[ECS] Use related.hosts instead of related.mac

[quentains]

According to the mapping file corelight-ds-component_template-main_logs-mappings, MAC addresses are "copied to" related.mac.

This is the case for :

• source.mac
• destination.mac
• radius.mac
• host.mac
• radius.mac

However related.mac seems to not be ECS compliant. See Elastic documentation.

What do you think about using related.hosts instead ? The same mapping file is already using related.hosts for 11 other fields.

related.hosts : All hostnames or other host identifiers seen on your event. [...]

[hunter32me]

I will look into this and see what impact this has. First thought is in how we define Host, and how will it impact search, by keeping it related.mac it would be easer to search on mac address

[neu5ron]

Hi @quentains thanks for bringing this up. Great question.

I want to preface that although related.mac is not "ECS" complaint, there is still an analytical and pivoting use case and in fact to not mix and break the ECS compliance related mac addresses were placed in related.mac. ECS in it's goal is great, but with anything iot has some short comings and specifically missing fields (for example the related 4 tuple and other hashes that some of the various pipelines create).
Although the primary goal of this repository is to map fields to ECS, as maintainers we are also users of the data, and with that comes an obligation to also make it useful above and beyond what ECS provides.

Let me know if this is satisfactory or not. I am open to discussion.