Add a related.host field

[nemhods]

Summary

Add a related.host field to capture hostnames and other host identifiers.

Motivation:

We can already define related usernames and IPs for a document, so it seems very natural to also be able to search for related hostnames (some events, like windows eventlog code 4776 don't even provide IPs, but rather workstation names).

Detailed Design:

Why related.host, and not related.hostname or something else?

• The field should hold all types of text-based host identifiers, be that hostnames, dns names, dns aliases, or workstation names.
• This is in line with the related.user field, which also doesn't discriminate between full user names, user handles, or even user IDs.
• If you look at the host fieldset, the closest thing to my proposed field would be host.name. however related.name is too ambiguous, so i think related.host is a good fit.

A related issue might be the standardization of domain representations: #728 - this issue isn't completed yet, but I don't see it colliding with what I'm proposing here.

PS: If you ask me, the related fields should be plurals (related.ips, related.users, related.hosts), because they will often contain arrays (as per the guidelines. But to keep in line with the already existing fields, I'm fine with related.host.

[ebeahan]

Thanks @nemhods for the proposal! Agreed this would be a logical and useful addition - there's a PR open in #913 if you have any input or feedback.

I've also opened #909 to track switching the related.* fields from singular to plural. Agree again this is a logical change, but as a breaking change this is something under consideration for ECS 2.0.