Hello,
I'm currently using Elastic SIEM and trying to troubleshoot an issue regarding some detection rules. For several rules — for example, "Unusual File Transfer Utility Launched" (which monitors tools like rsync, scp, etc.) — the field host.name (or hostname) is missing in the alert document, even though it appears correctly for other rules.
This is a problem for me because I have multiple VMs with Elastic agents deployed, and without host.name, I can't easily determine which system triggered the alert. In such cases, the rule becomes difficult to act upon.
Am I missing a configuration or mapping step?
Any insight would be greatly appreciated — thanks in advance!
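A first scoping step for the problem described above, as an added example that is not part of the original post: build the Elasticsearch query that counts alerts lacking `host.name` per detection rule, and run the same check locally over alert documents already fetched from the alerts index. It assumes the default `.alerts-security.alerts-*` index pattern and the standard `kibana.alert.rule.name` and `host.name` alert fields; the sample alert documents are constructed.

```python
"""Scope which detection rules produce alerts without host.name.

Added example, not code from the original post. Assumes Elastic Security
alert documents carrying kibana.alert.rule.name and host.name; the sample
documents below are constructed.
"""
from collections import defaultdict
from typing import Optional

ALERTS_INDEX = ".alerts-security.alerts-*"  # assumed default alerts index pattern


def missing_host_query(rule_name: Optional[str] = None) -> dict:
    """Query DSL: alerts with no host.name, bucketed by rule name.

    Optionally restricted to a single rule (exact match on the keyword field)."""
    filters = [{"bool": {"must_not": {"exists": {"field": "host.name"}}}}]
    if rule_name:
        filters.append({"term": {"kibana.alert.rule.name": rule_name}})
    return {
        "size": 0,
        "query": {"bool": {"filter": filters}},
        "aggs": {"by_rule": {"terms": {"field": "kibana.alert.rule.name", "size": 50}}},
    }


def get_field(doc: dict, path: str):
    """Read a dotted field from a flat ("host.name": ...) or nested document;
    alert documents fetched from the index may come in either shape."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def audit_alerts(alerts: list) -> dict:
    """Per rule, count alerts that carry host.name versus those that do not."""
    stats = defaultdict(lambda: {"with_host": 0, "missing_host": 0})
    for doc in alerts:
        rule = get_field(doc, "kibana.alert.rule.name") or "<no rule name>"
        key = "with_host" if get_field(doc, "host.name") else "missing_host"
        stats[rule][key] += 1
    return dict(stats)


SAMPLE_ALERTS = [  # constructed sample alert documents, not real alerts
    {"kibana.alert.rule.name": "Unusual File Transfer Utility Launched",
     "process.name": "rsync", "host.name": "vm-01"},
    {"kibana.alert.rule.name": "Unusual File Transfer Utility Launched",
     "process.name": "scp"},
    {"kibana": {"alert": {"rule": {"name": "Other Rule"}}}, "host": {"name": "vm-02"}},
]

if __name__ == "__main__":
    for rule, counts in audit_alerts(SAMPLE_ALERTS).items():
        print(f"{rule}: {counts}")
```

Send `missing_host_query()` to `GET <ALERTS_INDEX>/_search` to see the same per-rule breakdown across all hosts; rules that bucket only under `missing_host` are the ones to inspect in the rule's source index mapping.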