Hello!
We just started feeding our DNSFilter logs into the SIEM. I noticed that when viewing the logs, the "Agent" column is blank. I assume this is because the events are not coming from the agent. The DNS filter data does include a "DNS filter.Client" field, which contains the name of the endpoint.
It would be nice if the SIEM could use this information to populate the "Agent" column with the machine name if there is a corresponding machine with that name for that client.