From 085dc4d05281433a703d722fe560f6eae9365553 Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Thu, 6 Aug 2020 13:44:38 -0500
Subject: [PATCH 1/4] add related.host
---
 code/go/ecs/related.go | 4 ++++
 docs/field-details.asciidoc | 16 ++++++++++++++++
 generated/beats/fields.ecs.yml | 7 +++++++
 generated/csv/fields.csv | 1 +
 generated/ecs/ecs_flat.yml | 12 ++++++++++++
 generated/ecs/ecs_nested.yml | 12 ++++++++++++
 generated/elasticsearch/6/template.json | 4 ++++
 generated/elasticsearch/7/template.json | 4 ++++
 schemas/related.yml | 10 ++++++++++
 9 files changed, 70 insertions(+)
diff --git a/code/go/ecs/related.go b/code/go/ecs/related.go
index 8facf9bcec..e96d7fe3db 100644
--- a/code/go/ecs/related.go
+++ b/code/go/ecs/related.go
@@ -38,4 +38,8 @@ type Related struct {
 // to search for hashes can help in situations where you're unsure what the
 // hash algorithm is (and therefore which key name to search).
 Hash string `ecs:"hash"`
+
+ // All hostnames or other host identifiers seen on your event. Example
+ // identifiers include FQDNs, domain names, workstation names, or aliases.
+ Host string `ecs:"host"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index e0865fc9fc..d14b70828a 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -4610,6 +4610,22 @@ Note: this field should contain an array of values.
+| extended
+
+// ===============================================================
+
+| related.host
+| All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+
+
 | extended
 // ===============================================================
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 187523e869..0c3aa93047 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
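Review bot: `Host string` on the added line types the field as a single string, while the schema and docs in this same patch declare related.host as an array (`normalize: - array`, "this field should contain an array of values"), so a Go producer has room for only one host identifier per event. The sibling `Hash string` shows the same mismatch, which suggests the Go generator rather than this patch is the cause; if so the fix belongs in the generator, otherwise `Host []string \`ecs:"host"\`` would match the schema. The value is a pivot key for correlating events by hostname during an investigation, so a producer that can emit only one identifier silently weakens that correlation. The `Related` struct begins outside the hunk.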
@@ -3798,6 +3798,13 @@ using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
 default_field: false
+ - name: host
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: All hostnames or other host identifiers seen on your event. Example
+ identifiers include FQDNs, domain names, workstation names, or aliases.
+ default_field: false
 - name: ip
 level: extended
 type: ip
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index ec4c956fc7..b558de4ea9 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -439,6 +439,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 1.6.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
 1.6.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
+1.6.0-dev,true,related,related.host,keyword,extended,array,,All the host identifiers seen on your event.
 1.6.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
 1.6.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
 1.6.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 10ed2d2f67..c859618d43 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -5678,6 +5678,18 @@ related.hash:
 - array
 short: All the hashes seen on your event.
 type: keyword
+related.host:
+ dashed_name: related-host
+ description: All hostnames or other host identifiers seen on your event. Example
+ identifiers include FQDNs, domain names, workstation names, or aliases.
+ flat_name: related.host
+ ignore_above: 1024
+ level: extended
+ name: host
+ normalize:
+ - array
+ short: All the host identifiers seen on your event.
+ type: keyword
 related.ip:
 dashed_name: related-ip
 description: All of the IPs seen on your event.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 504a2c2bc8..8557e2cdf3 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -6768,6 +6768,18 @@ related:
 - array
 short: All the hashes seen on your event.
 type: keyword
+ related.host:
+ dashed_name: related-host
+ description: All hostnames or other host identifiers seen on your event. Example
+ identifiers include FQDNs, domain names, workstation names, or aliases.
+ flat_name: related.host
+ ignore_above: 1024
+ level: extended
+ name: host
+ normalize:
+ - array
+ short: All the host identifiers seen on your event.
+ type: keyword
 related.ip:
 dashed_name: related-ip
 description: All of the IPs seen on your event.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index c8b12fcd27..cc3c150bee 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -2081,6 +2081,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "ip": {
 "type": "ip"
 },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index 0c284b21e0..e46238908f 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -2080,6 +2080,10 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "host": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
 "ip": {
 "type": "ip"
 },
diff --git a/schemas/related.yml b/schemas/related.yml
index fd68c8b74f..d88c49beb1 100644
--- a/schemas/related.yml
+++ b/schemas/related.yml
@@ -43,3 +43,13 @@
 the hash algorithm is (and therefore which key name to search).
 normalize:
 - array
+
+ - name: host
+ level: extended
+ type: keyword
+ short: All the host identifiers seen on your event.
+ description: >
+ All hostnames or other host identifiers seen on your event. Example
+ identifiers include FQDNs, domain names, workstation names, or aliases.
+ normalize:
+ - array
From b54e83576e1fb8113c8314b851cbf33543e83a7f Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Thu, 6 Aug 2020 13:49:23 -0500
Subject: [PATCH 2/4] update changelog
---
 CHANGELOG.next.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 7c0ace0f5f..1629bf7e95 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -27,6 +27,7 @@ Thanks, you're awesome :-) -->
 * Added missing field reuse of `pe` at `process.parent.pe` #868
 * Added `span.id` to the tracing fieldset, for additional log correlation (#882)
 * Added `event.reason` for the reason why an event's outcome or action was taken. #907
+* Added `related.host` to capture all hostnames and host identifiers on an event. #913
 #### Improvements
From 183670d6241d8b6e9c029ccacf28eccae2d7258f Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Wed, 12 Aug 2020 13:55:55 -0500
Subject: [PATCH 3/4] using plural for hosts
---
 code/go/ecs/related.go | 2 +-
 docs/field-details.asciidoc | 2 +-
 generated/beats/fields.ecs.yml | 2 +-
 generated/csv/fields.csv | 2 +-
 generated/ecs/ecs_flat.yml | 8 ++++----
 generated/ecs/ecs_nested.yml | 8 ++++----
 generated/elasticsearch/6/template.json | 2 +-
 generated/elasticsearch/7/template.json | 2 +-
 schemas/related.yml | 2 +-
 9 files changed, 15 insertions(+), 15 deletions(-)
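Review bot: The added `description` for `host` in schemas/related.yml lists the kinds of identifier that belong in the field but says nothing about how values should be normalized before they are stored, and because the field is `type: keyword` (exact match), variants such as `HOST01`, `host01` and `host01.example.com.` will not match each other in a pivot query. The neighbouring `hash` entry explains why its field is useful for searching; a similar sentence here, for example `Normalize case and trailing dots consistently so the same host matches across events.`, would set the expectation for producers. Whether ECS wants to mandate normalization in the schema or leave it to the producer is a project decision I can't tell from the patch. The `related` field set's other entries begin outside the hunk.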
diff --git a/code/go/ecs/related.go b/code/go/ecs/related.go
index e96d7fe3db..22acb9fee2 100644
--- a/code/go/ecs/related.go
+++ b/code/go/ecs/related.go
@@ -41,5 +41,5 @@ type Related struct {
 // All hostnames or other host identifiers seen on your event. Example
 // identifiers include FQDNs, domain names, workstation names, or aliases.
- Host string `ecs:"host"`
+ Hosts string `ecs:"hosts"`
 }
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
index d14b70828a..4e8345a812 100644
--- a/docs/field-details.asciidoc
+++ b/docs/field-details.asciidoc
@@ -4614,7 +4614,7 @@ Note: this field should contain an array of values.
 // ===============================================================
-| related.host
+| related.hosts
 | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
 type: keyword
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 0c3aa93047..abebf609e1 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -3798,7 +3798,7 @@ using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search).
 default_field: false
- - name: host
+ - name: hosts
 level: extended
 type: keyword
 ignore_above: 1024
diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
index b558de4ea9..2c731207cb 100644
--- a/generated/csv/fields.csv
+++ b/generated/csv/fields.csv
@@ -439,7 +439,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value"
 1.6.0-dev,true,registry,registry.value,keyword,core,,Debugger,Name of the value written.
 1.6.0-dev,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event.
-1.6.0-dev,true,related,related.host,keyword,extended,array,,All the host identifiers seen on your event.
+1.6.0-dev,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event.
 1.6.0-dev,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event.
 1.6.0-dev,true,related,related.user,keyword,extended,array,,All the user names seen on your event.
 1.6.0-dev,true,rule,rule.author,keyword,extended,array,['Star-Lord'],Rule author
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index c859618d43..43ce24371a 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -5678,14 +5678,14 @@ related.hash:
 - array
 short: All the hashes seen on your event.
 type: keyword
-related.host:
- dashed_name: related-host
+related.hosts:
+ dashed_name: related-hosts
 description: All hostnames or other host identifiers seen on your event. Example
 identifiers include FQDNs, domain names, workstation names, or aliases.
- flat_name: related.host
+ flat_name: related.hosts
 ignore_above: 1024
 level: extended
- name: host
+ name: hosts
 normalize:
 - array
 short: All the host identifiers seen on your event.
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index 8557e2cdf3..daf1cfb8e1 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -6768,14 +6768,14 @@ related:
 - array
 short: All the hashes seen on your event.
 type: keyword
- related.host:
- dashed_name: related-host
+ related.hosts:
+ dashed_name: related-hosts
 description: All hostnames or other host identifiers seen on your event. Example
 identifiers include FQDNs, domain names, workstation names, or aliases.
- flat_name: related.host
+ flat_name: related.hosts
 ignore_above: 1024
 level: extended
- name: host
+ name: hosts
 normalize:
 - array
 short: All the host identifiers seen on your event.
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json
index cc3c150bee..30b7caebcc 100644
--- a/generated/elasticsearch/6/template.json
+++ b/generated/elasticsearch/6/template.json
@@ -2081,7 +2081,7 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
- "host": {
+ "hosts": {
 "ignore_above": 1024,
 "type": "keyword"
 },
diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json
index e46238908f..6f50268280 100644
--- a/generated/elasticsearch/7/template.json
+++ b/generated/elasticsearch/7/template.json
@@ -2080,7 +2080,7 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
- "host": {
+ "hosts": {
 "ignore_above": 1024,
 "type": "keyword"
 },
diff --git a/schemas/related.yml b/schemas/related.yml
index d88c49beb1..5e53009475 100644
--- a/schemas/related.yml
+++ b/schemas/related.yml
@@ -44,7 +44,7 @@
 normalize:
 - array
- - name: host
+ - name: hosts
 level: extended
 type: keyword
 short: All the host identifiers seen on your event.
From 3299b3f551e23275f9e4dc0b92379b2d44b130df Mon Sep 17 00:00:00 2001
From: Eric Beahan
Date: Wed, 12 Aug 2020 14:58:17 -0500
Subject: [PATCH 4/4] related.hosts made plural here too
---
 CHANGELOG.next.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 1629bf7e95..a6699d25e8 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -27,7 +27,7 @@ Thanks, you're awesome :-) -->
 * Added missing field reuse of `pe` at `process.parent.pe` #868
 * Added `span.id` to the tracing fieldset, for additional log correlation (#882)
 * Added `event.reason` for the reason why an event's outcome or action was taken. #907
-* Added `related.host` to capture all hostnames and host identifiers on an event. #913
+* Added `related.hosts` to capture all hostnames and host identifiers on an event. #913
 #### Improvements