Would like to reopen the discussion on adding a related.id field (I am also OK with log.id).

This field could either be a single value or an array depending on the log source / scenario, but regardless still a keyword ES type.

These would be dissimilar to event.id, because this proposed field would be the log source's internal identifier for correlating across the multiple log types that it has. Also, this is distinct from the unique number/id of the log itself that the log source uses to prevent collisions or whatnot in its own internal logging database/function/system.

Four log sources that could immediately benefit:

Windows Event Log (WEF) field ActivityID
  correlating multiple different EventIDs

Bro (Zeek) field uid
  correlating multiple different log types. ex: conn <> ssl <> file <> x509 <> intel

flow_id
  correlating flow log <> application log <> alert log

Session ID
  correlating traffic <> threat <>

** Side note, the above fields aren't exhaustive. For example Bro has at least 10+ others and WEF has a whole lot of 'em **

Reference to #67, but I wanted to potentially add clarity by adding more use cases and splitting this related log id into its own discussion.
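To make the proposal concrete, here is an added example (not code from the ECS project or from the issue author) that normalises constructed Zeek and Windows Event Log records into documents carrying a related.id keyword array, then pivots across log types by any value in that array. The dataset names, the `original` sub-document and the sample ids are assumptions made for the example; the Zeek field names follow the conn/ssl/files/x509/intel logs, and ActivityID / EventRecordID follow the Windows EventLog System block.

```python
"""Added example (not ECS project code): build related.id from per-source
correlation ids and pivot across log types by it. All records are constructed."""
from collections import defaultdict

# Which source fields feed related.id for each dataset. Some are scalars (uid),
# some are arrays (files.log conn_uids, ssl.log cert_chain_fuids); both flatten
# into one keyword array so a single terms query on related.id hits every log type.
RELATED_ID_FIELDS = {
    "zeek.conn":  ["uid"],
    "zeek.ssl":   ["uid", "cert_chain_fuids"],
    "zeek.files": ["fuid", "conn_uids"],
    "zeek.x509":  ["id"],              # x509.log's id is the fuid of the certificate file
    "zeek.intel": ["uid", "fuid"],
    "winlog":     ["ActivityID"],      # System/Correlation ActivityID, shared across EventIDs
}

# Constructed sample ids (made-up Zeek-style uid/fuid strings and a made-up GUID).
CONN_UID = "CHhAvVGS1DHFjwGM9"
CERT_FUID = "FkYBO41LNlEmt8hGoc"
ACTIVITY_ID = "{0f6c7a18-2d0e-4f3a-9c1b-5e8d2a7b4c01}"

# Constructed sample records, one per log type.
SAMPLES = [
    ("zeek.conn",  {"uid": CONN_UID, "id.orig_h": "10.0.0.5", "id.resp_h": "93.184.216.34", "id.resp_p": 443}),
    ("zeek.ssl",   {"uid": CONN_UID, "server_name": "example.com", "cert_chain_fuids": [CERT_FUID, "Fx2ZJ03nOaIeQK9vhf"]}),
    ("zeek.files", {"fuid": CERT_FUID, "conn_uids": [CONN_UID], "mime_type": "application/x-x509-user-cert"}),
    ("zeek.x509",  {"id": CERT_FUID, "certificate.subject": "CN=example.com"}),
    ("zeek.intel", {"uid": CONN_UID, "fuid": CERT_FUID, "seen.indicator": "example.com"}),
    # Two different EventIDs sharing one ActivityID. EventRecordID is the log's own
    # per-record unique number and deliberately does NOT go into related.id.
    ("winlog", {"EventID": 4688, "EventRecordID": 91001, "ActivityID": ACTIVITY_ID, "Computer": "WS01"}),
    ("winlog", {"EventID": 4689, "EventRecordID": 91002, "ActivityID": ACTIVITY_ID, "Computer": "WS01"}),
]


def to_ecs(dataset, record):
    """Build an ECS-style document whose related.id is always a list of keywords."""
    ids = []
    for field in RELATED_ID_FIELDS[dataset]:
        value = record.get(field)
        if value is None:
            continue
        for v in value if isinstance(value, list) else [value]:
            if v not in ids:                      # de-duplicate, keep source order
                ids.append(v)
    doc = {"event": {"dataset": dataset}, "related": {"id": ids}, "original": record}
    if "EventRecordID" in record:                 # the log's own unique id belongs in event.id
        doc["event"]["id"] = str(record["EventRecordID"])
    return doc


def build_index(samples=SAMPLES):
    """Inverted index: related.id value -> documents, i.e. what a terms query would return."""
    by_id = defaultdict(list)
    for dataset, record in samples:
        doc = to_ecs(dataset, record)
        for i in doc["related"]["id"]:
            by_id[i].append(doc)
    return by_id


def pivot(by_id, value):
    """Return the datasets reachable from one correlation id, in index order."""
    return [d["event"]["dataset"] for d in by_id.get(value, [])]


if __name__ == "__main__":
    idx = build_index()
    print("conn uid   ->", pivot(idx, CONN_UID))
    print("cert fuid  ->", pivot(idx, CERT_FUID))
    print("ActivityID ->", pivot(idx, ACTIVITY_ID))
```

Pivoting on the connection uid returns conn, ssl, files and intel; pivoting on the certificate fuid returns ssl (via cert_chain_fuids), files, x509 and intel; pivoting on the ActivityID returns both Windows events despite their different EventIDs. Because related.id is a flat keyword array, the per-source distinction between scalar and array fields disappears at query time, which is the point of keeping it separate from event.id.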