[ECS] Adds related.hosts to capture all hostnames and host identifie…

…rs on an event. (elastic#21160) * Add related.hosts to panos * Add related.hosts to osquery * Add related.hosts to system * Add related.hosts to defender atp * Add related.hosts to cisco * Add related.hosts to suricata * Use allow_duplicates: false to remove duplicate hosts * Add related.hosts to rsa2elk modules * Add changelog entry * Add checks to avoid empty strings
marc-gr · Sep 23, 2020 · 3fb01e3 · 3fb01e3
1 parent 43ca900
commit 3fb01e3
Show file tree

Hide file tree

Showing 126 changed files with 9,460 additions and 1,517 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -589,6 +589,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Added new module for Zoom webhooks {pull}20414[20414]
 - Add type and sub_type to panw panos fileset {pull}20912[20912]
 - Always attempt community_id processor on zeek module {pull}21155[21155]
+- Add related.hosts ecs field to all modules {pull}21160[21160]
 
 *Heartbeat*
 

diff --git a/filebeat/module/osquery/result/config/result.yml b/filebeat/module/osquery/result/config/result.yml
@@ -10,4 +10,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.5.0
+        ecs.version: 1.6.0
diff --git a/filebeat/module/osquery/result/ingest/pipeline.json b/filebeat/module/osquery/result/ingest/pipeline.json
@@ -206,6 +206,14 @@
             "value": "{{osquery.result.name}}",
             "ignore_empty_value": true
         }
+    },
+    {
+        "append": {
+            "field": "related.hosts",
+            "value": "{{host.hostname}}",
+            "if": "ctx?.host?.hostname != null && ctx.host?.hostname != ''",
+            "allow_duplicates": false
+        }
     }
   ],
   "on_failure" : [{