Microsoft 365 Defender ASIM: Fixed Field Compatibility Issue in Authentication Parsers

What Changed

Updated two ASIM authentication parsers for Microsoft 365 Defender to conditionally handle the _ItemId field using columnifexists() function, ensuring compatibility across different workspace configurations.

Parser Impact

The _ItemId field is present in some client workspaces but not others, causing parser failures when the field was missing. Queries referencing _ItemId in EventUid mapping previously failed with “column not found” errors in workspaces lacking this field — this is a data fidelity fix that restores parser functionality.

Fixed Logic

Added conditional field mapping: ItemId = columnifexists("_ItemId", “”)
Updated EventUid references to use the new conditional ItemId field
Maintains backward compatibility with workspaces that have _ItemId

Affected Files

Parsers/ASimAuthentication/Parsers/ASimAuthenticationM365Defender.yaml Parsers/ASimAuthentication/Parsers/vimAuthenticationM365Defender.yaml

What Changed#

Parser Impact#

Fixed Logic#

Affected Files#

What Changed

Parser Impact

Fixed Logic

Affected Files