ -31,10 +30,10 @@ response.split:
 split:
 target: body.alerts.entities
 keep_parent: true
-
 cursor:
 lastUpdateTime:
- value: "[[.last_response.body.lastUpdateTime]]"
+ value: "[[.last_event.lastUpdateTime]]"
+ ignore_empty_value: true
 
 {{ else if eq .input "file" }}
 
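Review bot: The cursor in the second hunk is now taken from `.last_event.lastUpdateTime`, i.e. the last event published from the response, which only serves as a correct high-water mark for the `lastUpdateTime gt …` filter in the first hunk if the API returns incidents in ascending `lastUpdateTime` order; neither hunk shows an `$orderby` parameter, so unless ordering is enforced elsewhere in the file, an incident updated earlier than the last published one would be skipped by the next request. Because `formatDate` was dropped, the raw string from the response is also interpolated verbatim into the OData `$filter`, with the cursor's new `ignore_empty_value: true` as the only guard against an empty value replacing a valid cursor. I would record both assumptions with a comment above `cursor:`, e.g. `# Raw lastUpdateTime of the last published event, interpolated verbatim into the next $filter; assumes the API returns incidents ordered by lastUpdateTime ascending`. Judging by the closing `{{ else if eq .input "file" }}` line, both hunks sit inside a templated input branch that opens before the first hunk.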