add related.hosts (#913)

Author: ebeahan

CHANGELOG.next.md

@@ -27,6 +27,7 @@ Thanks, you're awesome :-) -->
 * Added missing field reuse of `pe` at `process.parent.pe` #868
 * Added `span.id` to the tracing fieldset, for additional log correlation (#882)
 * Added `event.reason` for the reason why an event's outcome or action was taken. #907
+* Added `related.hosts` to capture all hostnames and host identifiers on an event. #913
 
 #### Improvements
 

code/go/ecs/related.go

@@ -4610,6 +4610,22 @@ Note: this field should contain an array of values.
 
 
 
+| extended
+
+// ===============================================================
+
+| related.hosts
+| All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+
+
 | extended
 
 // ===============================================================

docs/field-details.asciidoc

@@ -3819,6 +3819,13 @@
         using it to search for hashes can help in situations where you're unsure what
         the hash algorithm is (and therefore which key name to search).
       default_field: false
+    - name: hosts
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: All hostnames or other host identifiers seen on your event. Example
+        identifiers include FQDNs, domain names, workstation names, or aliases.
+      default_field: false
     - name: ip
       level: extended
       type: ip

generated/beats/fields.ecs.yml

@@ -442,6 +442,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 1.6.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
 1.6.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.6.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
 1.6.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
 1.6.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
 1.6.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author

generated/csv/fields.csv

@@ -5717,6 +5717,18 @@ related.hash:
   - array
   short: All the hashes seen on your event.
   type: keyword
+related.hosts:
+  dashed_name: related-hosts
+  description: All hostnames or other host identifiers seen on your event. Example
+    identifiers include FQDNs, domain names, workstation names, or aliases.
+  flat_name: related.hosts
+  ignore_above: 1024
+  level: extended
+  name: hosts
+  normalize:
+  - array
+  short: All the host identifiers seen on your event.
+  type: keyword
 related.ip:
   dashed_name: related-ip
   description: All of the IPs seen on your event.

generated/ecs/ecs_flat.yml

@@ -6807,6 +6807,18 @@ related:
       - array
       short: All the hashes seen on your event.
       type: keyword
+    related.hosts:
+      dashed_name: related-hosts
+      description: All hostnames or other host identifiers seen on your event. Example
+        identifiers include FQDNs, domain names, workstation names, or aliases.
+      flat_name: related.hosts
+      ignore_above: 1024
+      level: extended
+      name: hosts
+      normalize:
+      - array
+      short: All the host identifiers seen on your event.
+      type: keyword
     related.ip:
       dashed_name: related-ip
       description: All of the IPs seen on your event.

generated/ecs/ecs_nested.yml

@@ -2093,6 +2093,10 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "hosts": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "ip": {
               "type": "ip"
             },

generated/elasticsearch/6/template.json

@@ -2092,6 +2092,10 @@
             "ignore_above": 1024,
             "type": "keyword"
           },
+          "hosts": {
+            "ignore_above": 1024,
+            "type": "keyword"
+          },
           "ip": {
             "type": "ip"
           },

generated/elasticsearch/7/template.json

@@ -43,3 +43,13 @@
         the hash algorithm is (and therefore which key name to search).
       normalize:
         - array
+
+    - name: hosts
+      level: extended
+      type: keyword
+      short: All the host identifiers seen on your event.
+      description: >
+        All hostnames or other host identifiers seen on your event. Example
+        identifiers include FQDNs, domain names, workstation names, or aliases.
+      normalize:
+        - array