[SECURITY] Endpoint only use `host.hostname`

[XavierM]

In the SIEM app, we are using host.name vs using host.hostname. At the beginning of the project we were using only host.hostname but we switch to only use host.name because this field can be edited via the config file in beat.

We think that the endpoint should fill host.hostname and host.name at the same time, so we do not need to have a workaround in every query and the user won't be surprised that it is different trough our security app.

[kevinlog]

@nnamdifrankie @ferullo @jonathan-buttner

FYI on the above. We may want to populate both fields. The Endpoint would need to write both fields (host.name and host.hostname) in the documents it ships. In the schemas we'd need to include host.name and host.hostname.

Let me know your thoughts or if you see any complications. The fields can just be copies of each other.

[tsg]

This comment in the ECS repo gives an explanation of how we expect host.hostname and host.name to be used. Like Xavier said, host.name has the advantage that can be overwritten via the config, so it is useful for people that have all their hosts called vagrant or something similar :).

As we can see in the linked ticket, the naming and/or descriptions are not very clear since other ECS implementors have hit the same confusion. So we should probably discuss how to improve it in ECS, but until then, I suggest filling both host.name and host.hostname to be consistent with the other Kibana apps.

[nnamdifrankie]

@kevinlog on the kibana/registry side it touches all the events we send. Am sure it is the same thing on Endpoint side too. I thought that name was more arbitrary than hostname. But it will be a wide change.

[jonathan-buttner]

@ferullo based on the issue here: https://github.com/elastic/endpoint-dev/issues/6637 I think the endpoint is populating those fields for all messages already. I haven't checked the latest endpoint though to verify though.

We will need to update the package for policy and metadata though because they don't map that field.

[nnamdifrankie]

@XavierM @stephmilovic adding the changes for the data to master.

[webmat]

I agree, please fill both.

If the endpoint offers the option to customize machine names, this customization should affect host.name. Even if the endpoint doesn't offer this functionality, it should populate host.name.

Populating host.name is a requirement for events to be picked up by the SIEM: https://www.elastic.co/guide/en/siem/guide/current/siem-field-reference.html