From d089bbe3322159f8fac529c53311cf43cd94eee8 Mon Sep 17 00:00:00 2001 From: Eric Beahan Date: Wed, 12 Aug 2020 17:11:07 -0500 Subject: [PATCH] add related.hosts (#913) --- CHANGELOG.next.md | 1 + code/go/ecs/related.go | 4 ++++ docs/field-details.asciidoc | 16 ++++++++++++++++ generated/beats/fields.ecs.yml | 7 +++++++ generated/csv/fields.csv | 1 + generated/ecs/ecs_flat.yml | 12 ++++++++++++ generated/ecs/ecs_nested.yml | 12 ++++++++++++ generated/elasticsearch/6/template.json | 4 ++++ generated/elasticsearch/7/template.json | 4 ++++ schemas/related.yml | 10 ++++++++++ 10 files changed, 71 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index ae6e775639..9c0144cd0a 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -27,6 +27,7 @@ Thanks, you're awesome :-) --> * Added missing field reuse of `pe` at `process.parent.pe` #868 * Added `span.id` to the tracing fieldset, for additional log correlation (#882) * Added `event.reason` for the reason why an event's outcome or action was taken. #907 +* Added `related.hosts` to capture all hostnames and host identifiers on an event. #913 #### Improvements diff --git a/code/go/ecs/related.go b/code/go/ecs/related.go index 8facf9bcec..22acb9fee2 100644 --- a/code/go/ecs/related.go +++ b/code/go/ecs/related.go @@ -38,4 +38,8 @@ type Related struct { // to search for hashes can help in situations where you're unsure what the // hash algorithm is (and therefore which key name to search). Hash string `ecs:"hash"` + + // All hostnames or other host identifiers seen on your event. Example + // identifiers include FQDNs, domain names, workstation names, or aliases. + Hosts string `ecs:"hosts"` } diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index f9d23b7d47..c0c97dc14e 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
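Review bot: The new field is declared as `Hosts string`, which holds a single value, while the `schemas/related.yml` hunk in this same commit declares `related.hosts` with `normalize: array` and the asciidoc hunk states the field should contain an array of values; the `Hash string` field just above has the same shape, so this appears to be how the Go generator renders array-normalized fields rather than a defect introduced here, but the struct comment does not mention it at all. Suggest extending the new comment with `// Note: this field should contain an array of values.` so a caller populating the struct is not misled by the scalar type. If `code/go/ecs/related.go` is generated (it is committed alongside the other generated artifacts in the diffstat), the change belongs in the generator template rather than in this file. The `Related` struct declaration begins outside the hunk.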
@@ -4610,6 +4610,22 @@ Note: this field should contain an array of values. +| extended + +// =============================================================== + +| related.hosts +| All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. + +type: keyword + + +Note: this field should contain an array of values. + + + + + | extended // =============================================================== diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 1b2d7679cd..2daa3cee41 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -3819,6 +3819,13 @@ using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). default_field: false + - name: hosts + level: extended + type: keyword + ignore_above: 1024 + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + default_field: false - name: ip level: extended type: ip diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 45ef39de6b..ccad5efe98 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -442,6 +442,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 1.6.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" 1.6.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. 1.6.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +1.6.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. 1.6.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. 1.6.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event. 1.6.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 8f8d13078f..bf40d50bbc 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -5717,6 +5717,18 @@ related.hash: - array short: All the hashes seen on your event. type: keyword +related.hosts: + dashed_name: related-hosts + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + flat_name: related.hosts + ignore_above: 1024 + level: extended + name: hosts + normalize: + - array + short: All the host identifiers seen on your event. + type: keyword related.ip: dashed_name: related-ip description: All of the IPs seen on your event. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 427dcbbbf7..fe594745d0 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -6807,6 +6807,18 @@ related: - array short: All the hashes seen on your event. type: keyword + related.hosts: + dashed_name: related-hosts + description: All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + flat_name: related.hosts + ignore_above: 1024 + level: extended + name: hosts + normalize: + - array + short: All the host identifiers seen on your event. + type: keyword related.ip: dashed_name: related-ip description: All of the IPs seen on your event. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 45973e04e4..761e480ed1 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -2093,6 +2093,10 @@ "ignore_above": 1024, "type": "keyword" }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 35c05f8040..977e4a88b0 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -2092,6 +2092,10 @@ "ignore_above": 1024, "type": "keyword" }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, diff --git a/schemas/related.yml b/schemas/related.yml index fd68c8b74f..5e53009475 100644 --- a/schemas/related.yml +++ b/schemas/related.yml @@ -43,3 +43,13 @@ the hash algorithm is (and therefore which key name to search). normalize: - array + + - name: hosts + level: extended + type: keyword + short: All the host identifiers seen on your event. + description: > + All hostnames or other host identifiers seen on your event. Example + identifiers include FQDNs, domain names, workstation names, or aliases. + normalize: + - array
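Review bot: The new `hosts` entry in `schemas/related.yml` is `type: keyword`, so lookups are exact and case-sensitive, yet the description gives no guidance on normalizing values before they are added; a hostname that one source reports in upper case and another in lower case is indexed as two distinct terms, which undermines the pivoting purpose of the `related.*` field set. Consider adding to the description: `Values should be normalized consistently (for example, lowercased) before being added so that the same host is not recorded under several spellings.` The same gap exists in the generated copies of this text in the `ecs_flat.yml`, `ecs_nested.yml`, `fields.ecs.yml` and asciidoc hunks, which would be regenerated from this schema.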