Strange. I remember I actually saw an IP which returned '.' as a hostname if asked for reverse DNS some time ago...
Could you try to click the plus button as line with the mystery host, and click one of devices which reported that traffic - this will lead you to endpoint details page, where you should get listing of IP addressed seen for that host (with option to manually edit the hostname for it), plus bunch of charts showing related traffic, to help you figure it out.
Thank you, choly
I checked our top Endpoints page again, looking for ingress hosts and found that the "." host was still present. Opening up the plus button led to several devices, and it was apparent which interface the majority of the traffic was coming through (compared against the Ingress Bytes or Ingress Packets field). After that, checking the interface brought up the ip address.
It seems this can also show multiple hosts, so we'll have to play around with this until we can clearly identify which host is the source of the traffic.