
The Ingest Pipeline for Microsoft 365 Defender should populate hostname #29859

Closed
hinchliff opened this issue Jan 14, 2022 · 3 comments · Fixed by #29863

Comments

@hinchliff
Contributor

Describe the enhancement:
The events from Defender ATP include the fields host.name and host.hostname, but these fields seem to be missing from the 365 Defender events.

Describe a specific use case for the enhancement or feature:
In order to use Elastic Security, host.name is a required field (Elastic Security ECS field reference)

Additional Details

Is this a "bug", that host.name is missing? Or an enhancement request to add host.name ?

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jan 14, 2022
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jan 14, 2022
@jamiehynds jamiehynds added enhancement needs_team Indicates that the issue/PR needs a Team:* label labels Jan 14, 2022
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jan 14, 2022
@botelastic

botelastic bot commented Jan 14, 2022

This issue doesn't have a Team:<team> label.

@hinchliff
Contributor Author

I hadn't realized at first, looking at the data in Elasticsearch, that the devices field from 365 Defender is actually an array, e.g. from the expected test output

        "microsoft.m365_defender.alerts.devices": [
            {
                "deviceDnsName": "TestServer4",
                "firstSeen": "2020-06-30T08:55:08.8320449Z",
                "healthStatus": "Inactive",
                "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d",
                "osBuild": 17763,
                "osPlatform": "Other",
                "osProcessor": "x64",
                "rbacGroupId": 0,
                "riskScore": "High",
                "version": "Other"
            }
        ],

I think it still makes sense to use (all) of the deviceDnsName field(s) to populate host.name and host.hostname ... but that may be more complicated to do?

I added a section to the ingest pipeline, based on the Defender ATP pipeline. But the test output has apparently not changed from the unmodified pipeline? (I have not yet adjusted the tests, and none of the tests are failing.)

  ######################
  ## ECS Host Mapping ##
  ######################
- rename:
    field: json.alerts.devices.deviceDnsName
    target_field: host.hostname
    ignore_missing: true
- set:
    field: host.name
    value: '{{host.hostname}}'
    if: ctx?.host?.hostname != null

maybe it would need to look something like this?

  ######################
  ## ECS Host Mapping ##
  ######################
- foreach:
    field: json.alerts.devices
    ignore_missing: true
    # foreach takes a single processor definition (an object), not a list
    processor:
      rename:
        field: _ingest._value.deviceDnsName
        target_field: host.hostname
        ignore_missing: true

- set:
    field: host.name
    value: '{{host.hostname}}'
    if: ctx?.host?.hostname != null

or maybe the rename will need to be an append, since it's inside the foreach loop?

I'm working on testing this now.
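The foreach/append variant the comment above asks about, as an added example that is not the integration's pipeline or the code in the linked PR. It assumes the draft's field path `json.alerts.devices` and an Elasticsearch version where the `append` processor supports `allow_duplicates` and the `set` processor supports `copy_from` (7.12 or later). `append` accumulates one value per iteration, whereas `rename` would fail on the second device because `host.hostname` already exists by then; the `if` on the `append` relies on the foreach element being visible to conditions as `ctx._ingest._value`.

```yaml
  ######################
  ## ECS Host Mapping ##
  ######################
# Walk the devices array and collect every deviceDnsName into
# host.hostname. Triple braces keep mustache from HTML-escaping the
# value; allow_duplicates: false keeps the resulting list unique.
- foreach:
    field: json.alerts.devices
    ignore_missing: true
    processor:
      append:
        field: host.hostname
        value: '{{{_ingest._value.deviceDnsName}}}'
        allow_duplicates: false
        # skip devices that carry no DNS name, which would otherwise
        # append an empty string (assumes ctx._ingest._value is visible here)
        if: ctx._ingest._value.deviceDnsName != null

# host.name is the field Elastic Security requires. copy_from copies the
# whole array; rendering it through '{{host.hostname}}' would instead
# produce the string form of the list.
- set:
    field: host.name
    copy_from: host.hostname
    if: ctx?.host?.hostname != null
```

To check the result, run the pipeline through `POST _ingest/pipeline/_simulate` with the expected test document above as `_source`; for that document `host.hostname` and `host.name` should both come out as the single-element array `["TestServer4"]`, and an alert with several devices should yield one entry per distinct `deviceDnsName`.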
