diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 2997981db48e..3f7ee29e63ab 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -306,6 +306,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Update indentation for azure filebeat configuration. {pull}26604[26604]
 - Update Sophos xg module pipeline to deal with missing `date` and `time` fields. {pull}27834[27834]
 - sophos/xg fileset: Add missing pipeline for System Health logs. {pull}27827[27827] {issue}27826[27826]
+- Resolve issue with @timestamp for defender_atp. {pull}28272[28272]
 - Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
 
 *Heartbeat*
diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
index 3702de33c94b..b552560f83cd 100644
--- a/filebeat/tests/system/test_modules.py
+++ b/filebeat/tests/system/test_modules.py
@@ -274,7 +274,6 @@ def clean_keys(obj):
         "symantec.endpointprotection",
         "system.auth",
         "system.syslog",
-        "microsoft.defender_atp",
         "crowdstrike.falcon_endpoint",
         "crowdstrike.falcon_audit",
         "zoom.webhook",
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
index aa8e3f976928..7a1d11e8af16 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
@@ -45,10 +45,11 @@ processors:
 - set:
     field: cloud.provider
     value: azure
-- set:
-    field: '@timestamp'
-    value: '{{json.alertUpdateTime}}'
-    if: ctx.json?.alertUpdateTime != null
+- date:
+    field: json.lastUpdateTime
+    formats:
+      - ISO8601
+    if: ctx.json?.lastUpdateTime != null
 - rename:
     field: json.aadTenantId
     target_field: cloud.account.id
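Review bot: The new `date` processor in pipeline.yml carries no `on_failure` handler, so a `json.lastUpdateTime` that is present but not parseable as ISO8601 rejects the whole alert document instead of merely leaving `@timestamp` unset, unless a pipeline-level `on_failure` outside this hunk catches it; the `set` processor it replaces could not fail on a bad value, so this is a new way to lose events from a vendor-supplied field. A local handler such as `on_failure: [{append: {field: error.message, value: '{{{ _ingest.on_failure_message }}}'}}]` keeps the event indexed and records the parse error where it can be alerted on. The `if: ctx.json?.lastUpdateTime != null` guard also only excludes a missing value; an empty string likely passes it and then fails the parser, so `ctx.json?.lastUpdateTime != null && ctx.json.lastUpdateTime != ''` would be the tighter condition. The `processors:` list this hunk edits starts and ends outside the hunk.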
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
index 81593221228f..df3441fb8b96 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
+++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
@@ -1,5 +1,6 @@
 [
     {
+        "@timestamp": "2020-07-03T15:15:39.130Z",
         "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3",
         "cloud.instance.id": "c5a964f417c11f6277d5bf9489f0d",
         "cloud.provider": "azure",
@@ -53,6 +54,7 @@
         "threat.technique.name": "Malware"
     },
     {
+        "@timestamp": "2020-06-30T15:29:44.773Z",
         "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3",
         "cloud.instance.id": "543bc5a964f417c11f6277d5bf9489f0d",
         "cloud.provider": "azure",
@@ -123,6 +125,7 @@
         "user.name": "administrator1"
     },
     {
+        "@timestamp": "2020-06-30T15:29:44.773Z",
         "cloud.account.id": "43521344-d66c-4c7e-9e30-40034eb7c6f3",
         "cloud.instance.id": "53425a964f417c11f6277d5bf9489f0d",
         "cloud.provider": "azure",
@@ -184,6 +187,7 @@
         "user.name": "administrator1"
     },
     {
+        "@timestamp": "2020-06-30T11:13:12.900Z",
         "cloud.account.id": "1234543-d66c-4c7e-9e30-40034eb7c6f3",
         "cloud.instance.id": "t4563234bc5a964f417c11f6277d5bf9489f0d",
         "cloud.provider": "azure",