Description of the issue:

Broken Defender 365 overview dashboard whenever the field status is being used. The root cause is that the SPL query has a capitalized 1st character on the status field (New, InProgress, Resolved), while the add-on only ingests status (new, inProgress, resolved) without a capitalized 1st letter. The same issue can be found in many other dashboards. As an example, the below won't return any results:

```
`defender_atp_index` sourcetype="ms365:defender:incident:alerts"
| stats latest(status) AS status latest(severity) AS severity latest(assignedTo) AS assignedTo latest(category) AS category by incidentId
| chart dc(incidentId) over assignedTo by status
| eval Total=New + InProgress + Resolved
| fields assignedTo New InProgress Resolved Total
| addcoltotals
```

Broken Defender 365 overview dashboard, because of a reference to the non-existing field entities{}.entityType:

```
`defender_atp_index` sourcetype="ms365:defender:incident:alerts"
| stats latest(status) AS status latest(severity) AS severity latest(assignedTo) AS assignedTo latest(category) AS category latest(entities{}.entityType) AS entityType by incidentId mitre_technique_id
| chart dc(mitre_technique_id) over entityType by category
```

Prerequisite:

- Installed latest Splunk Add-on for Microsoft Security
- Successful ingestion of below 3 sourcetypes with `Splunk Add-on for Microsoft Security`:
  - ms:defender:atp:alerts
  - ms365:defender:incident
  - ms365:defender:incident:alerts
- Installed latest Microsoft 365 app for Splunk
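One possible workaround for the status-case mismatch described above, as an added example that is not part of the original post or of the app's own dashboards: capitalize the first character of status before charting, so the New, InProgress and Resolved columns the dashboard expects actually exist. The makeresults events, incident IDs and analyst names are constructed sample data standing in for the indexed alerts; fillnull is there for the case where one status never occurs and its column would otherwise be missing, leaving Total null.

```spl
| makeresults count=4 ```constructed sample events, not real alert data```
| streamstats count AS n
| eval incidentId=1000+n,
       status=case(n==1,"new", n==2,"inProgress", n==3,"resolved", n==4,"new"),
       assignedTo=if(n<=2,"analyst-a","analyst-b")
| stats latest(status) AS status latest(assignedTo) AS assignedTo by incidentId
| eval status=upper(substr(status,1,1)).substr(status,2) ```new -> New, inProgress -> InProgress, resolved -> Resolved```
| chart dc(incidentId) over assignedTo by status
| fillnull value=0 New InProgress Resolved ```assumption: a status column can be absent when no incident has that status```
| eval Total=New + InProgress + Resolved
| fields assignedTo New InProgress Resolved Total
| addcoltotals
```

To apply it to the dashboard search, replace everything up to and including the first eval with the original `defender_atp_index` base search and keep the pipeline from the stats command onward.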