Closed StefanSa closed 1 year ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
@StefanSa I'm not convinced that this is completely correct. The Sophos syslog format is approximately RFC5425 and that document describes the hostname field as potentially holding a variety of values. While the RFC says that the field can contain an FQDN of the host, in the test cases that we have, all the values of this field are hostnames according to the ECS definition of host.hostname rather than an FQDN as recommended by the ECS. Do you have examples where the value held by the field is an FQDN?
Though it is not a bug, I think it's reasonable to duplicate the value of host.hostname into host.name if it helps with real-world visibility.
@efd6 Dan,
Greetings to Down Under.
I can live with your objections regarding FQDN.
The decisive factor is that Elastic Integrations of the security and network category are also visible and can be handled (filtered etc.) in the Security app without any problems.
As you have already suggested, this can be achieved by duplicating the host.hostname field to host.name.
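The duplication agreed on above, written out as an Elasticsearch ingest pipeline definition. This is an added example, not code from the issue or from the Elastic integration; the pipeline name `logs-sophos.utm@custom` it is meant to be stored under (via `PUT _ingest/pipeline/logs-sophos.utm@custom`) is an assumption about the integration's custom-pipeline hook, and it copies rather than renames so host.hostname remains populated for anything already relying on it.

```json
{
  "description": "Assumed custom pipeline: copy host.hostname into host.name so Sophos UTM hosts appear in the Security app",
  "processors": [
    {
      "set": {
        "description": "Duplicate rather than rename: host.hostname stays populated for existing dashboards",
        "if": "ctx.host?.hostname != null && ctx.host?.name == null",
        "field": "host.name",
        "copy_from": "host.hostname",
        "ignore_empty_value": true
      }
    }
  ]
}
```

The `if` condition leaves host.name untouched on documents where the integration already sets it, so the processor only fills the gap rather than overwriting values from a future fix.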
Hi there @chemamartinez @jamiehynds
In the latest version v3.7, an incorrect hostname field, host.hostname, is given; correct would be host.name. Due to this bug, the host is not displayed in the Security app. I have previously created a user pipeline that renames this field, so the UTM host is displayed again in the Security app. Please fix the bug, thank you. Stefan