Update Sysmon Event ID 22 for ECS DNS (#13323)

Change two fields to match ECS DNS. This is a follow-up to #13116 now that the field names are finalized.

winlogbeat/docs/fields.asciidoc

@@ -4708,66 +4708,6 @@ type: keyword
 
 --
 
-*`dns.question.name`*::
-+
---
-The name being queried.
-
-
-type: keyword
-
---
-
-*`dns.answers`*::
-+
---
-An array containing a dictionary about each answer section returned by the server.
-
-
-type: object
-
---
-
-*`dns.answers.type`*::
-+
---
-The type of data contained in this resource record.
-
-type: keyword
-
-example: CNAME
-
---
-
-*`dns.answers.data`*::
-+
---
-type: keyword
-
---
-
-*`dns.answers_count`*::
-+
---
-The number of resource records contained in the `dns.answers` field.
-
-
-type: long
-
-example: 3
-
---
-
-*`dns.grouped.ip`*::
-+
---
-Array containing all IPs seen in `dns.answers.data`.
-
-
-type: ip
-
---
-
 [[exported-fields-winlog]]
 == Winlogbeat fields
 

x-pack/winlogbeat/module/sysmon/_meta/fields.yml

@@ -8,37 +8,3 @@
     - name: sysmon.dns.status
       type: keyword
       description: Windows status code returned for the DNS query.
-
-    # These dns.* fields are anticipated to be added to ECS.
-    - name: dns.question.name
-      type: keyword
-      description: >
-        The name being queried.
-
-    - name: dns.answers
-      type: object
-      description: >
-        An array containing a dictionary about each answer section returned by
-        the server.
-
-    - name: dns.answers.type
-      type: keyword
-      description: The type of data contained in this resource record.
-      example: CNAME
-
-    - name: dns.answers.data
-      type: keyword
-      short: The data describing the resource.
-
-    - name: dns.answers_count
-      type: long
-      description: >
-        The number of resource records contained in the `dns.answers` field.
-      example: 3
-
-    - name: dns.grouped.ip
-      type: ip
-      description: >
-        Array containing all IPs seen in `dns.answers.data`.
-
-

x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js

@@ -373,10 +373,9 @@ var sysmon = (function () {
 
         if (answers.length > 0) {
             evt.Put("dns.answers", answers);
-            evt.Put("dns.answers_count", answers.length);
         }
         if (ips.length > 0) {
-            evt.Put("dns.grouped.ip", ips);
+            evt.Put("dns.resolved_ip", ips);
         }
         evt.Delete("winlog.event_data.QueryResults");
     };
@@ -792,6 +791,12 @@ var sysmon = (function () {
             ignore_missing: true,
             fail_on_error: false,
         })
+        .RegisteredDomain({
+            ignore_failure: true,
+            ignore_missing: true,
+            field: "dns.question.name",
+            target_field: "dns.question.registered_domain",
+        })
         .Add(translateDnsQueryStatus)
         .Add(splitDnsQueryResults)
         .Add(setProcessNameUsingExe)