The Ingest Pipeline for 365 Defender doesn't populate hostname

We're using the "Microsoft" module in Filebeat to collect data from Microsoft Defender -- both the "defender_atp" and the "m365_defender". We're also using the Ingest Pipelines provided via Filebeat to parse and process the events.

We have noticed that the (parsed) events from Defender ATP include the fields host.name and host.hostname, but these fields seem to be missing from the 365 Defender events.

Looking at the Ingest Pipeline for 365 Defender it seems to be doing this:

  1. removing any 'host' field from the raw event
  2. not populating any host.name or host.hostname field
  3. appending 'host.hostname' (which will never exist?) to the field 'related.hosts'

Compared to the Ingest Pipeline for Defender ATP, which seems to be doing this:

  1. removing any 'host' field from the raw event
  2. renaming the field 'json.computerDnsName' to 'host.hostname'
  3. copying 'host.hostname' to 'host.name'
  4. appending 'host.hostname' to 'related.hosts'

Is that a bug in 365 Defender, that it is not populating any host.name or host.hostname field? It looks like the field 'json.alerts.devices.deviceDnsName' could be used to provide the hostname, at least in most of the events that we see.

Or is there some other reason why the 365 Defender events do not include a hostname field?
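For comparison, here is an ingest pipeline fragment that mirrors the four Defender ATP steps described above but takes the hostname from `json.alerts.devices.deviceDnsName`. This is an added example, not the Filebeat module's own pipeline; it assumes `deviceDnsName` is a single string at that path (if `devices` is an array, a `foreach` or `script` processor would be needed instead of `rename`), and the `if` conditions stop `set` and `append` from running when no hostname was found, which is what otherwise produces an empty entry in `related.hosts`.

```json
{
  "description": "Added example: populate host.hostname and host.name for m365_defender events from json.alerts.devices.deviceDnsName (assumed to be a single string)",
  "processors": [
    {
      "remove": {
        "field": "host",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "json.alerts.devices.deviceDnsName",
        "target_field": "host.hostname",
        "ignore_missing": true
      }
    },
    {
      "set": {
        "field": "host.name",
        "copy_from": "host.hostname",
        "if": "ctx.host?.hostname != null"
      }
    },
    {
      "append": {
        "field": "related.hosts",
        "value": "{{host.hostname}}",
        "allow_duplicates": false,
        "if": "ctx.host?.hostname != null"
      }
    }
  ]
}
```

Load it with `PUT _ingest/pipeline/<name>` and exercise it with `POST _ingest/pipeline/<name>/_simulate` on one raw event with `deviceDnsName` and one without, checking that the second produces no `related.hosts` entry.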
