Hi
It seems that for all the log sources I am collecting, IDR does not show which device the logs are coming from, like a hostname or IP address. It does show the “Log Source Type”, but that is not helpful.
I’m pretty sure this information is included with most of my log sources but I think IDR strips this info out at some point in the event pipeline…
Whilst what you are describing is a feature of some other security tools, it is not a feature of IDR. That is to say, when you have a collector listening on a network port and ingesting logs from more than one source, IDR doesn’t prepend or add the source device information to each log; rather, it simply takes the raw payload it receives and sends it to log search.
You can validate this by hitting the view raw log button on any given event source and noting that there is no mention of the source device, unless that information is contained within the payload itself or can be added as a header.
Adding this functionality would be considered a request for enhancement.
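To make the distinction in the answer concrete, here is an added example (not code from this thread, from Rapid7, or from IDR): a pass-through collector that forwards raw payloads unchanged, next to a hypothetical collector that records the socket peer address alongside each payload. When only the raw payload is kept, the sending device can be recovered only if the payload itself names it, as the HOSTNAME field of an RFC 5424 or RFC 3164 syslog header does. The sample messages and peer addresses are constructed for this example.

```python
"""Which raw log payloads identify their sender, and which do not.

Constructed example, not from the thread or from Rapid7. A collector that
forwards raw payloads unchanged can attribute an event to a device only if
the payload itself carries a hostname; the socket peer address is lost.
"""
import re
from typing import List, Optional, Tuple

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
RFC5424_HEADER = re.compile(
    r"^<\d{1,3}>\d{1,2} (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ "
)
# RFC 3164 (BSD syslog) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
)


def sender_from_payload(raw: str) -> Optional[str]:
    """Return the hostname carried inside the payload, or None if absent.

    RFC 5424 uses '-' as the NILVALUE for HOSTNAME; that is treated as absent.
    Anything that is not syslog (e.g. a bare JSON event) yields None.
    """
    m = RFC5424_HEADER.match(raw)
    if m:
        return None if m.group("host") == "-" else m.group("host")
    m = RFC3164_HEADER.match(raw)
    if m:
        return m.group("host")
    return None


Datagram = Tuple[str, str]  # (peer IP seen on the listening socket, raw payload)


def forward_raw(datagrams: List[Datagram]) -> List[str]:
    """Pass-through collector: the peer address is dropped, only the payload moves on."""
    return [payload for _peer, payload in datagrams]


def forward_with_peer(datagrams: List[Datagram]) -> List[dict]:
    """Hypothetical enriching collector: keeps the socket peer next to the payload.

    This is the behaviour the answer above says IDR does not implement; it is
    shown only to contrast with forward_raw().
    """
    return [{"source_ip": peer, "payload": payload} for peer, payload in datagrams]


def attribute(payloads: List[str]) -> List[Optional[str]]:
    """Best-effort device attribution from payload contents alone."""
    return [sender_from_payload(p) for p in payloads]


# Constructed sample traffic from four devices arriving on one listener port.
SAMPLE: List[Datagram] = [
    ("10.0.0.1", "<34>1 2023-10-11T22:14:15.003Z fw01.example.net sshd 1234 - - "
                 "Failed password for root from 203.0.113.7 port 54321"),
    ("10.0.0.2", "<13>Oct 11 22:14:15 switch02 kernel: eth0 link up"),
    ("10.0.0.3", "<13>1 2023-10-11T22:14:15Z - app - - - no hostname configured"),
    ("10.0.0.4", '{"event":"logon","user":"alice","result":"success"}'),
]

if __name__ == "__main__":
    # Side by side: what survives a raw pass-through versus peer-tagged delivery.
    for host, rec in zip(attribute(forward_raw(SAMPLE)), forward_with_peer(SAMPLE)):
        print(f"peer={rec['source_ip']:<9} payload-host={host!s:<18} {rec['payload'][:40]}")
```

Running it shows that the third and fourth events are unattributable once the raw payload is all that reaches log search, which is why the sending device's own syslog configuration (a populated HOSTNAME field) is what determines whether a device name appears.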