
[Tuning][Unit Test] Microsoft Defender XDR vs Microsoft Defender for Endpoint Data Source Tag Update and Compatibility Check #5346

@imays11

Description


Related SDH Ticket:


Primary Issue

As part of our initiative to improve prebuilt rules compatibility with 3rd party EDR integrations, 210 detection rules were mistakenly tagged as Data Source: Microsoft Defender for Endpoint. They should be tagged Data Source: Microsoft Defender XDR since they utilize the logs-m365_defender-* index which is the Microsoft Defender XDR Integration. The Microsoft Defender for Endpoint Integration index is logs-microsoft_defender_endpoint-* which we currently don't use for any rules.

We should consider adding a unit test to enforce that integration names match the tags, to catch this in the future. For now, we should double-check that all other Data Source tags match the proper Integration names.

  • Example: our o365 rules use the index logs-o365 and are tagged Data Source: Microsoft 365 and sometimes Data Source: Microsoft 365 Audit Logs. These should instead consistently use the full integration name, Data Source: Microsoft Office 365.

Secondary Issue

We should check for rule compatibility between these two Integrations. If there is compatibility, we should properly add the Microsoft Defender for Endpoint index and tag.
cc: @approksiu @w0rk3r

Tangent Issue

This will touch a large number of rules, so we should coordinate with other ongoing tagging initiatives to ensure all major tagging updates are pushed within a single release.
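One shape the proposed unit test could take, as an added example here rather than code from the detection-rules repository: map each known index pattern to the canonical integration name (the three mappings below are the ones stated in this issue; the rule dicts are constructed samples standing in for parsed rule TOML, and the rule layout, function names and finding messages are this example's own assumptions), then report Data Source tags that are non-canonical, that name an integration none of the rule's indices belong to, or that are missing for an index the rule does use.

```python
"""Consistency check between a rule's index patterns and its "Data Source:" tags.

Added illustration, not the detection-rules repo's own test code. The
index -> integration mapping is taken from the issue text; the sample rules
are constructed and mirror the cases the issue describes.
"""
from fnmatch import fnmatch

# Assumed canonical mapping (from the issue): index pattern -> integration name.
INDEX_TO_INTEGRATION = {
    "logs-m365_defender-*": "Microsoft Defender XDR",
    "logs-microsoft_defender_endpoint-*": "Microsoft Defender for Endpoint",
    "logs-o365*": "Microsoft Office 365",
}
DATA_SOURCE_PREFIX = "Data Source: "
CANONICAL_NAMES = set(INDEX_TO_INTEGRATION.values())


def expected_integrations(index_patterns):
    """Integrations implied by a rule's index patterns; unknown patterns add nothing."""
    expected = set()
    for pattern in index_patterns:
        for known_pattern, integration in INDEX_TO_INTEGRATION.items():
            # The rule's pattern is matched as text, so a narrower pattern such as
            # "logs-o365.audit-*" still resolves to the "logs-o365*" integration.
            if fnmatch(pattern, known_pattern):
                expected.add(integration)
    return expected


def check_rule(rule):
    """Return a sorted list of findings; an empty list means the tags are consistent."""
    expected = expected_integrations(rule.get("index", []))
    tagged = {
        tag[len(DATA_SOURCE_PREFIX):]
        for tag in rule.get("tags", [])
        if tag.startswith(DATA_SOURCE_PREFIX)
    }
    findings = []
    # Non-canonical names such as "Microsoft 365 Audit Logs".
    for name in tagged - CANONICAL_NAMES:
        findings.append(f"unknown data source name: {name!r}")
    # Canonical names that none of the rule's indices belong to (the 210-rule case).
    for name in (tagged & CANONICAL_NAMES) - expected:
        findings.append(f"tag does not match any rule index: {name!r}")
    # Indices the rule uses whose integration is not tagged at all.
    for name in expected - tagged:
        findings.append(f"missing tag: {DATA_SOURCE_PREFIX + name!r}")
    return sorted(findings)


def check_all(rules):
    """Map rule name -> findings for every rule that has at least one finding."""
    report = {}
    for name, rule in rules.items():
        findings = check_rule(rule)
        if findings:
            report[name] = findings
    return report


# Constructed sample rules; "index" and "tags" mirror the fields of a rule's TOML.
SAMPLE_RULES = {
    "mistagged_mde": {
        "index": ["logs-m365_defender-*"],
        "tags": ["Domain: Endpoint", "Data Source: Microsoft Defender for Endpoint"],
    },
    "inconsistent_o365": {
        "index": ["logs-o365*"],
        "tags": ["Data Source: Microsoft 365 Audit Logs"],
    },
    "correct_xdr": {
        "index": ["logs-m365_defender-*"],
        "tags": ["Data Source: Microsoft Defender XDR"],
    },
    # A rule confirmed compatible with both integrations lists both indices and both tags.
    "dual_integration": {
        "index": ["logs-m365_defender-*", "logs-microsoft_defender_endpoint-*"],
        "tags": [
            "Data Source: Microsoft Defender XDR",
            "Data Source: Microsoft Defender for Endpoint",
        ],
    },
}


if __name__ == "__main__":
    for rule_name, findings in check_all(SAMPLE_RULES).items():
        print(rule_name)
        for finding in findings:
            print("  -", finding)
```

Only the two deliberately inconsistent samples produce findings; the dual-integration rule passes because each tagged integration is backed by one of its index patterns, which is the state the secondary issue would leave compatible rules in.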

Metadata


Labels: Rule: Tuning (tweaking or tuning an existing rule); enhancement (new feature or request); test-suite (unit and other testing components)
