
Microsoft 365 app for Splunk has outdated Defender Dashboards

adelakloul
Engager

Description of the issue:

  • Broken Defender 365 overview dashboard whenever the field status is used
    • Root cause: the SPL query uses a capitalized first character on the status field (New, InProgress, Resolved), while the add-on only ingests status values (new, inProgress, resolved) without a capitalized first letter
    • The same issue can be found in many other dashboards
    • As an example, the below won't return any results:
`defender_atp_index` sourcetype="ms365:defender:incident:alerts"
| stats latest(status) AS status latest(severity) AS severity latest(assignedTo) AS assignedTo latest(category) AS category by incidentId
| chart dc(incidentId) over assignedTo by status
| eval Total=New + InProgress + Resolved
| fields assignedTo New InProgress Resolved Total
| addcoltotals
  • Broken Defender 365 overview dashboard because of a reference to the non-existent field entities{}.entityType
`defender_atp_index` sourcetype="ms365:defender:incident:alerts"
| stats latest(status) AS status latest(severity) AS severity latest(assignedTo) AS assignedTo latest(category) AS category latest(entities{}.entityType) AS entityType by incidentId mitre_technique_id
| chart dc(mitre_technique_id) over entityType by category


Prerequisites:

  1. Installed the latest Splunk Add-on for Microsoft Security
  2. Successful ingestion of the below 3 sourcetypes with the `Splunk Add-on for Microsoft Security`:
    1. ms:defender:atp:alerts
    2. ms365:defender:incident
    3. ms365:defender:incident:alerts
  3. Installed the latest Microsoft 365 app for Splunk
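Added example (not part of the original post or of the Microsoft 365 app's own dashboard code): a version of the first query above that normalizes the status casing with eval before charting, so it works whether the add-on ingests new/inProgress/resolved or the capitalized forms, and uses fillnull so Total is still computed when one of the status columns is absent for the selected time range. The `defender_atp_index` macro and the sourcetype are taken from the post; the lower-case status values are assumed to be exactly as the post describes them.

```spl
`defender_atp_index` sourcetype="ms365:defender:incident:alerts"
| stats latest(status) AS status latest(severity) AS severity latest(assignedTo) AS assignedTo latest(category) AS category by incidentId
| eval status=case(lower(status)=="new", "New",
                   lower(status)=="inprogress", "InProgress",
                   lower(status)=="resolved", "Resolved",
                   true(), status)
| chart dc(incidentId) over assignedTo by status
| fillnull value=0 New InProgress Resolved
| eval Total=New + InProgress + Resolved
| fields assignedTo New InProgress Resolved Total
| addcoltotals
```

Any other dashboard panel that filters on the raw value (for example status=New) needs the same lower() normalization, otherwise it will also return nothing against the ingested lower-case values.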
