[7.16](backport #28272) Resolved timestamp for defender atp (#28293)

* Resolved timestamp for defender atp (#28272) * Resolved timestamp for defender atp * Update Changelog for 28272 (cherry picked from commit 0786f89) Co-authored-by: Sai Kiran <85323324+r00tu53r@users.noreply.github.com>
elastic · Dec 13, 2021 · 1aaa42f · 1aaa42f
1 parent 3ab4514
commit 1aaa42f
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 5 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -141,6 +141,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix parsing of apache log levels including numbers. {pull}28717[28717]
 - Upgrade azure-eventhub sdk reference, contains potential checkpoint fixes. {pull}28919[28919]
 - Revert usageDetails api version to 2019-01-01. {pull}28995[28995]
+- Resolve issue with @timestamp for defender_atp. {pull}28272[28272]
 - Fix in `aws-s3` input regarding provider discovery through endpoint {pull}28963[28963]
 - Fix `threatintel.misp` filters configuration. {issue}27970[27970]
 - Fix opening files on Windows in filestream so open files can be deleted. {issue}29113[29113] {pull}29180[29180]

diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
@@ -270,7 +270,6 @@ def clean_keys(obj):
         "symantec.endpointprotection",
         "system.auth",
         "system.syslog",
-        "microsoft.defender_atp",
         "crowdstrike.falcon_endpoint",
         "crowdstrike.falcon_audit",
         "gsuite.admin",

diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
@@ -45,10 +45,11 @@ processors:
 - set:
     field: cloud.provider
     value: azure
-- set:
-    field: '@timestamp'
-    value: '{{json.alertUpdateTime}}'
-    if: ctx.json?.alertUpdateTime != null
+- date:
+    field: json.lastUpdateTime
+    formats:
+      - ISO8601
+    if: ctx.json?.lastUpdateTime != null
 - rename:
     field: json.aadTenantId
     target_field: cloud.account.id

diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
@@ -1,5 +1,6 @@
 [
     {
+        "@timestamp": "2020-07-03T15:15:39.130Z",
         "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3",
         "cloud.instance.id": "c5a964f417c11f6277d5bf9489f0d",
         "cloud.provider": "azure",
@@ -53,6 +54,7 @@
         "threat.technique.name": "Malware"
     },
     {
+        "@timestamp": "2020-06-30T15:29:44.773Z",
         "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3",
         "cloud.instance.id": "543bc5a964f417c11f6277d5bf9489f0d",
         "cloud.provider": "azure",
@@ -123,6 +125,7 @@
         "user.name": "administrator1"
     },
     {
+        "@timestamp": "2020-06-30T15:29:44.773Z",
         "cloud.account.id": "43521344-d66c-4c7e-9e30-40034eb7c6f3",
         "cloud.instance.id": "53425a964f417c11f6277d5bf9489f0d",
         "cloud.provider": "azure",
@@ -184,6 +187,7 @@
         "user.name": "administrator1"
     },
     {
+        "@timestamp": "2020-06-30T11:13:12.900Z",
         "cloud.account.id": "1234543-d66c-4c7e-9e30-40034eb7c6f3",
         "cloud.instance.id": "t4563234bc5a964f417c11f6277d5bf9489f0d",
         "cloud.provider": "azure",