Can host.name in Entra ID Entity Analytics be lowercased and domain appended?

Hello,

I've activated the Entra ID Entity Analytics integration. Very nice data sets, but I'm having the same issues I've been having for years in different datasets (most of which have been solved or mitigated). The host.name field of the devices is not a lowercase FQDN. Now the issue is that the Entra ID data doesn't have a domain in the data, so although it might be possible to lowercase, appending the domain might be more difficult, as Entra ID contains all kinds of devices, some of which are not ServerAd. I'm thinking about editing the @custom pipeline logs-entityanalytics_entra_id.device@custom and adding it myself.

But I might not be the only one with a larger environment with multiple domains in need of a unique and correlatable host.name id.

So any chance an option can be added so the host.name can get lowercased and a custom domain appended? That way we can correlate this data with network datasets, vulnerability datasets and more.

Willem

Hello,

So I fixed it like this for now.

PUT _ingest/pipeline/logs-entityanalytics_entra_id.device@custom
{
  "processors": [
    {
      "script": {
        "if": "ctx.host?.name != null && (ctx.entityanalytics_entra_id?.device?.trust_type == 'ServerAd' || ctx.entityanalytics_entra_id?.device?.trust_type == 'AzureAd')",
        "lang": "painless",
        "source": "ctx.host.name = ctx.host.name + '.yourdomain.com'"
      }
    },
    {
      "lowercase": {
        "field": "host.name"
      }
    },
    {
      "set": {
        "field": "host.hostname",
        "value": "{{host.name}}"
      }
    }
  ],
  "on_failure": [
    {
      "append": {
        "field": "tags",
        "value": [
          "failed_custom_entra_id_device"
        ]
      }
    }
  ]
}

Unfortunately I was surprised host.hostname is not in the provided mapping... :(

Guess I'll need to add that too in the @custom mapping.

WillemD
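Added example (not Willem's pipeline and not part of the Elastic integration): a small Python reference implementation of the normalisation the thread is after, plus a builder for an `_ingest/pipeline/_simulate` request so the real pipeline can be checked against the same constructed documents before it is installed as the @custom pipeline. It goes a little beyond the posted pipeline in two ways: it skips the domain append when host.name already contains a dot, and it guards against a missing host.name instead of relying on on_failure. The domain `yourdomain.com`, the trust types ServerAd/AzureAd, the tag name and the sample device documents are all assumptions or constructed values.

```python
import copy
import json

# Constructed sample documents shaped like the Entra ID device events in the
# thread (field names taken from the posted pipeline; values are made up).
SAMPLE_DOCS = [
    {"host": {"name": "SRV-FILE01"},
     "entityanalytics_entra_id": {"device": {"trust_type": "ServerAd"}}},
    {"host": {"name": "LAPTOP-Alice"},
     "entityanalytics_entra_id": {"device": {"trust_type": "AzureAd"}}},
    {"host": {"name": "byod-phone"},               # not domain-joined: no suffix
     "entityanalytics_entra_id": {"device": {"trust_type": "Workplace"}}},
    {"host": {"name": "srv-db02.yourdomain.com"},  # already an FQDN: no double append
     "entityanalytics_entra_id": {"device": {"trust_type": "ServerAd"}}},
    {"entityanalytics_entra_id": {"device": {"trust_type": "ServerAd"}}},  # no host.name
]

FAIL_TAG = "failed_custom_entra_id_device"   # same tag the posted pipeline uses


def normalize_host(doc, domain="yourdomain.com", trust_types=("ServerAd", "AzureAd")):
    """Reference behaviour: lowercase host.name, append the domain for the
    given trust types, mirror the result into host.hostname. Returns a new
    document; a document without a usable host.name is only tagged."""
    out = copy.deepcopy(doc)
    name = (out.get("host") or {}).get("name")
    if not isinstance(name, str) or not name:
        out.setdefault("tags", []).append(FAIL_TAG)
        return out
    device = (out.get("entityanalytics_entra_id") or {}).get("device") or {}
    name = name.lower()
    if device.get("trust_type") in trust_types and "." not in name:
        name = f"{name}.{domain.lower()}"
    out["host"]["name"] = name
    out["host"]["hostname"] = name
    return out


def custom_pipeline(domain="yourdomain.com"):
    """Ingest pipeline definition equivalent to normalize_host(); the domain is
    passed as a script param so it is not hard-coded into the Painless source."""
    trust = "ctx.entityanalytics_entra_id?.device?.trust_type"
    return {
        "processors": [
            {"script": {
                "if": f"ctx.host?.name != null && ({trust} == 'ServerAd' || {trust} == 'AzureAd')",
                "lang": "painless",
                "params": {"domain": domain},
                "source": "if (!ctx.host.name.contains('.')) { ctx.host.name = ctx.host.name + '.' + params.domain }",
            }},
            {"lowercase": {"field": "host.name", "ignore_missing": True}},
            {"set": {"field": "host.hostname", "value": "{{host.name}}", "if": "ctx.host?.name != null"}},
        ],
        "on_failure": [{"append": {"field": "tags", "value": [FAIL_TAG]}}],
    }


def build_simulate_request(docs, domain="yourdomain.com"):
    """Body for POST _ingest/pipeline/_simulate: pipeline plus the documents to
    run through it, so the cluster's output can be diffed against normalize_host()."""
    return {"pipeline": custom_pipeline(domain),
            "docs": [{"_source": d} for d in docs]}


if __name__ == "__main__":
    for d in SAMPLE_DOCS:
        print(json.dumps(normalize_host(d)["host"] if "host" in normalize_host(d) else normalize_host(d)))
    print(json.dumps(build_simulate_request(SAMPLE_DOCS), indent=2))
```

Run it once locally to see the expected host.name values, then send the printed body to `_ingest/pipeline/_simulate` on a test cluster; the `_source` in each simulate result should match what normalize_host() returns for the same input. If the two disagree, the pipeline (not the reference) is the one to adjust before it is stored under logs-entityanalytics_entra_id.device@custom.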