[M365 Defender] Improve response action support in event dataset. (#13769)

This PR copies the value, when present, from m365_defender.event.device.id
to cloud.instance.id. The value will not be copied if the device ID is null
or cloud.instance.id is already set.

Setting this field addresses one of the solutions in elastic/kibana#218756

The M365 Defender response action is available on alerts with the
following fields:

  microsoft_defender_endpoint: [
    'm365_defender.alerts.entities.deviceId',
    'm365_defender.alerts.devices.mdatpDeviceId',
    'm365_defender.incident.alert.evidence.mde_device_id',
    'cloud.instance.id',
  ],

Currently, any alert generated from the m365_defender.event dataset will not
have a response action available. Once cloud.instance.id is set, it is
possible to isolate/release a host via the connector.

The alternative/supplemental solution, adding m365_defender.event.device.id
to the constant, microsoft_defender_endpoint would require an update to
Kibana, making the approach here a more immediate fix.

Author: jvalente-salemstate

packages/m365_defender/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.4.0"
+  changes:
+    - description: Set `cloud.instance.id` in event dataset.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13769
 - version: "3.3.1"
   changes:
     - description: Fix default request trace enabled behavior.

packages/m365_defender/data_stream/event/_dev/test/pipeline/test-alert.log-expected.json

@@ -2,6 +2,11 @@
     "expected": [
         {
             "@timestamp": "2022-11-08T08:41:56.595Z",
+            "cloud": {
+                "instance": {
+                    "id": "08f8d2adebd88b1b7e509fcca55a665831912345"
+                }
+            },
             "ecs": {
                 "version": "8.11.0"
             },
@@ -267,6 +272,11 @@
         },
         {
             "@timestamp": "2024-09-10T03:59:59.294Z",
+            "cloud": {
+                "instance": {
+                    "id": "debfb10830a9dacd8800e9e3bb7169248a361653"
+                }
+            },
             "ecs": {
                 "version": "8.11.0"
             },
@@ -518,6 +528,11 @@
         },
         {
             "@timestamp": "2024-09-10T14:20:33.665Z",
+            "cloud": {
+                "instance": {
+                    "id": "ddddd"
+                }
+            },
             "ecs": {
                 "version": "8.11.0"
             },