What Changed
Fixed missing AlertOriginalStatus extension field in the vimAlertEventMicrosoftDefenderXDR ASIM parser by adding mapping from AdditionalFields.LastRemediationState.
Parser Impact
Data Fidelity Gap Closed: Queries referencing AlertOriginalStatus against this parser previously returned null for all rows — this was a data fidelity gap where alert status information was unavailable despite being present in the raw Microsoft Defender XDR data. The parser now correctly extracts and normalizes the alert status from AdditionalFields.LastRemediationState.
The fix enables proper alert status filtering and analysis in detections that rely on the ASIM AlertEvent schema. Queries using the AlertStatus field (which derives from AlertOriginalStatus) can now accurately distinguish between Active and Closed alerts from Microsoft Defender XDR data sources.
No change to other normalized field names or core filter logic — safe for existing detections using this parser.
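To make the mapping concrete, the following KQL is an added illustration, not the vimAlertEventMicrosoftDefenderXDR parser's own code. It builds a constructed datatable shaped like Defender XDR alert rows with a dynamic AdditionalFields column, extracts AlertOriginalStatus from AdditionalFields.LastRemediationState as the fix does, and derives AlertStatus from it. The sample LastRemediationState values and the set of states treated as Closed are assumptions for this example, not the parser's actual lookup table; the third row shows the empty result that every row produced before the mapping existed.

```kql
// Added illustration, not the parser itself.
// Constructed sample rows shaped like Defender XDR alert rows carrying a dynamic
// AdditionalFields column. The LastRemediationState values are assumed samples.
let SampleAlerts = datatable(AlertId:string, Title:string, AdditionalFields:dynamic)
[
    "alert-001", "Suspicious PowerShell", dynamic({"LastRemediationState": "None"}),
    "alert-002", "Malware detected",      dynamic({"LastRemediationState": "Remediated"}),
    "alert-003", "Credential theft",      dynamic({})   // field absent: what every row looked like before the fix
];
SampleAlerts
// The mapping the fix adds: the original vendor status comes from AdditionalFields.
| extend AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState)
// Assumed normalization to the ASIM AlertStatus values; which original states
// count as Closed is an assumption for this illustration.
| extend AlertStatus = case(
        isempty(AlertOriginalStatus), "",                              // no status available
        AlertOriginalStatus in ("Remediated", "Resolved"), "Closed",
        "Active")
| project AlertId, Title, AlertOriginalStatus, AlertStatus
```

A detection that depends on this field would append `| where AlertStatus == "Active"`; with the pre-fix behaviour (AlertOriginalStatus always empty, as in the third row) that filter silently drops every Defender XDR alert, which is the data fidelity gap described above.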
Affected Files
Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json
Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventMicrosoftDefenderXDR.md
Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml