diff --git a/.ci/beats-tester.groovy b/.ci/beats-tester.groovy
new file mode 100644
index 000000000000..eb1357700b62
--- /dev/null
+++ b/.ci/beats-tester.groovy
@@ -0,0 +1,106 @@ +#!/usr/bin/env groovy + +@Library('apm@current') _ + +pipeline { + agent none + environment { + BASE_DIR = 'src/github.com/elastic/beats' + PIPELINE_LOG_LEVEL = "INFO" + BEATS_TESTER_JOB = 'Beats/beats-tester-mbp/master' + } + options { + timeout(time: 1, unit: 'HOURS') + buildDiscarder(logRotator(numToKeepStr: '20', artifactNumToKeepStr: '20', daysToKeepStr: '30')) + timestamps() + ansiColor('xterm') + disableResume() + durabilityHint('PERFORMANCE_OPTIMIZED') + disableConcurrentBuilds() + } + triggers { + issueCommentTrigger('(?i)^\\/beats-tester$') + upstream("Beats/packaging/${env.JOB_BASE_NAME}") + } + stages { + stage('Filter build') { + agent { label 'ubuntu && immutable' } + when { + beforeAgent true + anyOf { + triggeredBy cause: "IssueCommentCause" + expression { + def ret = isUserTrigger() || isUpstreamTrigger() + if(!ret){ + currentBuild.result = 'NOT_BUILT' + currentBuild.description = "The build has been skipped" + currentBuild.displayName = "#${BUILD_NUMBER}-(Skipped)" + echo("the build has been skipped due the trigger is a branch scan and the allow ones are manual, GitHub comment, and upstream job") + } + return ret + } + } + } + stages { + stage('Checkout') { + options { skipDefaultCheckout() } + steps { + deleteDir() + gitCheckout(basedir: "${BASE_DIR}") + setEnvVar('VERSION', sh(script: "grep ':stack-version:' ${BASE_DIR}/libbeat/docs/version.asciidoc | cut -d' ' -f2", returnStdout: true).trim()) + } + } + stage('Build master') { + options { skipDefaultCheckout() } + when { branch 'master' } + steps { + runBeatsTesterJob(version: "${env.VERSION}-SNAPSHOT") + } + } + stage('Build *.x branch') { + options { skipDefaultCheckout() } + when { branch '*.x' } + steps { + runBeatsTesterJob(version: "${env.VERSION}-SNAPSHOT") + } + } + stage('Build PullRequest') { + options { skipDefaultCheckout() } + when { changeRequest() } + steps { + runBeatsTesterJob(version: "${env.VERSION}-SNAPSHOT", + apm: 
"https://storage.googleapis.com/apm-ci-artifacts/jobs/pull-requests/pr-${env.CHANGE_ID}", + beats: "https://storage.googleapis.com/beats-ci-artifacts/pull-requests/pr-${env.CHANGE_ID}") + } + } + stage('Build release branch') { + options { skipDefaultCheckout() } + when { + not { + allOf { + branch comparator: 'REGEXP', pattern: '(master|.*x)' + changeRequest() + } + } + } + steps { + runBeatsTesterJob(version: "${env.VERSION}-SNAPSHOT") + } + } + } + } + } +} + +def runBeatsTesterJob(Map args = [:]) { + if (args.apm && args.beats) { + build(job: env.BEATS_TESTER_JOB, propagate: false, wait: false, + parameters: [ + string(name: 'APM_URL_BASE', value: args.apm), + string(name: 'BEATS_URL_BASE', value: args.beats), + string(name: 'VERSION', value: args.version) + ]) + } else { + build(job: env.BEATS_TESTER_JOB, propagate: false, wait: false, parameters: [ string(name: 'VERSION', value: args.version) ]) + } +} \ No newline at end of file diff --git a/.ci/jobs/beats-tester.yml b/.ci/jobs/beats-tester.yml new file mode 100644 index 000000000000..522abfa5e5c4 --- /dev/null +++ b/.ci/jobs/beats-tester.yml 
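Review bot: The `when` guard on 'Build release branch' is always true: `allOf { branch comparator: 'REGEXP', pattern: '(master|.*x)'; changeRequest() }` requires a build to be both a master/*.x branch build and a change request at the same time, which never holds, so `not { allOf {...} }` lets the stage run for master, *.x and PR builds as well and `runBeatsTesterJob` is triggered a second time for each of them. The intended exclusion is `not { anyOf { branch comparator: 'REGEXP', pattern: '(master|.*x)'; changeRequest() } }`. Also worth a comment at the `setEnvVar('VERSION', ...)` line: the value is grepped out of `libbeat/docs/version.asciidoc` in the checked-out revision, so on pull requests it is contributor-controlled text that is forwarded unchecked as the downstream `VERSION` parameter; a shape check such as `if (!(env.VERSION ==~ /\d+\.\d+\.\d+/)) { error("unexpected VERSION: ${env.VERSION}") }` before the build stages would keep malformed values out of the packaging job.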
@@ -0,0 +1,56 @@ +--- +- job: + name: Beats/beats-tester + display-name: Beats Tester + description: Run the beats-tester + view: Beats + disabled: false + project-type: multibranch + script-path: .ci/beats-tester.groovy + scm: + - github: + branch-discovery: 'no-pr' + discover-pr-forks-strategy: 'merge-current' + discover-pr-forks-trust: 'permission' + discover-pr-origin: 'merge-current' + discover-tags: true + head-filter-regex: '(master|7\.([x9]|1\d+)|8\.\d+|PR-.*|v\d+\.\d+\.\d+)' + disable-pr-notifications: true + notification-context: 'beats-tester' + repo: 'beats' + repo-owner: 'elastic' + credentials-id: github-app-beats-ci + ssh-checkout: + credentials: f6c7695a-671e-4f4f-a331-acdce44ff9ba + build-strategies: + - skip-initial-build: true + - tags: + ignore-tags-older-than: -1 + ignore-tags-newer-than: 30 + - named-branches: + - exact-name: + name: 'master' + case-sensitive: true + - regex-name: + regex: '7\.([x9]|1\d+)' + case-sensitive: true + - regex-name: + regex: '8\.\d+' + case-sensitive: true + - change-request: + ignore-target-only-changes: true + clean: + after: true + before: true + prune: true + shallow-clone: true + depth: 3 + do-not-fetch-tags: true + submodule: + disable: false + recursive: true + parent-credentials: true + timeout: 100 + timeout: '15' + use-author: true + wipe-workspace: true diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 0c18d59e0096..145d7ae09e5c 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
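Review bot: The two `timeout` keys use different scalar types, `timeout: 100` (integer, under `submodule`) and `timeout: '15'` (quoted string, for the checkout), which reads as an accident rather than intent; `timeout: 15` would keep the file consistent, assuming the job-builder schema takes an integer there as it does for the submodule one. The branch patterns `7\.([x9]|1\d+)` and `8\.\d+` are also written twice, once in `head-filter-regex` and once under `named-branches`, so any future change to the supported-branch set has to be made in both places; a short comment naming that coupling (or a YAML anchor shared by both) would prevent the two from drifting apart.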
@@ -21,6 +21,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Remove the deprecated `xpack.monitoring.*` settings. Going forward only `monitoring.*` settings may be used. {issue}9424[9424] {pull}18608[18608] - Added `certificate` TLS verification mode to ignore server name mismatch. {issue}12283[12283] {pull}20293[20293] - Autodiscover doesn't generate any configuration when a variable is missing. Previously it generated an incomplete configuration. {pull}20898[20898] +- Remove redundant `cloudfoundry.*.timestamp` fields. This value is set in `@timestamp`. {pull}21175[21175] *Auditbeat* @@ -171,6 +172,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add missing country_name geo field in `add_host_metadata` and `add_observer_metadata` processors. {issue}20796[20796] {pull}20811[20811] - [Autodiscover] Handle input-not-finished errors in config reload. {pull}20915[20915] - Explicitly detect missing variables in autodiscover configuration, log them at the debug level. {issue}20568[20568] {pull}20898[20898] +- Fix `libbeat.output.write.bytes` and `libbeat.output.read.bytes` metrics of the Elasticsearch output. {issue}20752[20752] {pull}21197[21197] *Auditbeat* @@ -264,6 +266,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Remove wrongly mapped `tls.client.server_name` from `fortinet/firewall` fileset. {pull}20983[20983] - Fix an error updating file size being logged when EOF is reached. {pull}21048[21048] - Fix error when processing AWS Cloudtrail Digest logs. {pull}21086[21086] {issue}20943[20943] +- Provide backwards compatibility for the `append` processor when Elasticsearch is less than 7.10.0. {pull}21159[21159] *Heartbeat* 
@@ -345,6 +348,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Disable Kafka metricsets based on Jolokia by default. They require a different configuration. {pull}20989[20989] - Fix panic index out of range error when getting AWS account name. {pull}21101[21101] {issue}21095[21095] - Handle missing counters in the application_pool metricset. {pull}21071[21071] +- Fix timestamp handling in remote_write. {pull}21166[21166] +- Fix remote_write flaky test. {pull}21173[21173] +- Visualization title fixes in aws, azure and googlecloud compute dashboards. {pull}21098[21098] *Packetbeat* @@ -362,6 +368,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix timeout option of GCP functions. {issue}16282[16282] {pull}16287[16287] - Do not need Google credentials if not required for the operation. {issue}17329[17329] {pull}21072[21072] - Fix dependency issues of GCP functions. {issue}20830[20830] {pull}21070[21070] +- Fix catchall bucket config errors by adding more validation. {issue}17572[16282] {pull}20887[16287] ==== Added @@ -428,6 +435,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added experimental dataset `fortinet/fortimanager`. {pull}20820[20820] - Added experimental dataset `juniper/netscreen`. {pull}20820[20820] - Added experimental dataset `sophos/utm`. {pull}20820[20820] +- Add Cloud Foundry tags in related events. {pull}21177[21177] *Auditbeat* 
@@ -573,12 +581,15 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Convert httpjson to v2 input {pull}20226[20226] - Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867] - Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927] +- Added new properties field support for event.outcome in azure module {pull}20998[20998] - Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958] - Improve Fortinet firewall module with `x509` ECS mappings {pull}20983[20983] - Improve Santa module with `x509` ECS mappings {pull}20976[20976] - Improve Suricata Eve module with `x509` ECS mappings {pull}20973[20973] - Added new module for Zoom webhooks {pull}20414[20414] - Add type and sub_type to panw panos fileset {pull}20912[20912] +- Always attempt community_id processor on zeek module {pull}21155[21155] +- Add related.hosts ecs field to all modules {pull}21160[21160] *Heartbeat* @@ -694,6 +705,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add state_daemonset metricset for Kubernetes Metricbeat module {pull}20649[20649] - Add host inventory metrics to azure compute_vm metricset. {pull}20641[20641] - Add host inventory metrics to googlecloud compute metricset. {pull}20391[20391] +- Add host inventory metrics to system module. {pull}20415[20415] - Add billing data collection from Cost Explorer into aws billing metricset. {pull}20527[20527] {issue}20103[20103] - Migrate `compute_vm` metricset to a light one, map `cloud.instance.id` field. {pull}20889[20889] - Request prometheus endpoints to be gzipped by default {pull}20766[20766] 
@@ -702,6 +714,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Move `compute_vm_scaleset` to light metricset. {pull}21038[21038] {issue}20985[20985] - Sanitize `event.host`. {pull}21022[21022] - Add overview and platform health dashboards to Cloud Foundry module. {pull}21124[21124] +- Release lambda metricset in aws module as GA. {issue}21251[21251] {pull}21255[21255] *Packetbeat* diff --git a/README.md b/README.md index 2864b7f51abb..28fbe081d04d 100644 --- a/README.md +++ b/README.md @@ -107,6 +107,8 @@ It is possible to trigger some jobs by putting a comment on a GitHub PR. * `/run apm-beats-update` * [apm-beats-packaging][] * `/package` or `/packaging` will kick of a build to generate the packages for beats. +* [apm-beats-tester][] + * `/beats-tester` will kick of a build to validate the generated packages. ### PR Labels @@ -118,3 +120,4 @@ It's possible to configure the build on a GitHub PR by labelling the PR with the [beats]: https://beats-ci.elastic.co/job/Beats/job/beats/ [apm-beats-update]: https://beats-ci.elastic.co/job/Beats/job/apm-beats-update/ [apm-beats-packaging]: https://beats-ci.elastic.co/job/Beats/job/packaging/ +[apm-beats-tester]: https://beats-ci.elastic.co/job/Beats/job/beats-tester/ diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go index 22b0ae574df8..4340c7fdb4ea 100644 --- a/dev-tools/mage/crossbuild.go +++ b/dev-tools/mage/crossbuild.go @@ -267,6 +267,7 @@ func (b GolangCrossBuilder) Build() error { "--env", "MAGEFILE_VERBOSE="+verbose, "--env", "MAGEFILE_TIMEOUT="+EnvOr("MAGEFILE_TIMEOUT", ""), "--env", fmt.Sprintf("SNAPSHOT=%v", Snapshot), + "--env", fmt.Sprintf("DEV=%v", DevBuild), "-v", repoInfo.RootDir+":"+mountPoint, "-w", workDir, image, diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go index 08a619c3df34..037d4838d035 100644 --- a/dev-tools/mage/settings.go +++ b/dev-tools/mage/settings.go 
@@ -77,6 +77,7 @@ var ( BeatProjectType ProjectType Snapshot bool + DevBuild bool versionQualified bool versionQualifier string @@ -117,6 +118,11 @@ func init() { panic(errors.Wrap(err, "failed to parse SNAPSHOT env value")) } + DevBuild, err = strconv.ParseBool(EnvOr("DEV", "false")) + if err != nil { + panic(errors.Wrap(err, "failed to parse DEV env value")) + } + versionQualifier, versionQualified = os.LookupEnv("VERSION_QUALIFIER") } @@ -165,6 +171,7 @@ func varMap(args ...map[string]interface{}) map[string]interface{} { "BeatURL": BeatURL, "BeatUser": BeatUser, "Snapshot": Snapshot, + "DEV": DevBuild, "Qualifier": versionQualifier, } diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index fec578947750..1cfd24021932 100644 --- a/dev-tools/packaging/packages.yml +++ b/dev-tools/packaging/packages.yml @@ -509,7 +509,7 @@ shared: - &docker_ubi_spec extra_vars: image_name: '{{.BeatName}}-ubi8' - from: 'registry.access.redhat.com/ubi8/ubi-minimal' + from: 'docker.elastic.co/ubi8/ubi-minimal' - &elastic_docker_spec extra_vars: diff --git a/docs/devguide/modules-dev-guide.asciidoc b/docs/devguide/modules-dev-guide.asciidoc index b8aa133f1f86..b3a8cb225926 100644 --- a/docs/devguide/modules-dev-guide.asciidoc +++ b/docs/devguide/modules-dev-guide.asciidoc @@ -486,6 +486,6 @@ locally for a specific module, using the following procedure under Filebeat dire . Run an Elasticsearch instance locally using docker: `docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT` . Create python env: `make python-env` -. Source python env: `./build/python-env/bin/activate` +. Source python env: `source ./build/python-env/bin/activate` . Create the testing binary: `make filebeat.test` . Run the test, ie: `GENERATE=1 INTEGRATION_TESTS=1 BEAT_STRICT_PERMS=false TESTING_FILEBEAT_MODULES=nginx pytest tests/system/test_modules.py` 
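Review bot: In the `varMap` hunk the new template key is spelled `"DEV"` while every neighbouring key (`"Snapshot"`, `"Qualifier"`, `"BeatUser"`) mirrors the Go variable name in CamelCase, so templates will have to write `{{.DEV}}` next to `{{.Snapshot}}`; `"DevBuild": DevBuild,` would keep the map consistent, or a comment should say why the environment-variable spelling was chosen for this one key. The `init` hunk mirrors the existing `SNAPSHOT` handling, including the panic on an unparsable value, which is consistent with the surrounding code; both `init` and `varMap` begin and end outside their hunks.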
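Review bot: `from: 'docker.elastic.co/ubi8/ubi-minimal'` carries neither a tag nor a digest, so every packaging run resolves whatever the mirror currently serves as `latest`; the previous `registry.access.redhat.com` reference had the same shape, but switching the base image to a mirror is the natural point to pin it, e.g. `from: 'docker.elastic.co/ubi8/ubi-minimal:<tag>@sha256:<digest>'` (placeholders), so the UBI layer in released images is reproducible and a change in the mirror's sync state cannot silently alter the build. If pinning is deliberately deferred, a one-line comment above the key saying so would save the next reader the question.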
diff --git a/filebeat/docs/filebeat-general-options.asciidoc b/filebeat/docs/filebeat-general-options.asciidoc index ad471c640842..a1a844f37af6 100644 --- a/filebeat/docs/filebeat-general-options.asciidoc +++ b/filebeat/docs/filebeat-general-options.asciidoc @@ -33,13 +33,13 @@ filebeat.registry.path: registry ------------------------------------------------------------------------------------- NOTE: The registry is only updated when new events are flushed and not on a predefined period. -That means in case there are some states where the TTL expired, these are only removed when new event are processed. +That means in case there are some states where the TTL expired, these are only removed when new events are processed. -NOTE: The registry stores it's data in the subdirectory filebeat/data.json. It +NOTE: The registry stores its data in the subdirectory filebeat/data.json. It also contains a meta data file named filebeat/meta.json. The meta file contains the file format version number. -NOTE: The content stored in filebeat/data.json is compatible to the old registry file data format. +NOTE: The content stored in filebeat/data.json is compatible with the old registry file data format. [float] ==== `registry.file_permissions` diff --git a/filebeat/docs/modules/logstash.asciidoc b/filebeat/docs/modules/logstash.asciidoc index 5c9df956e053..73b285aa6da7 100644 --- a/filebeat/docs/modules/logstash.asciidoc +++ b/filebeat/docs/modules/logstash.asciidoc @@ -86,7 +86,8 @@ image::./images/kibana-logstash-slowlog.png[] [float] === Known issues -When using the `log` fileset to parse plaintext logs, if a multiline plaintext log contains an embedded JSON objct such that + +When using the `log` fileset to parse plaintext logs, if a multiline plaintext log contains an embedded JSON object such that the JSON object starts on a new line, the fileset may not parse the multiline plaintext log event correctly. :has-dashboards!: 
diff --git a/filebeat/docs/modules/nginx.asciidoc b/filebeat/docs/modules/nginx.asciidoc index b5d52d7d0d99..46b3bf347950 100644 --- a/filebeat/docs/modules/nginx.asciidoc +++ b/filebeat/docs/modules/nginx.asciidoc @@ -28,7 +28,7 @@ The Nginx module was tested with logs from version 1.10. On Windows, the module was tested with Nginx installed from the Chocolatey repository. -`ingress_controller` fileset was tested with version 0.28.0 of `nginx-ingress-controller`. +`ingress_controller` fileset was tested with version v0.28.0 and v0.34.1 of `nginx-ingress-controller`. include::../include/configuring-intro.asciidoc[] diff --git a/filebeat/fileset/pipelines.go b/filebeat/fileset/pipelines.go index 3d89e607ec6e..fe7eb86c884d 100644 --- a/filebeat/fileset/pipelines.go +++ b/filebeat/fileset/pipelines.go @@ -132,6 +132,10 @@ func loadPipeline(esClient PipelineLoader, pipelineID string, content map[string return fmt.Errorf("failed to modify set processor in pipeline: %v", err) } + if err := modifyAppendProcessor(esClient.GetVersion(), pipelineID, content); err != nil { + return fmt.Errorf("failed to modify append processor in pipeline: %v", err) + } + body, err := esClient.LoadJSON(path, content) if err != nil { return interpretError(err, body) 
@@ -291,3 +295,73 @@ func modifySetProcessor(esVersion common.Version, pipelineID string, content map
 }
 return nil
 }
+
+// modifyAppendProcessor replaces allow_duplicates option with an if statement
+// so ES less than 7.10 will still work
+func modifyAppendProcessor(esVersion common.Version, pipelineID string, content map[string]interface{}) error {
+ flagVersion := common.MustNewVersion("7.10.0")
+ if !esVersion.LessThan(flagVersion) {
+ return nil
+ }
+
+ p, ok := content["processors"]
+ if !ok {
+ return nil
+ }
+ processors, ok := p.([]interface{})
+ if !ok {
+ return fmt.Errorf("'processors' in pipeline '%s' expected to be a list, found %T", pipelineID, p)
+ }
+
+ for _, p := range processors {
+ processor, ok := p.(map[string]interface{})
+ if !ok {
+ continue
+ }
+ if options, ok := processor["append"].(map[string]interface{}); ok {
+ allow, ok := options["allow_duplicates"].(bool)
+ if !ok {
+ // don't have allow_duplicates, nothing to do
+ continue
+ }
+
+ logp.Debug("modules", "In pipeline %q removing unsupported 'allow_duplicates' in append processor", pipelineID)
+ delete(options, "allow_duplicates")
+ if allow {
+ // it was set to true, nothing else to do after removing the option
+ continue
+ }
+
+ currIf, _ := options["if"].(string)
+ if strings.Contains(strings.ToLower(currIf), "contains") {
+ // if it has a contains statement, we assume it is checking for duplicates already
+ continue
+ }
+ field, ok := options["field"].(string)
+ if !ok {
+ continue
+ }
+ val, ok := options["value"].(string)
+ if !ok {
+ continue
+ }
+
+ field = strings.ReplaceAll(field, ".", "?.")
+
+ val = strings.TrimLeft(val, "{ ")
+ val = strings.TrimRight(val, "} ")
+ val = strings.ReplaceAll(val, ".", "?.")
+
+ if currIf == "" {
+ // if there is not a previous if we add a value sanity check
+ currIf = fmt.Sprintf("ctx?.%s != null", val)
+ }
+
+ newIf := fmt.Sprintf("%s && ((ctx?.%s instanceof List && !ctx?.%s.contains(ctx?.%s)) || ctx?.%s != ctx?.%s)", currIf, field, field, val, field, val)
+
+ logp.Debug("modules", "In pipeline %q adding if %s to replace 'allow_duplicates: false' in append processor", pipelineID, newIf)
+ options["if"] = newIf
+ }
+ }
+ return nil
+}
diff --git a/filebeat/fileset/pipelines_test.go b/filebeat/fileset/pipelines_test.go
index 65a10212b6ba..7c617034f107 100644
--- a/filebeat/fileset/pipelines_test.go
+++ b/filebeat/fileset/pipelines_test.go
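Review bot: The rewrite assumes `value` is always a `{{field}}` template: after `TrimLeft`/`TrimRight` strip the braces, a literal value such as `value: "static"` (constructed example) becomes `ctx?.static != null`, which is false whenever no such field exists, so on ES < 7.10 an `append` with `allow_duplicates: false` and a literal value would never run, while the same pipeline on 7.10+ appends normally. Guarding the rewrite with `if !strings.HasPrefix(val, "{{") || !strings.HasSuffix(val, "}}") { continue }` right after the `value` type assertion would leave such processors with plain append semantics (the option has already been deleted at that point), which is the safer degradation. The `strings.Contains(strings.ToLower(currIf), "contains")` test is also a substring match on the whole condition, so any existing `if` that mentions a field whose name includes "contains" is skipped; either a comment stating the heuristic is intentional or a check for `.contains(` specifically would make that explicit.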
@@ -392,3 +392,205 @@ func TestModifySetProcessor(t *testing.T) { }) } } + +func TestModifyAppendProcessor(t *testing.T) { + cases := []struct { + name string + esVersion *common.Version + content map[string]interface{} + expected map[string]interface{} + isErrExpected bool + }{ + { + name: "ES < 7.10.0: set to true", + esVersion: common.MustNewVersion("7.9.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": true, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: set to false", + esVersion: common.MustNewVersion("7.9.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "ctx?.host?.hostname != null && ((ctx?.related?.hosts instanceof List && !ctx?.related?.hosts.contains(ctx?.host?.hostname)) || ctx?.related?.hosts != ctx?.host?.hostname)", + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES == 7.10.0", + esVersion: common.MustNewVersion("7.10.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": 
map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES > 7.10.0", + esVersion: common.MustNewVersion("8.0.0"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + }, + }, + }, + }, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: existing if", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + "if": "ctx?.host?.hostname != null", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "ctx?.host?.hostname != null && ((ctx?.related?.hosts instanceof List && !ctx?.related?.hosts.contains(ctx?.host?.hostname)) || ctx?.related?.hosts != ctx?.host?.hostname)", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: existing if with contains", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "allow_duplicates": false, + "if": "!ctx?.related?.hosts.contains(ctx?.host?.hostname)", + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + 
"append": map[string]interface{}{ + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "!ctx?.related?.hosts.contains(ctx?.host?.hostname)", + }, + }, + }}, + isErrExpected: false, + }, + { + name: "ES < 7.10.0: no value", + esVersion: common.MustNewVersion("7.7.7"), + content: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + "allow_duplicates": false, + }, + }, + }}, + expected: map[string]interface{}{ + "processors": []interface{}{ + map[string]interface{}{ + "append": map[string]interface{}{ + "field": "related.hosts", + }, + }, + }}, + isErrExpected: false, + }, + } + + for _, test := range cases { + test := test + t.Run(test.name, func(t *testing.T) { + t.Parallel() + err := modifyAppendProcessor(*test.esVersion, "foo-pipeline", test.content) + if test.isErrExpected { + assert.Error(t, err) + } else { + assert.NoError(t, err) + assert.Equal(t, test.expected, test.content, test.name) + } + }) + } +} diff --git a/filebeat/module/logstash/_meta/docs.asciidoc b/filebeat/module/logstash/_meta/docs.asciidoc index 8f4e0d33a3c7..4fe73d8681ae 100644 --- a/filebeat/module/logstash/_meta/docs.asciidoc +++ b/filebeat/module/logstash/_meta/docs.asciidoc @@ -81,7 +81,8 @@ image::./images/kibana-logstash-slowlog.png[] [float] === Known issues -When using the `log` fileset to parse plaintext logs, if a multiline plaintext log contains an embedded JSON objct such that + +When using the `log` fileset to parse plaintext logs, if a multiline plaintext log contains an embedded JSON object such that the JSON object starts on a new line, the fileset may not parse the multiline plaintext log event correctly. :has-dashboards!: diff --git a/filebeat/module/nginx/_meta/docs.asciidoc b/filebeat/module/nginx/_meta/docs.asciidoc index e365dd079d8d..e5d0ff17f955 100644 --- a/filebeat/module/nginx/_meta/docs.asciidoc +++ b/filebeat/module/nginx/_meta/docs.asciidoc 
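Review bot: `isErrExpected` is false in every case, so the `assert.Error` branch of the runner is never exercised and the only error path in `modifyAppendProcessor` (a `processors` value that is not a list) stays untested. The case below would cover it; a further case with a literal, non-template `value` would also pin down what the generated `if` is meant to look like for that input, which the current table leaves undefined.
```go
// … unchanged: existing cases …
{
	name:          "ES < 7.10.0: processors is not a list",
	esVersion:     common.MustNewVersion("7.9.0"),
	content:       map[string]interface{}{"processors": "not-a-list"},
	isErrExpected: true,
},
```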
@@ -23,7 +23,7 @@ The Nginx module was tested with logs from version 1.10. On Windows, the module was tested with Nginx installed from the Chocolatey repository. -`ingress_controller` fileset was tested with version 0.28.0 of `nginx-ingress-controller`. +`ingress_controller` fileset was tested with version v0.28.0 and v0.34.1 of `nginx-ingress-controller`. include::../include/configuring-intro.asciidoc[] diff --git a/filebeat/module/osquery/result/config/result.yml b/filebeat/module/osquery/result/config/result.yml index f35881687e8e..1d6d2e0d042d 100644 --- a/filebeat/module/osquery/result/config/result.yml +++ b/filebeat/module/osquery/result/config/result.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/osquery/result/ingest/pipeline.json b/filebeat/module/osquery/result/ingest/pipeline.json index c14b9664d1e6..2a0329133fa3 100644 --- a/filebeat/module/osquery/result/ingest/pipeline.json +++ b/filebeat/module/osquery/result/ingest/pipeline.json @@ -206,6 +206,14 @@ "value": "{{osquery.result.name}}", "ignore_empty_value": true } + }, + { + "append": { + "field": "related.hosts", + "value": "{{host.hostname}}", + "if": "ctx?.host?.hostname != null && ctx.host?.hostname != ''", + "allow_duplicates": false + } } ], "on_failure" : [{ diff --git a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json index bedd286615d9..953a63b299c0 100644 --- a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json +++ b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json @@ -29,6 +29,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
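Review bot: The new condition mixes null-safe and plain access on the same path: `"if": "ctx?.host?.hostname != null && ctx.host?.hostname != ''"`. The mix is harmless in practice, but the second clause should read `ctx?.host?.hostname != ''` so both halves follow the same convention and the line is not misread as deliberately different. Since this condition does not contain `contains`, the `allow_duplicates: false` option added here will be rewritten into an extended `if` by `modifyAppendProcessor` on clusters older than 7.10, which appears to be the intended path for this processor.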
@@ -66,6 +69,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -103,6 +109,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -140,6 +149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -177,6 +189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -214,6 +229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -251,6 +269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -288,6 +309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -325,6 +349,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -362,6 +389,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -399,6 +429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -436,6 +469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -473,6 +509,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -510,6 +549,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -547,6 +589,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -584,6 +629,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -621,6 +669,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -658,6 +709,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -695,6 +749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -732,6 +789,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -769,6 +829,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -806,6 +869,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -843,6 +909,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -880,6 +949,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -917,6 +989,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -954,6 +1029,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -991,6 +1069,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1028,6 +1109,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1065,6 +1149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1102,6 +1189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1139,6 +1229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1176,6 +1269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1213,6 +1309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1250,6 +1349,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1287,6 +1389,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1324,6 +1429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1361,6 +1469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1398,6 +1509,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1435,6 +1549,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1472,6 +1589,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1509,6 +1629,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1546,6 +1669,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1583,6 +1709,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1620,6 +1749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1657,6 +1789,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1694,6 +1829,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1731,6 +1869,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1768,6 +1909,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1805,6 +1949,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1842,6 +1989,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1879,6 +2029,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1916,6 +2069,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1953,6 +2109,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1990,6 +2149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2027,6 +2189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2064,6 +2229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2101,6 +2269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2138,6 +2309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2195,6 +2369,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_slapper_installed", "osquery.result.unix_time": "1515431189", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2252,6 +2429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_adore_worm", "osquery.result.unix_time": "1515431988", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], diff --git a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json index bc722ee249f8..5a8083a37e28 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json @@ -22,6 +22,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "org.python.python.app", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -52,6 +55,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.ruby", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -82,6 +88,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.a2p", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -112,6 +121,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.javajdk16.cmd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -142,6 +154,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.php", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -172,6 +187,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.nc", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -202,6 +220,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.ksh", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -234,6 +255,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "httpd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -266,6 +290,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "cupsd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -298,6 +325,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AEServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -330,6 +360,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "ftpd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -362,6 +395,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AppleFileServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -394,6 +430,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "sshd-keygen-wrapper", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -426,6 +465,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "smbd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -458,6 +500,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AppleVNCServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -490,6 +535,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "ODSAgent", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -544,6 +592,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -599,6 +650,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -653,6 +707,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -707,6 +764,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -761,6 +821,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -815,6 +878,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -869,6 +935,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -923,6 +992,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -977,6 +1049,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1031,6 +1106,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1085,6 +1163,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1139,6 +1220,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1193,6 +1277,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1226,6 +1313,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1258,6 +1348,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1290,6 +1383,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1322,6 +1418,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1354,6 +1453,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1386,6 +1488,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1418,6 +1523,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1450,6 +1558,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1482,6 +1593,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1514,6 +1628,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1546,6 +1663,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1578,6 +1698,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1610,6 +1733,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1642,6 +1768,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1674,6 +1803,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1706,6 +1838,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1738,6 +1873,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1770,6 +1908,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1802,6 +1943,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1834,6 +1978,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1866,6 +2013,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1898,6 +2048,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1930,6 +2083,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1962,6 +2118,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1994,6 +2153,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2026,6 +2188,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2058,6 +2223,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2090,6 +2258,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2122,6 +2293,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2154,6 +2328,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2186,6 +2363,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2218,6 +2398,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2250,6 +2433,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2282,6 +2468,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2314,6 +2503,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2346,6 +2538,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2378,6 +2573,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2410,6 +2608,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2442,6 +2643,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2474,6 +2678,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2506,6 +2713,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2538,6 +2748,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2570,6 +2783,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2602,6 +2818,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2634,6 +2853,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2666,6 +2888,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2698,6 +2923,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2730,6 +2958,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2762,6 +2993,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2794,6 +3028,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2826,6 +3063,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2858,6 +3098,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2890,6 +3133,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2922,6 +3168,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2954,6 +3203,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2986,6 +3238,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3018,6 +3273,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3050,6 +3308,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3082,6 +3343,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3114,6 +3378,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -3146,6 +3413,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3178,6 +3448,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3210,6 +3483,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3242,6 +3518,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3274,6 +3553,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3306,6 +3588,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3338,6 +3623,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -3370,6 +3658,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3402,6 +3693,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3434,6 +3728,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3466,6 +3763,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], diff --git a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json index c339f8183fd7..0f9afe755c12 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json @@ -26,6 +26,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "system_info", "osquery.result.unix_time": "1512649280", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -60,6 +63,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -94,6 +100,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -128,6 +137,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -162,6 +174,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -196,6 +211,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -230,6 +248,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -264,6 +285,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -298,6 +322,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -332,6 +359,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -366,6 +396,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -400,6 +433,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -434,6 +470,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -468,6 +507,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -502,6 +544,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -536,6 +581,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -570,6 +618,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -604,6 +655,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -638,6 +692,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -672,6 +729,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -706,6 +766,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -740,6 +803,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -774,6 +840,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -808,6 +877,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -842,6 +914,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -876,6 +951,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -910,6 +988,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -944,6 +1025,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -978,6 +1062,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1012,6 +1099,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1046,6 +1136,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1080,6 +1173,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1114,6 +1210,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1148,6 +1247,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1182,6 +1284,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1216,6 +1321,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1250,6 +1358,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1284,6 +1395,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1318,6 +1432,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1352,6 +1469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1386,6 +1506,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1420,6 +1543,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1454,6 +1580,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1488,6 +1617,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1522,6 +1654,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1556,6 +1691,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1590,6 +1728,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1624,6 +1765,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1658,6 +1802,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1692,6 +1839,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1726,6 +1876,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1760,6 +1913,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1794,6 +1950,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1828,6 +1987,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1862,6 +2024,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1896,6 +2061,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1930,6 +2098,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1964,6 +2135,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1998,6 +2172,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2032,6 +2209,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2066,6 +2246,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2100,6 +2283,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2134,6 +2320,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2168,6 +2357,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2202,6 +2394,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2236,6 +2431,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2270,6 +2468,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2304,6 +2505,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2341,6 +2545,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_os_version", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2394,6 +2601,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_osquery_info", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2428,6 +2638,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2462,6 +2675,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2496,6 +2712,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2530,6 +2749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2564,6 +2786,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2598,6 +2823,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2632,6 +2860,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2666,6 +2897,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2700,6 +2934,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2734,6 +2971,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2768,6 +3008,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2805,6 +3048,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_os_version", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2858,6 +3104,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_osquery_info", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2899,6 +3148,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2940,6 +3192,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2981,6 +3236,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3022,6 +3280,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3063,6 +3324,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3104,6 +3368,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3145,6 +3412,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -3186,6 +3456,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3227,6 +3500,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3268,6 +3544,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3309,6 +3588,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3350,6 +3632,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3391,6 +3676,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3432,6 +3720,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3473,6 +3764,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -3514,6 +3808,9 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.hosts": [
+ "ubuntu-xenial"
+ ],
 "related.user": [
 "ubuntu"
 ],
@@ -3555,6 +3852,9 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1512669441",
+ "related.hosts": [
+ "ubuntu-xenial"
+ ],
 "related.user": [
 "ubuntu"
 ],
diff --git a/filebeat/module/osquery/result/test/test.log-expected.json b/filebeat/module/osquery/result/test/test.log-expected.json
index 37a56ff8f13b..4f7d0589a044 100644
--- a/filebeat/module/osquery/result/test/test.log-expected.json
+++ b/filebeat/module/osquery/result/test/test.log-expected.json
@@ -33,6 +33,9 @@
 "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro",
 "osquery.result.name": "pack_it-compliance_mounts",
 "osquery.result.unix_time": "1514472008",
+ "related.hosts": [
+ "192-168-0-4.rdsnet.ro"
+ ],
 "related.user": [
 "tsg"
 ],
diff --git a/filebeat/module/system/auth/config/auth.yml b/filebeat/module/system/auth/config/auth.yml
index 3cdbd459e68f..13f8c95656df 100644
--- a/filebeat/module/system/auth/config/auth.yml
+++ b/filebeat/module/system/auth/config/auth.yml
@@ -12,4 +12,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml
index a958855936a9..54ab0dbf8f5d 100644
--- a/filebeat/module/system/auth/ingest/pipeline.yml
+++ b/filebeat/module/system/auth/ingest/pipeline.yml
@@ -142,6 +142,11 @@ processors:
 field: related.ip
 value: "{{source.ip}}"
 if: "ctx?.source?.ip != null"
+- append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: "ctx.host?.hostname != null && ctx.host?.hostname != ''"
+ allow_duplicates: false
 on_failure:
 - set:
 field: error.message
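Review bot: The new append processor in pipeline.yml guards on `ctx.host?.hostname` while the sibling append for `related.ip` three lines above guards on `ctx?.source?.ip`, so two adjacent processors use different null-safety styles; both evaluate the same in Painless because `ctx` is never null, but the file should settle on one, e.g. `if: "ctx?.host?.hostname != null && ctx.host.hostname != ''"`. A short comment above the block would also let the next maintainer connect it to the `ecs.version: 1.6.0` bump in `config/auth.yml`, for example `# related.hosts (ECS 1.6.0): hostname of the system that wrote the line, kept for host-centric correlation`. If, as the `precise32` values in the updated auth fixtures suggest, `host.hostname` here is parsed from the syslog header rather than set by the collecting agent, the comment should say so, because that value is then ordinary log content from the remote writer and should not be read as an authenticated identity of the log source. The enclosing `processors` list starts outside the hunk.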
diff --git a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json index 74654cb6dc17..cff887d76e88 100644 --- a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json +++ b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json @@ -11,6 +11,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -23,6 +26,9 @@ "input.type": "log", "log.offset": 81, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -44,6 +50,9 @@ "log.offset": 464, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -57,6 +66,9 @@ "log.offset": 570, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -71,6 +83,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -83,6 +98,9 @@ "input.type": "log", "log.offset": 736, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -104,6 +122,9 @@ "log.offset": 1121, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -117,6 +138,9 @@ "log.offset": 1227, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -131,6 +155,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -143,6 +170,9 @@ "input.type": "log", "log.offset": 1393, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -164,6 +194,9 @@ "log.offset": 1776, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -177,6 +210,9 @@ "log.offset": 1882, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -191,6 +227,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -203,6 +242,9 @@ "input.type": "log", "log.offset": 2048, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -224,6 +266,9 @@ "log.offset": 2426, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -237,6 +282,9 @@ "log.offset": 2532, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -251,6 +299,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -263,6 +314,9 @@ "input.type": "log", "log.offset": 2698, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], 
@@ -284,6 +338,9 @@ "log.offset": 3083, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -297,6 +354,9 @@ "log.offset": 3189, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -311,6 +371,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -336,6 +399,9 @@ "input.type": "log", "log.offset": 3414, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -357,6 +423,9 @@ "log.offset": 3977, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -370,6 +439,9 @@ "log.offset": 4083, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -384,6 +456,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -396,6 +471,9 @@ "input.type": "log", "log.offset": 4249, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -417,6 +495,9 @@ "log.offset": 4632, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -430,6 +511,9 @@ "log.offset": 4738, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -444,6 +528,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -456,6 +543,9 @@ "input.type": "log", "log.offset": 4904, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -477,6 +567,9 @@ "log.offset": 5289, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -490,6 +583,9 @@ "log.offset": 5395, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -504,6 +600,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -516,6 +615,9 @@ "input.type": "log", "log.offset": 5561, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -537,6 +639,9 @@ "log.offset": 5942, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -550,6 +655,9 @@ "log.offset": 6048, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -564,6 +672,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -576,6 +687,9 @@ "input.type": "log", "log.offset": 6214, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], 
@@ -597,6 +711,9 @@ "log.offset": 6597, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -610,6 +727,9 @@ "log.offset": 6703, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -624,6 +744,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -636,6 +759,9 @@ "input.type": "log", "log.offset": 6869, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -657,6 +783,9 @@ "log.offset": 7254, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -670,6 +799,9 @@ "log.offset": 7360, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -684,6 +816,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -696,6 +831,9 @@ "input.type": "log", "log.offset": 7526, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -717,6 +855,9 @@ "log.offset": 7911, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -730,6 +871,9 @@ "log.offset": 8017, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -744,6 +888,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -756,6 +903,9 @@ "input.type": "log", "log.offset": 8183, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -777,6 +927,9 @@ "log.offset": 8564, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -790,6 +943,9 @@ "log.offset": 8670, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -804,6 +960,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -816,6 +975,9 @@ "input.type": "log", "log.offset": 8836, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -837,6 +999,9 @@ "log.offset": 9215, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -850,6 +1015,9 @@ "log.offset": 9321, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -864,6 +1032,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -876,6 +1047,9 @@ "input.type": "log", "log.offset": 9487, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], 
@@ -897,6 +1071,9 @@ "log.offset": 9869, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -910,6 +1087,9 @@ "log.offset": 9975, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -922,6 +1102,9 @@ "input.type": "log", "log.offset": 10060, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -943,6 +1126,9 @@ "log.offset": 11099, "message": " vagrant : (command continued) '/etc/metricbeat/metricbeat.yml)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -956,6 +1142,9 @@ "log.offset": 11195, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -969,6 +1158,9 @@ "log.offset": 11301, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -983,6 +1175,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -997,6 +1192,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1009,6 +1207,9 @@ "input.type": "log", "log.offset": 11548, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1030,6 +1231,9 @@ "log.offset": 11928, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -1043,6 +1247,9 @@ "log.offset": 12034, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1057,6 +1264,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1069,6 +1279,9 @@ "input.type": "log", "log.offset": 12200, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1090,6 +1303,9 @@ "log.offset": 12583, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1103,6 +1319,9 @@ "log.offset": 12689, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1117,6 +1336,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1129,6 +1351,9 @@ "input.type": "log", "log.offset": 12855, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1150,6 +1375,9 @@ "log.offset": 13241, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1163,6 +1391,9 @@ "log.offset": 13347, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1177,6 +1408,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -1189,6 +1423,9 @@ "input.type": "log", "log.offset": 13513, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1210,6 +1447,9 @@ "log.offset": 13898, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1223,6 +1463,9 @@ "log.offset": 14004, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1237,6 +1480,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1249,6 +1495,9 @@ "input.type": "log", "log.offset": 14170, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1270,6 +1519,9 @@ "log.offset": 14549, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1283,6 +1535,9 @@ "log.offset": 14655, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1297,6 +1552,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1309,6 +1567,9 @@ "input.type": "log", "log.offset": 14821, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1330,6 +1591,9 @@ "log.offset": 15203, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -1343,6 +1607,9 @@ "log.offset": 15309, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1357,6 +1624,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1369,6 +1639,9 @@ "input.type": "log", "log.offset": 15475, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1390,6 +1663,9 @@ "log.offset": 15860, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1403,6 +1679,9 @@ "log.offset": 15966, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1417,6 +1696,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1429,6 +1711,9 @@ "input.type": "log", "log.offset": 16132, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1450,6 +1735,9 @@ "log.offset": 16517, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1463,6 +1751,9 @@ "log.offset": 16623, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1477,6 +1768,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -1489,6 +1783,9 @@ "input.type": "log", "log.offset": 16789, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json index 5242ff398d96..7d8ece1d7f24 100644 --- a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json +++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json @@ -19,6 +19,9 @@ "log.offset": 0, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -52,6 +55,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -74,6 +80,9 @@ "log.offset": 209, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -107,6 +116,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -129,6 +141,9 @@ "log.offset": 418, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -162,6 +177,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -176,6 +194,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -190,6 +211,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -204,6 +228,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -218,6 +245,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -240,6 +270,9 @@ "log.offset": 1105, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -273,6 +306,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -295,6 +331,9 @@ "log.offset": 1314, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -328,6 +367,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -350,6 +392,9 @@ "log.offset": 1523, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -383,6 +428,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -405,6 +453,9 @@ "log.offset": 1732, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -438,6 +489,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -460,6 +514,9 @@ "log.offset": 1941, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -493,6 +550,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -507,6 +567,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -521,6 +584,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -535,6 +601,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -549,6 +618,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -563,6 +635,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -577,6 +652,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -599,6 +677,9 @@ "log.offset": 2889, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -632,6 +713,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -654,6 +738,9 @@ "log.offset": 3098, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -687,6 +774,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -709,6 +799,9 @@ "log.offset": 3306, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -742,6 +835,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -764,6 +860,9 @@ "log.offset": 3515, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -797,6 +896,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -819,6 +921,9 @@ "log.offset": 3723, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], 
@@ -852,6 +957,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -874,6 +982,9 @@ "log.offset": 3932, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -907,6 +1018,9 @@ "message": "Received disconnect from 116.31.116.27: 11: [preauth]", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -921,6 +1035,9 @@ "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -943,6 +1060,9 @@ "log.offset": 4259, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -976,6 +1096,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -998,6 +1121,9 @@ "log.offset": 4468, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1031,6 +1157,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1045,6 +1174,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -1059,6 +1191,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1073,6 +1208,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1087,6 +1225,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1109,6 +1250,9 @@ "log.offset": 5155, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1142,6 +1286,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1164,6 +1311,9 @@ "log.offset": 5364, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1197,6 +1347,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1219,6 +1372,9 @@ "log.offset": 5573, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1252,6 +1408,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -1274,6 +1433,9 @@ "log.offset": 5782, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1307,6 +1469,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1329,6 +1494,9 @@ "log.offset": 5991, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1362,6 +1530,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1376,6 +1547,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1390,6 +1564,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1404,6 +1581,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1418,6 +1598,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1440,6 +1623,9 @@ "log.offset": 6678, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], 
@@ -1473,6 +1659,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1495,6 +1684,9 @@ "log.offset": 6887, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1528,6 +1720,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1550,6 +1745,9 @@ "log.offset": 7096, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1583,6 +1781,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1605,6 +1806,9 @@ "log.offset": 7305, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1638,6 +1842,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1660,6 +1867,9 @@ "log.offset": 7514, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1693,6 +1903,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -1707,6 +1920,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1721,6 +1937,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1735,6 +1954,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1749,6 +1971,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1771,6 +1996,9 @@ "log.offset": 8199, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -1804,6 +2032,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1826,6 +2057,9 @@ "log.offset": 8407, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -1859,6 +2093,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1881,6 +2118,9 @@ "log.offset": 8615, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], 
@@ -1914,6 +2154,9 @@ "message": "Received disconnect from 116.31.116.27: 11: [preauth]", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1928,6 +2171,9 @@ "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1942,6 +2188,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1956,6 +2205,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1978,6 +2230,9 @@ "log.offset": 9205, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2011,6 +2266,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2033,6 +2291,9 @@ "log.offset": 9414, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2066,6 +2327,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2088,6 +2352,9 @@ "log.offset": 9623, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], 
@@ -2121,6 +2388,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2143,6 +2413,9 @@ "log.offset": 9832, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2176,6 +2449,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2198,6 +2474,9 @@ "log.offset": 10041, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2231,6 +2510,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2245,6 +2527,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2259,6 +2544,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2273,6 +2561,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2287,6 +2578,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -2309,6 +2603,9 @@ "log.offset": 10728, "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2342,6 +2639,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index 0203b1a1f3bc..88d32188bb7c 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json @@ -19,6 +19,9 @@ "log.offset": 0, "process.name": "sshd", "process.pid": 3402, + "related.hosts": [ + "localhost" + ], "related.ip": [ "10.0.2.2" ], @@ -53,6 +56,9 @@ "log.offset": 152, "process.name": "sshd", "process.pid": 7483, + "related.hosts": [ + "localhost" + ], "related.ip": [ "192.168.33.1" ], @@ -86,6 +92,9 @@ "log.offset": 254, "process.name": "sshd", "process.pid": 3430, + "related.hosts": [ + "localhost" + ], "related.ip": [ "10.0.2.2" ], @@ -117,6 +126,9 @@ "log.offset": 324, "process.name": "sshd", "process.pid": 5774, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.24" ], @@ -148,6 +160,9 @@ "input.type": "log", "log.offset": 420, "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "related.user": [ "vagrant" ], @@ -169,6 +184,9 @@ "log.offset": 522, "process.name": "sshd", "process.pid": 18406, + "related.hosts": [ + "slave22" + ], "related.ip": [ "123.57.245.163" ], @@ -195,6 +213,9 @@ "input.type": "log", "log.offset": 617, "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "related.user": [ "vagrant" ], @@ -215,6 +236,9 @@ "input.type": "log", "log.offset": 736, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "tsg" ], 
@@ -247,6 +271,9 @@
 "log.offset": 861,
 "process.name": "groupadd",
 "process.pid": 6991,
+ "related.hosts": [
+ "localhost"
+ ],
 "service.type": "system"
 },
 {
@@ -269,6 +296,9 @@
 "log.offset": 934,
 "process.name": "useradd",
 "process.pid": 6995,
+ "related.hosts": [
+ "localhost"
+ ],
 "related.user": [
 "apache"
 ],
diff --git a/filebeat/module/system/auth/test/timestamp.log-expected.json b/filebeat/module/system/auth/test/timestamp.log-expected.json
index 8903b63e89e1..4d428b4d1cce 100644
--- a/filebeat/module/system/auth/test/timestamp.log-expected.json
+++ b/filebeat/module/system/auth/test/timestamp.log-expected.json
@@ -12,6 +12,9 @@
 "log.offset": 0,
 "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)",
 "process.name": "sudo",
+ "related.hosts": [
+ "localhost"
+ ],
 "service.type": "system"
 },
 {
@@ -27,6 +30,9 @@
 "log.offset": 118,
 "message": "user nobody logged out.",
 "process.name": "pam",
+ "related.hosts": [
+ "localhost"
+ ],
 "service.type": "system"
 }
 ]
\ No newline at end of file
diff --git a/filebeat/module/system/syslog/config/syslog.yml b/filebeat/module/system/syslog/config/syslog.yml
index 3cdbd459e68f..13f8c95656df 100644
--- a/filebeat/module/system/syslog/config/syslog.yml
+++ b/filebeat/module/system/syslog/config/syslog.yml
@@ -12,4 +12,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/filebeat/module/system/syslog/ingest/pipeline.yml b/filebeat/module/system/syslog/ingest/pipeline.yml
index e45cacec6b6b..b1352f2ad620 100644
--- a/filebeat/module/system/syslog/ingest/pipeline.yml
+++ b/filebeat/module/system/syslog/ingest/pipeline.yml
@@ -54,6 +54,11 @@ processors:
 - set:
 field: event.kind
 value: event
+- append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: "ctx.host?.hostname != null && ctx.host?.hostname != ''"
+ allow_duplicates: false
 on_failure:
 - set:
 field: error.message
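Review bot: The new `append` processor in pipeline.yml carries no comment saying where the value placed in `related.hosts` comes from, and the expected fixtures in this commit (`slave22`, `precise32`, `a-mac-with-esc-key`) suggest it is the hostname carried in the syslog line itself rather than the collector's host, which matters to anyone pivoting on `related.hosts` because that value is self-reported by whatever wrote the log. I would add above `- append:` a comment such as `# related.hosts: hostname as parsed from the log line (host.hostname), not a verified host identity` and, since `ecs.version` is bumped to 1.6.0 in the same commit, `# related.hosts requires ECS 1.6+`. The `if` guard only covers null and empty string; if `host.hostname` can be non-scalar after the parsing stage (not visible here), the mustache rendering of `{{host.hostname}}` would be appended as-is, so that is worth confirming. The auth module fixtures earlier in this diff imply the same processor was added to the auth pipeline, whose hunk is outside this chunk.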
diff --git a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json index 7fd9929cf9ec..a5957f19b948 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json @@ -14,6 +14,9 @@ "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -28,6 +31,9 @@ "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { diff --git a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json index f1abb5047d51..6f12a7a5656c 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json 
@@ -11,6 +11,9 @@ "message": "2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -28,6 +31,9 @@ "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -42,6 +48,9 @@ "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -56,6 +65,9 @@ "message": "2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s).", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -73,6 +85,9 @@ "message": "2016-12-13 11:35:28.428 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction starting update check for ticket(s): {(\n\t\t\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-06-25 15:40:23\n\t\t\ttagPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\ttagKey=KSChannelID\n\t\t\tbrandPath=/Users/tsg/Library/Google/Google Chrome Brand.plist\n\t\t\tbrandKey=KSBrandID\n\t\t\tversionPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\tversionKey=KSVersion\n\t\t\tcohort=1:1y5:gy3@0.05\n\t\t\tcohortName=Stable\n\t\t\tticketVersion=1\n\t\t>,\n\t\t\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-09-11 20:38:12\n\t\t\tticketVersion=1\n\t\t>\n\t)}\n\tUsing server: \n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -87,6 +102,9 @@ "message": "2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Chrome.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.Chrome\")'", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -101,6 +119,9 @@ "message": "2016-12-13 11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.GoogleDrive\")'", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -118,6 +139,9 @@ "message": "2016-12-13 11:35:30.115 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction running KSServerUpdateRequest: \n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"\n\t\tfallbackURLs=(\n\t\t\thttp://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1617080069\n\t\t)\n\t\trunningFetchers=0\n\t\ttickets=2\n\t\tbody=\n\t\t\t\n\t\t\t\n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t\n\t\theaders={\n\t\t\t\"X-GoogleUpdate-Interactivity\" = bg;\n\t\t}\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -132,6 +156,9 @@ "message": "2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -146,6 +173,9 @@ "message": "2016-12-13 11:35:30.117 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -160,6 +190,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending both request and download file location to the helper.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -174,6 +207,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -188,6 +224,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -202,6 +241,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -216,6 +258,9 @@ "message": "2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] KSHelperReceiveAllData() KSHelperTool read 2383 bytes from stdin.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -230,6 +275,9 @@ "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -244,6 +292,9 @@ "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -258,6 +309,9 @@ "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL ( { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }) to folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -272,6 +326,9 @@ "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Setting up download file handles...", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -286,6 +343,9 @@ "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -300,6 +360,9 @@ "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -314,6 +377,9 @@ "message": "2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -331,6 +397,9 @@ "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperErrorAvailable:] KSOutOfProcessFetcher helper tool raw STDERR:\n\t:\t<>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -345,6 +414,9 @@ "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -362,6 +434,9 @@ "message": "2016-12-13 11:35:30.355 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(KSServerUpdateRequestDelegate) serverRequest:fetchedWithResponse:] KSUpdateCheckAction received KSServerUpdateResponse: \n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"\n\t\ttickets=2\n\t\tstatus=200\n\t\tdata=\n\t\t\t\n\t\t\t\n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -376,6 +451,9 @@ "message": "2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -390,6 +468,9 @@ "message": "2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )}", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -404,6 +485,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -418,6 +502,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -432,6 +519,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -446,6 +536,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -460,6 +553,9 @@ "message": "2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -477,6 +573,9 @@ "message": "2016-12-13 11:35:31.142 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Done checking for updates for '\"All Products\"' using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=\n\t\tserverInfoStore=\n\t\terrors=0\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -491,6 +590,9 @@ "message": "2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to { URL: https://tools.google.com/service/update2 }", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -508,6 +610,9 @@ "message": "2016-12-13 11:35:31.431 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp uploadStats:] Successfully uploaded stats ", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -522,6 +627,9 @@ "message": "2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -536,6 +644,9 @@ "message": "2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -550,6 +661,9 @@ "message": "objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -564,6 +678,9 @@ "message": "objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -577,6 +694,9 @@ "log.offset": 15501, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21498])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -591,6 +711,9 @@ "message": "objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -605,6 +728,9 @@ "message": "objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -619,6 +745,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -632,6 +761,9 @@ "log.offset": 16312, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21556])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -645,6 +777,9 @@ "log.offset": 16527, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -659,6 +794,9 @@ "message": "objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -672,6 +810,9 @@ "log.offset": 16952, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21581])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -686,6 +827,9 @@ "message": "objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -700,6 +844,9 @@ "message": "objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -713,6 +860,9 @@ "log.offset": 17693, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21586])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -727,6 +877,9 @@ "message": "objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -741,6 +894,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -755,6 +911,9 @@ "message": "objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -768,6 +927,9 @@ "log.offset": 18504, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21589])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -782,6 +944,9 @@ "message": "objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -795,6 +960,9 @@ "log.offset": 18982, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -809,6 +977,9 @@ "message": "objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -822,6 +993,9 @@ "log.offset": 19407, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21946])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -836,6 +1010,9 @@ "message": "objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -850,6 +1027,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -864,6 +1044,9 @@ "message": "Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -877,6 +1060,9 @@ "log.offset": 20078, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21966])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -891,6 +1077,9 @@ "message": "objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -904,6 +1093,9 @@ "log.offset": 20556, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21981])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -918,6 +1110,9 @@ "message": "objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -932,6 +1127,9 @@ "message": "objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -946,6 +1144,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -959,6 +1160,9 @@ "log.offset": 21367, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22226])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -973,6 +1177,9 @@ "message": "objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -987,6 +1194,9 @@ "message": "objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1000,6 +1210,9 @@ "log.offset": 22108, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22241])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1014,6 +1227,9 @@ "message": "objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1028,6 +1244,9 @@ "message": "objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1041,6 +1260,9 @@ "log.offset": 22849, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22254])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1055,6 +1277,9 @@ "message": "objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1069,6 +1294,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1082,6 +1310,9 @@ "log.offset": 23397, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1096,6 +1327,9 @@ "message": "objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1109,6 +1343,9 @@ "log.offset": 23822, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22265])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1123,6 +1360,9 @@ "message": "Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1136,6 +1376,9 @@ "log.offset": 24160, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22292])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1150,6 +1393,9 @@ "message": "Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1164,6 +1410,9 @@ "message": "objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1178,6 +1427,9 @@ "message": "objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1192,6 +1444,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1205,6 +1460,9 @@ "log.offset": 25094, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22305])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1219,6 +1477,9 @@ "message": "objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1233,6 +1494,9 @@ "message": "2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: ", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 22318, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1246,6 +1510,9 @@ "log.offset": 26456, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22324])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1260,6 +1527,9 @@ "message": "objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1274,6 +1544,9 @@ "message": "Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1287,6 +1560,9 @@ "log.offset": 27057, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1301,6 +1577,9 @@ "message": "Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1314,6 +1593,9 @@ "log.offset": 27342, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22336])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1328,6 +1610,9 @@ "message": "objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1342,6 +1627,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1356,6 +1644,9 @@ "message": "objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1369,6 +1660,9 @@ "log.offset": 28153, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22348])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1383,6 +1677,9 @@ "message": "objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1397,6 +1694,9 @@ "message": "objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json index 48cbc44161b3..4090efed2e73 100644 --- a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json 
@@ -11,6 +11,9 @@ "message": "Stopped target Basic System.", "process.name": "systemd", "process.pid": 4179, + "related.hosts": [ + "linux-sqrz" + ], "service.type": "system" }, { @@ -25,6 +28,9 @@ "message": "Stopped target Paths.", "process.name": "systemd", "process.pid": 4179, + "related.hosts": [ + "linux-sqrz" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/syslog/test/tz-offset.log-expected.json b/filebeat/module/system/syslog/test/tz-offset.log-expected.json index 2dfd146dedc0..905d8cfd95d9 100644 --- a/filebeat/module/system/syslog/test/tz-offset.log-expected.json +++ b/filebeat/module/system/syslog/test/tz-offset.log-expected.json @@ -13,6 +13,9 @@ "message": "shutting down for system halt", "process.name": "shutdown", "process.pid": 2649, + "related.hosts": [ + "rmbkmonitor04" + ], "service.type": "system" }, { @@ -28,6 +31,9 @@ "log.offset": 89, "message": "constraint_0_power_limit_uw exceeded.", "process.name": "thermald", + "related.hosts": [ + "rmbkmonitor04" + ], "service.type": "system" }, { @@ -43,6 +49,9 @@ "log.offset": 184, "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)", "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/libbeat/docs/communitybeats.asciidoc b/libbeat/docs/communitybeats.asciidoc index c2ff8f5ec145..9fc12e4be96b 100644 --- a/libbeat/docs/communitybeats.asciidoc +++ b/libbeat/docs/communitybeats.asciidoc 
@@ -91,7 +91,8 @@ https://github.com/aristanetworks/openconfigbeat[openconfigbeat]:: Streams data https://github.com/radoondas/owmbeat[owmbeat]:: Open Weather Map beat to pull weather data from all around the world and store and visualize them in Elastic Stack https://github.com/joehillen/packagebeat[packagebeat]:: Collects information about system packages from package managers. -https://github.com/WuerthIT/perfstatbeat[perfstatbeat]:: Collect performance metrics on the AIX operating system. +https://github.com/WuerthIT/perfstatbeat[perfstatbeat]:: Collects performance metrics on the AIX operating system. +https://github.com/stric-co/phishbeat[phishbeat]:: Monitors Certificate Transparency logs for phishing and defamatory domains. https://github.com/kozlice/phpfpmbeat[phpfpmbeat]:: Reads status from PHP-FPM. https://github.com/joshuar/pingbeat[pingbeat]:: Sends ICMP pings to a list of targets and stores the round trip time (RTT) in Elasticsearch. diff --git a/libbeat/docs/tab-widgets/start-widget-filebeat.asciidoc b/libbeat/docs/tab-widgets/start-widget-filebeat.asciidoc new file mode 100644 index 000000000000..a5516816bf3c --- /dev/null +++ b/libbeat/docs/tab-widgets/start-widget-filebeat.asciidoc @@ -0,0 +1,115 @@ +:beatname_uc: Filebeat +:beatname_lc: filebeat +:beatname_pkg: filebeat +++++ +
+
+ + + + + + +
+
+++++ + +include::start.asciidoc[tag=deb] + +++++ +
+ + + + + +
+++++ \ No newline at end of file diff --git a/libbeat/docs/tab-widgets/start-widget-heartbeat.asciidoc b/libbeat/docs/tab-widgets/start-widget-heartbeat.asciidoc new file mode 100644 index 000000000000..92d57b71fa34 --- /dev/null +++ b/libbeat/docs/tab-widgets/start-widget-heartbeat.asciidoc @@ -0,0 +1,115 @@ +:beatname_uc: Heartbeat +:beatname_lc: heartbeat +:beatname_pkg: heartbeat +++++ +
+
+ + + + + + +
+
+++++ + +include::start.asciidoc[tag=deb] + +++++ +
+ + + + + +
+++++ \ No newline at end of file diff --git a/libbeat/docs/tab-widgets/start-widget-metricbeat.asciidoc b/libbeat/docs/tab-widgets/start-widget-metricbeat.asciidoc new file mode 100644 index 000000000000..986377ffd8e0 --- /dev/null +++ b/libbeat/docs/tab-widgets/start-widget-metricbeat.asciidoc @@ -0,0 +1,115 @@ +:beatname_uc: Metricbeat +:beatname_lc: metricbeat +:beatname_pkg: metricbeat +++++ +
+
+ + + + + + +
+
+++++ + +include::start.asciidoc[tag=deb] + +++++ +
+ + + + + +
+++++ \ No newline at end of file diff --git a/libbeat/outputs/elasticsearch/client.go b/libbeat/outputs/elasticsearch/client.go index 3afa7084057d..0794ee1c13bd 100644 --- a/libbeat/outputs/elasticsearch/client.go +++ b/libbeat/outputs/elasticsearch/client.go @@ -90,6 +90,7 @@ func NewClient( Kerberos: s.Kerberos, Proxy: s.Proxy, ProxyDisable: s.ProxyDisable, + Observer: s.Observer, Parameters: s.Parameters, CompressionLevel: s.CompressionLevel, EscapeHTML: s.EscapeHTML, diff --git a/libbeat/outputs/elasticsearch/client_integration_test.go b/libbeat/outputs/elasticsearch/client_integration_test.go index 9abbbe398738..e243cb7d1e46 100644 --- a/libbeat/outputs/elasticsearch/client_integration_test.go +++ b/libbeat/outputs/elasticsearch/client_integration_test.go @@ -40,6 +40,7 @@ import ( "github.com/elastic/beats/v7/libbeat/esleg/eslegtest" "github.com/elastic/beats/v7/libbeat/idxmgmt" "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/monitoring" "github.com/elastic/beats/v7/libbeat/outputs" "github.com/elastic/beats/v7/libbeat/outputs/outest" ) @@ -78,7 +79,7 @@ func TestClientPublishEventKerberosAware(t *testing.T) { } func testPublishEvent(t *testing.T, index string, cfg map[string]interface{}) { - output, client := connectTestEs(t, cfg) + output, client := connectTestEsWithStats(t, cfg, index) // drop old index preparing test client.conn.Delete(index, "", "", nil) 
@@ -107,6 +108,12 @@ func testPublishEvent(t *testing.T, index string, cfg map[string]interface{}) { } assert.Equal(t, 1, resp.Count) + + outputSnapshot := monitoring.CollectFlatSnapshot(monitoring.Default.GetRegistry("output-"+index), monitoring.Full, true) + assert.Greater(t, outputSnapshot.Ints["write.bytes"], int64(0), "output.events.write.bytes must be greater than 0") + assert.Greater(t, outputSnapshot.Ints["read.bytes"], int64(0), "output.events.read.bytes must be greater than 0") + assert.Equal(t, int64(0), outputSnapshot.Ints["write.errors"]) + assert.Equal(t, int64(0), outputSnapshot.Ints["read.errors"]) } func TestClientPublishEventWithPipeline(t *testing.T) { @@ -117,7 +124,7 @@ func TestClientPublishEventWithPipeline(t *testing.T) { index := "beat-int-pub-single-with-pipeline" pipeline := "beat-int-pub-single-pipeline" - output, client := connectTestEs(t, obj{ + output, client := connectTestEsWithoutStats(t, obj{ "index": index, "pipeline": "%{[pipeline]}", }) @@ -199,7 +206,7 @@ func TestClientBulkPublishEventsWithPipeline(t *testing.T) { index := "beat-int-pub-bulk-with-pipeline" pipeline := "beat-int-pub-bulk-pipeline" - output, client := connectTestEs(t, obj{ + output, client := connectTestEsWithoutStats(t, obj{ "index": index, "pipeline": "%{[pipeline]}", }) @@ -276,7 +283,7 @@ func TestClientBulkPublishEventsWithPipeline(t *testing.T) { func TestClientPublishTracer(t *testing.T) { index := "beat-apm-tracer-test" - output, client := connectTestEs(t, map[string]interface{}{ + output, client := connectTestEsWithoutStats(t, map[string]interface{}{ "index": index, }) 
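Review bot: The failure messages in the new assertions of the `@@ -107,6 +108,12 @@` hunk name `output.events.write.bytes` and `output.events.read.bytes`, but the keys actually read from the `output-<index>` registry snapshot are `write.bytes` and `read.bytes`, so a failing run points at a metric that was not the one checked. Align the text with the key, e.g. `"write.bytes must be greater than 0"`, or read the key into a local once and reuse it in the message. The two `write.errors`/`read.errors` equality checks have no message at all, and a bare `0 != N` from a process-global registry is hard to attribute. `testPublishEvent` starts outside the hunk.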
@@ -314,7 +321,17 @@ func TestClientPublishTracer(t *testing.T) { assert.Equal(t, "/_bulk", secondSpan.Context.HTTP.URL.Path) } -func connectTestEs(t *testing.T, cfg interface{}) (outputs.Client, *Client) { +func connectTestEsWithStats(t *testing.T, cfg interface{}, suffix string) (outputs.Client, *Client) { + m := monitoring.Default.NewRegistry("output-" + suffix) + s := outputs.NewStats(m) + return connectTestEs(t, cfg, s) +} + +func connectTestEsWithoutStats(t *testing.T, cfg interface{}) (outputs.Client, *Client) { + return connectTestEs(t, cfg, outputs.NewNilObserver()) +} + +func connectTestEs(t *testing.T, cfg interface{}, stats outputs.Observer) (outputs.Client, *Client) { config, err := common.NewConfigFrom(map[string]interface{}{ "hosts": eslegtest.GetEsHost(), "username": eslegtest.GetUser(), @@ -337,7 +354,7 @@ func connectTestEs(t *testing.T, cfg interface{}) (outputs.Client, *Client) { info := beat.Info{Beat: "libbeat"} im, _ := idxmgmt.DefaultSupport(nil, info, nil) - output, err := makeES(im, info, outputs.NewNilObserver(), config) + output, err := makeES(im, info, stats, config) if err != nil { t.Fatal(err) } @@ -356,7 +373,7 @@ func connectTestEs(t *testing.T, cfg interface{}) (outputs.Client, *Client) { // setupRoleMapping sets up role mapping for the Kerberos user beats@ELASTIC func setupRoleMapping(t *testing.T, host string) error { - _, client := connectTestEs(t, map[string]interface{}{ + _, client := connectTestEsWithoutStats(t, map[string]interface{}{ "hosts": host, "username": "elastic", "password": "changeme", diff --git a/metricbeat/docs/images/metricbeat-aws-ec2-overview.png b/metricbeat/docs/images/metricbeat-aws-ec2-overview.png index f9b2d621f4f2..67d90263c103 100644 Binary files a/metricbeat/docs/images/metricbeat-aws-ec2-overview.png and b/metricbeat/docs/images/metricbeat-aws-ec2-overview.png differ 
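Review bot: The three connection helpers added in the `@@ -314,7 +321,17 @@` hunk carry no doc comments, and the registry name they share with `testPublishEvent` (`"output-" + suffix`) is only implied by both sides spelling it the same way. Suggested: `// connectTestEsWithStats connects to the test cluster with an outputs.Stats observer registered under the global "output-<suffix>" monitoring registry; callers read the counters back via monitoring.Default.GetRegistry("output-"+suffix).` and `// connectTestEsWithoutStats connects with a nil observer for tests that do not inspect output metrics.` Since the registry is created on `monitoring.Default` with a name derived from the index, reusing an index name across tests in one process presumably registers the same name twice — worth confirming how `NewRegistry` behaves in that case before more tests adopt the helper.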
diff --git a/metricbeat/docs/modules/aws/lambda.asciidoc b/metricbeat/docs/modules/aws/lambda.asciidoc index 5e31c8fdc569..202820844ad4 100644 --- a/metricbeat/docs/modules/aws/lambda.asciidoc +++ b/metricbeat/docs/modules/aws/lambda.asciidoc @@ -6,8 +6,6 @@ This file is generated! See scripts/mage/docs_collector.go [role="xpack"] === AWS lambda metricset -beta[] - include::../../../../x-pack/metricbeat/module/aws/lambda/_meta/docs.asciidoc[] This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. diff --git a/metricbeat/docs/modules_list.asciidoc b/metricbeat/docs/modules_list.asciidoc index bfe9052b8e6a..2232cf3b0703 100644 --- a/metricbeat/docs/modules_list.asciidoc +++ b/metricbeat/docs/modules_list.asciidoc @@ -22,7 +22,7 @@ This file is generated! See scripts/mage/docs_collector.go |<> |<> |<> -|<> beta[] +|<> |<> beta[] |<> |<> diff --git a/metricbeat/module/prometheus/_meta/prometheus.yml b/metricbeat/module/prometheus/_meta/prometheus.yml index 06707841f8db..b11de8df0036 100644 --- a/metricbeat/module/prometheus/_meta/prometheus.yml +++ b/metricbeat/module/prometheus/_meta/prometheus.yml @@ -17,7 +17,7 @@ rule_files: # - "second_rules.yml" remote_write: - - url: "http://REMOTE/write" + - url: "http://0.0.0.0:9201/write" # A scrape configuration containing exactly one endpoint to scrape: # Here it's Prometheus itself. diff --git a/metricbeat/module/prometheus/_meta/run.sh b/metricbeat/module/prometheus/_meta/run.sh index b2cadc95a3e7..87b83b6d7057 100755 --- a/metricbeat/module/prometheus/_meta/run.sh +++ b/metricbeat/module/prometheus/_meta/run.sh 
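Review bot: `remote_write.url` is now hard-coded to `http://0.0.0.0:9201/write` in `prometheus.yml`, and as a destination address 0.0.0.0 is only treated as loopback on Linux — precisely the case the deleted `run.sh` loop distinguished from macOS, where it substituted `host.docker.internal`. If dropping macOS for this compose service is intended, record it next to the setting: `# 0.0.0.0 reaches the container host on Linux only; remote_write tests are not expected to run under Docker for Mac.` Otherwise samples will presumably never be delivered on non-Linux hosts and the unskipped `TestRemoteWrite` will fail without an obvious cause.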
@@ -1,25 +1,5 @@ #!/bin/sh - -for i in 1 2 3 4 5; -do - a=`nslookup host.docker.internal | grep "** server can't find " | wc -l`; - if [ $a -gt 0 ]; then - # this works only on Linux envs - HOST_DOMAIN="0.0.0.0" - else - # this works only on Mac envs - HOST_DOMAIN="host.docker.internal" - break - fi -done - - - -REMOTE="$HOST_DOMAIN:9201" - -sed -i "s/REMOTE/$REMOTE/g" /etc/prometheus/prometheus.yml - /bin/prometheus --config.file=/etc/prometheus/prometheus.yml \ --storage.tsdb.path=/prometheus \ --web.console.libraries=/usr/share/prometheus/console_libraries \ diff --git a/metricbeat/module/prometheus/remote_write/data.go b/metricbeat/module/prometheus/remote_write/data.go index 2eec6aefaa3b..3afaa7e9529c 100644 --- a/metricbeat/module/prometheus/remote_write/data.go +++ b/metricbeat/module/prometheus/remote_write/data.go @@ -57,13 +57,14 @@ func (p *remoteWriteEventGenerator) GenerateEvents(metrics model.Samples) map[st labels[string(k)] = v } - // join metrics with same labels in a single event - labelsHash := labels.String() + // join metrics with same labels and same timestamp in a single event + labelsHash := labels.String() + metric.Timestamp.Time().String() if _, ok := eventList[labelsHash]; !ok { eventList[labelsHash] = mb.Event{ ModuleFields: common.MapStr{ "metrics": common.MapStr{}, }, + Timestamp: metric.Timestamp.Time(), } // Add labels @@ -74,7 +75,6 @@ func (p *remoteWriteEventGenerator) GenerateEvents(metrics model.Samples) map[st // Not checking anything here because we create these maps some lines before e := eventList[labelsHash] - e.Timestamp = metric.Timestamp.Time() data := common.MapStr{ name: val, } diff --git a/metricbeat/module/prometheus/remote_write/remote_write_test.go b/metricbeat/module/prometheus/remote_write/remote_write_test.go new file mode 100644 index 000000000000..f0e533f49bcf --- /dev/null +++ b/metricbeat/module/prometheus/remote_write/remote_write_test.go 
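Review bot: The new event key in the `@@ -57,13 +58,14 @@` hunk of data.go, `labels.String() + metric.Timestamp.Time().String()`, joins two strings with no separator and depends on `time.Time.String()`, which Go documents as a debugging format rather than a stable one; the new `remote_write_test.go` looks events up by exactly this string, so the format is now effectively part of the contract. An unambiguous and cheaper key is `labelsHash := labels.String() + "|" + strconv.FormatInt(int64(metric.Timestamp), 10)` (with the test updated to match), or a small struct key holding the labels string and the raw timestamp. `GenerateEvents` starts outside the hunk, so any other consumer of the key beyond `eventList` is not visible here.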
@@ -0,0 +1,80 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package remote_write + +import ( + "testing" + + "github.com/prometheus/common/model" + "github.com/stretchr/testify/assert" + + "github.com/elastic/beats/v7/libbeat/common" +) + +// TestGenerateEventsCounter tests counter simple cases +func TestGenerateEventsCounter(t *testing.T) { + g := remoteWriteEventGenerator{} + + timestamp := model.Time(424242) + timestamp1 := model.Time(424243) + labels := common.MapStr{ + "listener_name": model.LabelValue("http"), + } + + // first fetch + metrics := model.Samples{ + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(42), + Timestamp: timestamp, + }, + &model.Sample{ + Metric: map[model.LabelName]model.LabelValue{ + "__name__": "net_conntrack_listener_conn_closed_total", + "listener_name": "http", + }, + Value: model.SampleValue(43), + Timestamp: timestamp1, + }, + } + events := g.GenerateEvents(metrics) + + expected := common.MapStr{ + "metrics": common.MapStr{ + "net_conntrack_listener_conn_closed_total": float64(42), + }, + "labels": labels, + } + expected1 := common.MapStr{ + 
"metrics": common.MapStr{ + "net_conntrack_listener_conn_closed_total": float64(43), + }, + "labels": labels, + } + + assert.Equal(t, len(events), 2) + e := events[labels.String()+timestamp.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected) + assert.EqualValues(t, e.Timestamp, timestamp.Time()) + e = events[labels.String()+timestamp1.Time().String()] + assert.EqualValues(t, e.ModuleFields, expected1) + assert.EqualValues(t, e.Timestamp, timestamp1.Time()) +} diff --git a/metricbeat/module/prometheus/test_prometheus.py b/metricbeat/module/prometheus/test_prometheus.py index 34b8d9daf376..f882cedb6df9 100644 --- a/metricbeat/module/prometheus/test_prometheus.py +++ b/metricbeat/module/prometheus/test_prometheus.py @@ -65,7 +65,6 @@ def test_query(self): self.assert_fields_are_documented(evt) -@unittest.skip("Flaky test: https://github.com/elastic/beats/issues/20967") class TestRemoteWrite(metricbeat.BaseTest): COMPOSE_SERVICES = ['prometheus-host-network'] diff --git a/metricbeat/module/system/cpu/_meta/data.json b/metricbeat/module/system/cpu/_meta/data.json index ff6b7a15491e..4a5fd7c8ff7d 100644 --- a/metricbeat/module/system/cpu/_meta/data.json +++ b/metricbeat/module/system/cpu/_meta/data.json @@ -1,36 +1,38 @@ { "@timestamp": "2017-10-12T08:05:34.853Z", - "agent": { - "hostname": "host.example.com", - "name": "host.example.com" - }, "event": { "dataset": "system.cpu", "duration": 115000, "module": "system" }, + "host": { + "cpu": { + "pct": 0.0816 + } + }, "metricset": { - "name": "cpu" + "name": "cpu", + "period": 10000 }, "service": { "type": "system" }, "system": { "cpu": { - "cores": 4, + "cores": 12, "idle": { "norm": { - "pct": 0.7198 + "pct": 0.9184 }, - "pct": 2.8792, - "ticks": 81308898 + "pct": 11.0208, + "ticks": 1964402 }, "iowait": { "norm": { "pct": 0 }, "pct": 0, - "ticks": 499109 + "ticks": 5083 }, "irq": { "norm": { 
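Review bot: The assertions at the end of the new `TestGenerateEventsCounter` pass the actual value before the expected one (`assert.Equal(t, len(events), 2)`, `assert.EqualValues(t, e.ModuleFields, expected)`), while testify's signature is `(t, expected, actual)`, so failure output will label the two values backwards. Swap them, e.g. `assert.Equal(t, 2, len(events))` and `assert.EqualValues(t, expected, e.ModuleFields)`. The lookups also hard-code the knowledge that `GenerateEvents` keys events by `labels.String()+timestamp.Time().String()`; a one-line comment above the first lookup saying the key format mirrors data.go would make that coupling explicit.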
@@ -44,14 +46,14 @@ "pct": 0 }, "pct": 0, - "ticks": 172471 + "ticks": 9752 }, "softirq": { "norm": { - "pct": 0 + "pct": 0.0058 }, - "pct": 0, - "ticks": 578041 + "pct": 0.0699, + "ticks": 10386 }, "steal": { "norm": { @@ -62,23 +64,23 @@ }, "system": { "norm": { - "pct": 0.0591 + "pct": 0.005 }, - "pct": 0.2365, - "ticks": 25140781 + "pct": 0.06, + "ticks": 22274 }, "total": { "norm": { - "pct": 0.2802 + "pct": 0.0816 }, - "pct": 1.1208 + "pct": 0.9792 }, "user": { "norm": { - "pct": 0.2211 + "pct": 0.0708 }, - "pct": 0.8843, - "ticks": 75216920 + "pct": 0.8493, + "ticks": 123767 } } } diff --git a/metricbeat/module/system/cpu/cpu.go b/metricbeat/module/system/cpu/cpu.go index 8d017f0d3733..7333df6dec70 100644 --- a/metricbeat/module/system/cpu/cpu.go +++ b/metricbeat/module/system/cpu/cpu.go @@ -70,7 +70,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { } event := common.MapStr{"cores": cpu.NumCores} - + hostFields := common.MapStr{} for _, metric := range m.config.Metrics { switch strings.ToLower(metric) { case percentages: @@ -95,6 +95,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { event.Put("softirq.norm.pct", normalizedPct.SoftIRQ) event.Put("steal.norm.pct", normalizedPct.Steal) event.Put("total.norm.pct", normalizedPct.Total) + hostFields.Put("host.cpu.pct", normalizedPct.Total) case ticks: ticks := sample.Ticks() event.Put("user.ticks", ticks.User) @@ -109,6 +110,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { } r.Event(mb.Event{ + RootFields: hostFields, MetricSetFields: event, }) diff --git a/metricbeat/module/system/diskio/_meta/data.json b/metricbeat/module/system/diskio/_meta/data.json index 291b1d238408..b9c8533b0c8d 100644 --- a/metricbeat/module/system/diskio/_meta/data.json +++ b/metricbeat/module/system/diskio/_meta/data.json 
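Review bot: `hostFields` in the `@@ -70,7 +70,7 @@` hunk of cpu.go is undocumented, and `host.cpu.pct` is only set in the `percentages` branch, so the event carries an empty `RootFields` map whenever that metric is not configured. Add above the declaration: `// hostFields holds ECS host.* fields (host.cpu.pct, the normalized total) that are emitted at the event root rather than under system.cpu; it stays empty unless the percentages metric is enabled.` `Fetch` starts outside the hunk.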
@@ -1,16 +1,13 @@ { "@timestamp": "2017-10-12T08:05:34.853Z", - "agent": { - "hostname": "host.example.com", - "name": "host.example.com" - }, "event": { "dataset": "system.diskio", "duration": 115000, "module": "system" }, "metricset": { - "name": "diskio" + "name": "diskio", + "period": 10000 }, "service": { "type": "system" @@ -18,7 +15,7 @@ "system": { "diskio": { "io": { - "time": 656 + "time": 364 }, "iostat": { "await": 0, @@ -51,16 +48,16 @@ } } }, - "name": "nvme0n1p1", + "name": "loop1", "read": { - "bytes": 8028160, - "count": 3290, - "time": 130016 + "bytes": 5267456, + "count": 4124, + "time": 557 }, "write": { - "bytes": 5120, - "count": 3, - "time": 12 + "bytes": 0, + "count": 0, + "time": 0 } } } diff --git a/metricbeat/module/system/diskio/diskio.go b/metricbeat/module/system/diskio/diskio.go index 80c494409a3b..9da3a3c2344a 100644 --- a/metricbeat/module/system/diskio/diskio.go +++ b/metricbeat/module/system/diskio/diskio.go @@ -38,6 +38,13 @@ type MetricSet struct { mb.BaseMetricSet statistics *DiskIOStat includeDevices []string + prevCounters diskCounter +} + +// diskCounter stores previous disk counter values for calculating gauges in next collection +type diskCounter struct { + prevDiskReadBytes uint64 + prevDiskWriteBytes uint64 } // New is a mb.MetricSetFactory that returns a new MetricSet. @@ -54,6 +61,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { BaseMetricSet: base, statistics: NewDiskIOStat(), includeDevices: config.IncludeDevices, + prevCounters: diskCounter{}, }, nil } @@ -70,6 +78,7 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { // Store the last cpu counter when finished defer m.statistics.CloseSampling() + var diskReadBytes, diskWriteBytes uint64 for _, counters := range stats { event := common.MapStr{ "name": counters.Name, 
@@ -87,6 +96,11 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { "time": counters.IoTime, }, } + + // accumulate values from all interfaces + diskReadBytes += counters.ReadBytes + diskWriteBytes += counters.WriteBytes + var extraMetrics DiskIOMetric err := m.statistics.CalIOStatistics(&extraMetrics, counters) if err == nil { @@ -135,5 +149,23 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { } } + if m.prevCounters != (diskCounter{}) { + // convert network metrics from counters to gauges + r.Event(mb.Event{ + RootFields: common.MapStr{ + "host": common.MapStr{ + "disk": common.MapStr{ + "read.bytes": diskReadBytes - m.prevCounters.prevDiskReadBytes, + "write.bytes": diskWriteBytes - m.prevCounters.prevDiskWriteBytes, + }, + }, + }, + }) + } + + // update prevCounters + m.prevCounters.prevDiskReadBytes = diskReadBytes + m.prevCounters.prevDiskWriteBytes = diskWriteBytes + return nil } diff --git a/metricbeat/module/system/network/_meta/data.json b/metricbeat/module/system/network/_meta/data.json index 8cf8a5f69a6f..81c174c93e8d 100644 --- a/metricbeat/module/system/network/_meta/data.json +++ b/metricbeat/module/system/network/_meta/data.json @@ -1,16 +1,13 @@ { "@timestamp": "2017-10-12T08:05:34.853Z", - "agent": { - "hostname": "host.example.com", - "name": "host.example.com" - }, "event": { "dataset": "system.network", "duration": 115000, "module": "system" }, "metricset": { - "name": "network" + "name": "network", + "period": 10000 }, "service": { "type": "system" @@ -18,17 +15,17 @@ "system": { "network": { "in": { - "bytes": 37904869172, - "dropped": 32, + "bytes": 0, + "dropped": 0, "errors": 0, - "packets": 32143403 + "packets": 0 }, - "name": "wlp4s0", + "name": "br-18285ad7f418", "out": { - "bytes": 6299331926, + "bytes": 0, "dropped": 0, "errors": 0, - "packets": 13362703 + "packets": 0 } } } diff --git a/metricbeat/module/system/network/network.go b/metricbeat/module/system/network/network.go index d9c04d834202..4796b5af8413 100644 
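Review bot: The gauge computation in the `@@ -135,5 +149,23 @@` hunk subtracts `uint64` counters with no guard for the previous total being larger, so a device disappearing between two collections (the device set is not stable — the new data.json sample is `loop1`) or a counter reset wraps the delta to a value near 2^64 instead of being dropped; the network.go hunk (`@@ -91,11 +103,44 @@`) has the same problem. A shared helper such as `func counterDelta(cur, prev uint64) (uint64, bool) { if cur < prev { return 0, false }; return cur - prev, true }` used by both metricsets, skipping the host event when any delta is invalid, would address it in one place. The comment `// convert network metrics from counters to gauges` was copied from network.go and should say `disk`, and `// accumulate values from all interfaces` should say `devices`. Note also that diskio builds its root fields with dotted literal keys (`"read.bytes"`) while network.go nests `in`/`out` maps; aligning on the nested form would let the test treat both the same way. Fetch's enclosing body starts outside this hunk.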
--- a/metricbeat/module/system/network/network.go +++ b/metricbeat/module/system/network/network.go @@ -43,7 +43,16 @@ func init() { // MetricSet for fetching system network IO metrics. type MetricSet struct { mb.BaseMetricSet - interfaces map[string]struct{} + interfaces map[string]struct{} + prevCounters networkCounter +} + +// networkCounter stores previous network counter values for calculating gauges in next collection +type networkCounter struct { + prevNetworkInBytes uint64 + prevNetworkInPackets uint64 + prevNetworkOutBytes uint64 + prevNetworkOutPackets uint64 } // New is a mb.MetricSetFactory that returns a new MetricSet. @@ -69,6 +78,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) { return &MetricSet{ BaseMetricSet: base, interfaces: interfaceSet, + prevCounters: networkCounter{}, }, nil } @@ -79,6 +89,8 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { return errors.Wrap(err, "network io counters") } + var networkInBytes, networkOutBytes, networkInPackets, networkOutPackets uint64 + for _, counters := range stats { if m.interfaces != nil { // Select stats by interface name. 
@@ -91,11 +103,44 @@ func (m *MetricSet) Fetch(r mb.ReporterV2) error { isOpen := r.Event(mb.Event{ MetricSetFields: ioCountersToMapStr(counters), }) + + // accumulate values from all interfaces + networkInBytes += counters.BytesRecv + networkOutBytes += counters.BytesSent + networkInPackets += counters.PacketsRecv + networkOutPackets += counters.PacketsSent + if !isOpen { return nil } } + if m.prevCounters != (networkCounter{}) { + // convert network metrics from counters to gauges + r.Event(mb.Event{ + RootFields: common.MapStr{ + "host": common.MapStr{ + "network": common.MapStr{ + "in": common.MapStr{ + "bytes": networkInBytes - m.prevCounters.prevNetworkInBytes, + "packets": networkInPackets - m.prevCounters.prevNetworkInPackets, + }, + "out": common.MapStr{ + "bytes": networkOutBytes - m.prevCounters.prevNetworkOutBytes, + "packets": networkOutPackets - m.prevCounters.prevNetworkOutPackets, + }, + }, + }, + }, + }) + } + + // update prevCounters + m.prevCounters.prevNetworkInBytes = networkInBytes + m.prevCounters.prevNetworkInPackets = networkInPackets + m.prevCounters.prevNetworkOutBytes = networkOutBytes + m.prevCounters.prevNetworkOutPackets = networkOutPackets + return nil } diff --git a/metricbeat/module/system/test_system.py b/metricbeat/module/system/test_system.py index ce8670781db2..f689b99fb4c2 100644 --- a/metricbeat/module/system/test_system.py +++ b/metricbeat/module/system/test_system.py 
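Review bot: `m.prevCounters != (networkCounter{})` uses the zero value as the "no previous sample" sentinel, so a first collection in which every selected interface reports zero (the new data.json sample is exactly such an interface, `br-18285ad7f418`) is treated as absent and the following host event is skipped; the diskio.go hunk at L125 relies on the same sentinel. A dedicated `hasPrev bool` field on `MetricSet`, set at the end of the first Fetch, distinguishes "never sampled" from "sampled all zeros" cleanly. The return value of the second `r.Event` is also discarded, unlike the per-interface call a few lines above that checks `isOpen`; either check it or add `// reporter state is irrelevant here, Fetch returns immediately after` so the asymmetry reads as intentional.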
@@ -45,6 +45,12 @@ SYSTEM_NETWORK_FIELDS = ["name", "out.bytes", "in.bytes", "out.packets", "in.packets", "in.error", "out.error", "in.dropped", "out.dropped"] +SYSTEM_CPU_HOST_FIELDS = ["pct"] + +SYSTEM_NETWORK_HOST_FIELDS = ["in.bytes", "out.bytes", "in.packets", "out.packets"] + +SYSTEM_DISK_HOST_FIELDS = ["read.bytes", "write.bytes"] + # cmdline is also part of the system process fields, but it may not be present # for some kernel level processes. fd is also part of the system process, but # is not available on all OSes and requires root to read for all processes. @@ -74,8 +80,12 @@ def test_cpu(self): evt = output[0] self.assert_fields_are_documented(evt) - cpu = evt["system"]["cpu"] - self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS), cpu.keys()) + if "system" in evt: + cpu = evt["system"]["cpu"] + self.assertCountEqual(self.de_dot(SYSTEM_CPU_FIELDS), cpu.keys()) + else: + host_cpu = evt["host"]["cpu"] + self.assertCountEqual(self.de_dot(SYSTEM_CPU_HOST_FIELDS), host_cpu.keys()) @unittest.skipUnless(re.match("(?i)win|linux|darwin|freebsd|openbsd", sys.platform), "os") def test_cpu_ticks_option(self): @@ -196,8 +206,12 @@ def test_diskio(self): for evt in output: self.assert_fields_are_documented(evt) if 'error' not in evt: - diskio = evt["system"]["diskio"] - self.assertCountEqual(self.de_dot(SYSTEM_DISKIO_FIELDS), diskio.keys()) + if "system" in evt: + diskio = evt["system"]["diskio"] + self.assertCountEqual(self.de_dot(SYSTEM_DISKIO_FIELDS), diskio.keys()) + elif "host" in evt: + host_disk = evt["host"]["disk"] + self.assertCountEqual(SYSTEM_DISK_HOST_FIELDS, host_disk.keys()) @unittest.skipUnless(re.match("(?i)linux", sys.platform), "os") def test_diskio_linux(self): 
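Review bot: In `test_diskio` the new `elif "host" in evt:` branch makes an event that carries neither `system` nor `host` pass silently, whereas the `else:` branches added to `test_cpu` here and to `test_diskio_linux`/`test_network` at L129 raise a `KeyError` for the same event; use `else:` in `test_diskio` too, or an explicit `self.fail("event has neither system nor host fields")`. `SYSTEM_DISK_HOST_FIELDS` is the only host-field list not passed through `self.de_dot`, presumably because diskio.go emits literal dotted keys (`"read.bytes"`) while network.go nests them; a comment on the constant, `# diskio emits dotted keys literally, so no de_dot here`, would stop the next reader from "fixing" it.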
@@ -219,8 +233,12 @@ def test_diskio_linux(self): for evt in output: self.assert_fields_are_documented(evt) - diskio = evt["system"]["diskio"] - self.assertCountEqual(self.de_dot(SYSTEM_DISKIO_FIELDS_LINUX), diskio.keys()) + if "system" in evt: + diskio = evt["system"]["diskio"] + self.assertCountEqual(self.de_dot(SYSTEM_DISKIO_FIELDS_LINUX), diskio.keys()) + else: + host_disk = evt["host"]["disk"] + self.assertCountEqual(SYSTEM_DISK_HOST_FIELDS, host_disk.keys()) @unittest.skipUnless(re.match("(?i)win|linux|darwin|freebsd|openbsd", sys.platform), "os") def test_filesystem(self): @@ -328,8 +346,12 @@ def test_network(self): for evt in output: self.assert_fields_are_documented(evt) - network = evt["system"]["network"] - self.assertCountEqual(self.de_dot(SYSTEM_NETWORK_FIELDS), network.keys()) + if "system" in evt: + network = evt["system"]["network"] + self.assertCountEqual(self.de_dot(SYSTEM_NETWORK_FIELDS), network.keys()) + else: + host_network = evt["host"]["network"] + self.assertCountEqual(self.de_dot(SYSTEM_NETWORK_HOST_FIELDS), host_network.keys()) @unittest.skipUnless(re.match("(?i)win|linux|darwin|freebsd", sys.platform), "os") def test_process_summary(self): diff --git a/winlogbeat/eventlog/factory.go b/winlogbeat/eventlog/factory.go index 965ddbdac107..f66c158b2f25 100644 --- a/winlogbeat/eventlog/factory.go +++ b/winlogbeat/eventlog/factory.go @@ -28,7 +28,7 @@ import ( ) var commonConfigKeys = []string{"type", "api", "name", "fields", "fields_under_root", - "tags", "processors", "index"} + "tags", "processors", "index", "id", "meta", "revision"} // ConfigCommon is the common configuration data used to instantiate a new // EventLog. Each implementation is free to support additional configuration diff --git a/x-pack/auditbeat/magefile.go b/x-pack/auditbeat/magefile.go index f484cbb371dd..989f8e6d7b6d 100644 --- a/x-pack/auditbeat/magefile.go +++ b/x-pack/auditbeat/magefile.go 
@@ -132,13 +132,13 @@ var ( "linux/386": installLinux386, "linux/amd64": installLinuxAMD64, "linux/arm64": installLinuxARM64, - "linux/armv5": installLinuxARMLE, - "linux/armv6": installLinuxARMLE, + "linux/armv5": installLinuxARMEL, + "linux/armv6": installLinuxARMEL, "linux/armv7": installLinuxARMHF, "linux/mips": installLinuxMIPS, - "linux/mipsle": installLinuxMIPSLE, - "linux/mips64le": installLinuxMIPS64LE, - "linux/ppc64le": installLinuxPPC64LE, + "linux/mipsle": installLinuxMIPSEL, + "linux/mips64le": installLinuxMIPS64EL, + "linux/ppc64le": installLinuxPPC64EL, "linux/s390x": installLinuxS390X, //"linux/ppc64": installLinuxPpc64, 
@@ -148,49 +148,56 @@ var ( const ( librpmDevPkgName = "librpm-dev" + + // Dependency of librpm-dev in ARM architectures, that needs to be explicitly + // installed to replace other conflicting packages pre-installed in the image. + libicuDevPkgName = "libicu-dev" ) func installLinuxAMD64() error { - return installDependencies(librpmDevPkgName, "") + return installDependencies("", librpmDevPkgName) } func installLinuxARM64() error { - return installDependencies(librpmDevPkgName+":arm64", "arm64") + return installDependencies("arm64", librpmDevPkgName+":arm64") } func installLinuxARMHF() error { - return installDependencies(librpmDevPkgName+":armhf", "armhf") + return installDependencies("armhf", librpmDevPkgName+":armhf", libicuDevPkgName+":armhf") } -func installLinuxARMLE() error { - return installDependencies(librpmDevPkgName+":armel", "armel") +func installLinuxARMEL() error { + return installDependencies("armel", librpmDevPkgName+":armel", libicuDevPkgName+":armel") } func installLinux386() error { - return installDependencies(librpmDevPkgName+":i386", "i386") + return installDependencies("i386", librpmDevPkgName+":i386") } func installLinuxMIPS() error { - return installDependencies(librpmDevPkgName+":mips", "mips") + return installDependencies("mips", librpmDevPkgName+":mips") } -func installLinuxMIPS64LE() error { - return installDependencies(librpmDevPkgName+":mips64el", "mips64el") +func installLinuxMIPS64EL() error { + return installDependencies("mips64el", librpmDevPkgName+":mips64el") } -func installLinuxMIPSLE() error { - return installDependencies(librpmDevPkgName+":mipsel", "mipsel") +func installLinuxMIPSEL() error { + return installDependencies("mispel", librpmDevPkgName+":mipsel") } -func installLinuxPPC64LE() error { - return installDependencies(librpmDevPkgName+":ppc64el", "ppc64el") +func installLinuxPPC64EL() error { + return installDependencies("ppc64el", librpmDevPkgName+":ppc64el") } func installLinuxS390X() error { - return 
installDependencies(librpmDevPkgName+":s390x", "s390x") + return installDependencies("s390x", librpmDevPkgName+":s390x") } -func installDependencies(pkg, arch string) error { +func installDependencies(arch string, pkgs ...string) error { + if len(pkgs) == 0 { + return nil + } if arch != "" { err := sh.Run("dpkg", "--add-architecture", arch) if err != nil { @@ -206,5 +213,6 @@ func installDependencies(pkg, arch string) error { return err } - return sh.Run("apt-get", "install", "-y", "--no-install-recommends", pkg) + args := append([]string{"install", "-y", "--no-install-recommends"}, pkgs...) + return sh.Run("apt-get", args...) } diff --git a/x-pack/elastic-agent/.gitignore b/x-pack/elastic-agent/.gitignore index 34b1341919e5..22e2de50947c 100644 --- a/x-pack/elastic-agent/.gitignore +++ b/x-pack/elastic-agent/.gitignore @@ -1,5 +1,6 @@ # agent build/ +elastic-agent elastic-agent.dev.yml pkg/agent/operation/tests/scripts/short--1.0.yml pkg/agent/operation/tests/scripts/configurable-1.0-darwin-x86/configurable diff --git a/x-pack/elastic-agent/CHANGELOG.asciidoc b/x-pack/elastic-agent/CHANGELOG.asciidoc index abaeb87fa646..bd3983e5716c 100644 --- a/x-pack/elastic-agent/CHANGELOG.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.asciidoc @@ -108,3 +108,4 @@ - Pick up version from libbeat {pull}18350[18350] - More clear output of inspect command {pull}18405[18405] - When not port are specified and the https is used fallback to 443 {pull}18844[18844] +- Basic upgrade process {pull}21002[21002] diff --git a/x-pack/elastic-agent/GPG-KEY-elasticsearch b/x-pack/elastic-agent/GPG-KEY-elasticsearch new file mode 100644 index 000000000000..1b50dcca799a --- /dev/null +++ b/x-pack/elastic-agent/GPG-KEY-elasticsearch 
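Review bot: `installLinuxMIPSEL` passes the architecture as `"mispel"`, a transposition of `mipsel`, so `dpkg --add-architecture mispel` runs for that target and the `:mipsel` packages that follow will not resolve; it should read `return installDependencies("mipsel", librpmDevPkgName+":mipsel")`. The parameter order of `installDependencies` was also reversed in this hunk (`(pkg, arch)` became `(arch, pkgs ...string)`), which is the kind of edit that invites exactly this mistake — a short doc comment, `// installDependencies registers arch with dpkg (when non-empty) and apt-installs pkgs; it is a no-op when pkgs is empty.`, would also document the new early return, which currently skips `dpkg --add-architecture` as well. The body of `installDependencies` continues into the `@@ -206,5 +213,6 @@` hunk on this line.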
@@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.14 (GNU/Linux) + +mQENBFI3HsoBCADXDtbNJnxbPqB1vDNtCsqhe49vFYsZN9IOZsZXgp7aHjh6CJBD +A+bGFOwyhbd7at35jQjWAw1O3cfYsKAmFy+Ar3LHCMkV3oZspJACTIgCrwnkic/9 +CUliQe324qvObU2QRtP4Fl0zWcfb/S8UYzWXWIFuJqMvE9MaRY1bwUBvzoqavLGZ +j3SF1SPO+TB5QrHkrQHBsmX+Jda6d4Ylt8/t6CvMwgQNlrlzIO9WT+YN6zS+sqHd +1YK/aY5qhoLNhp9G/HxhcSVCkLq8SStj1ZZ1S9juBPoXV1ZWNbxFNGwOh/NYGldD +2kmBf3YgCqeLzHahsAEpvAm8TBa7Q9W21C8vABEBAAG0RUVsYXN0aWNzZWFyY2gg +KEVsYXN0aWNzZWFyY2ggU2lnbmluZyBLZXkpIDxkZXZfb3BzQGVsYXN0aWNzZWFy +Y2gub3JnPokBOAQTAQIAIgUCUjceygIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgEC +F4AACgkQ0n1mbNiOQrRzjAgAlTUQ1mgo3nK6BGXbj4XAJvuZDG0HILiUt+pPnz75 +nsf0NWhqR4yGFlmpuctgCmTD+HzYtV9fp9qW/bwVuJCNtKXk3sdzYABY+Yl0Cez/ +7C2GuGCOlbn0luCNT9BxJnh4mC9h/cKI3y5jvZ7wavwe41teqG14V+EoFSn3NPKm +TxcDTFrV7SmVPxCBcQze00cJhprKxkuZMPPVqpBS+JfDQtzUQD/LSFfhHj9eD+Xe +8d7sw+XvxB2aN4gnTlRzjL1nTRp0h2/IOGkqYfIG9rWmSLNlxhB2t+c0RsjdGM4/ +eRlPWylFbVMc5pmDpItrkWSnzBfkmXL3vO2X3WvwmSFiQbkBDQRSNx7KAQgA5JUl +zcMW5/cuyZR8alSacKqhSbvoSqqbzHKcUQZmlzNMKGTABFG1yRx9r+wa/fvqP6OT +RzRDvVS/cycws8YX7Ddum7x8uI95b9ye1/Xy5noPEm8cD+hplnpU+PBQZJ5XJ2I+ +1l9Nixx47wPGXeClLqcdn0ayd+v+Rwf3/XUJrvccG2YZUiQ4jWZkoxsA07xx7Bj+ +Lt8/FKG7sHRFvePFU0ZS6JFx9GJqjSBbHRRkam+4emW3uWgVfZxuwcUCn1ayNgRt +KiFv9jQrg2TIWEvzYx9tywTCxc+FFMWAlbCzi+m4WD+QUWWfDQ009U/WM0ks0Kww +EwSk/UDuToxGnKU2dQARAQABiQEfBBgBAgAJBQJSNx7KAhsMAAoJENJ9ZmzYjkK0 +c3MIAIE9hAR20mqJWLcsxLtrRs6uNF1VrpB+4n/55QU7oxA1iVBO6IFu4qgsF12J +TavnJ5MLaETlggXY+zDef9syTPXoQctpzcaNVDmedwo1SiL03uMoblOvWpMR/Y0j +6rm7IgrMWUDXDPvoPGjMl2q1iTeyHkMZEyUJ8SKsaHh4jV9wp9KmC8C+9CwMukL7 +vM5w8cgvJoAwsp3Fn59AxWthN3XJYcnMfStkIuWgR7U2r+a210W6vnUxU4oN0PmM +cursYPyeV0NX/KQeUeNMwGTFB6QHS/anRaGQewijkrYYoTNtfllxIu9XYmiBERQ/ +qPDlGRlOgVTd9xUfHFkzB52c70E= +=92oX +-----END PGP PUBLIC KEY BLOCK----- diff --git a/x-pack/elastic-agent/dev-tools/cmd/buildpgp/build_pgp.go b/x-pack/elastic-agent/dev-tools/cmd/buildpgp/build_pgp.go new file mode 100644 index 000000000000..55bb33f1fc0d 
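Review bot: This key becomes the trust root for artifact verification (it is packed into `pkg/release/pgp.go` by the new `BuildPGP` target), yet nothing in the tree pins its identity, so a later edit to this file or to the packer output would pass CI unnoticed. A small test in `pkg/release` that parses `pgpBytes` and asserts its fingerprint equals a constant — `<EXPECTED_FINGERPRINT>`, to be recorded in the PR description — makes a silent key swap a failing build rather than a silent change.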
--- /dev/null +++ b/x-pack/elastic-agent/dev-tools/cmd/buildpgp/build_pgp.go 
@@ -0,0 +1,113 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package main + +import ( + "bytes" + "flag" + "fmt" + "go/format" + "io/ioutil" + "os" + "text/template" + + "github.com/elastic/beats/v7/licenses" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/packer" +) + +var ( + input string + output string + license string +) + +func init() { + flag.StringVar(&input, "in", "", "Source of input. \"-\" means reading from stdin") + flag.StringVar(&output, "out", "-", "Output path. \"-\" means writing to stdout") + flag.StringVar(&license, "license", "Elastic", "License header for generated file.") +} + +var tmplPgp = template.Must(template.New("pgp").Parse(` +{{ .License }} +// Code generated by x-pack/dev-tools/cmd/buildspec/buildPgp.go - DO NOT EDIT. + +package release + +import ( + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/packer" +) + +// pgp bytes is a packed in public gpg key +var pgpBytes []byte + +func init() { + // Packed Files + {{ range $i, $f := .Files -}} + // {{ $f }} + {{ end -}} + pgpBytes = packer.MustUnpack("{{ .Pack }}")["GPG-KEY-elasticsearch"] +} + +// PGP return pgpbytes and a flag describing whether or not no pgp is valid. 
+func PGP() (bool, []byte) { + return allowEmptyPgp == "true", pgpBytes +} +`)) + +func main() { + flag.Parse() + + if len(input) == 0 { + fmt.Fprintln(os.Stderr, "Invalid input source") + os.Exit(1) + } + + l, err := licenses.Find(license) + if err != nil { + fmt.Fprintf(os.Stderr, "problem to retrieve the license, error: %+v", err) + os.Exit(1) + return + } + + data, err := gen(input, l) + if err != nil { + fmt.Fprintf(os.Stderr, "Error while generating the file, err: %+v\n", err) + os.Exit(1) + } + + if output == "-" { + os.Stdout.Write(data) + return + } else { + ioutil.WriteFile(output, data, 0640) + } + + return +} + +func gen(path string, l string) ([]byte, error) { + pack, files, err := packer.Pack(input) + if err != nil { + return nil, err + } + + var buf bytes.Buffer + tmplPgp.Execute(&buf, struct { + Pack string + Files []string + License string + }{ + Pack: pack, + Files: files, + License: l, + }) + + formatted, err := format.Source(buf.Bytes()) + if err != nil { + return nil, err + } + + return formatted, nil +} diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go index 499e1d251a22..ec6e76a0995a 100644 --- a/x-pack/elastic-agent/magefile.go +++ b/x-pack/elastic-agent/magefile.go @@ -14,6 +14,7 @@ import ( "os/exec" "path/filepath" "runtime" + "strconv" "strings" "time" @@ -40,6 +41,7 @@ const ( buildDir = "build" metaDir = "_meta" snapshotEnv = "SNAPSHOT" + devEnv = "DEV" configFile = "elastic-agent.yml" agentDropPath = "AGENT_DROP_PATH" ) @@ -345,7 +347,7 @@ func commitID() string { // Update is an alias for executing control protocol, configs, and specs. func Update() { - mg.SerialDeps(Config, BuildSpec, BuildFleetCfg) + mg.SerialDeps(Config, BuildSpec, BuildPGP, BuildFleetCfg) } // CrossBuild cross-builds the beat for all target platforms. 
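Review bot: `gen(path string, l string)` ignores its `path` parameter and reads the global `input`, and both `tmplPgp.Execute` and the `ioutil.WriteFile` in `main` discard their errors, so a failed template render or a failed write of `pkg/release/pgp.go` exits 0 and leaves a stale or missing generated file behind. The generated-code header also cites `x-pack/dev-tools/cmd/buildspec/buildPgp.go` rather than this file's path. The template refers to `allowEmptyPgp`, which the generated code never declares; presumably it lives elsewhere in package `release` and is set via the `-X` variable the magefile hunk adds — a comment in the template saying so would save the next reader the search.

```go
	if output == "-" {
		_, err = os.Stdout.Write(data)
	} else {
		err = ioutil.WriteFile(output, data, 0640)
	}
	if err != nil {
		fmt.Fprintf(os.Stderr, "Error while writing the output, err: %+v\n", err)
		os.Exit(1)
	}
}

func gen(path string, l string) ([]byte, error) {
	pack, files, err := packer.Pack(path)
	if err != nil {
		return nil, err
	}

	var buf bytes.Buffer
	// … unchanged: template data struct …
	if err := tmplPgp.Execute(&buf, tmplData); err != nil {
		return nil, err
	}
	// … unchanged: format.Source and return …
```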
@@ -370,7 +372,7 @@ func ControlProto() error { // BuildSpec make sure that all the suppported program spec are built into the binary. func BuildSpec() error { - // go run x-pack/agent/dev-tools/cmd/buildspec/buildspec.go --in x-pack/agent/spec/*.yml --out x-pack/agent/pkg/agent/program/supported.go + // go run x-pack/elastic-agent/dev-tools/cmd/buildspec/buildspec.go --in x-pack/agent/spec/*.yml --out x-pack/elastic-agent/pkg/agent/program/supported.go goF := filepath.Join("dev-tools", "cmd", "buildspec", "buildspec.go") in := filepath.Join("spec", "*.yml") out := filepath.Join("pkg", "agent", "program", "supported.go") @@ -379,6 +381,16 @@ func BuildSpec() error { return RunGo("run", goF, "--in", in, "--out", out) } +func BuildPGP() error { + // go run x-pack/elastic-agent/dev-tools/cmd/buildpgp/build_pgp.go --in x-pack/agent/spec/GPG-KEY-elasticsearch --out x-pack/elastic-agent/pkg/release/pgp.go + goF := filepath.Join("dev-tools", "cmd", "buildpgp", "build_pgp.go") + in := "GPG-KEY-elasticsearch" + out := filepath.Join("pkg", "release", "pgp.go") + + fmt.Printf(">> BuildPGP from %s to %s\n", in, out) + return RunGo("run", goF, "--in", in, "--out", out) +} + func configYML() error { return devtools.Config(devtools.AllConfigTypes, ConfigFileParams(), ".") } @@ -620,6 +632,12 @@ func buildVars() map[string]string { isSnapshot, _ := os.LookupEnv(snapshotEnv) vars["github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release.snapshot"] = isSnapshot + if isDevFlag, devFound := os.LookupEnv(devEnv); devFound { + if isDev, err := strconv.ParseBool(isDevFlag); err == nil && isDev { + vars["github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release.allowEmptyPgp"] = "true" + } + } + return vars } diff --git a/x-pack/elastic-agent/pkg/agent/application/application.go b/x-pack/elastic-agent/pkg/agent/application/application.go index d0b16f11f134..e003eed61a6b 100644 --- a/x-pack/elastic-agent/pkg/agent/application/application.go 
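Review bot: The `DEV` handling added to `buildVars` sets `release.allowEmptyPgp` to `"true"` without any build output saying so, and that value is what `release.PGP()` hands to `downloader.NewVerifier` (stream.go hunk at L141), so presumably it relaxes artifact signature verification in the produced binary. Print it next to the other `>>` build lines, e.g. `fmt.Println(">> DEV build: release.allowEmptyPgp enabled")`, and document the constant: `// devEnv, when set to a true value, produces a development build that tolerates a missing PGP key for artifact verification; never set it for release builds.` The comment in `BuildPGP` cites `x-pack/agent/spec/GPG-KEY-elasticsearch` while `in` is `GPG-KEY-elasticsearch` at the elastic-agent root.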
+++ b/x-pack/elastic-agent/pkg/agent/application/application.go @@ -21,8 +21,12 @@ type Application interface { AgentInfo() *info.AgentInfo } +type reexecManager interface { + ReExec(argOverrides ...string) +} + // New creates a new Agent and bootstrap the required subsystem. -func New(log *logger.Logger, pathConfigFile string) (Application, error) { +func New(log *logger.Logger, pathConfigFile string, reexec reexecManager) (Application, error) { // Load configuration from disk to understand in which mode of operation // we must start the elastic-agent, the mode of operation cannot be changed without restarting the // elastic-agent. @@ -35,13 +39,14 @@ func New(log *logger.Logger, pathConfigFile string) (Application, error) { return nil, err } - return createApplication(log, pathConfigFile, rawConfig) + return createApplication(log, pathConfigFile, rawConfig, reexec) } func createApplication( log *logger.Logger, pathConfigFile string, rawConfig *config.Config, + reexec reexecManager, ) (Application, error) { warn.LogNotGA(log) log.Info("Detecting execution mode") @@ -58,7 +63,7 @@ func createApplication( } log.Info("Agent is managed by Fleet") - return newManaged(ctx, log, rawConfig) + return newManaged(ctx, log, rawConfig, reexec) } // missing of fleet.enabled: true or fleet.{access_token,kibana} will place Elastic Agent into standalone mode. diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_upgrade.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_upgrade.go new file mode 100644 index 000000000000..4d0026d4d795 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_upgrade.go 
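Review bot: `reexecManager` is introduced with no doc comment and `New`'s comment is not updated for the extra parameter, so callers have no description of what the agent expects from `ReExec`. Suggest `// reexecManager restarts the current agent process, optionally replacing its arguments; the upgrader calls it once a new version is in place.` above the interface (the upgrader use is inferred from the managed_mode.go hunk at L140, worth confirming), and extend New's comment with `reexec is invoked when an upgrade requires a restart.`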
@@ -0,0 +1,31 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package application
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/upgrade"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi"
+)
+
+// After running Upgrade agent should download its own version specified by action
+// from repository specified by fleet.
+type handlerUpgrade struct {
+ log *logger.Logger
+ upgrader *upgrade.Upgrader
+}
+
+func (h *handlerUpgrade) Handle(ctx context.Context, a action, acker fleetAcker) error {
+ h.log.Debugf("handlerUpgrade: action '%+v' received", a)
+ action, ok := a.(*fleetapi.ActionUpgrade)
+ if !ok {
+ return fmt.Errorf("invalid type, expected ActionUpgrade and received %T", a)
+ }
+
+ return h.upgrader.Upgrade(ctx, action)
+}
diff --git a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go
index 76d9d0bed46b..a4e4bf923799 100644
--- a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go
+++ b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go
@@ -15,6 +15,7 @@ import (
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/filters"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/upgrade"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
 "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/operation"
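Review bot: `Handle` receives `acker` and never uses it, and the comment above `handlerUpgrade` describes what happens after an upgrade rather than the handler's contract, so a reader will assume the ack was forgotten. If the ack is deliberately deferred until the new binary runs (the managed_mode.go `Start` hunk at L140 calls `m.upgrader.Ack`), state it: `// acker is intentionally unused: the action is acked by Upgrader.Ack once the upgraded agent has started.` The `Debugf` line prints the whole action with `%+v`; if `ActionUpgrade` carries a source URI or similar operator-supplied fields, logging the action id alone is enough at debug level.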
@@ -53,12 +54,14 @@ type Managed struct { router *router srv *server.Server as *actionStore + upgrader *upgrade.Upgrader } func newManaged( ctx context.Context, log *logger.Logger, rawConfig *config.Config, + reexec reexecManager, ) (*Managed, error) { agentInfo, err := info.NewAgentInfo() if err != nil { @@ -196,6 +199,13 @@ func newManaged( return nil, err } + managedApplication.upgrader = upgrade.NewUpgrader( + cfg.Settings.DownloadConfig, + log, + []context.CancelFunc{managedApplication.cancelCtxFn}, + reexec, + acker) + actionDispatcher.MustRegister( &fleetapi.ActionConfigChange{}, &handlerConfigChange{ @@ -215,6 +225,14 @@ func newManaged( }, ) + actionDispatcher.MustRegister( + &fleetapi.ActionUpgrade{}, + &handlerUpgrade{ + upgrader: managedApplication.upgrader, + log: log, + }, + ) + actionDispatcher.MustRegister( &fleetapi.ActionUnknown{}, &handlerUnknown{log: log}, @@ -256,6 +274,10 @@ func (m *Managed) Start() error { return nil } + if err := m.upgrader.Ack(m.bgContext); err != nil { + m.log.Warnf("failed to ack update %v", err) + } + m.gateway.Start() return nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/stream.go b/x-pack/elastic-agent/pkg/agent/application/stream.go index ee2b1f2d0197..41999fcb8329 100644 --- a/x-pack/elastic-agent/pkg/agent/application/stream.go +++ b/x-pack/elastic-agent/pkg/agent/application/stream.go @@ -19,6 +19,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/monitoring" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/server" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/state" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) type operatorStream struct { 
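Review bot: In `Start`, a failing `m.upgrader.Ack(m.bgContext)` is only logged, so if Fleet is unreachable in the moment the upgraded agent comes up the upgrade action may stay unacked unless `Ack` is retried on a later cycle — nothing in this hunk shows a retry. Either schedule the ack through the gateway's regular check-in or add a comment stating where the retry happens: `// Ack is idempotent and re-attempted on the next check-in; a failure here is not fatal.` The `NewUpgrader` call hands over `[]context.CancelFunc{managedApplication.cancelCtxFn}` with no explanation; one line on why the upgrader gets the application's cancel function (presumably to stop the running operator before re-exec) would help. `newManaged`'s body starts and ends outside these hunks.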
@@ -56,7 +57,8 @@ func streamFactory(ctx context.Context, cfg *configuration.SettingsConfig, srv * func newOperator(ctx context.Context, log *logger.Logger, id routingKey, config *configuration.SettingsConfig, srv *server.Server, r state.Reporter, m monitoring.Monitor) (*operation.Operator, error) { fetcher := downloader.NewDownloader(log, config.DownloadConfig) - verifier, err := downloader.NewVerifier(log, config.DownloadConfig) + allowEmptyPgp, pgp := release.PGP() + verifier, err := downloader.NewVerifier(log, config.DownloadConfig, allowEmptyPgp, pgp) if err != nil { return nil, errors.New(err, "initiating verifier") } diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_download.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_download.go new file mode 100644 index 000000000000..28e93949fbf4 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_download.go 
@@ -0,0 +1,43 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package upgrade
+
+import (
+ "context"
+
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
+ downloader "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download/localremote"
+ "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release"
+)
+
+func (u *Upgrader) downloadArtifact(ctx context.Context, version, sourceURI string) (string, error) {
+ // do not update source config
+ settings := *u.settings
+ if sourceURI != "" {
+ settings.SourceURI = sourceURI
+ }
+
+ allowEmptyPgp, pgp := release.PGP()
+ verifier, err := downloader.NewVerifier(u.log, &settings, allowEmptyPgp, pgp)
+ if err != nil {
+ return "", errors.New(err, "initiating verifier")
+ }
+
+ fetcher := downloader.NewDownloader(u.log, &settings)
+ path, err := fetcher.Download(ctx, agentName, agentArtifactName, version)
+ if err != nil {
+ return "", errors.New(err, "failed upgrade of agent binary")
+ }
+
+ matches, err := verifier.Verify(agentName, version)
+ if err != nil {
+ return "", errors.New(err, "failed verification of agent binary")
+ }
+ if !matches {
+ return "", errors.New("failed verification of agent binary, hash does not match", errors.TypeSecurity)
+ }
+
+ return path, nil
+}
diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go
new file mode 100644
index 000000000000..0d8253bb9ca8
--- /dev/null
+++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go
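Review bot: When `verifier.Verify` errors or reports a mismatch, the artifact that `fetcher.Download` just wrote at `path` is left on disk, so an artifact that failed verification stays in the download directory where a later run may pick it up. Remove it before returning in both branches (adding the `os` import), e.g. `if rerr := os.Remove(path); rerr != nil { u.log.Warnf("failed to remove unverified artifact %s: %v", path, rerr) }`, and log the removal failure rather than masking the verification error. `settings := *u.settings` is a shallow copy; that is fine only if the download config holds no pointer or map fields — worth a comment confirming it. The `sourceURI` override means verification is the only control over where the binary comes from, which makes the clean-up above more than cosmetic.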
@@ -0,0 +1,123 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package upgrade + +import ( + "context" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "runtime" + "time" + + "gopkg.in/yaml.v2" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +const markerFilename = ".update-marker" + +type updateMarker struct { + // Hash agent is updated to + Hash string `json:"hash" yaml:"hash"` + //UpdatedOn marks a date when update happened + UpdatedOn time.Time `json:"updated_on" yaml:"updated_on"` + + // PrevVersion is a version agent is updated from + PrevVersion string `json:"prev_version" yaml:"prev_version"` + // PrevHash is a hash agent is updated from + PrevHash string `json:"prev_hash" yaml:"prev_hash"` + + // Acked is a flag marking whether or not action was acked + Acked bool `json:"acked" yaml:"acked"` + Action *fleetapi.ActionUpgrade `json:"action" yaml:"action"` +} + +// markUpgrade marks update happened so we can handle grace period +func (h *Upgrader) markUpgrade(ctx context.Context, hash string, action *fleetapi.ActionUpgrade) error { + if err := updateHomePath(hash); err != nil { + return err + } + + prevVersion := release.Version() + prevHash := release.Commit() + if len(prevHash) > hashLen { + prevHash = prevHash[:hashLen] + } + + marker := updateMarker{ + Hash: hash, + UpdatedOn: time.Now(), + PrevVersion: prevVersion, + PrevHash: prevHash, + Action: action, + } + + markerBytes, err := yaml.Marshal(marker) + if err != nil { + return errors.New(err, errors.TypeConfig, "failed to parse marker file") + } + + markerPath := 
filepath.Join(paths.Data(), markerFilename) + if err := ioutil.WriteFile(markerPath, markerBytes, 0600); err != nil { + return errors.New(err, errors.TypeFilesystem, "failed to create update marker file", errors.M(errors.MetaKeyPath, markerPath)) + } + + activeCommitPath := filepath.Join(paths.Config(), agentCommitFile) + if err := ioutil.WriteFile(activeCommitPath, []byte(hash), 0644); err != nil { + return errors.New(err, errors.TypeFilesystem, "failed to update active commit", errors.M(errors.MetaKeyPath, activeCommitPath)) + } + + return nil +} + +func updateHomePath(hash string) error { + if err := createPathsSymlink(hash); err != nil { + return errors.New(err, errors.TypeFilesystem, "failed to create paths symlink") + } + + pathsMap := make(map[string]string) + pathsFilepath := filepath.Join(paths.Data(), "paths.yml") + + pathsBytes, err := ioutil.ReadFile(pathsFilepath) + if err != nil { + return errors.New(err, errors.TypeConfig, "failed to read paths file") + } + + if err := yaml.Unmarshal(pathsBytes, &pathsMap); err != nil { + return errors.New(err, errors.TypeConfig, "failed to parse paths file") + } + + pathsMap["path.home"] = filepath.Join(filepath.Dir(paths.Home()), fmt.Sprintf("%s-%s", agentName, hash)) + + pathsBytes, err = yaml.Marshal(pathsMap) + if err != nil { + return errors.New(err, errors.TypeConfig, "failed to marshal paths file") + } + + return ioutil.WriteFile(pathsFilepath, pathsBytes, 0740) +} + +func createPathsSymlink(hash string) error { + // only on windows, as windows resolves PWD using symlinks in a different way. 
+ // we create symlink for each versioned agent inside `data/` directory + // on other systems path is shared + if runtime.GOOS != "windows" { + return nil + } + + dir := filepath.Join(paths.Data(), fmt.Sprintf("%s-%s", agentName, hash)) + versionedPath := filepath.Join(dir, "data", "paths.yml") + if err := os.MkdirAll(filepath.Dir(versionedPath), 0700); err != nil { + return err + } + + pathsCfgPath := filepath.Join(paths.Data(), "paths.yml") + return os.Symlink(pathsCfgPath, versionedPath) +} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go new file mode 100644 index 000000000000..48d22de36cfe --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go 
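Review bot: `updateHomePath` rewrites `paths.yml` with mode `0740`, which makes a YAML data file owner-executable and disagrees with the `0600` used for the marker and `0644` for the active-commit file in the same file; `0640` (or whatever mode the installer originally gives `paths.yml`) looks intended: `return ioutil.WriteFile(pathsFilepath, pathsBytes, 0640)`. The marshal failure in `markUpgrade` is reported as `"failed to parse marker file"` although it is a marshal, not a parse. `createPathsSymlink` runs before `paths.yml` is read and validated, so a read or parse failure returns with the new versioned directory and symlink already created on Windows; reading the file first, then creating the symlink, keeps the failure path clean.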
@@ -0,0 +1,42 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package upgrade + +import ( + "context" + "fmt" + "os" + "path/filepath" + "runtime" + + "github.com/elastic/beats/v7/libbeat/common/file" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" +) + +// changeSymlink changes root symlink so it points to updated version +func (u *Upgrader) changeSymlink(ctx context.Context, newHash string) error { + // create symlink to elastic-agent-{hash} + hashedDir := fmt.Sprintf("%s-%s", agentName, newHash) + + agentBakName := agentName + ".bak" + symlinkPath := filepath.Join(paths.Config(), agentName) + newPath := filepath.Join(paths.Data(), hashedDir, agentName) + + // handle windows suffixes + if runtime.GOOS == "windows" { + agentBakName = agentName + ".exe.back" //.bak is already used + symlinkPath += ".exe" + newPath += ".exe" + } + + bakNewPath := filepath.Join(paths.Config(), agentBakName) + if err := os.Symlink(newPath, bakNewPath); err != nil { + return errors.New(err, errors.TypeFilesystem, "failed to update agent symlink") + } + + // safely rotate + return file.SafeFileRotate(symlinkPath, bakNewPath) +} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go new file mode 100644 index 000000000000..ae3d05edd160 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go 
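Review bot: `os.Symlink(newPath, bakNewPath)` returns an exists error when a `.bak` (or `.exe.back`) link is left over from an earlier interrupted upgrade, so every later upgrade attempt would fail at this step until someone removes the file by hand; a best-effort `os.Remove(bakNewPath)` just before the `os.Symlink` call makes the step repeatable. The `ctx` parameter is not used anywhere in the body, so it should either be dropped or documented as reserved. The doc comment could also state the two-phase shape, which is what a reader needs to understand why a second link is created at all: `// changeSymlink points the root agent symlink at elastic-agent-{newHash}: the new link is staged under the .bak name and then rotated into place by file.SafeFileRotate, so the root link is never missing.` (whether the rotation is atomic depends on SafeFileRotate, which is not visible here).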
@@ -0,0 +1,219 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package upgrade + +import ( + "archive/tar" + "archive/zip" + "compress/gzip" + "context" + "fmt" + "io" + "io/ioutil" + "os" + "path/filepath" + "runtime" + "strings" + + "github.com/hashicorp/go-multierror" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" +) + +// untar unpacks archive correctly, skips root (symlink, config...) unpacks data/* +func (u *Upgrader) unpack(ctx context.Context, version, sourceURI, archivePath string) (string, error) { + // unpack must occur in directory that holds the installation directory + // or the extraction will be double nested + var hash string + var err error + if runtime.GOOS == "windows" { + hash, err = unzip(version, archivePath) + } else { + hash, err = untar(version, archivePath) + } + if err != nil { + return "", err + } + + return hash, nil +} + +func unzip(version, archivePath string) (string, error) { + var hash, rootDir string + r, err := zip.OpenReader(archivePath) + if err != nil { + return "", err + } + defer r.Close() + + fileNamePrefix := strings.TrimSuffix(filepath.Base(archivePath), ".zip") + "/" // omitting `elastic-agent-{version}-{os}-{arch}/` in filename + + unpackFile := func(f *zip.File) (err error) { + rc, err := f.Open() + if err != nil { + return err + } + defer func() { + if cerr := rc.Close(); cerr != nil { + err = multierror.Append(err, cerr) + } + }() + + //get hash + fileName := strings.TrimPrefix(f.Name, fileNamePrefix) + if fileName == agentCommitFile { + hashBytes, err := ioutil.ReadAll(rc) + if err != nil || len(hashBytes) < hashLen { + return err + } + + hash = string(hashBytes[:hashLen]) + return nil + } + + // skip everything 
outside data/ + if !strings.HasPrefix(fileName, "data/") { + return nil + } + + path := filepath.Join(paths.Data(), strings.TrimPrefix(fileName, "data/")) + + if f.FileInfo().IsDir() { + os.MkdirAll(path, f.Mode()) + } else { + os.MkdirAll(filepath.Dir(path), f.Mode()) + f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) + if err != nil { + return err + } + defer func() { + if cerr := f.Close(); cerr != nil { + err = multierror.Append(err, cerr) + } + }() + + if _, err = io.Copy(f, rc); err != nil { + return err + } + } + return nil + } + + for _, f := range r.File { + if rootDir == "" && filepath.Base(f.Name) == filepath.Dir(f.Name) { + return f.Name, nil + } + if currentDir := filepath.Dir(f.Name); rootDir == "" || len(currentDir) < len(rootDir) { + rootDir = currentDir + } + + if err := unpackFile(f); err != nil { + return "", err + } + } + + return hash, nil +} + +func untar(version, archivePath string) (string, error) { + r, err := os.Open(archivePath) + if err != nil { + return "", errors.New(fmt.Sprintf("artifact for 'elastic-agent' version '%s' could not be found at '%s'", version, archivePath), errors.TypeFilesystem, errors.M(errors.MetaKeyPath, archivePath)) + } + defer r.Close() + + zr, err := gzip.NewReader(r) + if err != nil { + return "", errors.New("requires gzip-compressed body", err, errors.TypeFilesystem) + } + + tr := tar.NewReader(zr) + var rootDir string + var hash string + fileNamePrefix := strings.TrimSuffix(filepath.Base(archivePath), ".tar.gz") + "/" // omitting `elastic-agent-{version}-{os}-{arch}/` in filename + + // go through all the content of a tar archive + // if elastic-agent.active.commit file is found, get commit of the version unpacked + // otherwise copy everything inside data directory (everything related to new version), + // pieces outside of data we already have and should not be overwritten as they are usually configs + for { + f, err := tr.Next() + if err == io.EOF { + break + } + if err != nil { + 
return "", err + } + + if !validFileName(f.Name) { + return "", errors.New("tar contained invalid filename: %q", f.Name, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, f.Name)) + } + + //get hash + fileName := strings.TrimPrefix(f.Name, fileNamePrefix) + + if fileName == agentCommitFile { + hashBytes, err := ioutil.ReadAll(tr) + if err != nil || len(hashBytes) < hashLen { + return "", err + } + + hash = string(hashBytes[:hashLen]) + continue + } + + // skip everything outside data/ + if !strings.HasPrefix(fileName, "data/") { + continue + } + + rel := filepath.FromSlash(strings.TrimPrefix(fileName, "data/")) + abs := filepath.Join(paths.Data(), rel) + + // find the root dir + if currentDir := filepath.Dir(abs); rootDir == "" || len(filepath.Dir(rootDir)) > len(currentDir) { + rootDir = currentDir + } + + fi := f.FileInfo() + mode := fi.Mode() + switch { + case mode.IsRegular(): + // just to be sure, it should already be created by Dir type + if err := os.MkdirAll(filepath.Dir(abs), 0755); err != nil { + return "", errors.New(err, "TarInstaller: creating directory for file "+abs, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, abs)) + } + + wf, err := os.OpenFile(abs, os.O_RDWR|os.O_CREATE|os.O_TRUNC, mode.Perm()) + if err != nil { + return "", errors.New(err, "TarInstaller: creating file "+abs, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, abs)) + } + + _, err = io.Copy(wf, tr) + if closeErr := wf.Close(); closeErr != nil && err == nil { + err = closeErr + } + if err != nil { + return "", fmt.Errorf("TarInstaller: error writing to %s: %v", abs, err) + } + case mode.IsDir(): + if err := os.MkdirAll(abs, 0755); err != nil { + return "", errors.New(err, "TarInstaller: creating directory for file "+abs, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, abs)) + } + default: + return "", errors.New(fmt.Sprintf("tar file entry %s contained unsupported file type %v", fileName, mode), errors.TypeFilesystem, errors.M(errors.MetaKeyPath, fileName)) + } + } + 
+ return hash, nil +} + +func validFileName(p string) bool { + if p == "" || strings.Contains(p, `\`) || strings.HasPrefix(p, "/") || strings.Contains(p, "../") { + return false + } + return true +} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go new file mode 100644 index 000000000000..cc27846051f0 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go 
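Review bot: `unzip` never applies `validFileName` to `f.Name` the way `untar` does, so a zip entry such as `data/../../x` survives the `TrimPrefix` and is joined below `paths.Data()` with the `..` intact, writing outside the data directory; add `if !validFileName(f.Name) { return "", errors.New(fmt.Sprintf("zip contained invalid filename: %q", f.Name), errors.TypeFilesystem, errors.M(errors.MetaKeyPath, f.Name)) }` at the top of the `for _, f := range r.File` loop before `unpackFile(f)`. `validFileName` itself only rejects the substring `../`, so a trailing `..` component like `data/..` passes; checking the cleaned result with `filepath.Rel(paths.Data(), abs)` and rejecting anything starting with `..` would cover both unpackers more robustly. In `unpackFile` both `os.MkdirAll` results are discarded, and the `rootDir == "" && filepath.Base(f.Name) == filepath.Dir(f.Name)` branch returns `f.Name` as the hash rather than the commit read from `agentCommitFile`, which looks unintended and should be confirmed. The `untar` error `errors.New("tar contained invalid filename: %q", f.Name, ...)` passes a format string without formatting it, so unless `errors.New` formats its arguments the message will carry a literal `%q`; wrap it in `fmt.Sprintf` as the other messages in this function do.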
@@ -0,0 +1,139 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package upgrade + +import ( + "context" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "strings" + + "gopkg.in/yaml.v2" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +const ( + agentName = "elastic-agent" + hashLen = 6 + agentCommitFile = ".elastic-agent.active.commit" + agentArtifactName = "beats/" + agentName +) + +// Upgrader performs an upgrade +type Upgrader struct { + settings *artifact.Config + log *logger.Logger + closers []context.CancelFunc + reexec reexecManager + acker acker +} + +type reexecManager interface { + ReExec(argOverrides ...string) +} + +type acker interface { + Ack(ctx context.Context, action fleetapi.Action) error + Commit(ctx context.Context) error +} + +// NewUpgrader creates an upgrader which is capable of performing upgrade operation +func NewUpgrader(settings *artifact.Config, log *logger.Logger, closers []context.CancelFunc, reexec reexecManager, a acker) *Upgrader { + return &Upgrader{ + settings: settings, + log: log, + closers: closers, + reexec: reexec, + acker: a, + } +} + +// Upgrade upgrades running agent +func (u *Upgrader) Upgrade(ctx context.Context, a *fleetapi.ActionUpgrade) error { + archivePath, err := u.downloadArtifact(ctx, a.Version, a.SourceURI) + if err != nil { + return err + } + + newHash, err := u.unpack(ctx, a.Version, a.SourceURI, archivePath) + if err != nil { + return err + } + + 
if newHash == "" { + return errors.New("unknown hash") + } + + if strings.HasPrefix(release.Commit(), newHash) { + return errors.New("upgrading to same version") + } + + if err := u.changeSymlink(ctx, newHash); err != nil { + rollbackInstall(newHash) + return err + } + + if err := u.markUpgrade(ctx, newHash, a); err != nil { + rollbackInstall(newHash) + return err + } + + u.reexec.ReExec() + return nil +} + +// Ack acks last upgrade action +func (u *Upgrader) Ack(ctx context.Context) error { + // get upgrade action + markerFile := filepath.Join(paths.Data(), markerFilename) + markerBytes, err := ioutil.ReadFile(markerFile) + if err != nil && os.IsNotExist(err) { + return nil + } else if err != nil { + return err + } + + marker := &updateMarker{} + if err := yaml.Unmarshal(markerBytes, marker); err != nil { + return err + } + + if marker.Acked { + return nil + } + + if err := u.acker.Ack(ctx, marker.Action); err != nil { + return err + } + + if err := u.acker.Commit(ctx); err != nil { + return err + } + + marker.Acked = true + markerBytes, err = yaml.Marshal(marker) + if err != nil { + return err + } + + return ioutil.WriteFile(markerFile, markerBytes, 0600) +} + +func isSubdir(base, target string) (bool, error) { + relPath, err := filepath.Rel(base, target) + return strings.HasPrefix(relPath, ".."), err +} + +func rollbackInstall(hash string) { + os.RemoveAll(filepath.Join(paths.Data(), fmt.Sprintf("%s-%s", agentName, hash))) +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/run.go b/x-pack/elastic-agent/pkg/agent/cmd/run.go index a60c8a87c932..a7b56a664bac 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/run.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/run.go @@ -96,7 +96,7 @@ func run(flags *globalFlags, streams *cli.IOStreams) error { // Windows: Mark se } defer control.Stop() - app, err := application.New(logger, pathConfigFile) + app, err := application.New(logger, pathConfigFile, rex) if err != nil { return err } 
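Review bot: The `upgrading to same version` check runs only after `unpack` has already extracted the archive into `data/elastic-agent-<newHash>`, which in that case is the directory of the running agent, so its files are truncated and rewritten by `O_TRUNC` before the upgrade is rejected; reading `agentCommitFile` out of the archive before extracting, or extracting into a temporary directory first, would let the check run before anything on disk is touched. The `newHash == ""` and same-version returns also skip `rollbackInstall`, unlike the two later failure paths, so for an unknown hash the extracted files are left behind with no record of where they went (for the same-version case a rollback would delete the running installation, which is another reason the check belongs before unpacking). Separately, `isSubdir` returns `true` exactly when `relPath` starts with `..`, i.e. when `target` lies outside `base`, so its name and its result are inverted; `return !strings.HasPrefix(relPath, ".."), err` or a rename fixes it, and since it is not referenced in this hunk any callers elsewhere should be checked for which meaning they assume.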
diff --git a/x-pack/elastic-agent/pkg/artifact/config.go b/x-pack/elastic-agent/pkg/artifact/config.go index 6faa9861710b..5b0766cb2574 100644 --- a/x-pack/elastic-agent/pkg/artifact/config.go +++ b/x-pack/elastic-agent/pkg/artifact/config.go @@ -30,10 +30,6 @@ type Config struct { // Timeout: timeout for downloading package Timeout time.Duration `json:"timeout" config:"timeout"` - // PgpFile: filepath to a public key used for verifying downloaded artifacts - // if not file is present elastic-agent will try to load public key from elastic.co website. - PgpFile string `json:"pgpfile" config:"pgpfile"` - // InstallPath: path to the directory containing installed packages InstallPath string `yaml:"installPath" config:"install_path"` @@ -48,12 +44,10 @@ type Config struct { // DefaultConfig creates a config with pre-set default values. func DefaultConfig() *Config { homePath := paths.Home() - dataPath := paths.Data() return &Config{ SourceURI: "https://artifacts.elastic.co/downloads/", TargetDirectory: filepath.Join(homePath, "downloads"), Timeout: 30 * time.Second, - PgpFile: filepath.Join(dataPath, "elastic.pgp"), InstallPath: filepath.Join(homePath, "install"), } } diff --git a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go index 20bff381a394..d934b20faefb 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier.go @@ -14,11 +14,9 @@ import ( "os" "path/filepath" "strings" - "sync" "golang.org/x/crypto/openpgp" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" ) 
@@ -30,15 +28,22 @@ const ( // Verifier verifies a downloaded package by comparing with public ASC // file from elastic.co website. type Verifier struct { - config *artifact.Config - pgpBytes []byte + config *artifact.Config + pgpBytes []byte + allowEmptyPgp bool } // NewVerifier create a verifier checking downloaded package on preconfigured // location agains a key stored on elastic.co website. -func NewVerifier(config *artifact.Config) (*Verifier, error) { +func NewVerifier(config *artifact.Config, allowEmptyPgp bool, pgp []byte) (*Verifier, error) { + if len(pgp) == 0 && !allowEmptyPgp { + return nil, errors.New("expecting PGP but retrieved none", errors.TypeSecurity) + } + v := &Verifier{ - config: config, + config: config, + allowEmptyPgp: allowEmptyPgp, + pgpBytes: pgp, } return v, nil @@ -59,9 +64,11 @@ func (v *Verifier) Verify(programName, version string) (bool, error) { // remove bits so they can be redownloaded os.Remove(fullPath) os.Remove(fullPath + ".sha512") + os.Remove(fullPath + ".asc") + return isMatch, err } - return isMatch, err + return v.verifyAsc(filename, fullPath) } func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { @@ -87,7 +94,7 @@ func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { } if expectedHash == "" { - return false, fmt.Errorf("hash for '%s' not found", filename) + return false, fmt.Errorf("hash for '%s' not found in '%s'", filename, hashFilePath) } // compute file hash 
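Review bot: In the `Verify` hunk the hash-mismatch branch removes the artifact, `.sha512` and now `.asc` so they can be re-downloaded, but a signature failure returned by `verifyAsc` leaves all three on disk, so an artifact whose hash file matches but whose signature does not stays in the download directory and, if the downloader reuses existing files, is re-verified on the next attempt; removing the files on `verifyAsc` failure as well, e.g. `isMatch, err = v.verifyAsc(filename, fullPath)` followed by the same `!isMatch || err != nil` removal block and `return isMatch, err`, keeps the two checks symmetric. The same asymmetry is in the http verifier's `Verify` hunk (`@@ -71,9 +77,11 @@`). The `Verifier` doc comment still says the key comes from the elastic.co website, while `NewVerifier` now receives it as the `pgp` argument; `// Verifier checks a downloaded package against its .sha512 file and its detached .asc signature, using the PGP key supplied at construction.` would describe the new code.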
@@ -107,19 +114,16 @@ func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { } func (v *Verifier) verifyAsc(filename, fullPath string) (bool, error) { - var err error - var pgpBytesLoader sync.Once - - pgpBytesLoader.Do(func() { - err = v.loadPGP(v.config.PgpFile) - }) - - if err != nil { - return false, errors.New(err, "loading PGP") + if len(v.pgpBytes) == 0 { + // no pgp available skip verification process + return true, nil } - ascBytes, err := v.getPublicAsc(filename) - if err != nil { + ascBytes, err := v.getPublicAsc(fullPath) + if err != nil && v.allowEmptyPgp { + // asc not available but we allow empty for dev use-case + return true, nil + } else if err != nil { return false, err } @@ -143,10 +147,8 @@ func (v *Verifier) verifyAsc(filename, fullPath string) (bool, error) { return true, nil } -func (v *Verifier) getPublicAsc(filename string) ([]byte, error) { - ascFile := fmt.Sprintf("%s%s", filename, ascSuffix) - fullPath := filepath.Join(paths.Home(), "downloads", ascFile) - +func (v *Verifier) getPublicAsc(fullPath string) ([]byte, error) { + fullPath = fmt.Sprintf("%s%s", fullPath, ascSuffix) b, err := ioutil.ReadFile(fullPath) if err != nil { return nil, errors.New(err, fmt.Sprintf("fetching asc file from '%s'", fullPath), errors.TypeFilesystem, errors.M(errors.MetaKeyPath, fullPath)) @@ -154,18 +156,3 @@ func (v *Verifier) getPublicAsc(filename string) ([]byte, error) { return b, nil } - -func (v *Verifier) loadPGP(file string) error { - var err error - - if file == "" { - return errors.New("pgp file not specified for verifier", errors.TypeConfig) - } - - v.pgpBytes, err = ioutil.ReadFile(file) - if err != nil { - return errors.New(err, errors.TypeFilesystem) - } - - return nil -} diff --git a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go index 4787656d8b0a..4fd845482c5d 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go 
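Review bot: With `allowEmptyPgp` set, a missing `.asc` makes `verifyAsc` return `true, nil` even though a key was supplied and only the hash was checked, and the skip leaves no trace: the error is discarded and nothing is logged, so a dev build that silently stopped verifying signatures looks the same as one that verified them. The `Verifier` struct has no logger field, so at minimum the comment should name the build flag behind it and what is being skipped, e.g. `// allowEmptyPgp is a build-time debug switch (see release.PGP); when set, a missing .asc is tolerated and the artifact is accepted on its hash alone.` The same applies to the http verifier's `verifyAsc` hunk (`@@ -147,7 +149,10 @@`). The `len(v.pgpBytes) == 0` short-circuit returning `true` is only reachable when `allowEmptyPgp` was set in `NewVerifier`, which is worth stating there too, since `// no pgp available skip verification process` reads as if that were an ordinary case.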
+++ b/x-pack/elastic-agent/pkg/artifact/download/fs/verifier_test.go @@ -59,7 +59,7 @@ func TestFetchVerify(t *testing.T) { assert.NoError(t, err) downloader := NewDownloader(config) - verifier, err := NewVerifier(config) + verifier, err := NewVerifier(config, true, nil) assert.NoError(t, err) // first download verify should fail: @@ -157,7 +157,7 @@ func TestVerify(t *testing.T) { t.Fatal(err) } - testVerifier, err := NewVerifier(config) + testVerifier, err := NewVerifier(config, true, nil) if err != nil { t.Fatal(err) } diff --git a/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go b/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go index a1e1ced0b662..0edb979a320e 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go +++ b/x-pack/elastic-agent/pkg/artifact/download/http/elastic_test.go @@ -105,7 +105,7 @@ func TestVerify(t *testing.T) { t.Fatal(err) } - testVerifier, err := NewVerifier(config) + testVerifier, err := NewVerifier(config, true, nil) if err != nil { t.Fatal(err) } diff --git a/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go index 171b3363aecc..9f2eacd93959 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/http/verifier.go @@ -16,7 +16,6 @@ import ( "os" "path" "strings" - "sync" "golang.org/x/crypto/openpgp" 
@@ -32,20 +31,27 @@ const ( // Verifier verifies a downloaded package by comparing with public ASC // file from elastic.co website. type Verifier struct { - config *artifact.Config - client http.Client - pgpBytes []byte + config *artifact.Config + client http.Client + pgpBytes []byte + allowEmptyPgp bool } // NewVerifier create a verifier checking downloaded package on preconfigured // location agains a key stored on elastic.co website. -func NewVerifier(config *artifact.Config) (*Verifier, error) { +func NewVerifier(config *artifact.Config, allowEmptyPgp bool, pgp []byte) (*Verifier, error) { + if len(pgp) == 0 && !allowEmptyPgp { + return nil, errors.New("expecting PGP but retrieved none", errors.TypeSecurity) + } + client := http.Client{Timeout: config.Timeout} rtt := withHeaders(client.Transport, headers) client.Transport = rtt v := &Verifier{ - config: config, - client: client, + config: config, + client: client, + allowEmptyPgp: allowEmptyPgp, + pgpBytes: pgp, } return v, nil @@ -71,9 +77,11 @@ func (v *Verifier) Verify(programName, version string) (bool, error) { // remove bits so they can be redownloaded os.Remove(fullPath) os.Remove(fullPath + ".sha512") + os.Remove(fullPath + ".asc") + return isMatch, err } - return isMatch, err + return v.verifyAsc(programName, version) } func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { @@ -120,15 +128,9 @@ func (v *Verifier) verifyHash(filename, fullPath string) (bool, error) { } func (v *Verifier) verifyAsc(programName, version string) (bool, error) { - var err error - var pgpBytesLoader sync.Once - - pgpBytesLoader.Do(func() { - err = v.loadPGP(v.config.PgpFile) - }) - - if err != nil { - return false, errors.New(err, "loading PGP") + if len(v.pgpBytes) == 0 { + // no pgp available skip verification process + return true, nil } filename, err := artifact.GetArtifactName(programName, version, v.config.OS(), v.config.Arch()) 
@@ -147,7 +149,10 @@ func (v *Verifier) verifyAsc(programName, version string) (bool, error) { } ascBytes, err := v.getPublicAsc(ascURI) - if err != nil { + if err != nil && v.allowEmptyPgp { + // asc not available but we allow empty for dev use-case + return true, nil + } else if err != nil { return false, errors.New(err, fmt.Sprintf("fetching asc file from %s", ascURI), errors.TypeNetwork, errors.M(errors.MetaKeyURI, ascURI)) } @@ -202,33 +207,3 @@ func (v *Verifier) getPublicAsc(sourceURI string) ([]byte, error) { return ioutil.ReadAll(resp.Body) } - -func (v *Verifier) loadPGP(file string) error { - var err error - - if file == "" { - v.pgpBytes, err = v.loadPGPFromWeb() - return err - } - - v.pgpBytes, err = ioutil.ReadFile(file) - if err != nil { - return errors.New(err, errors.TypeFilesystem, errors.M(errors.MetaKeyPath, file)) - } - - return nil -} - -func (v *Verifier) loadPGPFromWeb() ([]byte, error) { - resp, err := v.client.Get(publicKeyURI) - if err != nil { - return nil, errors.New(err, "failed loading public key", errors.TypeNetwork, errors.M(errors.MetaKeyURI, publicKeyURI)) - } - defer resp.Body.Close() - - if resp.StatusCode != 200 { - return nil, errors.New(fmt.Sprintf("call to '%s' returned unsuccessful status code: %d", publicKeyURI, resp.StatusCode), errors.TypeNetwork, errors.M(errors.MetaKeyURI, publicKeyURI)) - } - - return ioutil.ReadAll(resp.Body) -} diff --git a/x-pack/elastic-agent/pkg/artifact/download/localremote/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/localremote/verifier.go index 34863270679b..4f33cbbdb8e2 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/localremote/verifier.go +++ b/x-pack/elastic-agent/pkg/artifact/download/localremote/verifier.go 
@@ -17,10 +17,10 @@ import ( // NewVerifier creates a downloader which first checks local directory // and then fallbacks to remote if configured. -func NewVerifier(log *logger.Logger, config *artifact.Config) (download.Verifier, error) { +func NewVerifier(log *logger.Logger, config *artifact.Config, allowEmptyPgp bool, pgp []byte) (download.Verifier, error) { verifiers := make([]download.Verifier, 0, 3) - fsVer, err := fs.NewVerifier(config) + fsVer, err := fs.NewVerifier(config, allowEmptyPgp, pgp) if err != nil { return nil, err } @@ -28,7 +28,7 @@ func NewVerifier(log *logger.Logger, config *artifact.Config) (download.Verifier // try snapshot repo before official if release.Snapshot() { - snapshotVerifier, err := snapshot.NewVerifier(config) + snapshotVerifier, err := snapshot.NewVerifier(config, allowEmptyPgp, pgp) if err != nil { log.Error(err) } else { @@ -36,7 +36,7 @@ func NewVerifier(log *logger.Logger, config *artifact.Config) (download.Verifier } } - remoteVer, err := http.NewVerifier(config) + remoteVer, err := http.NewVerifier(config, allowEmptyPgp, pgp) if err != nil { return nil, err } diff --git a/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go b/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go index f45a38d3f973..6f28ad8d9269 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go +++ b/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go @@ -38,7 +38,6 @@ func snapshotConfig(config *artifact.Config) (*artifact.Config, error) { SourceURI: snapshotURI, TargetDirectory: config.TargetDirectory, Timeout: config.Timeout, - PgpFile: config.PgpFile, InstallPath: config.InstallPath, DropPath: config.DropPath, }, nil diff --git a/x-pack/elastic-agent/pkg/artifact/download/snapshot/verifier.go b/x-pack/elastic-agent/pkg/artifact/download/snapshot/verifier.go index 91626a6b55b0..e9d8bbd4dc14 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/snapshot/verifier.go 
+++ b/x-pack/elastic-agent/pkg/artifact/download/snapshot/verifier.go @@ -12,10 +12,10 @@ import ( // NewVerifier creates a downloader which first checks local directory // and then fallbacks to remote if configured. -func NewVerifier(config *artifact.Config, downloaders ...download.Downloader) (download.Verifier, error) { +func NewVerifier(config *artifact.Config, allowEmptyPgp bool, pgp []byte) (download.Verifier, error) { cfg, err := snapshotConfig(config) if err != nil { return nil, err } - return http.NewVerifier(cfg) + return http.NewVerifier(cfg, allowEmptyPgp, pgp) } diff --git a/x-pack/elastic-agent/pkg/fleetapi/action.go b/x-pack/elastic-agent/pkg/fleetapi/action.go index bf7024e304f0..efb4e1672aaf 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/action.go +++ b/x-pack/elastic-agent/pkg/fleetapi/action.go @@ -12,6 +12,15 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" ) +const ( + // ActionTypeUpgrade specifies upgrade action. + ActionTypeUpgrade = "UPGRADE" + // ActionTypeUnenroll specifies unenroll action. + ActionTypeUnenroll = "UNENROLL" + // ActionTypeConfigChange specifies config change action. + ActionTypeConfigChange = "CONFIG_CHANGE" +) + // Action base interface for all the implemented action from the fleet API. type Action interface { fmt.Stringer 
@@ -83,6 +92,33 @@ func (a *ActionConfigChange) ID() string { return a.ActionID } +// ActionUpgrade is a request for agent to upgrade. +type ActionUpgrade struct { + ActionID string `json:"id" yaml:"id"` + ActionType string `json:"type" yaml:"type"` + Version string `json:"version" yaml:"version"` + SourceURI string `json:"source_uri" yaml:"source_uri"` +} + +func (a *ActionUpgrade) String() string { + var s strings.Builder + s.WriteString("action_id: ") + s.WriteString(a.ActionID) + s.WriteString(", type: ") + s.WriteString(a.ActionType) + return s.String() +} + +// Type returns the type of the Action. +func (a *ActionUpgrade) Type() string { + return a.ActionType +} + +// ID returns the ID of the Action. +func (a *ActionUpgrade) ID() string { + return a.ActionID +} + // ActionUnenroll is a request for agent to unhook from fleet. type ActionUnenroll struct { ActionID string @@ -133,7 +169,7 @@ func (a *Actions) UnmarshalJSON(data []byte) error { for _, response := range responses { switch response.ActionType { - case "CONFIG_CHANGE": + case ActionTypeConfigChange: action = &ActionConfigChange{ ActionID: response.ActionID, ActionType: response.ActionType, @@ -143,11 +179,22 @@ func (a *Actions) UnmarshalJSON(data []byte) error { "fail to decode CONFIG_CHANGE action", errors.TypeConfig) } - case "UNENROLL": + case ActionTypeUnenroll: action = &ActionUnenroll{ ActionID: response.ActionID, ActionType: response.ActionType, } + case ActionTypeUpgrade: + action = &ActionUpgrade{ + ActionID: response.ActionID, + ActionType: response.ActionType, + } + + if err := json.Unmarshal(response.Data, action); err != nil { + return errors.New(err, + "fail to decode UPGRADE_ACTION action", + errors.TypeConfig) + } default: action = &ActionUnknown{ ActionID: response.ActionID, diff --git a/x-pack/elastic-agent/pkg/release/pgp.go b/x-pack/elastic-agent/pkg/release/pgp.go new file mode 100644 index 000000000000..00ca6add25a3 --- /dev/null +++ b/x-pack/elastic-agent/pkg/release/pgp.go 
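Review bot: `ActionUpgrade.String()` reports only the id and type, while `Version` and `SourceURI` are the fields an operator needs in the log to audit where an upgrade was fetched from; appending `, version: ` and `, source_uri: ` pairs to the builder, mirroring the two existing `WriteString` pairs, would make the log line useful. The decode error in the `UnmarshalJSON` hunk says `UPGRADE_ACTION` while the new constant is `"UPGRADE"`; `"fail to decode UPGRADE action"` matches the `CONFIG_CHANGE` message style. The struct fields also lack doc comments; since `Upgrader.Upgrade` passes `a.SourceURI` straight to the downloader, `// SourceURI is the server-supplied location the agent downloads the new version from; the artifact verifiers' signature check is what bounds what such a URI can deliver.` records the trust boundary for the next reader.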
@@ -0,0 +1,25 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by x-pack/dev-tools/cmd/buildspec/buildPgp.go - DO NOT EDIT. + +package release + +import ( + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/packer" +) + +// pgp bytes is a packed in public gpg key +var pgpBytes []byte + +func init() { + // Packed Files + // GPG-KEY-elasticsearch + pgpBytes = packer.MustUnpack("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")["GPG-KEY-elasticsearch"] +} + +// PGP return pgpbytes and a flag describing whether or not no pgp is valid. +func PGP() (bool, []byte) { + return allowEmptyPgp == "true", pgpBytes +} diff --git a/x-pack/elastic-agent/pkg/release/version.go b/x-pack/elastic-agent/pkg/release/version.go index 542ea8294177..37579ac86de5 100644 --- a/x-pack/elastic-agent/pkg/release/version.go +++ b/x-pack/elastic-agent/pkg/release/version.go @@ -15,6 +15,10 @@ import ( // snapshot is a flag marking build as a snapshot. var snapshot = "" +// allowEmptyPgp is used as a debug flag and allows working +// without valid pgp +var allowEmptyPgp string + // Commit returns the current build hash or unknown if it was not injected in the build process. func Commit() string { return libbeatVersion.Commit() @@ -54,7 +58,7 @@ func Info() VersionInfo { } } -// String returns the string format for the version informaiton. +// String returns the string format for the version information. func (v *VersionInfo) String() string { var sb strings.Builder diff --git a/x-pack/filebeat/input/httpjson/requester.go b/x-pack/filebeat/input/httpjson/requester.go index 579e5e267564..b5f58179aa0b 100644 --- a/x-pack/filebeat/input/httpjson/requester.go +++ b/x-pack/filebeat/input/httpjson/requester.go 
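Review bot: `allowEmptyPgp` is a package-level `string` compared against `"true"` in `release.PGP()`, but its comment does not say how it is set or what values it accepts; given that `snapshot` next to it is described as a build flag, it is presumably injected at link time too, and the comment should say so, e.g. `// allowEmptyPgp is a debug build flag, set at link time like snapshot; when it is exactly "true" the artifact verifiers accept a missing PGP key or .asc signature. Leave it unset for release builds.` Any other value, including `"1"`, is treated as false, which is fine but worth stating next to the variable.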
@@ -12,6 +12,7 @@ import ( "io" "io/ioutil" "net/http" + "strings" stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" "github.com/elastic/beats/v7/libbeat/common" @@ -214,7 +215,7 @@ func (r *requester) processEventArray(publisher stateless.Publisher, events []in for _, t := range events { switch v := t.(type) { case map[string]interface{}: - for _, e := range r.splitEvent(v) { + for _, e := range splitEvent(r.splitEventsBy, v) { last = e d, err := json.Marshal(e) if err != nil { @@ -229,15 +230,23 @@ func (r *requester) processEventArray(publisher stateless.Publisher, events []in return last, nil } -func (r *requester) splitEvent(event map[string]interface{}) []map[string]interface{} { +func splitEvent(splitKey string, event map[string]interface{}) []map[string]interface{} { m := common.MapStr(event) - hasSplitKey, _ := m.HasKey(r.splitEventsBy) - if r.splitEventsBy == "" || !hasSplitKey { + // NOTE: this notation is only used internally, not meant to be documented + // and will be removed in the next release + keys := strings.SplitN(splitKey, "..", 2) + if len(keys) < 2 { + // we append an empty key to force the recursive call + keys = append(keys, "") + } + + hasSplitKey, _ := m.HasKey(keys[0]) + if keys[0] == "" || !hasSplitKey { return []map[string]interface{}{event} } - splitOnIfc, _ := m.GetValue(r.splitEventsBy) + splitOnIfc, _ := m.GetValue(keys[0]) splitOn, ok := splitOnIfc.([]interface{}) // if not an array or is empty, we do nothing if !ok || len(splitOn) == 0 { 
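Review bot: `splitEvent` is now a package-level function with a new `a..b` nested-key form, but it has no doc comment and the inline NOTE only says the notation is internal, so a reader at the `processEventArray` call site cannot tell what the returned slice holds. Suggested header: `// splitEvent fans event out into one copy per element of the array found at splitKey; a key of the form "a..b" splits on a and then, within each part, on b. The event is returned unchanged as a one-element slice when the key is empty, missing, or not a non-empty array.` The last clause restates the `if !ok || len(splitOn) == 0` check visible at the end of the hunk; the function body continues into the next hunk.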
@@ -252,12 +261,14 @@ func (r *requester) splitEvent(event map[string]interface{}) []map[string]interf return []map[string]interface{}{event} } - mm := m.Clone() - if _, err := mm.Put(r.splitEventsBy, s); err != nil { - return []map[string]interface{}{event} + // call splitEvent recursively for each part + for _, nestedSplit := range splitEvent(keys[1], s) { + mm := m.Clone() + if _, err := mm.Put(keys[0], nestedSplit); err != nil { + return []map[string]interface{}{event} + } + events = append(events, mm) } - - events = append(events, mm) } return events diff --git a/x-pack/filebeat/input/httpjson/requester_test.go b/x-pack/filebeat/input/httpjson/requester_test.go new file mode 100644 index 000000000000..31e65a57c739 --- /dev/null +++ b/x-pack/filebeat/input/httpjson/requester_test.go 
@@ -0,0 +1,86 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package httpjson
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestSplitEventsBy(t *testing.T) {
+ event := map[string]interface{}{
+ "this": "is kept",
+ "alerts": []interface{}{
+ map[string]interface{}{
+ "this_is": "also kept",
+ "entities": []interface{}{
+ map[string]interface{}{
+ "something": "something",
+ },
+ map[string]interface{}{
+ "else": "else",
+ },
+ },
+ },
+ map[string]interface{}{
+ "this_is": "also kept 2",
+ "entities": []interface{}{
+ map[string]interface{}{
+ "something": "something 2",
+ },
+ map[string]interface{}{
+ "else": "else 2",
+ },
+ },
+ },
+ },
+ }
+
+ expectedEvents := []map[string]interface{}{
+ {
+ "this": "is kept",
+ "alerts": map[string]interface{}{
+ "this_is": "also kept",
+ "entities": map[string]interface{}{
+ "something": "something",
+ },
+ },
+ },
+ {
+ "this": "is kept",
+ "alerts": map[string]interface{}{
+ "this_is": "also kept",
+ "entities": map[string]interface{}{
+ "else": "else",
+ },
+ },
+ },
+ {
+ "this": "is kept",
+ "alerts": map[string]interface{}{
+ "this_is": "also kept 2",
+ "entities": map[string]interface{}{
+ "something": "something 2",
+ },
+ },
+ },
+ {
+ "this": "is kept",
+ "alerts": map[string]interface{}{
+ "this_is": "also kept 2",
+ "entities": map[string]interface{}{
+ "else": "else 2",
+ },
+ },
+ },
+ }
+
+ const key = "alerts..entities"
+
+ got := splitEvent(key, event)
+
+ assert.Equal(t, expectedEvents, got)
+}
diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml
index f8f10132a0de..2d75cb072417 100644
--- a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml
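Review bot: `TestSplitEventsBy` only exercises the nested `alerts..entities` happy path, while the single-key form that the `..` handling was retrofitted onto (`"alerts"`), a key that is absent, a key whose value is not an array, an empty array, and a trailing `..` (`"alerts.."`) all flow through the new `keys` padding and none of them is pinned. A table-driven test with those inputs — each expecting the original event back unchanged, except plain `"alerts"` which should yield two events — would lock in the fallback behaviour that callers rely on. It would also be worth asserting that `event` itself is left untouched after the call, since the splits are supposed to be built from clones of it.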
+++ b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml @@ -74,7 +74,12 @@ processors: field: azure.activitylogs.result_type target_field: event.outcome type: string - if: "ctx?.azure?.activitylogs?.resultType != null && ctx.azure.activitylogs.resultType instanceof String && (ctx.azure.activitylogs.resultType.toLowerCase() == 'success' || ctx.azure.activitylogs.resultType.toLowerCase() == 'failure')" + if: "ctx?.azure?.activitylogs?.result_type != null && ctx.azure.activitylogs.result_type instanceof String && (ctx.azure.activitylogs.result_type.toLowerCase() == 'success' || ctx.azure.activitylogs.result_type.toLowerCase() == 'failure')" +- convert: + field: azure.activitylogs.properties.result + target_field: event.outcome + type: string + if: "ctx?.event?.outcome == null && ctx?.azure?.activitylogs?.properties?.result != null && ctx?.azure?.activitylogs?.properties?.result instanceof String && ['success', 'failure', 'unknown'].contains(ctx.azure?.activitylogs?.properties?.result)" - rename: field: azure.activitylogs.operationName target_field: azure.activitylogs.operation_name diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json index 7ba307ee6690..db962bd4df6f 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json @@ -45,6 +45,7 @@ "event.duration": -1468967296, "event.kind": "event", "event.module": "azure", + "event.outcome": "success", "event.type": [ "change" ], diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml index c93494c2dbb1..cdafe4ebde0d 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml 
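Review bot: The new `convert` processor's guard `['success', 'failure', 'unknown'].contains(ctx.azure?.activitylogs?.properties?.result)` is case-sensitive, whereas the processor just above it compares `result_type` after `.toLowerCase()`; if Azure ever emits `Success`/`Failure` in `properties.result` — which the `result_type` branch evidently expects — those events will simply get no `event.outcome`. Normalise the same way, `['success', 'failure', 'unknown'].contains(ctx.azure.activitylogs.properties.result.toLowerCase())`, and follow both branches with a `lowercase` processor on `event.outcome` (with `ignore_missing: true`), since ECS defines the field's values as lowercase and the `convert` copies the source's original casing. The `instanceof String` check already guards the `.toLowerCase()` call, so no extra null handling is needed.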
@@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml index 67018925f0f2..2ae84bd17e5b 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml @@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{url.domain}}' + if: ctx?.url?.domain != null && ctx?.url?.domain != "" + allow_duplicates: false + - append: + field: related.hosts + value: '{{server.domain}}' + if: ctx?.server?.domain != null && ctx?.url?.domain != "" + allow_duplicates: false on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json index 247344bdbfe6..ff70486fab55 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json @@ -46,6 +46,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "etdo" + ], "related.ip": [ "10.173.228.223" ], @@ -256,6 +259,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "tempor" + ], "related.ip": [ "10.138.137.28" ], @@ -296,6 +302,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "ari" + ], "related.ip": [ "10.108.180.105" ], 
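Review bot: The second `append`'s condition tests the wrong field: `if: ctx?.server?.domain != null && ctx?.url?.domain != ""` checks `url.domain` for emptiness instead of `server.domain`, so an empty `server.domain` is appended to `related.hosts` whenever `url.domain` is non-empty, and a valid `server.domain` is skipped whenever `url.domain` is empty. It should read `if: ctx?.server?.domain != null && ctx?.server?.domain != ""`. The regenerated expected output in this commit does not appear to catch it because no fixture line has one of the two fields empty while the other is set.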
@@ -422,6 +431,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "aveniam" + ], "related.ip": [ "10.82.201.113" ], @@ -484,8 +496,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.ip": [ - "10.110.109.5", - "10.18.165.35" + "10.18.165.35", + "10.110.109.5" ], "rsa.internal.messageid": "outbound/smtp", "rsa.investigations.event_cat": 1901000000, @@ -518,6 +530,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "dolore" + ], "related.ip": [ "10.195.109.134" ], @@ -857,6 +872,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "hitect", + "lit5929.test" + ], "related.ip": [ "10.198.6.166" ], @@ -937,6 +956,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "equat", + "uptat3156.www5.test" + ], "related.ip": [ "10.77.137.72" ], @@ -980,6 +1003,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "vitaedi", + "neav6028.internal.domain" + ], "related.ip": [ "10.128.114.77" ], @@ -1225,6 +1252,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "olupta" + ], "related.ip": [ "10.98.92.244" ], @@ -1423,6 +1453,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "tquov" + ], "related.ip": [ "10.211.93.62" ], @@ -1480,6 +1513,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "qui" + ], "related.ip": [ "10.199.182.123" ], 
@@ -1824,6 +1860,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "aveni", + "oremagna3521.mail.home" + ], "related.ip": [ "10.29.155.171" ], @@ -2509,6 +2549,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "obeataev" + ], "related.ip": [ "10.139.127.232" ], @@ -2550,6 +2593,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "inv" + ], "related.ip": [ "10.163.209.70" ], @@ -2719,6 +2765,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "eritatis" + ], "related.ip": [ "10.209.184.60" ], @@ -2818,6 +2867,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "plic" + ], "related.ip": [ "10.17.87.79" ], @@ -2933,6 +2985,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "taedi" + ], "related.ip": [ "10.17.98.243" ], @@ -3209,6 +3264,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "der", + "piciatis2460.api.host" + ], "related.ip": [ "10.77.182.191" ], @@ -3251,6 +3310,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "iame" + ], "related.ip": [ "10.193.110.71" ], diff --git a/x-pack/filebeat/module/barracuda/waf/config/input.yml b/x-pack/filebeat/module/barracuda/waf/config/input.yml index 30e0d5f27451..d90859f5f614 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/input.yml +++ b/x-pack/filebeat/module/barracuda/waf/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 
diff --git a/x-pack/filebeat/module/bluecoat/director/config/input.yml b/x-pack/filebeat/module/bluecoat/director/config/input.yml index 7fc587fb028c..3e7d940acf90 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/input.yml +++ b/x-pack/filebeat/module/bluecoat/director/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml index 9d462241ae8a..97fbbb72c92b 100644 --- a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml +++ b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json index 94a001da91ac..1d0de305beb0 100644 --- a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json +++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json @@ -247,6 +247,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "seq3874.mail.domain" + ], "rsa.internal.messageid": "dmd", "rsa.misc.change_new": "fug", "rsa.misc.change_old": "quid", @@ -988,6 +991,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "elitse6672.internal.localdomain" + ], "rsa.db.index": "mquisno", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", 
@@ -1218,6 +1224,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "itation4168.api.domain" + ], "rsa.db.index": "dipisci", "rsa.internal.event_desc": "This file is automatically generated", "rsa.internal.messageid": "configd", @@ -1569,6 +1578,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "sBonor2001.www5.example" + ], "rsa.internal.messageid": "dmd", "rsa.misc.client": "dmd:", "rsa.misc.severity": "medium", @@ -1639,6 +1651,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "ersp6625.internal.domain" + ], "rsa.internal.messageid": "dmd", "rsa.misc.client": "dmd:", "rsa.misc.severity": "high", @@ -1754,6 +1769,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "eleumiu2454.api.local" + ], "rsa.db.index": "tat", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", @@ -1866,6 +1884,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "olu5333.www.domain" + ], "rsa.db.index": "orumSe", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 0cffa76a01f9..b5271fe85983 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -23,4 +23,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 8d8b28fe30fd..73d42d43af78 100644 
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -40,6 +40,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -95,6 +98,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -140,6 +146,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -184,6 +193,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2" ], @@ -223,6 +235,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2" ], @@ -265,6 +280,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -317,6 +335,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -370,6 +391,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.192.18.4", "10.192.70.66" @@ -415,6 +439,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -463,6 +490,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.192.18.4" 
@@ -501,6 +531,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -536,6 +569,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -574,6 +610,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -615,6 +654,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10" ], @@ -657,6 +699,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10" ], @@ -699,6 +744,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.192.46.90", "10.10.10.10" @@ -743,6 +791,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -796,6 +847,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -850,6 +904,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -902,6 +959,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" 
@@ -949,6 +1009,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -995,6 +1058,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1043,6 +1109,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1105,6 +1174,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.186.2.2" @@ -1159,6 +1231,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1214,6 +1289,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1265,6 +1343,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1311,6 +1392,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1358,6 +1442,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1403,6 +1490,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" 
@@ -1448,6 +1538,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1493,6 +1586,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1531,6 +1627,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1562,6 +1661,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1595,6 +1697,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1628,6 +1733,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1671,6 +1779,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1721,6 +1832,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1759,6 +1873,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1790,6 +1907,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", 
@@ -1828,6 +1948,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1866,6 +1989,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1897,6 +2023,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1939,6 +2068,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "10.10.10.10" @@ -1983,6 +2115,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2025,6 +2160,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "10.10.10.10" @@ -2072,6 +2210,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -2114,6 +2255,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" @@ -2156,6 +2300,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" @@ -2198,6 +2345,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" 
@@ -2240,6 +2390,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" @@ -2302,6 +2455,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "1.2.3.4", "2.3.4.5" @@ -2359,6 +2515,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.10.2", "192.168.2.2" @@ -2418,6 +2577,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "somedomainname.local" + ], "related.ip": [ "195.122.12.242" ], @@ -2456,6 +2619,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "console" + ], "service.type": "cisco", "source.address": "console", "source.domain": "console", @@ -2491,6 +2658,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.0.87" ], @@ -2530,6 +2700,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2568,6 +2741,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.1.212", "10.10.1.254" @@ -2609,6 +2785,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.0.87" ], @@ -2652,6 +2831,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.0.87", "10.10.1.254" 
@@ -2693,6 +2875,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "10.10.0.87" ], @@ -2729,6 +2914,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "91.240.17.178" ], @@ -2789,6 +2977,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "91.240.17.178" ], @@ -2826,6 +3017,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "8.8.8.8" ], @@ -2869,6 +3063,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "8.8.8.8" ], @@ -2928,6 +3125,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], "related.ip": [ "104.46.88.19", "195.74.114.34" diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 90ec4ed3a8f8..94f2b616d271 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -40,6 +40,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -89,6 +92,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -187,6 +193,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" 
@@ -229,6 +238,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -274,6 +286,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "fe80::1ff:fe23:4567:890a" ], diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 18ea450c55fc..ea4dcecdef3d 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -37,6 +37,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -94,6 +97,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.104", "172.31.98.44" @@ -151,6 +157,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -208,6 +217,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -265,6 +277,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -322,6 +337,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -379,6 +397,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.160.197", "172.31.98.44" 
@@ -436,6 +457,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.14", "172.31.98.44" @@ -493,6 +517,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.33", "172.31.98.44" @@ -550,6 +577,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.9", "172.31.98.44" @@ -607,6 +637,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -664,6 +697,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.218.21", "172.31.98.44" @@ -721,6 +757,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -778,6 +817,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -835,6 +877,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.202.211", "172.31.98.44" @@ -892,6 +937,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -949,6 +997,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" 
@@ -1006,6 +1057,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.209.247", "172.31.98.44" @@ -1063,6 +1117,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.162", "172.31.98.44" @@ -1114,6 +1171,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1171,6 +1231,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1228,6 +1291,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1285,6 +1351,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1342,6 +1411,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1393,6 +1465,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1450,6 +1525,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" @@ -1501,6 +1579,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" 
@@ -1558,6 +1639,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" @@ -1615,6 +1699,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1672,6 +1759,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1729,6 +1819,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1786,6 +1879,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1837,6 +1933,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1894,6 +1993,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.225.103", "172.31.98.44" @@ -1945,6 +2047,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2002,6 +2107,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" @@ -2059,6 +2167,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" 
@@ -2116,6 +2227,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" @@ -2173,6 +2287,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" @@ -2224,6 +2341,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2281,6 +2401,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.179.219", "172.31.98.44" @@ -2338,6 +2461,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2395,6 +2521,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -2452,6 +2581,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2509,6 +2641,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -2560,6 +2695,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2617,6 +2755,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" 
@@ -2674,6 +2815,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" @@ -2731,6 +2875,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2788,6 +2935,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2845,6 +2995,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2896,6 +3049,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2953,6 +3109,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3004,6 +3163,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3061,6 +3223,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3112,6 +3277,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3169,6 +3337,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" 
@@ -3226,6 +3397,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" @@ -3283,6 +3457,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" @@ -3334,6 +3511,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3391,6 +3571,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3442,6 +3625,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3499,6 +3685,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3556,6 +3745,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" @@ -3613,6 +3805,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3664,6 +3859,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3721,6 +3919,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" 
@@ -3778,6 +3979,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" @@ -3829,6 +4033,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3886,6 +4093,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.192.44", "172.31.98.44" @@ -3928,6 +4138,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -3972,6 +4185,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" @@ -4029,6 +4245,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -4071,6 +4290,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4106,6 +4328,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4141,6 +4366,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4176,6 +4404,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", 
@@ -4211,6 +4442,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4246,6 +4480,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4296,6 +4533,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4353,6 +4593,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -4404,6 +4647,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" @@ -4461,6 +4707,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4515,6 +4764,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4569,6 +4821,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4623,6 +4878,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4677,6 +4935,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" 
@@ -4731,6 +4992,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4785,6 +5049,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4839,6 +5106,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4893,6 +5163,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4947,6 +5220,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5001,6 +5277,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5055,6 +5334,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5109,6 +5391,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5163,6 +5448,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5214,6 +5502,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" 
@@ -5271,6 +5562,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.99", "172.31.98.44" @@ -5322,6 +5616,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -5379,6 +5676,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.14.30", "172.31.98.44" diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index e0c78694ae95..948f6c85ab41 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -26,6 +26,9 @@ "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -69,6 +72,9 @@ "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "related.ip": [ "10.13.12.11", "192.168.33.12" diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index 7d010afe62c9..70df45cbf917 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -31,6 +31,11 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "target.destination.hostname.local", + "Prod-host.name.addr" + ], "service.type": "cisco", "source.domain": "Prod-host.name.addr", "source.nat.ip": "10.0.55.66", 
@@ -73,6 +78,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "MYHOSTNAME" + ], "related.ip": [ "192.0.2.134", "192.0.2.15" diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 74097780ab21..85bfef8b52af 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -36,6 +36,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + ], "related.ip": [ "203.0.113.42" ], @@ -82,6 +85,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -140,6 +146,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "example.org" + ], "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index d27f89ab5b9f..fcf7d3392220 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -189,6 +189,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -241,6 +244,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.3", "192.0.2.57" @@ -700,6 +706,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "FJSG2NRFW01" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" 
@@ -2154,6 +2163,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "", + "related.hosts": [ + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], @@ -2207,6 +2219,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "", + "related.hosts": [ + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], @@ -2772,6 +2787,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2817,6 +2835,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2862,6 +2883,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2907,6 +2931,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2952,6 +2979,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2997,6 +3027,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -3042,6 +3075,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -3087,6 +3123,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" 
@@ -3138,6 +3177,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -3186,6 +3228,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "10.2.3.5" ], @@ -3285,6 +3330,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "bad.example.com" + ], "related.ip": [ "10.1.1.45", "192.88.99.129" diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml index a505d3030eb9..4892400a8b97 100644 --- a/x-pack/filebeat/module/cisco/ftd/config/input.yml +++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml @@ -22,4 +22,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 21dc57d33150..72b115c6975b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -41,6 +41,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -91,6 +94,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -191,6 +197,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" 
@@ -234,6 +243,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index b1b3a633ad18..70e87e332d95 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json @@ -36,6 +36,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -92,6 +95,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.104", "172.31.98.44" @@ -148,6 +154,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -204,6 +213,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -260,6 +272,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -316,6 +331,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -372,6 +390,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.160.197", "172.31.98.44" @@ -428,6 +449,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.14", "172.31.98.44" 
@@ -484,6 +508,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.33", "172.31.98.44" @@ -540,6 +567,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.9", "172.31.98.44" @@ -596,6 +626,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -652,6 +685,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.218.21", "172.31.98.44" @@ -708,6 +744,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -764,6 +803,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -820,6 +862,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.202.211", "172.31.98.44" @@ -876,6 +921,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -932,6 +980,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -988,6 +1039,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.209.247", "172.31.98.44" 
@@ -1044,6 +1098,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.35.162", "172.31.98.44" @@ -1094,6 +1151,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1150,6 +1210,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1206,6 +1269,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1262,6 +1328,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1318,6 +1387,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1368,6 +1440,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1424,6 +1499,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" @@ -1474,6 +1552,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1530,6 +1611,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" 
@@ -1586,6 +1670,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1642,6 +1729,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1698,6 +1788,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1754,6 +1847,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1804,6 +1900,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1860,6 +1959,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.225.103", "172.31.98.44" @@ -1910,6 +2012,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1966,6 +2071,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" @@ -2022,6 +2130,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" @@ -2078,6 +2189,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" 
@@ -2134,6 +2248,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" @@ -2184,6 +2301,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2240,6 +2360,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.179.219", "172.31.98.44" @@ -2296,6 +2419,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2352,6 +2478,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -2408,6 +2537,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2464,6 +2596,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -2514,6 +2649,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2570,6 +2708,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" @@ -2626,6 +2767,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" 
@@ -2682,6 +2826,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2738,6 +2885,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2794,6 +2944,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2844,6 +2997,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2900,6 +3056,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -2950,6 +3109,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3006,6 +3168,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3056,6 +3221,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3112,6 +3280,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3168,6 +3339,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" 
@@ -3224,6 +3398,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" @@ -3274,6 +3451,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3330,6 +3510,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3380,6 +3563,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3436,6 +3622,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3492,6 +3681,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" @@ -3548,6 +3740,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3598,6 +3793,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3654,6 +3852,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3710,6 +3911,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" 
@@ -3760,6 +3964,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3816,6 +4023,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.192.44", "172.31.98.44" @@ -3857,6 +4067,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -3900,6 +4113,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" @@ -3956,6 +4172,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -3997,6 +4216,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4031,6 +4253,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4065,6 +4290,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4099,6 +4327,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4133,6 +4364,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", 
@@ -4167,6 +4401,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4216,6 +4453,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4272,6 +4512,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -4322,6 +4565,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" @@ -4378,6 +4624,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4431,6 +4680,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4484,6 +4736,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4537,6 +4792,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4590,6 +4848,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4643,6 +4904,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" 
@@ -4696,6 +4960,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4749,6 +5016,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4802,6 +5072,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4855,6 +5128,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4908,6 +5184,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4961,6 +5240,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5014,6 +5296,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5067,6 +5352,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5117,6 +5405,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -5173,6 +5464,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.205.99", "172.31.98.44" 
@@ -5223,6 +5517,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -5279,6 +5576,9 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost" + ], "related.ip": [ "100.66.14.30", "172.31.98.44" diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index ae2b729ada8a..37efb99f4832 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -82,6 +82,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -187,6 +190,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -290,6 +296,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -395,6 +404,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -499,6 +511,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -602,6 +617,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -708,6 +726,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -811,6 +832,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -915,6 +939,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1020,6 +1047,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1126,6 +1156,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "205.251.196.144" @@ -1225,6 +1258,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1329,6 +1365,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1432,6 +1471,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1536,6 +1578,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1641,6 +1686,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1744,6 +1792,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -1847,6 +1898,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1950,6 +2004,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -2051,6 +2108,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -2156,6 +2216,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json index 2364b5ed1a1d..6e77e652aff9 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json @@ -27,6 +27,9 @@ "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index 83616ceec8b5..681c8052cb07 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -62,6 +62,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -144,6 +147,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" 
@@ -222,6 +228,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -300,6 +309,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json index e2939392ef56..b204f179fa3e 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json @@ -37,6 +37,9 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "related.ip": [ "10.1.123.45", "10.8.12.47" @@ -81,6 +84,9 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -120,6 +126,9 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -171,6 +180,9 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats" + ], "related.ip": [ "127.0.0.1", "192.168.3.33" diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index 90fd65d46cd2..cc0af87b551e 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -35,6 +35,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + ], "related.ip": [ "203.0.113.42" ], 
@@ -80,6 +83,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -137,6 +143,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "example.org" + ], "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 371218e511be..592e7ae85e98 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -185,6 +185,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -236,6 +239,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01" + ], "related.ip": [ "172.29.2.3", "192.0.2.57" @@ -686,6 +692,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "FJSG2NRFW01" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -1959,6 +1968,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.168.77.12", "10.0.13.13" @@ -2010,6 +2022,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.168.1.33", "192.0.0.12" @@ -2061,6 +2076,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.168.1.33", "192.0.0.12" 
@@ -2115,6 +2133,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], @@ -2168,6 +2190,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], @@ -2221,6 +2247,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2275,6 +2304,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.35" @@ -2329,6 +2361,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.35" @@ -2375,6 +2410,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2421,6 +2459,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2472,6 +2513,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.168.1.34", "192.0.0.12" @@ -2526,6 +2570,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2580,6 +2627,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" 
@@ -2634,6 +2684,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "10.10.10.10" @@ -2731,6 +2784,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2775,6 +2831,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2819,6 +2878,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2863,6 +2925,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2907,6 +2972,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2951,6 +3019,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2995,6 +3066,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -3039,6 +3113,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -3089,6 +3166,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "192.0.2.95", "10.32.112.125" 
@@ -3136,6 +3216,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01" + ], "related.ip": [ "10.2.3.5" ], @@ -3233,6 +3316,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "bad.example.com" + ], "related.ip": [ "10.1.1.45", "192.88.99.129" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 7d48283bdaa8..3cef5df9a0fa 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -65,6 +65,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -154,6 +157,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -251,6 +257,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -355,6 +364,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -447,6 +459,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "52.59.244.233" @@ -557,6 +572,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "52.59.244.233" 
@@ -652,6 +670,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -758,6 +779,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -843,6 +867,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -941,6 +968,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index c9105b957ab5..8ab3e55fc873 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -51,6 +51,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -122,6 +125,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -193,6 +199,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -264,6 +273,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" 
@@ -344,6 +356,9 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -424,6 +439,9 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -508,6 +526,9 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -600,6 +621,9 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -683,6 +707,9 @@ "related.hash": [ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -776,6 +803,9 @@ "related.hash": [ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], + "related.hosts": [ + "firepower" + ], "related.ip": [ "10.0.1.20", "18.197.225.123" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index 2fe9194946ad..73ab6378da19 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -86,6 +86,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "Alerts", + "related.hosts": [ + "CISCO-SENSOR-3D" + ], "related.ip": [ "3.3.3.3", "2.2.2.2" diff --git a/x-pack/filebeat/module/cisco/ios/config/input.yml b/x-pack/filebeat/module/cisco/ios/config/input.yml index 2ed8ae959c27..e3e336cbe03b 100644 --- a/x-pack/filebeat/module/cisco/ios/config/input.yml +++ b/x-pack/filebeat/module/cisco/ios/config/input.yml 
@@ -23,7 +23,7 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
 - script:
 lang: javascript
 id: cisco_ios
diff --git a/x-pack/filebeat/module/cisco/meraki/config/input.yml b/x-pack/filebeat/module/cisco/meraki/config/input.yml
index ccc2cd1a6af8..be15aeb075cb 100644
--- a/x-pack/filebeat/module/cisco/meraki/config/input.yml
+++ b/x-pack/filebeat/module/cisco/meraki/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml
index 6172ce75db7f..cf0d61d1a524 100644
--- a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ if: ctx.host?.name != null
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json
index f8677343c209..beeffa9b5eb7 100644
--- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json
@@ -17,8 +17,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.15.44.253",
- "10.193.124.51"
+ "10.193.124.51",
+ "10.15.44.253"
 ],
 "rsa.internal.event_desc": "olaborissecurity_event tur",
 "rsa.internal.messageid": "security_event",
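Review bot: The first `append` in the meraki pipeline hunk guards only on `ctx.host?.name != null`, so an empty `host.name` still lands in `related.hosts` as `""`, while the `host.hostname` append directly below it and both appends in the nexus pipeline hunk also reject the empty string. The guard should read `if: ctx.host?.name != null && ctx.host?.name != ''` so the three pipelines behave the same. An empty entry in `related.hosts` is not harmful by itself, but it makes the field unreliable for detection rules that match on it. The `processors` list this hunk belongs to begins outside the hunk.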
@@ -57,8 +57,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.15.16.212", - "10.102.218.31" + "10.102.218.31", + "10.15.16.212" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -519,8 +519,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.53.150.119", - "10.85.10.165" + "10.85.10.165", + "10.53.150.119" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -557,8 +557,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.187.77.245", - "10.88.231.224" + "10.88.231.224", + "10.187.77.245" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -692,8 +692,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.182.178.217", - "10.63.194.87" + "10.63.194.87", + "10.182.178.217" ], "rsa.counters.dclass_r1": "fdeFi", "rsa.internal.messageid": "events", @@ -831,8 +831,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.12.182.70", - "10.31.77.157" + "10.31.77.157", + "10.12.182.70" ], "rsa.internal.event_desc": "uiac security_event epte", "rsa.internal.messageid": "security_event", @@ -896,8 +896,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.93.68.231", - "10.135.217.12" + "10.135.217.12", + "10.93.68.231" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1025,8 +1025,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.173.136.186", - "10.221.102.245" + "10.221.102.245", + "10.173.136.186" ], "rsa.internal.event_desc": "idestlab", "rsa.internal.messageid": "security_event", @@ -1064,8 +1064,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.58.64.108", - "10.54.37.86" + "10.54.37.86", + "10.58.64.108" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", 
@@ -1100,8 +1100,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.163.93.20", - "10.147.76.202" + "10.147.76.202", + "10.163.93.20" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1142,8 +1142,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.0.200.27", - "10.183.44.198" + "10.183.44.198", + "10.0.200.27" ], "rsa.internal.event_desc": "uradi security_event tot", "rsa.internal.messageid": "security_event", @@ -1312,8 +1312,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.242.77.170", - "10.150.245.88" + "10.150.245.88", + "10.242.77.170" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1486,8 +1486,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.193.219.34", - "10.179.40.170" + "10.179.40.170", + "10.193.219.34" ], "rsa.counters.dclass_r1": "emip", "rsa.internal.messageid": "events", @@ -1638,8 +1638,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.90.99.245", - "10.124.63.4" + "10.124.63.4", + "10.90.99.245" ], "rsa.internal.event_desc": "etconsec", "rsa.internal.messageid": "security_event", @@ -1791,6 +1791,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "remips188.api.invalid" + ], "related.ip": [ "10.40.101.224", "10.78.199.43" @@ -1864,8 +1867,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.39.172.93", - "10.83.131.245" + "10.83.131.245", + "10.39.172.93" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -2008,8 +2011,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.97.46.16", - "10.120.4.9" + "10.120.4.9", + "10.97.46.16" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", 
@@ -2077,9 +2080,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "uames4985.mail.localdomain" + ], "related.ip": [ - "10.144.57.239", - "10.150.163.151" + "10.150.163.151", + "10.144.57.239" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2246,8 +2252,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.103.49.129", - "10.2.110.73" + "10.2.110.73", + "10.103.49.129" ], "rsa.counters.dclass_r1": "orumS", "rsa.internal.messageid": "events", @@ -2323,9 +2329,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "lors2232.api.example" + ], "related.ip": [ - "10.105.136.146", - "10.46.217.155" + "10.46.217.155", + "10.105.136.146" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2428,8 +2437,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.16.230.121", - "10.196.176.243" + "10.196.176.243", + "10.16.230.121" ], "rsa.counters.dclass_r1": "velites", "rsa.internal.messageid": "events", @@ -2471,8 +2480,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.34.62.190", - "10.246.152.72" + "10.246.152.72", + "10.34.62.190" ], "rsa.internal.event_desc": "Nem", "rsa.internal.messageid": "security_event", @@ -2710,8 +2719,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.103.91.159", - "10.199.19.205" + "10.199.19.205", + "10.103.91.159" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2749,8 +2758,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.17.111.91", - "10.65.0.157" + "10.65.0.157", + "10.17.111.91" ], "rsa.db.index": "nostrum", "rsa.internal.messageid": "flows", 
@@ -3018,8 +3027,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.254.96.130",
- "10.247.118.132"
+ "10.247.118.132",
+ "10.254.96.130"
 ],
 "rsa.counters.dclass_r1": "ectet",
 "rsa.internal.messageid": "events",
@@ -3058,8 +3067,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.101.13.122",
- "10.200.98.243"
+ "10.200.98.243",
+ "10.101.13.122"
 ],
 "rsa.counters.dclass_r1": "uteirur",
 "rsa.internal.messageid": "events",
@@ -3321,8 +3330,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.85.59.172",
- "10.75.122.111"
+ "10.75.122.111",
+ "10.85.59.172"
 ],
 "rsa.counters.dclass_r1": "sequat",
 "rsa.internal.messageid": "events",
diff --git a/x-pack/filebeat/module/cisco/nexus/config/input.yml b/x-pack/filebeat/module/cisco/nexus/config/input.yml
index 5608926d9558..747a6cf00858 100644
--- a/x-pack/filebeat/module/cisco/nexus/config/input.yml
+++ b/x-pack/filebeat/module/cisco/nexus/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml
index ae975fb7e868..b85ab503dda0 100644
--- a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
 on_failure:
 - append:
 field: error.message
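Review bot: The new `if` conditions are written in several different shapes across this commit, which makes the same guard harder to audit: here `ctx.host?.name != null && ctx.host?.name != ''` is unquoted and null-safes only the sub-path, the citrix netscaler, cyberark corepas and cylance protect pipelines write `ctx?.host?.name` / `ctx?.server?.domain`, and the asa-ftd pipeline places its unquoted conditions directly under the existing quoted `if: "ctx?.file?.hash?.sha256 != null"`. The `?.` on `ctx` itself is unnecessary, since `ctx` is always present in a pipeline condition, so one form such as `if: ctx.host?.name != null && ctx.host?.name != ''` would serve every module. The position of `allow_duplicates: false` also alternates between before and after the `if` line; keep one order so the blocks diff cleanly against each other. A one-line comment above the first append, e.g. `# collect hostnames into related.hosts (ECS 1.6) so events can be pivoted by host`, would also help, since the ecs.version bump in input.yml is the only hint of why these were added.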
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index 7671bb649b91..c828c45250a0 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -1547,6 +1547,26 @@ processors:
 field: related.hash
 value: "{{file.hash.sha256}}"
 if: "ctx?.file?.hash?.sha256 != null"
+ - append:
+ field: related.hosts
+ value: "{{host.hostname}}"
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{observer.hostname}}"
+ if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{destination.domain}}"
+ if: ctx.destination?.domain != null && ctx.destination?.domain != ''
+ allow_duplicates: false
+ - append:
+ field: related.hosts
+ value: "{{source.domain}}"
+ if: ctx.source?.domain != null && ctx.source?.domain != ''
+ allow_duplicates: false
 on_failure:
 # Copy any fields under _temp_.cisco to its final destination. Those can help
 # with diagnosing the failure.
diff --git a/x-pack/filebeat/module/citrix/netscaler/config/input.yml b/x-pack/filebeat/module/citrix/netscaler/config/input.yml
index 1226056cf174..42bba0c0995a 100644
--- a/x-pack/filebeat/module/citrix/netscaler/config/input.yml
+++ b/x-pack/filebeat/module/citrix/netscaler/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml
index 51c9ebaf329d..a2f7da6f2a0d 100644
--- a/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml
@@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json index 861edae9b880..cb772d912684 100644 --- a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json +++ b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json @@ -144,8 +144,8 @@ "rsa.db.index": "undeo", "rsa.internal.messageid": "APPFW_COOKIE", "rsa.misc.action": [ - "cancel", - "iumto" + "iumto", + "cancel" ], "rsa.misc.policy_name": "isqu", "rsa.misc.rule": "uaera", @@ -186,8 +186,8 @@ "related.ip": [ "10.96.119.12", "10.21.92.218", - "10.109.68.21", "10.83.234.60", + "10.109.68.21", "10.156.210.168" ], "related.user": [ @@ -570,6 +570,9 @@ "observer.product": "Netscaler", "observer.type": "Firewall", "observer.vendor": "Citrix", + "related.hosts": [ + "tor4410.api.localhost" + ], "related.ip": [ "10.206.87.219" ], @@ -808,8 +811,8 @@ "rsa.db.index": "uidol", "rsa.internal.messageid": "APPFW_COOKIE", "rsa.misc.action": [ - "cancel", - "tincu" + "tincu", + "cancel" ], "rsa.misc.policy_name": "aec", "rsa.misc.rule": "rQu", @@ -989,8 +992,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.248.165.185", - "10.32.39.220" + "10.32.39.220", + "10.248.165.185" ], "related.user": [ "exeaco" @@ -1025,9 +1028,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.197.6.245", "10.81.45.174", - "10.82.28.220" + "10.82.28.220", + "10.197.6.245" ], "related.user": [ "agnaaliq" 
@@ -1454,8 +1457,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.101.172.233", - "10.211.163.7" + "10.211.163.7", + "10.101.172.233" ], "related.user": [ "est" @@ -1884,8 +1887,8 @@ "rsa.db.index": "orem", "rsa.internal.messageid": "APPFW_FIELDCONSISTENCY", "rsa.misc.action": [ - "tesse", - "allow" + "allow", + "tesse" ], "rsa.misc.policy_name": "rsi", "rsa.misc.rule": "ntutlab", @@ -2081,9 +2084,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.80.5.101", + "10.225.146.5", "10.41.65.89", - "10.225.146.5" + "10.80.5.101" ], "related.user": [ "picia" @@ -2475,8 +2478,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.187.86.64", - "10.197.128.162" + "10.197.128.162", + "10.187.86.64" ], "rsa.internal.messageid": "ICA_SESSION_UPDATE", "rsa.misc.msgIdPart1": "ICA", @@ -2544,8 +2547,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.204.20.8", - "10.43.239.97" + "10.43.239.97", + "10.204.20.8" ], "rsa.internal.messageid": "ICA_SESSION_UPDATE", "rsa.misc.msgIdPart1": "ICA", @@ -2581,11 +2584,11 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.8.82.22", + "10.148.244.55", "10.133.153.174", - "10.76.129.136", + "10.8.82.22", "10.113.135.78", - "10.148.244.55" + "10.76.129.136" ], "related.user": [ "asiar" @@ -2697,8 +2700,8 @@ "rsa.db.index": "iat", "rsa.internal.messageid": "AF_MALFORMED_REQ_ERR", "rsa.misc.action": [ - "ati", - "block" + "block", + "ati" ], "rsa.misc.policy_name": "llu", "rsa.misc.rule": "etd", @@ -2730,9 +2733,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.213.112.186", "10.215.229.78", - "10.67.233.159" + "10.67.233.159", + "10.213.112.186" ], "related.user": [ "emquiav" 
@@ -2842,8 +2845,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Citrix",
 "related.ip": [
- "10.96.104.212",
- "10.73.45.19"
+ "10.73.45.19",
+ "10.96.104.212"
 ],
 "rsa.internal.messageid": "ICA_SESSION_UPDATE",
 "rsa.misc.msgIdPart1": "ICA",
@@ -3032,6 +3035,9 @@
 "observer.type": "Firewall",
 "observer.vendor": "Citrix",
 "observer.version": "1.897",
+ "related.hosts": [
+ "hend1170.www5.lan"
+ ],
 "related.ip": [
 "10.111.22.134"
 ],
diff --git a/x-pack/filebeat/module/cyberark/corepas/config/input.yml b/x-pack/filebeat/module/cyberark/corepas/config/input.yml
index 4a0d6359c633..4b34d80711be 100644
--- a/x-pack/filebeat/module/cyberark/corepas/config/input.yml
+++ b/x-pack/filebeat/module/cyberark/corepas/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml
index dafb265af35d..ffe90e79f858 100644
--- a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.hostname server.domain}}'
+ allow_duplicates: false
+ if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
+ - append:
+ field: related.hosts
+ value: '{{server.domain}}'
+ allow_duplicates: false
+ if: ctx?.server?.domain != null && ctx.server?.domain != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json
index 2df25e0b1fe7..2bf31b06a524 100644
--- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json
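Review bot: The first append's `value: '{{host.hostname server.domain}}'` puts two field paths inside one Mustache tag, so it does not resolve to `host.hostname`; the regenerated expected output in this same commit shows the symptom, a `related.hosts` array of `["", "nsecte3304.mail.corp"]` for an event where the guard evidently passed. The `if` cannot catch this because it checks the source field rather than the rendered value, and the empty string then lands in `related.hosts` as if it were a real host, which pollutes any pivot or aggregation on that field. Change the line to `value: '{{host.hostname}}'` and regenerate generated.log-expected.json; the second append already covers `server.domain` on its own. I am inferring that the `""` entry comes from this template rather than from the source data, since it is the only append whose rendered value can differ from the field its guard checks.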
+++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json @@ -20,8 +20,8 @@ "10.208.15.216" ], "related.user": [ - "itv", "quasiarc", + "itv", "utl" ], "rsa.db.index": "nes", @@ -63,9 +63,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.259", + "related.hosts": [ + "iatnu3810.mail.localdomain" + ], "related.ip": [ - "10.175.75.18", - "10.92.136.230" + "10.92.136.230", + "10.175.75.18" ], "related.user": [ "nnumqu", @@ -123,13 +126,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.7269", + "related.hosts": [ + "anti4454.api.example" + ], "related.ip": [ "10.51.132.10", "10.46.185.46" ], "related.user": [ - "nse", "incid", + "nse", "serror" ], "rsa.db.database": "byC", @@ -183,14 +189,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6713", + "related.hosts": [ + "uam6303.api.lan" + ], "related.ip": [ "10.155.236.240", "10.53.192.140" ], "related.user": [ - "atcup", "psumquia", - "ptass" + "ptass", + "atcup" ], "rsa.db.database": "aperi", "rsa.db.index": "llumd", @@ -244,9 +253,9 @@ "10.81.199.122" ], "related.user": [ - "eos", "oremips", - "giatq" + "giatq", + "eos" ], "rsa.db.index": "tempo", "rsa.internal.event_desc": "uian", @@ -287,6 +296,9 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3491", + "related.hosts": [ + "temq1198.internal.example" + ], "related.ip": [ "10.139.186.201", "10.172.14.142" @@ -347,9 +359,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6875", + "related.hosts": [ + "tenbyCic5882.api.home" + ], "related.ip": [ - "10.47.76.251", - "10.104.111.129" + "10.104.111.129", + "10.47.76.251" ], "related.user": [ "ele", @@ -409,8 +424,8 @@ ], "related.user": [ "umdo", - "quiratio", - "animi" + "animi", + "quiratio" ], "rsa.db.index": "oll", "rsa.internal.event_desc": "rumet", 
@@ -451,14 +466,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5529", + "related.hosts": [ + "isqu7224.localdomain" + ], "related.ip": [ "10.57.40.29", "10.62.54.220" ], "related.user": [ - "rnatura", "taevi", - "psum" + "psum", + "rnatura" ], "rsa.db.database": "emeumfug", "rsa.db.index": "omn", @@ -512,9 +530,9 @@ "10.74.237.180" ], "related.user": [ + "tnon", "ema", - "cup", - "tnon" + "cup" ], "rsa.db.index": "remeumf", "rsa.internal.event_desc": "lup", @@ -556,9 +574,9 @@ "10.18.165.35" ], "related.user": [ - "lor", "modocons", - "remeum" + "remeum", + "lor" ], "rsa.db.index": "etM", "rsa.internal.event_desc": "etc", @@ -600,9 +618,9 @@ "10.74.253.127" ], "related.user": [ + "icab", "tema", - "onproide", - "icab" + "onproide" ], "rsa.db.index": "mqui", "rsa.internal.event_desc": "eomnisis", @@ -642,9 +660,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1697", + "related.hosts": [ + "tlabo6088.www.localdomain" + ], "related.ip": [ - "10.189.109.245", - "10.92.8.15" + "10.92.8.15", + "10.189.109.245" ], "related.user": [ "inima", @@ -701,8 +722,8 @@ "10.21.78.128" ], "related.user": [ - "taut", "upt", + "taut", "giatquov" ], "rsa.db.index": "iadese", @@ -746,8 +767,8 @@ ], "related.user": [ "pida", - "tatn", - "hil" + "hil", + "tatn" ], "rsa.db.index": "quip", "rsa.internal.event_desc": "ecillu", @@ -788,13 +809,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3727", + "related.hosts": [ + "iavolu5352.localhost" + ], "related.ip": [ "10.63.37.192", "10.225.115.13" ], "related.user": [ - "reetd", "iunt", + "reetd", "equep" ], "rsa.db.database": "aliqu", @@ -848,9 +872,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3219", + "related.hosts": [ + "estiae3750.api.corp" + ], "related.ip": [ - "10.95.64.124", - "10.47.202.102" + "10.47.202.102", + "10.95.64.124" ], "related.user": [ "run", 
@@ -907,13 +934,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6371", + "related.hosts": [ + "aquaeabi7735.internal.lan" + ], "related.ip": [ "10.244.114.61", "10.106.239.55" ], "related.user": [ - "serunt", - "itquiin" + "itquiin", + "serunt" ], "rsa.db.database": "itame", "rsa.db.index": "oluptas", @@ -965,13 +995,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.821", + "related.hosts": [ + "etMalor4236.www5.host" + ], "related.ip": [ - "10.125.160.129", - "10.53.168.235" + "10.53.168.235", + "10.125.160.129" ], "related.user": [ - "one", "abi", + "one", "ione" ], "rsa.db.database": "sperna", @@ -1025,14 +1058,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1123", + "related.hosts": [ + "quioffi1359.internal.lan" + ], "related.ip": [ - "10.227.177.121", - "10.33.245.220" + "10.33.245.220", + "10.227.177.121" ], "related.user": [ + "iduntu", "liqui", - "tasuntex", - "iduntu" + "tasuntex" ], "rsa.db.database": "rvel", "rsa.db.index": "onsecte", @@ -1088,13 +1124,17 @@ "observer.version": "1.5071", "process.name": "laboree.exe", "process.pid": 6501, + "related.hosts": [ + "", + "nsecte3304.mail.corp" + ], "related.ip": [ - "10.167.85.181", - "10.98.182.220" + "10.98.182.220", + "10.167.85.181" ], "related.user": [ - "econs", - "fde" + "fde", + "econs" ], "rsa.db.database": "equat", "rsa.internal.event_desc": "orpor", @@ -1149,9 +1189,9 @@ "10.89.208.95" ], "related.user": [ - "iciadese", "icabo", - "sintoc" + "sintoc", + "iciadese" ], "rsa.db.index": "eni", "rsa.internal.event_desc": "rcitati", @@ -1192,6 +1232,9 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.509", + "related.hosts": [ + "nevo4284.internal.local" + ], "related.ip": [ "10.72.148.32", "10.214.191.180" 
@@ -1252,9 +1295,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3599", + "related.hosts": [ + "itas981.mail.domain" + ], "related.ip": [ - "10.136.190.236", - "10.252.124.150" + "10.252.124.150", + "10.136.190.236" ], "related.user": [ "ipsumd", @@ -1312,14 +1358,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5649", + "related.hosts": [ + "tnonpro7635.localdomain" + ], "related.ip": [ - "10.213.144.249", - "10.192.34.76" + "10.192.34.76", + "10.213.144.249" ], "related.user": [ - "iquipe", + "lore", "temqu", - "lore" + "iquipe" ], "rsa.db.database": "gnamal", "rsa.db.index": "ntexplic", @@ -1371,9 +1420,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.2217", + "related.hosts": [ + "rQuisau5300.www5.example" + ], "related.ip": [ - "10.216.84.30", - "10.154.4.197" + "10.154.4.197", + "10.216.84.30" ], "related.user": [ "untu", @@ -1431,8 +1483,8 @@ ], "related.user": [ "tqu", - "niamqui", - "quid" + "quid", + "niamqui" ], "rsa.db.index": "inci", "rsa.internal.event_desc": "eroinBCS", @@ -1473,14 +1525,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5632", + "related.hosts": [ + "uamei2389.internal.example" + ], "related.ip": [ - "10.193.83.81", - "10.65.175.9" + "10.65.175.9", + "10.193.83.81" ], "related.user": [ + "umqu", "ritatise", - "essequam", - "umqu" + "essequam" ], "rsa.db.database": "ender", "rsa.db.index": "entorev", @@ -1534,8 +1589,8 @@ "10.205.72.243" ], "related.user": [ - "isiuta", "umdolo", + "isiuta", "tatn" ], "rsa.db.index": "proide", @@ -1578,9 +1633,9 @@ "10.107.9.163" ], "related.user": [ - "mac", + "mquisno", "sit", - "mquisno" + "mac" ], "rsa.db.index": "sit", "rsa.internal.event_desc": "tdol", @@ -1623,8 +1678,8 @@ ], "related.user": [ "asiarc", - "umSe", - "quidexea" + "quidexea", + "umSe" ], "rsa.db.index": "veli", "rsa.internal.event_desc": "quatu", 
@@ -1665,14 +1720,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.267", + "related.hosts": [ + "miurerep1152.internal.domain" + ], "related.ip": [ - "10.39.10.155", - "10.235.136.109" + "10.235.136.109", + "10.39.10.155" ], "related.user": [ + "aboreetd", "urExcept", - "ptass", - "aboreetd" + "ptass" ], "rsa.db.database": "teirured", "rsa.db.index": "dolorem", @@ -1771,8 +1829,8 @@ ], "related.user": [ "reseo", - "moenimi", - "aec" + "aec", + "moenimi" ], "rsa.db.index": "mac", "rsa.internal.event_desc": "quamest", @@ -1813,6 +1871,9 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3804", + "related.hosts": [ + "rum5798.home" + ], "related.ip": [ "10.226.101.180", "10.226.20.199" @@ -1874,14 +1935,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1493", + "related.hosts": [ + "nisiut3624.api.example" + ], "related.ip": [ - "10.134.65.15", - "10.86.22.67" + "10.86.22.67", + "10.134.65.15" ], "related.user": [ - "utaliqu", "quaUten", - "cab" + "cab", + "utaliqu" ], "rsa.db.database": "isciv", "rsa.db.index": "nofd", @@ -1981,14 +2045,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6255", + "related.hosts": [ + "tesse1089.www.host" + ], "related.ip": [ - "10.24.111.229", - "10.178.242.100" + "10.178.242.100", + "10.24.111.229" ], "related.user": [ + "loi", "dqu", - "idid", - "loi" + "idid" ], "rsa.db.database": "tenatuse", "rsa.db.index": "ullamcor", @@ -2129,14 +2196,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1844", + "related.hosts": [ + "dictasun3878.internal.localhost" + ], "related.ip": [ "10.212.214.4", "10.6.79.159" ], "related.user": [ + "midestl", "quid", - "amvo", - "midestl" + "amvo" ], "rsa.db.database": "urExce", "rsa.db.index": "ectiono", 
@@ -2189,9 +2259,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3546", + "related.hosts": [ + "aecatcup2241.www5.test" + ], "related.ip": [ - "10.70.147.46", - "10.237.170.202" + "10.237.170.202", + "10.70.147.46" ], "related.user": [ "liquide", @@ -2249,13 +2322,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4282", + "related.hosts": [ + "mad5185.www5.localhost" + ], "related.ip": [ - "10.179.50.138", - "10.228.118.81" + "10.228.118.81", + "10.179.50.138" ], "related.user": [ - "itasper", "emoe", + "itasper", "tatemU" ], "rsa.db.database": "toditaut", @@ -2309,14 +2385,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3806", + "related.hosts": [ + "esseq7889.www.invalid" + ], "related.ip": [ "10.49.71.118", "10.234.165.130" ], "related.user": [ "emip", - "henderit", - "iuntNequ" + "iuntNequ", + "henderit" ], "rsa.db.database": "veniamqu", "rsa.db.index": "atquo", @@ -2457,14 +2536,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.7083", + "related.hosts": [ + "tem6815.home" + ], "related.ip": [ "10.174.185.109", "10.120.167.217" ], "related.user": [ "animid", - "rsp", - "dolorem" + "dolorem", + "rsp" ], "rsa.db.database": "tsuntinc", "rsa.db.index": "quovo", @@ -2517,14 +2599,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1432", + "related.hosts": [ + "mporainc2064.home" + ], "related.ip": [ "10.117.137.159", "10.141.213.219" ], "related.user": [ - "atev", "accusa", - "ate" + "ate", + "atev" ], "rsa.db.database": "nibus", "rsa.db.index": "ser", @@ -2577,13 +2662,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4043", + "related.hosts": [ + "caboNem1043.internal.home" + ], "related.ip": [ "10.166.90.130", "10.94.224.229" ], "related.user": [ - "rem", "eavol", + "rem", "etconsec" ], "rsa.db.database": "oditempo", 
@@ -2639,14 +2727,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.2456", + "related.hosts": [ + "tatio6513.www.invalid" + ], "related.ip": [ - "10.38.28.151", - "10.201.81.46" + "10.201.81.46", + "10.38.28.151" ], "related.user": [ + "tiumto", "incidid", - "mipsumqu", - "tiumto" + "mipsumqu" ], "rsa.db.database": "abor", "rsa.db.index": "adol", @@ -2701,14 +2792,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.2721", + "related.hosts": [ + "dolori6232.api.invalid" + ], "related.ip": [ "10.255.28.56", "10.214.245.95" ], "related.user": [ - "rerepre", + "umdolors", "uptatem", - "umdolors" + "rerepre" ], "rsa.db.database": "odt", "rsa.db.index": "riosa", @@ -2763,8 +2857,8 @@ ], "related.user": [ "mip", - "qui", - "Utenima" + "Utenima", + "qui" ], "rsa.db.index": "boree", "rsa.internal.event_desc": "uteir", @@ -2807,8 +2901,8 @@ ], "related.user": [ "enim", - "ess", - "iame" + "iame", + "ess" ], "rsa.db.index": "nofdeFi", "rsa.internal.event_desc": "isnostru", @@ -2893,14 +2987,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3147", + "related.hosts": [ + "mestq2106.api.host" + ], "related.ip": [ - "10.39.143.155", - "10.41.89.217" + "10.41.89.217", + "10.39.143.155" ], "related.user": [ + "tem", "tperspic", - "sedquiac", - "tem" + "sedquiac" ], "rsa.db.database": "radipis", "rsa.db.index": "nse", @@ -2953,14 +3050,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6382", + "related.hosts": [ + "lors7553.api.local" + ], "related.ip": [ "10.153.123.20", "10.5.5.1" ], "related.user": [ + "minim", "unt", - "CSe", - "minim" + "CSe" ], "rsa.db.database": "atu", "rsa.db.index": "roi", 
@@ -3013,13 +3113,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3193", + "related.hosts": [ + "olu5333.www.domain" + ], "related.ip": [ - "10.210.61.109", - "10.168.132.175" + "10.168.132.175", + "10.210.61.109" ], "related.user": [ - "iamea", "giatquov", + "iamea", "eursinto" ], "rsa.db.database": "ici", @@ -3074,9 +3177,9 @@ "10.123.154.17" ], "related.user": [ - "quiac", + "dolorsi", "lmo", - "dolorsi" + "quiac" ], "rsa.db.index": "idunt", "rsa.internal.event_desc": "usantiu", @@ -3168,8 +3271,8 @@ ], "related.user": [ "rsitvol", - "Nemoenim", - "iati" + "iati", + "Nemoenim" ], "rsa.db.index": "eFini", "rsa.internal.event_desc": "acom", @@ -3210,13 +3313,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3184", + "related.hosts": [ + "fic5107.home" + ], "related.ip": [ "10.169.101.161", "10.164.66.154" ], "related.user": [ - "eufug", "orissu", + "eufug", "ine" ], "rsa.db.database": "stquidol", @@ -3314,14 +3420,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4887", + "related.hosts": [ + "onpr47.api.home" + ], "related.ip": [ "10.207.97.192", "10.134.55.11" ], "related.user": [ - "madminim", "tanimid", - "mmod" + "mmod", + "madminim" ], "rsa.db.database": "tetura", "rsa.db.index": "uptasnul", @@ -3374,14 +3483,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3601", + "related.hosts": [ + "rehen4859.api.host" + ], "related.ip": [ "10.31.187.19", "10.52.150.104" ], "related.user": [ + "texplica", "eritq", - "oinBCSed", - "texplica" + "oinBCSed" ], "rsa.db.database": "lit", "rsa.db.index": "ritati", 
@@ -3434,13 +3546,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3175", + "related.hosts": [ + "eufugia4481.corp" + ], "related.ip": [ - "10.61.175.217", - "10.41.232.147" + "10.41.232.147", + "10.61.175.217" ], "related.user": [ - "tat", "ntexpl", + "tat", "runtm" ], "rsa.db.database": "rere", @@ -3495,9 +3610,9 @@ "10.150.30.95" ], "related.user": [ - "mini", + "atnonpr", "uisnos", - "atnonpr" + "mini" ], "rsa.db.index": "smod", "rsa.internal.event_desc": "isn", @@ -3627,9 +3742,9 @@ "10.197.203.167" ], "related.user": [ - "eserun", + "uta", "iumdo", - "uta" + "eserun" ], "rsa.db.index": "smo", "rsa.internal.event_desc": "olesti", @@ -3672,8 +3787,8 @@ ], "related.user": [ "sectetu", - "ibusBo", - "enima" + "enima", + "ibusBo" ], "rsa.db.index": "uido", "rsa.internal.event_desc": "lab", @@ -3714,9 +3829,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3824", + "related.hosts": [ + "involu1450.www.localhost" + ], "related.ip": [ - "10.123.62.215", - "10.250.248.215" + "10.250.248.215", + "10.123.62.215" ], "related.user": [ "aevitaed", @@ -3773,6 +3891,9 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3759", + "related.hosts": [ + "osa3211.www5.example" + ], "related.ip": [ "10.147.154.118", "10.146.57.23" @@ -3833,8 +3954,8 @@ ], "related.user": [ "niamqui", - "ptatemU", - "uamestqu" + "uamestqu", + "ptatemU" ], "rsa.db.index": "doeiu", "rsa.internal.event_desc": "uasiarc", @@ -3877,8 +3998,8 @@ ], "related.user": [ "nesci", - "onnumqua", - "tetura" + "tetura", + "onnumqua" ], "rsa.db.index": "oinBCSed", "rsa.internal.event_desc": "ntor", @@ -3920,9 +4041,9 @@ "10.47.63.70" ], "related.user": [ - "midestl", + "expl", "tpers", - "expl" + "midestl" ], "rsa.db.index": "olu", "rsa.internal.event_desc": "odocons", 
@@ -4007,14 +4128,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6648", + "related.hosts": [ + "tatemac5192.www5.test" + ], "related.ip": [ - "10.89.154.115", - "10.85.13.237" + "10.85.13.237", + "10.89.154.115" ], "related.user": [ "emeu", - "luptat", - "Nem" + "Nem", + "luptat" ], "rsa.db.database": "nturmag", "rsa.db.index": "maliqua", @@ -4067,13 +4191,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3387", + "related.hosts": [ + "nimve2787.mail.test" + ], "related.ip": [ - "10.65.207.234", - "10.222.32.183" + "10.222.32.183", + "10.65.207.234" ], "related.user": [ - "eruntmo", "itame", + "eruntmo", "eve" ], "rsa.db.database": "udexerc", @@ -4128,8 +4255,8 @@ "10.16.181.60" ], "related.user": [ - "gnama", "oinven", + "gnama", "olore" ], "rsa.db.index": "uatu", @@ -4173,8 +4300,8 @@ ], "related.user": [ "illoin", - "uianon", - "amnis" + "amnis", + "uianon" ], "rsa.db.index": "ons", "rsa.internal.event_desc": "temaccus", @@ -4216,9 +4343,9 @@ "10.204.214.98" ], "related.user": [ + "tdolo", "eprehe", - "porissus", - "tdolo" + "porissus" ], "rsa.db.index": "abo", "rsa.internal.event_desc": "ecte", @@ -4260,9 +4387,9 @@ "10.223.178.192" ], "related.user": [ + "etc", "moenimip", - "evel", - "etc" + "evel" ], "rsa.db.index": "iarchit", "rsa.internal.event_desc": "apari", @@ -4303,13 +4430,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.801", + "related.hosts": [ + "ama6820.mail.example" + ], "related.ip": [ - "10.26.137.126", - "10.26.33.181" + "10.26.33.181", + "10.26.137.126" ], "related.user": [ - "ati", "audant", + "ati", "taevit" ], "rsa.db.database": "com", 
@@ -4363,14 +4493,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.10", + "related.hosts": [ + "olupt966.www5.corp" + ], "related.ip": [ - "10.148.195.208", - "10.142.161.116" + "10.142.161.116", + "10.148.195.208" ], "related.user": [ - "quaerat", + "mpori", "isi", - "mpori" + "quaerat" ], "rsa.db.database": "squamest", "rsa.db.index": "pteu", @@ -4423,14 +4556,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1026", + "related.hosts": [ + "lit4112.www.localhost" + ], "related.ip": [ "10.10.174.253", "10.107.24.54" ], "related.user": [ "hend", - "itinvo", - "uptasn" + "uptasn", + "itinvo" ], "rsa.db.database": "lup", "rsa.db.index": "isau", @@ -4485,9 +4621,9 @@ "10.87.92.17" ], "related.user": [ + "tamr", "luptate", - "eeufug", - "tamr" + "eeufug" ], "rsa.db.index": "oreeufug", "rsa.internal.event_desc": "ura", @@ -4532,13 +4668,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5649", + "related.hosts": [ + "dictasun3408.internal.invalid" + ], "related.ip": [ "10.161.51.135", "10.231.51.136" ], "related.user": [ - "asper", "Finibus", + "asper", "accus" ], "rsa.db.database": "litani", @@ -4593,9 +4732,9 @@ "10.51.17.32" ], "related.user": [ - "itten", "mquido", - "llum" + "llum", + "itten" ], "rsa.db.index": "uscipit", "rsa.internal.event_desc": "llitani", @@ -4637,8 +4776,8 @@ "10.108.123.148" ], "related.user": [ - "mmodicon", "cusa", + "mmodicon", "ollita" ], "rsa.db.index": "ercitati", @@ -4681,13 +4820,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.425", + "related.hosts": [ + "uidol6868.mail.localdomain" + ], "related.ip": [ - "10.198.187.144", - "10.114.0.148" + "10.114.0.148", + "10.198.187.144" ], "related.user": [ - "equatD", "rsitamet", + "equatD", "ons" ], "rsa.db.database": "periam", 
@@ -4746,8 +4888,8 @@ "10.61.140.120" ], "related.user": [ - "loru", "naaliq", + "loru", "equa" ], "rsa.db.index": "umfugiat", @@ -4789,14 +4931,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6988", + "related.hosts": [ + "ptat4878.lan" + ], "related.ip": [ - "10.93.24.151", - "10.149.238.108" + "10.149.238.108", + "10.93.24.151" ], "related.user": [ - "nven", + "sequamn", "ite", - "sequamn" + "nven" ], "rsa.db.database": "fugi", "rsa.db.index": "nesciu", @@ -4895,8 +5040,8 @@ "10.2.204.161" ], "related.user": [ - "ore", "quela", + "ore", "eumfugia" ], "rsa.db.index": "olup", @@ -4944,8 +5089,8 @@ ], "related.user": [ "ptatemse", - "enimad", - "aliqu" + "aliqu", + "enimad" ], "rsa.db.index": "Except", "rsa.internal.event_desc": "cons", @@ -4986,14 +5131,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3175", + "related.hosts": [ + "isno4595.local" + ], "related.ip": [ - "10.94.152.238", - "10.151.110.250" + "10.151.110.250", + "10.94.152.238" ], "related.user": [ + "tla", "neavol", - "pidatatn", - "tla" + "pidatatn" ], "rsa.db.database": "itaedict", "rsa.db.index": "onemull", @@ -5046,13 +5194,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4965", + "related.hosts": [ + "tatemse5403.home" + ], "related.ip": [ - "10.77.9.17", - "10.146.61.5" + "10.146.61.5", + "10.77.9.17" ], "related.user": [ - "umS", "tevel", + "umS", "alorumwr" ], "rsa.db.database": "amremap", @@ -5107,8 +5258,8 @@ "10.128.102.130" ], "related.user": [ - "ore", "que", + "ore", "sequatu" ], "rsa.db.index": "exerci", @@ -5150,13 +5301,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.7701", + "related.hosts": [ + "reprehe650.www.corp" + ], "related.ip": [ - "10.31.86.83", - "10.200.162.248" + "10.200.162.248", + "10.31.86.83" ], "related.user": [ - "reseo", "onnu", + "reseo", "doloremi" ], "rsa.db.database": "billo", 
@@ -5211,9 +5365,9 @@
 "10.103.215.159"
 ],
 "related.user": [
+ "volup",
 "apa",
- "atatn",
- "volup"
+ "atatn"
 ],
 "rsa.db.index": "atcupi",
 "rsa.internal.event_desc": "did",
diff --git a/x-pack/filebeat/module/cylance/protect/config/input.yml b/x-pack/filebeat/module/cylance/protect/config/input.yml
index fc90f92344c0..28123fafd350 100644
--- a/x-pack/filebeat/module/cylance/protect/config/input.yml
+++ b/x-pack/filebeat/module/cylance/protect/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml
index 4df5148c7700..72aa57c217a7 100644
--- a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml
@@ -53,6 +53,11 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null && ctx.host?.name != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
index aeb8dfcbd466..4f73edba010c 100644
--- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json
@@ -12,6 +12,9 @@
 "observer.product": "Protect",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Cylance",
+ "related.hosts": [
+ "nostrud4819.mail.test"
+ ],
 "rsa.identity.firstname": "uii",
 "rsa.identity.lastname": "umexe",
 "rsa.internal.messageid": "CylancePROTECT",
@@ -44,6 +47,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "volup208.invalid" + ], "rsa.identity.firstname": "luptat", "rsa.identity.lastname": "isiutal", "rsa.internal.messageid": "CylancePROTECT", @@ -75,6 +81,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eius6159.www5.localhost" + ], "rsa.db.index": "temvel", "rsa.identity.firstname": "lupt", "rsa.identity.lastname": "tia", @@ -106,6 +115,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ratvolup497.www.corp" + ], "rsa.db.index": "ommodic", "rsa.identity.firstname": "mipsu", "rsa.identity.lastname": "consec", @@ -137,6 +149,9 @@ "observer.product": "taliqu", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tatno5625.api.local" + ], "rsa.identity.firstname": "tur", "rsa.identity.lastname": "aperi", "rsa.internal.messageid": "CylancePROTECT", @@ -170,6 +185,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "maveniam1399.mail.lan" + ], "related.ip": [ "10.124.61.119" ], @@ -211,6 +229,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nimadmin6499.local" + ], "rsa.db.index": "lorem", "rsa.identity.firstname": "urerep", "rsa.identity.lastname": "aquaeab", @@ -242,6 +263,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "suntinc4934.www5.test" + ], "rsa.identity.firstname": "dmi", "rsa.identity.lastname": "olab", "rsa.internal.messageid": "CylancePROTECT", @@ -277,6 +301,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.2344", + "related.hosts": [ + "reetdolo2451.www.example" + ], "related.user": [ "usan" ], 
@@ -310,6 +337,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "uis7612.www5.domain" + ], "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", @@ -337,6 +367,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "admi3749.api.lan" + ], "rsa.db.index": "nimadmin", "rsa.identity.firstname": "iqui", "rsa.identity.lastname": "etc", @@ -371,6 +404,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.5383", + "related.hosts": [ + "rudexerc703.internal.host" + ], "related.user": [ "isaute" ], @@ -444,6 +480,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "estqu1709.internal.example" + ], "related.ip": [ "10.64.70.5" ], @@ -484,6 +523,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "xeac7155.www.localdomain" + ], "related.ip": [ "10.143.239.210" ], @@ -527,6 +569,9 @@ "observer.vendor": "Cylance", "process.name": "aliqu.exe", "process.pid": 2289, + "related.hosts": [ + "maccusa5126.api.domain" + ], "related.ip": [ "10.32.143.134" ], @@ -570,6 +615,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "llu4718.localhost" + ], "rsa.db.index": "psaquae", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -629,6 +677,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eaq908.api.home" + ], "rsa.db.index": "equat", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -661,6 +712,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.4129", + "related.hosts": [ + "mcolab379.internal.home" + ], "related.user": [ "fdeFi" ], @@ -733,6 +787,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sciun4694.api.lan" + ], "rsa.db.index": "enderit", "rsa.identity.firstname": "idata", "rsa.identity.lastname": "rumwritt", @@ -764,6 +821,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "mni7200.mail.localdomain" + ], "rsa.db.index": "uisau", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -821,6 +881,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3212", + "related.hosts": [ + "ntoccae1705.internal.invalid" + ], "related.user": [ "aperiame" ], @@ -854,6 +917,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "etconsec6708.internal.invalid" + ], "rsa.db.index": "mquame", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502030000, @@ -884,6 +950,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "Sedutp7428.internal.home" + ], "rsa.db.index": "iquipe", "rsa.identity.firstname": "upida", "rsa.identity.lastname": "tvolupt", @@ -916,6 +985,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ati4639.www5.home" + ], "rsa.identity.firstname": "con", "rsa.identity.lastname": "nisist", "rsa.internal.messageid": "CylancePROTECT", 
@@ -947,6 +1019,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "torever662.www5.home" + ], "rsa.db.index": "The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240", "rsa.identity.firstname": "amcol", "rsa.identity.lastname": "adeser", @@ -978,6 +1053,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "emeumfug4387.internal.lan" + ], "rsa.identity.firstname": "ccaeca", "rsa.identity.lastname": "niamq", "rsa.internal.messageid": "CylancePROTECT", @@ -1010,6 +1088,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "rumwrit764.www5.local" + ], "rsa.db.index": "miu", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804020000, @@ -1072,6 +1153,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "oremi1485.api.localhost" + ], "rsa.identity.firstname": "atisund", "rsa.identity.lastname": "xea", "rsa.internal.messageid": "CylancePROTECT", @@ -1104,6 +1188,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "periam126.api.host" + ], "rsa.crypto.sig_type": "rExc", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1135,6 +1222,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tate6578.api.localdomain" + ], "related.ip": [ "10.252.165.146" ], @@ -1175,6 +1265,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "midestl1919.host" + ], "related.ip": [ "10.124.88.222" ], 
@@ -1215,6 +1308,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eiusmod3517.internal.invalid" + ], "rsa.identity.firstname": "dol", "rsa.identity.lastname": "sciun", "rsa.internal.messageid": "CylancePROTECT", @@ -1248,6 +1344,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ntexpl3889.www.home" + ], "related.ip": [ "10.156.34.19" ], @@ -1290,6 +1389,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ntium4450.www5.localdomain" + ], "related.ip": [ "10.22.94.10" ], @@ -1330,6 +1432,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "erspi5757.local" + ], "rsa.db.index": "undeomni", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, @@ -1424,6 +1529,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "magnid3343.home" + ], "rsa.db.index": "obea", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1454,6 +1562,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "asperna7623.www.home" + ], "rsa.identity.firstname": "onproide", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1486,6 +1597,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3421", + "related.hosts": [ + "undeom845.www5.example" + ], "related.user": [ "tassita" ], @@ -1548,6 +1662,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ons5050.mail.test" + ], "related.ip": [ "10.48.209.115" ], 
@@ -1588,6 +1705,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "oloreeu7597.mail.home" + ], "related.ip": [ "10.7.99.47" ], @@ -1628,6 +1748,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ueip5847.api.test" + ], "rsa.crypto.sig_type": "Nemoenim", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804010000, @@ -1660,6 +1783,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.989", + "related.hosts": [ + "uid3520.www.home" + ], "related.user": [ "ici" ], @@ -1745,6 +1871,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "teir7585.www5.localdomain" + ], "rsa.identity.firstname": "scip", "rsa.identity.lastname": "Finibus", "rsa.internal.messageid": "CylancePROTECT", @@ -1831,6 +1960,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "serrorsi1096.www5.localdomain" + ], "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1860,6 +1992,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "prehen4807.mail.invalid" + ], "rsa.db.index": "meum", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1600000000, @@ -1890,6 +2025,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sit1400.www.lan" + ], "rsa.db.index": "ntsunti", "rsa.identity.firstname": "uid", "rsa.identity.lastname": "idatat", 
@@ -1922,6 +2060,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sectetu7182.localdomain" + ], "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804010000, "rsa.investigations.event_cat_name": "Network.Devices.Additions", @@ -1949,6 +2090,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "officiad4982.www5.domain" + ], "rsa.identity.firstname": "etdolore", "rsa.identity.lastname": "magnaa", "rsa.internal.messageid": "CylancePROTECT", @@ -1980,6 +2124,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "consequa1486.internal.localdomain" + ], "rsa.crypto.sig_type": "quaeratv", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2010,6 +2157,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "its6443.mail.example" + ], "related.ip": [ "10.139.80.71" ], @@ -2053,6 +2203,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tconsec7604.corp" + ], "related.ip": [ "10.223.246.244" ], @@ -2092,6 +2245,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tuser2694.internal.invalid" + ], "rsa.identity.firstname": "natus", "rsa.identity.lastname": "boreet", "rsa.internal.messageid": "CylancePROTECT", @@ -2124,6 +2280,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "gnaaliq5240.api.test" + ], "rsa.crypto.sig_type": "ratvo", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -2153,6 +2312,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "illum2625.test" + ], "rsa.crypto.sig_type": "iaeconse", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, @@ -2182,6 +2344,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nulamc5617.mail.host" + ], "related.ip": [ "10.134.137.205" ], @@ -2221,6 +2386,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tatem4713.internal.host" + ], "rsa.db.index": "usci", "rsa.identity.firstname": "lupta", "rsa.identity.lastname": "ura", @@ -2254,6 +2422,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ugits5961.www5.local" + ], "related.ip": [ "10.91.2.225" ], @@ -2297,6 +2468,9 @@ "observer.vendor": "Cylance", "process.name": "nimadmi.exe", "process.pid": 601, + "related.hosts": [ + "prehende5460.mail.localdomain" + ], "related.ip": [ "10.191.99.14" ], @@ -2340,6 +2514,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "velites1745.api.corp" + ], "rsa.db.index": "lor", "rsa.identity.firstname": "naaliq", "rsa.identity.lastname": "plica", @@ -2373,6 +2550,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "Duis583.api.local" + ], "rsa.crypto.sig_type": "dminim", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, @@ -2404,6 +2584,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.2478", + "related.hosts": [ + "velitess2401.www.lan" + ], "rsa.db.index": "dolo", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -2434,6 +2617,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sequines3991.mail.local" + ], "rsa.identity.firstname": "sequines", "rsa.identity.lastname": "minimve", "rsa.internal.messageid": "CylancePROTECT", @@ -2470,6 +2656,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "iatquo2815.mail.host" + ], "related.ip": [ "10.181.215.164" ], @@ -2537,6 +2726,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "issusci7005.mail.host" + ], "rsa.db.index": "tiumtot", "rsa.identity.firstname": "ecillumd", "rsa.identity.lastname": "iumto", @@ -2571,6 +2763,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "umq7428.invalid" + ], "related.ip": [ "10.164.59.219" ], @@ -2639,6 +2834,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "epteurs5503.www5.home" + ], "related.ip": [ "10.1.193.187" ], @@ -2707,6 +2905,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "omnisis5339.www5.local" + ], "rsa.db.index": "deom, Device Id: tiumdo, Policy Name: rautod", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2737,6 +2938,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ction491.www5.local" + ], "rsa.identity.firstname": "imveniam", "rsa.identity.lastname": "sunte", "rsa.internal.messageid": "CylancePROTECT", @@ -2769,6 +2973,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "undeom7847.api.corp" + ], "related.ip": [ "10.146.228.234" ], 
@@ -2810,6 +3017,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "dolo6230.mail.invalid" + ], "related.ip": [ "10.59.232.97" ], @@ -2845,6 +3055,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nvolup6280.api.home" + ], "rsa.identity.firstname": "dantium", "rsa.identity.lastname": "ors", "rsa.internal.messageid": "CylancePROTECT", @@ -2877,6 +3090,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "urautodi3892.www5.example" + ], "rsa.db.index": "nibu", "rsa.identity.firstname": "mdolo", "rsa.identity.lastname": "nof", @@ -2952,6 +3168,9 @@ "observer.vendor": "Cylance", "process.name": "oluptat.exe", "process.pid": 4608, + "related.hosts": [ + "uraut3756.www5.test" + ], "related.ip": [ "10.127.30.119" ], @@ -2995,6 +3214,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "squ2213.www.test" + ], "rsa.db.index": "rExce", "rsa.identity.firstname": "rinc", "rsa.identity.lastname": "tno", @@ -3056,6 +3278,9 @@ "observer.vendor": "Cylance", "process.name": "ngelitse.exe", "process.pid": 4190, + "related.hosts": [ + "umet5891.api.localdomain" + ], "related.ip": [ "10.8.150.213" ], @@ -3099,6 +3324,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "umquam5574.internal.test" + ], "related.ip": [ "10.108.59.10" ], @@ -3134,6 +3362,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "volupt6822.api.invalid" + ], "rsa.identity.firstname": "qui", "rsa.identity.lastname": "epteurs", "rsa.internal.messageid": "CylancePROTECT", 
@@ -3224,6 +3455,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3237", + "related.hosts": [ + "amvol4075.mail.localhost" + ], "related.user": [ "pta" ], @@ -3257,6 +3491,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "asi4651.api.test" + ], "rsa.db.index": "ssecill", "rsa.identity.firstname": "officiad", "rsa.identity.lastname": "veniam", @@ -3288,6 +3525,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "perna6751.internal.home" + ], "related.ip": [ "10.138.85.233" ], @@ -3323,6 +3563,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "evolupta7790.internal.local" + ], "rsa.db.index": "rehe", "rsa.identity.firstname": "tam", "rsa.identity.lastname": "deser", diff --git a/x-pack/filebeat/module/f5/bigipafm/config/input.yml b/x-pack/filebeat/module/f5/bigipafm/config/input.yml index e17540ff0416..e4c79ac07c58 100644 --- a/x-pack/filebeat/module/f5/bigipafm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipafm/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml index 5df41d6ec6fa..395794625931 100644 --- a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message 
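Review bot: In the new `append` processor in `f5/bigipafm/ingest/pipeline.yml`, the `if` expression `ctx?.host?.name != null && ctx.host?.name != ''` applies null-safe navigation inconsistently: the first clause already guarantees `host.name` is non-null, so the `?.` in the second clause is dead weight and the asymmetry invites a reader to look for a difference that is not there; `if: ctx.host?.name != null && ctx.host.name != ''` is equivalent and clearer. Separately, `related.hosts` is only useful for correlation if `host.name` is the device that produced the log, and this hunk does not show where `host.name` is populated; should it be filled by Filebeat's `add_host_metadata` for some inputs, the collector's hostname would be recorded against every firewall event, so confirm the source and document it on the processor, e.g. `# host.name here must be the originating host from the event, not the Filebeat host`. Since `{{host.name}}` is rendered as a single string, a multi-valued `host.name` would also land as one stringified entry rather than separate hosts; if that can occur, a `foreach` or a `script` processor would handle it correctly.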
diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json index a366e228e250..d17290622826 100644 --- a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json @@ -20,11 +20,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2262", + "related.hosts": [ + "tatemac3541.api.corp" + ], "related.ip": [ - "10.11.196.142", - "10.208.121.85", "10.165.201.71", - "10.228.193.207" + "10.228.193.207", + "10.11.196.142", + "10.208.121.85" ], "related.user": [ "billoi" @@ -85,11 +88,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.445", + "related.hosts": [ + "enatus2114.mail.home" + ], "related.ip": [ - "10.92.202.200", - "10.162.9.235", "10.51.132.10", - "10.94.67.230" + "10.162.9.235", + "10.94.67.230", + "10.92.202.200" ], "related.user": [ "byC" @@ -150,6 +156,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4726", + "related.hosts": [ + "gelit6728.api.invalid" + ], "related.ip": [ "10.122.116.161", "10.209.155.149", @@ -214,11 +223,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2696", + "related.hosts": [ + "uid545.www5.localhost" + ], "related.ip": [ "10.12.44.169", + "10.202.66.28", "10.50.112.141", - "10.131.233.27", - "10.202.66.28" + "10.131.233.27" ], "related.user": [ "elits" @@ -279,11 +291,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3341", + "related.hosts": [ + "emquiavo452.internal.localhost" + ], "related.ip": [ + "10.159.182.171", "10.151.111.38", - "10.206.197.113", "10.96.35.212", - "10.159.182.171" + "10.206.197.113" ], "related.user": [ "mol" 
@@ -344,11 +359,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6179", + "related.hosts": [ + "sun1403.www.invalid" + ], "related.ip": [ - "10.169.144.147", - "10.89.163.114", + "10.126.177.162", "10.213.113.28", - "10.126.177.162" + "10.169.144.147", + "10.89.163.114" ], "related.user": [ "ist" @@ -408,11 +426,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6316", + "related.hosts": [ + "ittenbyC7838.api.localdomain" + ], "related.ip": [ "10.101.223.43", - "10.146.88.52", + "10.18.124.28", "10.103.107.47", - "10.18.124.28" + "10.146.88.52" ], "related.user": [ "rudexerc" @@ -473,9 +494,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3768", + "related.hosts": [ + "ume465.corp" + ], "related.ip": [ - "10.189.109.245", "10.150.220.75", + "10.189.109.245", "10.69.57.206", "10.110.99.17" ], @@ -537,11 +561,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2299", + "related.hosts": [ + "iciatisu1463.www5.localdomain" + ], "related.ip": [ - "10.19.194.101", - "10.153.136.222", "10.199.34.241", - "10.121.219.204" + "10.121.219.204", + "10.153.136.222", + "10.19.194.101" ], "related.user": [ "temveleu" @@ -601,10 +628,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4138", + "related.hosts": [ + "aliqu6801.api.localdomain" + ], "related.ip": [ + "10.57.103.192", "10.64.141.105", "10.46.27.57", - "10.57.103.192", "10.182.199.231" ], "related.user": [ @@ -665,11 +695,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7410", + "related.hosts": [ + "itame189.domain" + ], "related.ip": [ "10.32.67.231", - "10.164.6.207", "10.3.134.237", - "10.160.210.31" + "10.160.210.31", + "10.164.6.207" ], "related.user": [ "pic" 
@@ -730,11 +763,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3545", + "related.hosts": [ + "tsedqu2456.www5.invalid" + ], "related.ip": [ "10.42.138.192", + "10.201.6.10", "10.235.101.253", - "10.182.178.217", - "10.201.6.10" + "10.182.178.217" ], "related.user": [ "giatnu" @@ -795,11 +831,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3795", + "related.hosts": [ + "stlabo1228.mail.host" + ], "related.ip": [ - "10.151.161.70", "10.86.101.235", - "10.22.102.198", - "10.194.247.171" + "10.194.247.171", + "10.151.161.70", + "10.22.102.198" ], "related.user": [ "nse" @@ -860,11 +899,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4901", + "related.hosts": [ + "ecte4762.local" + ], "related.ip": [ - "10.167.172.155", "10.174.252.105", + "10.204.35.15", "10.107.168.60", - "10.204.35.15" + "10.167.172.155" ], "related.user": [ "mnisi" @@ -924,11 +966,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3427", + "related.hosts": [ + "smo7167.www.test" + ], "related.ip": [ + "10.99.249.210", "10.182.191.174", - "10.214.249.164", "10.81.26.208", - "10.99.249.210" + "10.214.249.164" ], "related.user": [ "upta" @@ -988,11 +1033,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1766", + "related.hosts": [ + "sauteiru4554.api.domain" + ], "related.ip": [ - "10.101.226.128", "10.88.101.53", "10.201.238.90", - "10.220.5.143" + "10.220.5.143", + "10.101.226.128" ], "related.user": [ "porro" @@ -1052,11 +1100,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7491", + "related.hosts": [ + "untut4046.internal.domain" + ], "related.ip": [ - "10.30.133.66", - "10.157.18.252", "10.243.218.215", - "10.217.150.196" + "10.217.150.196", + "10.157.18.252", + "10.30.133.66" ], "related.user": [ "evit" 
@@ -1116,10 +1167,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.752", + "related.hosts": [ + "quid3147.mail.home" + ], "related.ip": [ + "10.167.227.44", "10.181.133.187", "10.148.161.250", - "10.167.227.44", "10.66.181.6" ], "related.user": [ @@ -1181,9 +1235,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5663", + "related.hosts": [ + "umdolo1029.mail.localhost" + ], "related.ip": [ - "10.54.17.32", "10.74.11.43", + "10.54.17.32", "10.84.163.178", "10.107.9.163" ], @@ -1245,11 +1302,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5726", + "related.hosts": [ + "lorsita2019.internal.home" + ], "related.ip": [ "10.230.129.252", - "10.112.32.213", "10.184.73.211", - "10.192.229.221" + "10.192.229.221", + "10.112.32.213" ], "related.user": [ "odi" @@ -1310,11 +1370,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1721", + "related.hosts": [ + "paquioff624.mail.invalid" + ], "related.ip": [ "10.161.148.64", - "10.198.213.189", + "10.199.216.143", "10.7.200.140", - "10.199.216.143" + "10.198.213.189" ], "related.user": [ "ccaeca" @@ -1374,11 +1437,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1000", + "related.hosts": [ + "mex2054.mail.corp" + ], "related.ip": [ - "10.128.157.27", - "10.65.232.27", "10.206.96.56", - "10.22.187.69" + "10.22.187.69", + "10.128.157.27", + "10.65.232.27" ], "related.user": [ "uaeab" @@ -1438,11 +1504,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3104", + "related.hosts": [ + "avolupt7576.api.corp" + ], "related.ip": [ - "10.71.114.14", "10.194.210.62", "10.68.253.120", - "10.183.130.225" + "10.183.130.225", + "10.71.114.14" ], "related.user": [ "admin" 
@@ -1503,11 +1572,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.341", + "related.hosts": [ + "loi7596.www5.home" + ], "related.ip": [ - "10.107.45.175", + "10.47.255.237", "10.45.253.103", - "10.31.177.226", - "10.47.255.237" + "10.107.45.175", + "10.31.177.226" ], "related.user": [ "remagn" @@ -1568,11 +1640,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1607", + "related.hosts": [ + "nsequat1971.internal.invalid" + ], "related.ip": [ - "10.225.212.189", "10.44.58.106", "10.55.105.113", - "10.213.94.135" + "10.213.94.135", + "10.225.212.189" ], "related.user": [ "dquia" @@ -1632,11 +1707,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.51", + "related.hosts": [ + "ectiono2241.lan" + ], "related.ip": [ - "10.163.209.70", - "10.2.114.9", "10.255.74.136", - "10.69.161.78" + "10.69.161.78", + "10.163.209.70", + "10.2.114.9" ], "related.user": [ "olabor" @@ -1696,9 +1774,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.380", + "related.hosts": [ + "umetMal1664.mail.lan" + ], "related.ip": [ - "10.252.102.110", "10.46.115.216", + "10.252.102.110", "10.12.129.137", "10.184.59.148" ], @@ -1761,11 +1842,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1729", + "related.hosts": [ + "derit5270.mail.local" + ], "related.ip": [ - "10.105.52.140", - "10.199.194.79", "10.81.184.7", - "10.155.204.243" + "10.199.194.79", + "10.155.204.243", + "10.105.52.140" ], "related.user": [ "eetd" @@ -1826,11 +1910,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1453", + "related.hosts": [ + "orisni5238.mail.lan" + ], "related.ip": [ - "10.177.238.45", "10.251.231.142", - "10.110.2.166", - "10.18.226.72" + "10.177.238.45", + "10.18.226.72", + "10.110.2.166" ], "related.user": [ "taliqui" 
@@ -1891,6 +1978,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6332", + "related.hosts": [ + "iutali7297.www.domain" + ], "related.ip": [ "10.99.202.229", "10.100.199.226", @@ -1956,11 +2046,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6463", + "related.hosts": [ + "orumw5960.www5.home" + ], "related.ip": [ "10.248.111.207", - "10.172.154.97", + "10.162.97.197", "10.37.193.70", - "10.162.97.197" + "10.172.154.97" ], "related.user": [ "culpaq" @@ -2020,11 +2113,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3912", + "related.hosts": [ + "oinv5493.internal.domain" + ], "related.ip": [ "10.171.221.230", "10.222.165.250", - "10.36.63.31", - "10.45.35.180" + "10.45.35.180", + "10.36.63.31" ], "related.user": [ "otamr" @@ -2084,11 +2180,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4329", + "related.hosts": [ + "tnonproi195.api.home" + ], "related.ip": [ - "10.238.4.219", - "10.83.238.145", + "10.1.171.61", "10.199.127.211", - "10.1.171.61" + "10.83.238.145", + "10.238.4.219" ], "related.user": [ "reetdolo" @@ -2148,11 +2247,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3789", + "related.hosts": [ + "edictasu5362.internal.localhost" + ], "related.ip": [ "10.170.252.219", + "10.65.141.244", "10.74.213.42", - "10.44.226.104", - "10.65.141.244" + "10.44.226.104" ], "related.user": [ "Nequepo" @@ -2212,11 +2314,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2965", + "related.hosts": [ + "uido492.www5.home" + ], "related.ip": [ "10.180.48.221", - "10.225.141.172", + "10.225.255.211", "10.183.223.149", - "10.225.255.211" + "10.225.141.172" ], "related.user": [ "nihil" 
@@ -2276,11 +2381,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7612", + "related.hosts": [ + "redo6311.api.invalid" + ], "related.ip": [ "10.176.64.28", "10.97.138.181", - "10.169.123.103", - "10.205.174.181" + "10.205.174.181", + "10.169.123.103" ], "related.user": [ "eseruntm" @@ -2341,11 +2449,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4226", + "related.hosts": [ + "dolorem1698.www.domain" + ], "related.ip": [ "10.75.120.11", + "10.169.101.161", "10.53.101.131", - "10.204.4.40", - "10.169.101.161" + "10.204.4.40" ], "related.user": [ "tquo" @@ -2406,11 +2517,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2990", + "related.hosts": [ + "evitae7333.www.lan" + ], "related.ip": [ "10.156.117.169", + "10.28.51.219", "10.6.222.112", - "10.87.120.87", - "10.28.51.219" + "10.87.120.87" ], "related.user": [ "onsequu" @@ -2470,11 +2584,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.388", + "related.hosts": [ + "arc2412.mail.lan" + ], "related.ip": [ - "10.4.126.103", - "10.253.167.17", "10.247.44.59", - "10.57.89.155" + "10.57.89.155", + "10.253.167.17", + "10.4.126.103" ], "related.user": [ "ntorever" @@ -2534,11 +2651,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6451", + "related.hosts": [ + "olorsi2746.internal.localhost" + ], "related.ip": [ - "10.15.240.220", "10.36.69.125", - "10.143.183.208", - "10.248.206.210" + "10.15.240.220", + "10.248.206.210", + "10.143.183.208" ], "related.user": [ "met" @@ -2599,11 +2719,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4386", + "related.hosts": [ + "edqu2208.www.localhost" + ], "related.ip": [ "10.69.170.107", "10.6.32.7", - "10.142.186.43", - "10.34.133.2" + "10.34.133.2", + "10.142.186.43" ], "related.user": [ "ipitlabo" 
@@ -2664,11 +2787,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2026", + "related.hosts": [ + "ender5647.www5.example" + ], "related.ip": [ "10.59.103.10", - "10.142.22.24", + "10.170.165.164", "10.121.153.197", - "10.170.165.164" + "10.142.22.24" ], "related.user": [ "borumSec" @@ -2729,6 +2855,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1576", + "related.hosts": [ + "sis3986.internal.lan" + ], "related.ip": [ "10.19.99.129", "10.247.114.30", @@ -2794,11 +2923,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3824", + "related.hosts": [ + "uatu2894.api.lan" + ], "related.ip": [ - "10.64.139.17", "10.70.7.23", + "10.40.177.138", "10.8.29.219", - "10.40.177.138" + "10.64.139.17" ], "related.user": [ "rep" @@ -2858,10 +2990,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6066", + "related.hosts": [ + "rmagnido5483.local" + ], "related.ip": [ "10.2.189.20", - "10.67.173.228", "10.67.221.220", + "10.67.173.228", "10.180.62.222" ], "related.user": [ @@ -2923,6 +3058,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5040", + "related.hosts": [ + "uian521.www.example" + ], "related.ip": [ "10.147.127.181", "10.209.52.47", @@ -2987,10 +3125,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7604", + "related.hosts": [ + "taliq5213.api.corp" + ], "related.ip": [ - "10.231.18.90", - "10.248.140.59", "10.226.24.84", + "10.248.140.59", + "10.231.18.90", "10.85.13.237" ], "related.user": [ @@ -3052,11 +3193,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5407", + "related.hosts": [ + "ntsunt4894.mail.domain" + ], "related.ip": [ - "10.203.46.215", + "10.59.215.207", "10.207.183.204", "10.8.224.72", - "10.59.215.207" + "10.203.46.215" ], "related.user": [ "eruntmo" 
@@ -3117,11 +3261,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6814", + "related.hosts": [ + "mexer3864.api.corp" + ], "related.ip": [ + "10.98.154.146", "10.73.84.95", "10.230.38.148", - "10.255.145.22", - "10.98.154.146" + "10.255.145.22" ], "related.user": [ "sitam" @@ -3181,11 +3328,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7160", + "related.hosts": [ + "oluptat6960.www5.test" + ], "related.ip": [ - "10.105.120.162", "10.166.142.198", - "10.211.29.187", - "10.175.181.138" + "10.105.120.162", + "10.175.181.138", + "10.211.29.187" ], "related.user": [ "tium" @@ -3246,11 +3396,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6057", + "related.hosts": [ + "fugiatnu2498.www.localhost" + ], "related.ip": [ - "10.220.202.102", "10.182.213.195", "10.195.139.25", - "10.122.133.162" + "10.122.133.162", + "10.220.202.102" ], "related.user": [ "aquae" @@ -3311,11 +3464,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3297", + "related.hosts": [ + "ptat3230.domain" + ], "related.ip": [ - "10.156.208.5", - "10.53.72.161", + "10.33.143.163", "10.247.144.9", - "10.33.143.163" + "10.156.208.5", + "10.53.72.161" ], "related.user": [ "scip" @@ -3375,11 +3531,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2476", + "related.hosts": [ + "exer447.internal.localhost" + ], "related.ip": [ + "10.241.143.145", "10.35.190.164", "10.21.58.162", - "10.113.65.192", - "10.241.143.145" + "10.113.65.192" ], "related.user": [ "porin" @@ -3440,11 +3599,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.768", + "related.hosts": [ + "itanimi1934.home" + ], "related.ip": [ - "10.19.154.103", - "10.53.27.253", + "10.129.16.166", "10.75.113.240", - "10.129.16.166" + "10.19.154.103", + "10.53.27.253" ], "related.user": [ "luptat" 
@@ -3505,6 +3667,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5812", + "related.hosts": [ + "pteurs1031.mail.corp" + ], "related.ip": [ "10.150.153.61", "10.22.213.196", @@ -3570,10 +3735,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7232", + "related.hosts": [ + "edquiaco6562.api.lan" + ], "related.ip": [ "10.85.52.249", - "10.238.171.184", "10.229.155.171", + "10.238.171.184", "10.113.2.13" ], "related.user": [ @@ -3635,11 +3803,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.536", + "related.hosts": [ + "tatis7315.mail.home" + ], "related.ip": [ "10.249.174.35", - "10.198.150.185", "10.51.245.225", - "10.220.1.249" + "10.220.1.249", + "10.198.150.185" ], "related.user": [ "quela" @@ -3700,10 +3871,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.219", + "related.hosts": [ + "eosqui3723.api.localdomain" + ], "related.ip": [ - "10.190.96.181", "10.38.185.31", "10.251.82.195", + "10.190.96.181", "10.152.157.32" ], "related.user": [ @@ -3764,11 +3938,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6526", + "related.hosts": [ + "itaedict199.mail.corp" + ], "related.ip": [ - "10.190.247.194", "10.103.102.242", - "10.211.198.50", - "10.230.112.179" + "10.190.247.194", + "10.230.112.179", + "10.211.198.50" ], "related.user": [ "tDuisaut" @@ -3828,11 +4005,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7750", + "related.hosts": [ + "xeaco7887.www.localdomain" + ], "related.ip": [ "10.219.83.199", "10.47.223.155", - "10.251.101.61", - "10.101.13.122" + "10.101.13.122", + "10.251.101.61" ], "related.user": [ "ectetur" 
@@ -3893,11 +4073,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5568", + "related.hosts": [ + "saute7421.www.invalid" + ], "related.ip": [ + "10.31.86.83", "10.21.30.43", - "10.83.136.233", "10.21.80.157", - "10.31.86.83" + "10.83.136.233" ], "related.user": [ "litsed" @@ -3958,11 +4141,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5445", + "related.hosts": [ + "oluptas1637.home" + ], "related.ip": [ - "10.195.90.73", + "10.27.181.27", "10.45.152.205", "10.194.197.107", - "10.27.181.27" + "10.195.90.73" ], "related.user": [ "datatn" @@ -4023,11 +4209,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.508", + "related.hosts": [ + "ididu5505.api.localdomain" + ], "related.ip": [ "10.222.2.132", + "10.183.90.25", "10.43.239.97", - "10.129.161.18", - "10.183.90.25" + "10.129.161.18" ], "related.user": [ "aedicta" @@ -4087,11 +4276,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4479", + "related.hosts": [ + "mqui1099.api.corp" + ], "related.ip": [ + "10.67.129.100", "10.231.167.171", - "10.248.156.138", "10.189.162.131", - "10.67.129.100" + "10.248.156.138" ], "related.user": [ "sedquia" @@ -4152,11 +4344,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2927", + "related.hosts": [ + "siuta2155.lan" + ], "related.ip": [ - "10.63.103.30", - "10.142.106.66", "10.6.146.184", - "10.185.107.27" + "10.185.107.27", + "10.63.103.30", + "10.142.106.66" ], "related.user": [ "sequu" @@ -4216,11 +4411,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4023", + "related.hosts": [ + "tatiset4191.localdomain" + ], "related.ip": [ "10.93.39.237", "10.119.179.182", - "10.214.93.200", - "10.0.202.9" + "10.0.202.9", + "10.214.93.200" ], "related.user": [ "tionofd" 
@@ -4281,9 +4479,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5939", + "related.hosts": [ + "aute2433.mail.lan" + ], "related.ip": [ - "10.252.204.162", "10.28.145.163", + "10.252.204.162", "10.123.154.140", "10.30.189.166" ], @@ -4345,10 +4546,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6564", + "related.hosts": [ + "idolo6535.internal.example" + ], "related.ip": [ + "10.145.128.250", "10.79.49.3", "10.46.162.198", - "10.145.128.250", "10.29.122.183" ], "related.user": [ @@ -4410,10 +4614,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3341", + "related.hosts": [ + "one7728.api.localdomain" + ], "related.ip": [ + "10.166.169.167", "10.65.174.196", "10.177.232.136", - "10.166.169.167", "10.142.235.217" ], "related.user": [ @@ -4475,10 +4682,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.325", + "related.hosts": [ + "uptatem4446.internal.localhost" + ], "related.ip": [ "10.29.217.44", - "10.191.78.86", "10.215.184.154", + "10.191.78.86", "10.53.188.140" ], "related.user": [ @@ -4540,11 +4750,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3567", + "related.hosts": [ + "emq2514.api.localhost" + ], "related.ip": [ "10.135.77.156", - "10.74.74.129", + "10.46.222.149", "10.76.148.147", - "10.46.222.149" + "10.74.74.129" ], "related.user": [ "urve" @@ -4604,11 +4817,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1186", + "related.hosts": [ + "agna5654.www.corp" + ], "related.ip": [ - "10.130.203.37", "10.145.49.29", + "10.96.200.223", "10.11.146.253", - "10.96.200.223" + "10.130.203.37" ], "related.user": [ "mvele" 
@@ -4668,10 +4884,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6845", + "related.hosts": [ + "ipi4827.mail.lan" + ], "related.ip": [ - "10.48.75.140", - "10.162.78.48", "10.24.23.209", + "10.162.78.48", + "10.48.75.140", "10.162.2.180" ], "related.user": [ @@ -4732,9 +4951,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.419", + "related.hosts": [ + "sequatD163.internal.example" + ], "related.ip": [ - "10.66.92.83", "10.151.206.38", + "10.66.92.83", "10.119.12.186", "10.97.105.115" ], @@ -4796,11 +5018,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7551", + "related.hosts": [ + "itamet1303.invalid" + ], "related.ip": [ - "10.12.148.73", - "10.201.132.114", + "10.64.76.142", "10.169.139.250", - "10.64.76.142" + "10.12.148.73", + "10.201.132.114" ], "related.user": [ "borisnis" @@ -4861,10 +5086,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5292", + "related.hosts": [ + "epr3512.internal.domain" + ], "related.ip": [ - "10.35.38.185", - "10.9.236.18", "10.111.128.11", + "10.9.236.18", + "10.35.38.185", "10.200.116.191" ], "related.user": [ @@ -4925,11 +5153,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5991", + "related.hosts": [ + "uredol2174.home" + ], "related.ip": [ - "10.236.67.227", "10.134.238.8", - "10.240.62.238", - "10.191.27.182" + "10.191.27.182", + "10.236.67.227", + "10.240.62.238" ], "related.user": [ "tlabo" @@ -4989,11 +5220,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6837", + "related.hosts": [ + "ididunt7607.mail.localhost" + ], "related.ip": [ "10.109.14.142", + "10.22.231.91", "10.65.35.64", - "10.165.66.92", - "10.22.231.91" + "10.165.66.92" ], "related.user": [ "perna" 
@@ -5053,11 +5287,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.99", + "related.hosts": [ + "inimav5557.www5.test" + ], "related.ip": [ - "10.29.230.203", - "10.89.221.90", + "10.64.161.215", "10.71.112.86", - "10.64.161.215" + "10.89.221.90", + "10.29.230.203" ], "related.user": [ "rnatur" @@ -5117,11 +5354,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5232", + "related.hosts": [ + "nonn1650.www.test" + ], "related.ip": [ - "10.140.118.182", - "10.88.226.76", "10.221.199.137", - "10.79.208.135" + "10.88.226.76", + "10.79.208.135", + "10.140.118.182" ], "related.user": [ "erspic" @@ -5182,11 +5422,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2492", + "related.hosts": [ + "acons3940.api.lan" + ], "related.ip": [ - "10.133.48.55", - "10.126.61.230", "10.35.73.208", - "10.189.244.22" + "10.126.61.230", + "10.189.244.22", + "10.133.48.55" ], "related.user": [ "tia" @@ -5246,10 +5489,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4044", + "related.hosts": [ + "suscipit587.www.localhost" + ], "related.ip": [ - "10.81.154.115", "10.240.94.109", "10.239.194.105", + "10.81.154.115", "10.35.65.72" ], "related.user": [ @@ -5311,11 +5557,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2307", + "related.hosts": [ + "mnisiut6146.internal.local" + ], "related.ip": [ "10.150.56.227", - "10.38.253.213", + "10.52.70.192", "10.248.72.104", - "10.52.70.192" + "10.38.253.213" ], "related.user": [ "ionem" @@ -5376,10 +5625,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2031", + "related.hosts": [ + "borios1067.www5.home" + ], "related.ip": [ - "10.73.172.186", "10.218.15.164", "10.62.218.239", + "10.73.172.186", "10.203.193.134" ], "related.user": [ 
@@ -5440,11 +5692,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2555", + "related.hosts": [ + "msequ323.www.example" + ], "related.ip": [ - "10.60.20.76", "10.10.46.43", - "10.136.211.234", - "10.131.127.113" + "10.131.127.113", + "10.60.20.76", + "10.136.211.234" ], "related.user": [ "nev" @@ -5505,11 +5760,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3291", + "related.hosts": [ + "tdolorem813.internal.host" + ], "related.ip": [ - "10.233.181.250", "10.248.0.74", - "10.50.177.151", - "10.187.237.220" + "10.233.181.250", + "10.187.237.220", + "10.50.177.151" ], "related.user": [ "ugiatq" @@ -5570,11 +5828,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2859", + "related.hosts": [ + "volupt4626.internal.test" + ], "related.ip": [ - "10.248.248.120", "10.96.223.46", + "10.80.129.81", "10.189.43.11", - "10.80.129.81" + "10.248.248.120" ], "related.user": [ "iatn" @@ -5635,10 +5896,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1910", + "related.hosts": [ + "ntium5103.www5.localhost" + ], "related.ip": [ - "10.173.114.63", - "10.102.109.199", "10.91.115.139", + "10.102.109.199", + "10.173.114.63", "10.66.106.186" ], "related.user": [ @@ -5700,10 +5964,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3690", + "related.hosts": [ + "orpori3334.www.local" + ], "related.ip": [ - "10.159.155.88", "10.0.175.17", "10.198.157.122", + "10.159.155.88", "10.221.223.127" ], "related.user": [ @@ -5764,6 +6031,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6302", + "related.hosts": [ + "equu7361.www5.localdomain" + ], "related.ip": [ "10.252.136.130", "10.189.70.237", 
@@ -5829,11 +6099,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2037", + "related.hosts": [ + "tse2979.internal.localhost" + ], "related.ip": [ - "10.102.109.194", "10.60.224.93", "10.242.121.165", - "10.83.105.69" + "10.83.105.69", + "10.102.109.194" ], "related.user": [ "mni" @@ -5894,10 +6167,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7314", + "related.hosts": [ + "uisnostr2390.mail.domain" + ], "related.ip": [ - "10.251.167.219", "10.219.174.45", "10.181.134.69", + "10.251.167.219", "10.17.20.93" ], "related.user": [ @@ -5959,11 +6235,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.596", + "related.hosts": [ + "luptate4811.mail.example" + ], "related.ip": [ - "10.30.117.82", "10.28.233.253", - "10.223.99.90", - "10.37.14.20" + "10.37.14.20", + "10.30.117.82", + "10.223.99.90" ], "related.user": [ "numqua" @@ -6024,11 +6303,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.95", + "related.hosts": [ + "lites1614.www.corp" + ], "related.ip": [ - "10.50.61.114", - "10.125.20.22", "10.57.85.113", - "10.8.32.17" + "10.8.32.17", + "10.50.61.114", + "10.125.20.22" ], "related.user": [ "qua" @@ -6089,10 +6371,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3064", + "related.hosts": [ + "lorinrep7686.mail.corp" + ], "related.ip": [ - "10.113.78.101", "10.200.28.55", "10.215.224.27", + "10.113.78.101", "10.181.63.82" ], "related.user": [ @@ -6154,10 +6439,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4522", + "related.hosts": [ + "nderit6272.mail.example" + ], "related.ip": [ - "10.139.20.223", - "10.177.14.106", "10.243.43.168", + "10.177.14.106", + "10.139.20.223", "10.169.95.128" ], "related.user": [ 
@@ -6219,11 +6507,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7456", + "related.hosts": [ + "ntu1279.mail.lan" + ], "related.ip": [ "10.92.168.198", "10.90.93.4", - "10.18.176.44", - "10.39.100.88" + "10.39.100.88", + "10.18.176.44" ], "related.user": [ "adminima" @@ -6284,10 +6575,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2909", + "related.hosts": [ + "essequam1161.domain" + ], "related.ip": [ - "10.49.68.8", "10.163.203.191", "10.193.43.135", + "10.49.68.8", "10.173.13.179" ], "related.user": [ @@ -6348,11 +6642,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7726", + "related.hosts": [ + "cipitl2184.localdomain" + ], "related.ip": [ - "10.31.147.51", - "10.84.64.28", "10.240.47.113", - "10.209.226.7" + "10.209.226.7", + "10.31.147.51", + "10.84.64.28" ], "related.user": [ "ull" @@ -6413,11 +6710,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.292", + "related.hosts": [ + "item3647.home" + ], "related.ip": [ - "10.32.20.4", + "10.225.189.229", "10.86.1.244", "10.52.13.192", - "10.225.189.229" + "10.32.20.4" ], "related.user": [ "odtemp" diff --git a/x-pack/filebeat/module/f5/bigipapm/config/input.yml b/x-pack/filebeat/module/f5/bigipapm/config/input.yml index 2cfda9d24b58..72e7af4e0303 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipapm/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml index e80593079289..8dbd2e2e6cb0 100644 --- a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml 
@@ -53,6 +53,11 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{rsa.web.fqdn}}'
+ allow_duplicates: false
+ if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
index b3f74874b99b..fe5ce75e1829 100644
--- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
@@ -42,6 +42,9 @@
 "observer.type": "Access",
 "observer.vendor": "F5",
 "process.pid": 6153,
+ "related.hosts": [
+ "sist1803.mail.local"
+ ],
 "rsa.internal.messageid": "01490504",
 "rsa.misc.log_session_id": "deF",
 "rsa.misc.severity": "medium",
@@ -809,6 +812,9 @@
 "observer.type": "Access",
 "observer.vendor": "F5",
 "process.pid": 7589,
+ "related.hosts": [
+ "dolores2519.mail.host"
+ ],
 "related.user": [
 "tob"
 ],
@@ -839,6 +845,9 @@
 "observer.type": "Access",
 "observer.vendor": "F5",
 "process.pid": 5899,
+ "related.hosts": [
+ "luptat2979.internal.local"
+ ],
 "related.user": [
 "iqua"
 ],
@@ -974,8 +983,8 @@
 "observer.vendor": "F5",
 "process.pid": 4318,
 "related.ip": [
- "10.122.204.151",
- "10.169.101.161"
+ "10.169.101.161",
+ "10.122.204.151"
 ],
 "rsa.internal.messageid": "01490500",
 "rsa.misc.log_session_id": "snulap",
@@ -1556,8 +1565,8 @@
 "observer.vendor": "F5",
 "process.pid": 1973,
 "related.ip": [
- "10.187.64.126",
- "10.47.99.72"
+ "10.47.99.72",
+ "10.187.64.126"
 ],
 "rsa.internal.messageid": "01490500",
 "rsa.misc.category": "oremipsu",
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml
index 2792f46aafd7..40b42e4e5275 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml
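Review bot: The new `if` condition mixes `ctx?.rsa?.web?.fqdn` with `ctx.rsa?.web?.fqdn`; once the first clause has established that the value is non-null, the safe-navigation operators in the second clause are redundant, and `ctx` itself is always present in an ingest pipeline, so `if: ctx.rsa?.web?.fqdn != null && ctx.rsa.web.fqdn != ''` expresses the same check more plainly. The two `append` processors added to the fortinet/clientendpoint pipeline in the next file follow the same pattern for `host.name` and `server.domain` and can be simplified the same way. A short comment above the processor, e.g. `# related.hosts collects every hostname seen in the event so analysts can pivot on it`, would record why the FQDN is copied here in addition to staying under rsa.web. The processors list this hunk belongs to continues outside the hunk.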
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml
index 36997bc43794..28bbbd0e58e2 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null && ctx.host?.name != ''
+ - append:
+ field: related.hosts
+ value: '{{server.domain}}'
+ allow_duplicates: false
+ if: ctx?.server?.domain != null && ctx.server?.domain != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
index 3b9dc0716ec7..69eab97fe352 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
@@ -20,6 +20,10 @@
 "observer.type": "Anti-Virus",
 "observer.vendor": "Fortinet",
 "process.pid": 7880,
+ "related.hosts": [
+ "boNemoe4402.www.invalid",
+ "litesse6379.api.domain"
+ ],
 "related.ip": [
 "10.150.92.220",
 "10.102.123.34"
@@ -75,9 +79,13 @@
 "observer.type": "Anti-Virus",
 "observer.vendor": "Fortinet",
 "process.pid": 4539,
+ "related.hosts": [
+ "olupt4880.api.home",
+ "gnaali6189.internal.localhost"
+ ],
 "related.ip": [
- "10.149.203.46",
- "10.33.212.159"
+ "10.33.212.159",
+ "10.149.203.46"
 ],
 "related.user": [
 "mipsumq"
@@ -130,6 +138,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 445, + "related.hosts": [ + "aqu1628.internal.domain", + "quis1130.internal.corp" + ], "related.ip": [ "10.118.175.9", "10.173.116.41" @@ -185,9 +197,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5712, + "related.hosts": [ + "tinculp2940.internal.local", + "reprehe189.internal.home" + ], "related.ip": [ - "10.202.204.154", - "10.134.137.177" + "10.134.137.177", + "10.202.204.154" ], "related.user": [ "orsitame" @@ -240,9 +256,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6557, + "related.hosts": [ + "rad2103.api.domain", + "enimad2283.internal.domain" + ], "related.ip": [ - "10.70.0.60", - "10.245.142.250" + "10.245.142.250", + "10.70.0.60" ], "related.user": [ "eos" @@ -295,9 +315,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2061, + "related.hosts": [ + "enim5316.www5.local", + "doloreeu3553.www5.home" + ], "related.ip": [ - "10.202.72.124", - "10.200.188.142" + "10.200.188.142", + "10.202.72.124" ], "related.user": [ "iusmodt" @@ -350,9 +374,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5722, + "related.hosts": [ + "reetdolo2770.www5.local", + "iutal13.api.localdomain" + ], "related.ip": [ - "10.214.225.125", - "10.12.44.169" + "10.12.44.169", + "10.214.225.125" ], "related.user": [ "erep" @@ -405,6 +433,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5037, + "related.hosts": [ + "isiu1114.internal.corp", + "uovol492.www.localhost" + ], "related.ip": [ "10.198.136.50", "10.66.108.11" @@ -460,6 +492,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 776, + "related.hosts": [ + "usmodte1296.www.corp", + "osquir6997.corp" + ], "related.ip": [ "10.69.20.77", "10.178.244.31" 
@@ -515,6 +551,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6096, + "related.hosts": [ + "tatno4987.www5.localhost", + "eniam7007.api.invalid" + ], "related.ip": [ "10.54.231.100", "10.203.5.162" @@ -570,9 +610,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7307, + "related.hosts": [ + "tatno6787.internal.localhost", + "snulapar3794.api.domain" + ], "related.ip": [ - "10.136.252.240", - "10.65.83.160" + "10.65.83.160", + "10.136.252.240" ], "related.user": [ "ender" @@ -625,6 +669,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2703, + "related.hosts": [ + "essecill2595.mail.local", + "liq5883.localdomain" + ], "related.ip": [ "10.210.213.18", "10.57.40.29" @@ -680,6 +728,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5166, + "related.hosts": [ + "ali6446.localhost", + "rsint7026.test" + ], "related.ip": [ "10.144.82.69", "10.200.156.102" @@ -735,6 +787,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7668, + "related.hosts": [ + "torev7118.internal.domain", + "qua2945.www.local" + ], "related.ip": [ "10.109.232.112", "10.72.58.135" @@ -790,9 +846,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1044, + "related.hosts": [ + "dolore6103.www5.example", + "luptat6494.www.example" + ], "related.ip": [ - "10.38.22.45", - "10.72.29.73" + "10.72.29.73", + "10.38.22.45" ], "related.user": [ "onproide" @@ -845,6 +905,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7183, + "related.hosts": [ + "errorsi6996.www.domain", + "moenimi6317.internal.invalid" + ], "related.ip": [ "10.70.95.74", "10.76.72.111" @@ -900,6 +964,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6907, + "related.hosts": [ + "lumquido5839.api.corp", + "tion1761.home" + ], "related.ip": [ "10.73.69.75", "10.19.201.13" 
@@ -955,6 +1023,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 499, + "related.hosts": [ + "aperia4409.www5.invalid", + "santium4235.api.local" + ], "related.ip": [ "10.84.105.75", "10.78.151.178" @@ -1010,6 +1082,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1531, + "related.hosts": [ + "tem2496.api.lan", + "CSed2857.www5.example" + ], "related.ip": [ "10.25.192.202", "10.135.233.146" @@ -1065,9 +1141,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6051, + "related.hosts": [ + "eme6710.mail.invalid", + "equep5085.mail.domain" + ], "related.ip": [ - "10.121.219.204", - "10.104.134.200" + "10.104.134.200", + "10.121.219.204" ], "related.user": [ "uptat" @@ -1120,9 +1200,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6994, + "related.hosts": [ + "ihilm1669.mail.invalid", + "conseq557.mail.lan" + ], "related.ip": [ - "10.191.105.82", - "10.225.160.182" + "10.225.160.182", + "10.191.105.82" ], "related.user": [ "eirure" @@ -1175,6 +1259,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5200, + "related.hosts": [ + "umexerci1284.internal.localdomain", + "ite2026.www.invalid" + ], "related.ip": [ "10.141.44.153", "10.161.57.8" @@ -1230,6 +1318,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3365, + "related.hosts": [ + "adol485.example", + "lit5929.test" + ], "related.ip": [ "10.153.111.103", "10.6.167.7" @@ -1285,6 +1377,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1835, + "related.hosts": [ + "evita5008.www.localdomain", + "oru6938.invalid" + ], "related.ip": [ "10.248.204.182", "10.134.148.219" @@ -1340,6 +1436,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2019, + "related.hosts": [ + "tsedqu2456.www5.invalid", + "etdol5473.local" + ], "related.ip": [ "10.163.5.243", "10.178.77.231" 
@@ -1395,9 +1495,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2493, + "related.hosts": [ + "ris3314.mail.invalid", + "nimid893.mail.corp" + ], "related.ip": [ - "10.177.194.18", - "10.221.89.228" + "10.221.89.228", + "10.177.194.18" ], "related.user": [ "aliquam" @@ -1450,6 +1554,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3022, + "related.hosts": [ + "reme622.mail.example", + "rumwritt6003.host" + ], "related.ip": [ "10.32.239.1", "10.241.65.49" @@ -1505,9 +1613,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2328, + "related.hosts": [ + "non3341.mail.invalid", + "xeacomm6855.api.corp" + ], "related.ip": [ - "10.101.57.120", - "10.168.90.81" + "10.168.90.81", + "10.101.57.120" ], "related.user": [ "eporr" @@ -1560,6 +1672,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1156, + "related.hosts": [ + "ris727.api.local", + "icabo4125.mail.domain" + ], "related.ip": [ "10.130.14.60", "10.14.211.43" @@ -1615,9 +1731,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6003, + "related.hosts": [ + "stquido5705.api.host", + "ionofdeF5643.www.localhost" + ], "related.ip": [ - "10.248.101.25", - "10.60.129.15" + "10.60.129.15", + "10.248.101.25" ], "related.user": [ "evolup" @@ -1670,9 +1790,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5651, + "related.hosts": [ + "etcons7378.api.lan", + "orem6702.invalid" + ], "related.ip": [ - "10.72.93.28", - "10.111.187.12" + "10.111.187.12", + "10.72.93.28" ], "related.user": [ "niamqui" @@ -1725,6 +1849,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3470, + "related.hosts": [ + "vita2681.www5.local", + "oin6780.mail.domain" + ], "related.ip": [ "10.27.14.168", "10.66.2.232" 
@@ -1780,6 +1908,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6932, + "related.hosts": [ + "tnulapa7592.www.local", + "eprehen3224.www5.localdomain" + ], "related.ip": [ "10.195.2.130", "10.75.99.127" @@ -1835,6 +1967,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6945, + "related.hosts": [ + "lup2134.www.localhost", + "ptasn6599.www.localhost" + ], "related.ip": [ "10.201.238.90", "10.245.104.182" @@ -1890,9 +2026,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 853, + "related.hosts": [ + "tanimid3337.mail.corp", + "nisist2752.home" + ], "related.ip": [ - "10.105.91.31", - "10.217.150.196" + "10.217.150.196", + "10.105.91.31" ], "related.user": [ "con" @@ -1945,9 +2085,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4153, + "related.hosts": [ + "eumiu765.api.lan", + "gitsedqu2649.mail.lan" + ], "related.ip": [ - "10.4.157.1", - "10.184.18.202" + "10.184.18.202", + "10.4.157.1" ], "related.user": [ "oditem" @@ -2000,9 +2144,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1693, + "related.hosts": [ + "mquelau5326.mail.lan", + "entsunt3962.www.example" + ], "related.ip": [ - "10.255.39.252", - "10.113.95.59" + "10.113.95.59", + "10.255.39.252" ], "related.user": [ "persp" @@ -2055,9 +2203,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 337, + "related.hosts": [ + "idestlab2631.www.lan", + "tut2703.www.host" + ], "related.ip": [ - "10.83.177.2", - "10.27.16.118" + "10.27.16.118", + "10.83.177.2" ], "related.user": [ "borios" @@ -2110,6 +2262,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7041, + "related.hosts": [ + "inesci6789.test", + "entorev160.test" + ], "related.ip": [ "10.167.227.44", "10.38.54.72" 
@@ -2165,6 +2321,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3854, + "related.hosts": [ + "ccaeca7077.internal.corp", + "proide3714.mail.localdomain" + ], "related.ip": [ "10.215.205.216", "10.216.54.184" @@ -2220,6 +2380,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 55, + "related.hosts": [ + "ima2031.api.corp", + "tot5313.mail.invalid" + ], "related.ip": [ "10.9.18.237", "10.9.12.248" @@ -2275,9 +2439,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 228, + "related.hosts": [ + "ian867.internal.corp", + "rumet3801.internal.domain" + ], "related.ip": [ - "10.83.130.226", - "10.41.123.102" + "10.41.123.102", + "10.83.130.226" ], "related.user": [ "tenim" @@ -2330,9 +2498,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4253, + "related.hosts": [ + "lorin4249.corp", + "liqua2834.www5.lan" + ], "related.ip": [ - "10.80.152.108", - "10.175.112.197" + "10.175.112.197", + "10.80.152.108" ], "related.user": [ "tametcon" @@ -2385,6 +2557,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2200, + "related.hosts": [ + "gnaaliqu3935.api.test", + "sequat7273.api.host" + ], "related.ip": [ "10.134.18.114", "10.142.25.100" @@ -2440,6 +2616,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5717, + "related.hosts": [ + "nsequat1859.internal.localhost", + "uidol4575.localhost" + ], "related.ip": [ "10.28.118.160", "10.223.119.218" @@ -2495,6 +2675,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4469, + "related.hosts": [ + "ritin2495.api.corp", + "oremq2000.api.corp" + ], "related.ip": [ "10.47.28.48", "10.110.114.175" 
@@ -2550,6 +2734,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5524, + "related.hosts": [ + "tetur2694.mail.local", + "oremi1485.api.localhost" + ], "related.ip": [ "10.40.251.202", "10.90.33.138" @@ -2605,9 +2793,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3624, + "related.hosts": [ + "rem7043.localhost", + "sequatD5469.www5.lan" + ], "related.ip": [ - "10.227.173.252", - "10.65.2.106" + "10.65.2.106", + "10.227.173.252" ], "related.user": [ "itation" @@ -2660,6 +2852,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1609, + "related.hosts": [ + "emqu2846.internal.home", + "item2738.test" + ], "related.ip": [ "10.28.84.106", "10.193.233.229" @@ -2715,9 +2911,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6248, + "related.hosts": [ + "dqu6144.api.localhost", + "iosamnis1047.internal.localdomain" + ], "related.ip": [ - "10.150.245.88", - "10.210.89.183" + "10.210.89.183", + "10.150.245.88" ], "related.user": [ "sequa" @@ -2770,6 +2970,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7224, + "related.hosts": [ + "giatquov1918.internal.example", + "orroq6677.internal.example" + ], "related.ip": [ "10.85.185.13", "10.180.195.43" @@ -2825,6 +3029,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 430, + "related.hosts": [ + "estl5804.internal.local", + "onevo4326.internal.local" + ], "related.ip": [ "10.210.28.247", "10.207.211.230" @@ -2880,9 +3088,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3589, + "related.hosts": [ + "Sedut1775.www.domain", + "itaedict7233.mail.localdomain" + ], "related.ip": [ - "10.248.165.185", - "10.86.11.48" + "10.86.11.48", + "10.248.165.185" ], "related.user": [ "dquiac" 
@@ -2935,9 +3147,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4814, + "related.hosts": [ + "mac7484.www5.test", + "numquam5869.internal.example" + ], "related.ip": [ - "10.47.125.38", - "10.118.6.177" + "10.118.6.177", + "10.47.125.38" ], "related.user": [ "quunt" @@ -2990,6 +3206,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 276, + "related.hosts": [ + "oin1140.mail.localhost", + "onu6137.api.home" + ], "related.ip": [ "10.60.142.127", "10.50.233.155" @@ -3045,6 +3265,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2452, + "related.hosts": [ + "naaliq3710.api.local", + "aecatcup2241.www5.test" + ], "related.ip": [ "10.28.82.189", "10.120.10.211" @@ -3100,6 +3324,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3453, + "related.hosts": [ + "volupta3552.internal.localhost", + "labor6360.mail.local" + ], "related.ip": [ "10.31.237.225", "10.6.38.163" @@ -3155,9 +3383,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2302, + "related.hosts": [ + "onse380.internal.localdomain", + "mveleum4322.www5.host" + ], "related.ip": [ - "10.125.165.144", - "10.226.5.189" + "10.226.5.189", + "10.125.165.144" ], "related.user": [ "mvolu" @@ -3210,6 +3442,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7079, + "related.hosts": [ + "queips4947.mail.example", + "archite1843.mail.home" + ], "related.ip": [ "10.46.56.204", "10.97.149.97" @@ -3265,9 +3501,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5773, + "related.hosts": [ + "oloreseo5039.test", + "itanim4024.api.example" + ], "related.ip": [ - "10.218.0.197", - "10.28.105.124" + "10.28.105.124", + "10.218.0.197" ], "related.user": [ "ntNe" 
@@ -3320,6 +3560,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1586, + "related.hosts": [ + "minim459.mail.local", + "nreprehe715.api.home" + ], "related.ip": [ "10.17.87.79", "10.123.199.198" @@ -3375,9 +3619,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5137, + "related.hosts": [ + "eratv211.api.host", + "unte893.internal.host" + ], "related.ip": [ - "10.115.68.40", - "10.38.86.177" + "10.38.86.177", + "10.115.68.40" ], "related.user": [ "mpo" @@ -3430,9 +3678,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5704, + "related.hosts": [ + "aparia1179.www.localdomain", + "aspe951.mail.domain" + ], "related.ip": [ - "10.193.118.163", - "10.115.174.107" + "10.115.174.107", + "10.193.118.163" ], "related.user": [ "exeacomm" @@ -3485,6 +3737,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2310, + "related.hosts": [ + "iatqu6203.mail.corp", + "dipiscin4957.www.home" + ], "related.ip": [ "10.77.77.208", "10.37.128.49" @@ -3540,6 +3796,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5398, + "related.hosts": [ + "ptasnula6576.api.invalid", + "econs2687.internal.localdomain" + ], "related.ip": [ "10.54.73.158", "10.1.96.93" @@ -3595,6 +3855,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2465, + "related.hosts": [ + "mag1506.internal.domain", + "tiumto5834.api.lan" + ], "related.ip": [ "10.182.152.242", "10.131.126.109" @@ -3650,6 +3914,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6064, + "related.hosts": [ + "fugits1163.host", + "iutal6032.www.test" + ], "related.ip": [ "10.181.247.224", "10.77.229.168" 
@@ -3705,9 +3973,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2861, + "related.hosts": [ + "gitse2463.www5.invalid", + "inculp2078.host" + ], "related.ip": [ - "10.72.162.6", - "10.235.116.121" + "10.235.116.121", + "10.72.162.6" ], "related.user": [ "oinv" @@ -3760,9 +4032,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3559, + "related.hosts": [ + "temse6953.www.example", + "mexerc2757.internal.home" + ], "related.ip": [ - "10.149.193.117", - "10.28.124.236" + "10.28.124.236", + "10.149.193.117" ], "related.user": [ "mullam" @@ -3815,6 +4091,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1710, + "related.hosts": [ + "deriti6952.mail.domain", + "squira4455.api.domain" + ], "related.ip": [ "10.196.96.162", "10.34.131.224" @@ -3870,6 +4150,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4984, + "related.hosts": [ + "abor1370.www.domain", + "emveleum3661.localhost" + ], "related.ip": [ "10.97.236.123", "10.77.78.180" @@ -3925,9 +4209,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3421, + "related.hosts": [ + "emullamc5418.mail.test", + "sedquiac6517.internal.localhost" + ], "related.ip": [ - "10.45.54.107", - "10.82.133.66" + "10.82.133.66", + "10.45.54.107" ], "related.user": [ "olorem" @@ -3980,6 +4268,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4020, + "related.hosts": [ + "squirati7050.www5.lan", + "veniam3148.www5.home" + ], "related.ip": [ "10.170.252.219", "10.180.180.230" @@ -4035,9 +4327,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 617, + "related.hosts": [ + "venia2079.mail.example", + "unt3559.www.home" + ], "related.ip": [ - "10.65.144.51", - "10.5.11.205" + "10.5.11.205", + "10.65.144.51" ], "related.user": [ "uptat" 
@@ -4090,6 +4386,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 487, + "related.hosts": [ + "snostrum3450.www5.localhost", + "rere5274.mail.domain" + ], "related.ip": [ "10.76.122.196", "10.195.223.82" @@ -4145,6 +4445,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2442, + "related.hosts": [ + "gelitsed3249.corp", + "uaeabi3728.www5.invalid" + ], "related.ip": [ "10.225.255.211", "10.138.210.116" @@ -4200,6 +4504,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6311, + "related.hosts": [ + "dolor7082.internal.localhost", + "uamqu2804.test" + ], "related.ip": [ "10.250.81.189", "10.219.1.151" @@ -4255,6 +4563,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7128, + "related.hosts": [ + "totam6886.api.localhost", + "olor5201.host" + ], "related.ip": [ "10.54.23.133", "10.76.125.70" @@ -4310,9 +4622,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2780, + "related.hosts": [ + "laborum5749.www.example", + "eufug3348.www.lan" + ], "related.ip": [ - "10.36.110.69", - "10.189.42.62" + "10.189.42.62", + "10.36.110.69" ], "related.user": [ "eque" @@ -4365,6 +4681,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3284, + "related.hosts": [ + "lup3313.api.home", + "stquidol239.www5.invalid" + ], "related.ip": [ "10.47.179.68", "10.183.202.82" @@ -4420,6 +4740,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2314, + "related.hosts": [ + "edq5397.www.test", + "gia6531.mail.invalid" + ], "related.ip": [ "10.73.28.165", "10.221.206.74" @@ -4475,9 +4799,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5284, + "related.hosts": [ + "udan6536.www5.test", + "lamcola4879.www5.localdomain" + ], "related.ip": [ - "10.85.104.146", - "10.14.204.36" + "10.14.204.36", + "10.85.104.146" ], "related.user": [ "emp" 
@@ -4530,6 +4858,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3990, + "related.hosts": [ + "rumet6923.www5.lan", + "edquian330.mail.local" + ], "related.ip": [ "10.208.18.210", "10.30.246.132" @@ -4585,6 +4917,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4337, + "related.hosts": [ + "itse522.internal.localdomain", + "santi837.api.domain" + ], "related.ip": [ "10.19.119.17", "10.106.249.91" @@ -4640,9 +4976,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5275, + "related.hosts": [ + "amc3059.local", + "lpaquiof804.internal.invalid" + ], "related.ip": [ - "10.181.41.154", - "10.29.109.126" + "10.29.109.126", + "10.181.41.154" ], "related.user": [ "labo" @@ -4695,6 +5035,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2286, + "related.hosts": [ + "enbyCi3813.api.domain", + "nonn4478.host" + ], "related.ip": [ "10.164.207.42", "10.164.120.197" @@ -4750,6 +5094,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2990, + "related.hosts": [ + "liquipex1155.mail.corp", + "amquaer3985.www5.example" + ], "related.ip": [ "10.183.189.133", "10.154.191.225" @@ -4805,9 +5153,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 226, + "related.hosts": [ + "isn3991.local", + "orem6317.local" + ], "related.ip": [ - "10.29.120.226", - "10.103.189.199" + "10.103.189.199", + "10.29.120.226" ], "related.user": [ "emu" @@ -4860,9 +5212,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4691, + "related.hosts": [ + "iumtotam1010.www5.corp", + "velill3230.www.corp" + ], "related.ip": [ - "10.210.153.7", - "10.133.254.23" + "10.133.254.23", + "10.210.153.7" ], "related.user": [ "voluptas" 
@@ -4915,9 +5271,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5647, + "related.hosts": [ + "onsecte91.www5.localdomain", + "orumS757.www5.corp" + ], "related.ip": [ - "10.126.245.73", - "10.91.2.135" + "10.91.2.135", + "10.126.245.73" ], "related.user": [ "olore" @@ -4970,6 +5330,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2313, + "related.hosts": [ + "abori7686.internal.host", + "emi4534.www.localdomain" + ], "related.ip": [ "10.137.85.123", "10.183.243.246" @@ -5025,6 +5389,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1585, + "related.hosts": [ + "reprehen3513.test", + "inimav1576.mail.example" + ], "related.ip": [ "10.61.225.196", "10.10.86.55" @@ -5080,6 +5448,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3141, + "related.hosts": [ + "orroquis284.api.domain", + "aturQu7083.mail.host" + ], "related.ip": [ "10.79.73.195", "10.125.143.153" @@ -5135,6 +5507,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6331, + "related.hosts": [ + "tionula2060.www5.localhost", + "lumqui7769.mail.local" + ], "related.ip": [ "10.64.139.17", "10.240.216.85" @@ -5190,9 +5566,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4474, + "related.hosts": [ + "rumSecti111.www5.domain", + "siarc6339.internal.corp" + ], "related.ip": [ - "10.87.90.49", - "10.222.245.80" + "10.222.245.80", + "10.87.90.49" ], "related.user": [ "ptatemse" @@ -5245,6 +5625,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4855, + "related.hosts": [ + "olores7881.local", + "ptatev6552.www.test" + ], "related.ip": [ "10.87.144.208", "10.143.53.214" 
@@ -5300,6 +5684,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1729, + "related.hosts": [ + "tDuis3281.www5.localdomain", + "byC5766.internal.home" + ], "related.ip": [ "10.105.97.134", "10.204.178.19" @@ -5355,9 +5743,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4493, + "related.hosts": [ + "uptasnul2751.www5.corp", + "hender6628.local" + ], "related.ip": [ - "10.161.64.168", - "10.194.67.223" + "10.194.67.223", + "10.161.64.168" ], "related.user": [ "tion" @@ -5410,9 +5802,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6094, + "related.hosts": [ + "upt6017.api.localdomain", + "xercit7649.www5.home" + ], "related.ip": [ - "10.100.154.220", - "10.120.148.241" + "10.120.148.241", + "10.100.154.220" ], "related.user": [ "rsitam" @@ -5465,6 +5861,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5012, + "related.hosts": [ + "tpers2217.internal.lan", + "porissu1470.domain" + ], "related.ip": [ "10.180.90.112", "10.116.153.19" diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml index a994af47a3bd..ccee80408a8b 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml index ef17c6f4130f..f142da3fcfb6 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml 
@@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json index a6b2f00ef54b..e3803f80ef3e 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json @@ -586,6 +586,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "lamcolab3252.www.invalid" + ], "related.ip": [ "10.179.124.125", "10.177.36.38" @@ -991,8 +994,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.140.7.83", - "10.68.246.187" + "10.68.246.187", + "10.140.7.83" ], "rsa.email.email_dst": "gna", "rsa.email.email_src": "icabo", @@ -1241,6 +1244,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "atise3421.www5.localdomain" + ], "related.ip": [ "10.179.210.218", "10.73.207.70" @@ -2640,9 +2646,12 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "mveni5084.internal.local" + ], "related.ip": [ - "10.62.61.1", - "10.144.111.42" + "10.144.111.42", + "10.62.61.1" ], "rsa.email.email_dst": "com", "rsa.email.email_src": "lam", @@ -3081,6 +3090,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "taevitae6868.www.corp" + ], "related.ip": [ "10.60.164.100", "10.161.1.146" 
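Review bot: The `if` guard on the new `append` processor mixes null-safe and plain access: once `ctx?.server?.domain != null` has passed, the second clause can be written as `ctx.server.domain != ''`, giving `if: ctx?.server?.domain != null && ctx.server.domain != ''`. The guard also rejects only null and the empty string, so a whitespace-only value, or a non-string that the mustache template stringifies, would still be appended to `related.hosts`; whether the upstream RSA mapping can produce such values is not visible here. `related.hosts` is a field introduced in ECS 1.6 (matching the `ecs.version: 1.6.0` bump in this module's input.yml), so if the shared ECS field definitions used for the index template were not updated to 1.6 elsewhere in this change, the new field will be unmapped. The enclosing `processors:` list starts and ends outside the hunk.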
@@ -3178,9 +3190,12 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "tetura7106.www5.corp" + ], "related.ip": [ - "10.44.35.57", - "10.93.239.216" + "10.93.239.216", + "10.44.35.57" ], "rsa.email.email_dst": "ciun", "rsa.email.email_src": "vento", @@ -3779,8 +3794,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.201.105.58", - "10.251.183.113" + "10.251.183.113", + "10.201.105.58" ], "rsa.email.email_dst": "ionemu", "rsa.email.email_src": "ent", diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml index 5d399e10da57..735db765ff82 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml +++ b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml index 8452bb6c2bfc..79b9a8856281 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json index 58b8f8f46893..78030aa2c531 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json 
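Review bot: The new `append` processor in the fortimanager pipeline copies `host.name` into `related.hosts`, but in Filebeat `host.name` is also commonly populated by the shipper's `add_host_metadata`; unless this module's parser sets `host.name` from the log line itself (the expected-output fixtures suggest it does, but the mapping is not in this hunk), the value appended may be the collecting host rather than the managed device, which is noise for a pivot field. The `if` clause has the same mixed null-safe style as the fortimail pipeline earlier in this commit; `if: ctx?.host?.name != null && ctx.host.name != ''` would be the consistent form. The enclosing `processors:` list starts and ends outside the hunk.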
+++ b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json @@ -90,9 +90,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.410", + "related.hosts": [ + "aer445.host" + ], "related.ip": [ - "10.62.4.246", - "10.171.204.166" + "10.171.204.166", + "10.62.4.246" ], "related.user": [ "oluptas" @@ -102,8 +105,8 @@ "rsa.investigations.event_vcat": "eius", "rsa.misc.OS": "anonnu", "rsa.misc.action": [ - "mol", - "accept" + "accept", + "mol" ], "rsa.misc.category": "exe", "rsa.misc.client": "radip", @@ -177,9 +180,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.200.188.142", "10.94.103.117", - "10.15.159.80" + "10.15.159.80", + "10.200.188.142" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -241,9 +244,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.50.112.141", "10.131.233.27", - "10.27.88.95" + "10.27.88.95", + "10.50.112.141" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -307,6 +310,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5670", + "related.hosts": [ + "olo7148.mail.home" + ], "related.ip": [ "10.87.212.179", "10.157.213.15" @@ -319,8 +325,8 @@ "rsa.investigations.event_vcat": "aveniam", "rsa.misc.OS": "oll", "rsa.misc.action": [ - "allow", - "ali" + "ali", + "allow" ], "rsa.misc.category": "emeumfug", "rsa.misc.client": "caecatc", @@ -395,6 +401,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.152", + "related.hosts": [ + "agna7678.internal.host" + ], "related.ip": [ "10.76.73.140", "10.114.150.67" @@ -407,8 +416,8 @@ "rsa.investigations.event_vcat": "mwr", "rsa.misc.OS": "imaven", "rsa.misc.action": [ - "accept", - "uines" + "uines", + "accept" ], "rsa.misc.category": "uidolo", "rsa.misc.client": "emips", 
@@ -483,9 +492,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4059", + "related.hosts": [ + "equep5085.mail.domain" + ], "related.ip": [ - "10.195.36.51", - "10.95.64.124" + "10.95.64.124", + "10.195.36.51" ], "related.user": [ "nnum" @@ -495,8 +507,8 @@ "rsa.investigations.event_vcat": "quae", "rsa.misc.OS": "qui", "rsa.misc.action": [ - "iadese", - "accept" + "accept", + "iadese" ], "rsa.misc.category": "aturve", "rsa.misc.client": "utei", @@ -570,8 +582,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.176.216.90", "10.114.16.155", + "10.176.216.90", "10.186.85.3" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -635,6 +647,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3917", + "related.hosts": [ + "eturadi6608.mail.host" + ], "related.ip": [ "10.61.163.4", "10.23.62.94" @@ -647,8 +662,8 @@ "rsa.investigations.event_vcat": "oide", "rsa.misc.OS": "gel", "rsa.misc.action": [ - "cancel", - "luptatem" + "luptatem", + "cancel" ], "rsa.misc.category": "uir", "rsa.misc.client": "ratvolu", @@ -723,9 +738,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2580", + "related.hosts": [ + "ipsumdol4488.api.localdomain" + ], "related.ip": [ - "10.28.76.42", - "10.106.31.86" + "10.106.31.86", + "10.28.76.42" ], "related.user": [ "cons" @@ -811,8 +829,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.238.164.74", - "10.58.214.16", - "10.106.162.153" + "10.106.162.153", + "10.58.214.16" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -874,8 +892,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.217.150.196", "10.110.31.190", + "10.217.150.196", "10.225.141.20" ], "rsa.internal.messageid": "generic_fortinetmgr_1", 
@@ -939,9 +957,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3319", + "related.hosts": [ + "cusant4946.www.domain" + ], "related.ip": [ - "10.137.56.173", - "10.69.103.176" + "10.69.103.176", + "10.137.56.173" ], "related.user": [ "proide" @@ -1026,9 +1047,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.30.47.165", "10.5.235.217", - "10.25.212.118" + "10.25.212.118", + "10.30.47.165" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1091,9 +1112,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.225", + "related.hosts": [ + "ccaeca5504.internal.example" + ], "related.ip": [ - "10.40.152.253", - "10.149.13.76" + "10.149.13.76", + "10.40.152.253" ], "related.user": [ "tetur" @@ -1307,6 +1331,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1847", + "related.hosts": [ + "tore7088.www.invalid" + ], "related.ip": [ "10.199.47.220", "10.212.214.4" @@ -1395,9 +1422,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.760", + "related.hosts": [ + "mve1890.internal.home" + ], "related.ip": [ - "10.234.165.130", - "10.46.56.204" + "10.46.56.204", + "10.234.165.130" ], "related.user": [ "orese" @@ -1483,9 +1513,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4450", + "related.hosts": [ + "eturad6143.www.home" + ], "related.ip": [ - "10.95.117.134", - "10.128.46.70" + "10.128.46.70", + "10.95.117.134" ], "related.user": [ "enim" @@ -1495,8 +1528,8 @@ "rsa.investigations.event_vcat": "boNem", "rsa.misc.OS": "ntium", "rsa.misc.action": [ - "acommodi", - "block" + "block", + "acommodi" ], "rsa.misc.category": "inrepreh", "rsa.misc.client": "moles", 
@@ -1571,9 +1604,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.7544", + "related.hosts": [ + "orinrep5386.www.corp" + ], "related.ip": [ - "10.208.21.135", - "10.253.228.140" + "10.253.228.140", + "10.208.21.135" ], "related.user": [ "inculp" @@ -1583,8 +1619,8 @@ "rsa.investigations.event_vcat": "emagn", "rsa.misc.OS": "oditempo", "rsa.misc.action": [ - "cancel", - "ugitse" + "ugitse", + "cancel" ], "rsa.misc.category": "magnid", "rsa.misc.client": "sci", @@ -1659,9 +1695,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1710", + "related.hosts": [ + "henderi724.www5.home" + ], "related.ip": [ - "10.243.226.122", - "10.3.23.172" + "10.3.23.172", + "10.243.226.122" ], "related.user": [ "olorem" @@ -1671,8 +1710,8 @@ "rsa.investigations.event_vcat": "ess", "rsa.misc.OS": "equatDu", "rsa.misc.action": [ - "emullamc", - "cancel" + "cancel", + "emullamc" ], "rsa.misc.category": "niamquis", "rsa.misc.client": "tutlabo", @@ -1747,9 +1786,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5380", + "related.hosts": [ + "reseosqu1629.mail.lan" + ], "related.ip": [ - "10.94.242.80", - "10.106.85.174" + "10.106.85.174", + "10.94.242.80" ], "related.user": [ "lmo" @@ -1835,9 +1877,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.168.20.20", "10.117.63.181", - "10.247.53.179" + "10.247.53.179", + "10.168.20.20" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1901,6 +1943,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2208", + "related.hosts": [ + "tasnul4179.internal.host" + ], "related.ip": [ "10.141.156.217", "10.53.168.187" 
@@ -1913,8 +1958,8 @@ "rsa.investigations.event_vcat": "illumq", "rsa.misc.OS": "idata", "rsa.misc.action": [ - "block", - "emacc" + "emacc", + "block" ], "rsa.misc.category": "ueporro", "rsa.misc.client": "veli", @@ -1990,6 +2035,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3402", + "related.hosts": [ + "bore5546.www.local" + ], "related.ip": [ "10.44.198.184", "10.189.82.19" @@ -2002,8 +2050,8 @@ "rsa.investigations.event_vcat": "eturadip", "rsa.misc.OS": "turadip", "rsa.misc.action": [ - "odoc", - "accept" + "accept", + "odoc" ], "rsa.misc.category": "volup", "rsa.misc.client": "tur", @@ -2078,6 +2126,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.91", + "related.hosts": [ + "Utenima260.mail.invalid" + ], "related.ip": [ "10.151.170.207", "10.181.183.104" @@ -2090,8 +2141,8 @@ "rsa.investigations.event_vcat": "eturadip", "rsa.misc.OS": "onsecte", "rsa.misc.action": [ - "amni", - "cancel" + "cancel", + "amni" ], "rsa.misc.category": "umdolore", "rsa.misc.client": "modoc", @@ -2166,6 +2217,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.7278", + "related.hosts": [ + "uido2046.mail.lan" + ], "related.ip": [ "10.70.7.23", "10.130.240.11" @@ -2178,8 +2232,8 @@ "rsa.investigations.event_vcat": "uatu", "rsa.misc.OS": "tnulapar", "rsa.misc.action": [ - "odic", - "deny" + "deny", + "odic" ], "rsa.misc.category": "deri", "rsa.misc.client": "scivelit", @@ -2318,8 +2372,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.170.196.181", - "10.153.166.133", - "10.158.175.98" + "10.158.175.98", + "10.153.166.133" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -2382,9 +2436,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5978", + "related.hosts": [ + "con6049.internal.lan" + ], "related.ip": [ - "10.63.171.91", - "10.48.25.200" + "10.48.25.200", + "10.63.171.91" ], "related.user": [ "usanti" @@ -2533,9 +2590,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.225.37.73", + "10.166.142.198", "10.36.99.207", - "10.166.142.198" + "10.225.37.73" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2598,8 +2655,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.214.156.161", - "10.66.90.225", - "10.145.194.12" + "10.145.194.12", + "10.66.90.225" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2661,8 +2718,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.163.36.101", "10.156.208.5", + "10.163.36.101", "10.6.242.108" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -2726,6 +2783,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4713", + "related.hosts": [ + "remeum2641.www5.corp" + ], "related.ip": [ "10.68.233.163", "10.220.148.127" @@ -2814,9 +2874,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4481", + "related.hosts": [ + "itaspe3216.localdomain" + ], "related.ip": [ - "10.94.177.125", - "10.116.82.108" + "10.116.82.108", + "10.94.177.125" ], "related.user": [ "ecatc" @@ -2826,8 +2889,8 @@ "rsa.investigations.event_vcat": "ihi", "rsa.misc.OS": "amquaera", "rsa.misc.action": [ - "nimides", - "allow" + "allow", + "nimides" ], "rsa.misc.category": "mve", "rsa.misc.client": "plica", 
@@ -2903,9 +2966,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4442", + "related.hosts": [ + "mea6298.api.example" + ], "related.ip": [ - "10.115.121.243", - "10.113.152.241" + "10.113.152.241", + "10.115.121.243" ], "related.user": [ "norumetM" @@ -2915,8 +2981,8 @@ "rsa.investigations.event_vcat": "teirured", "rsa.misc.OS": "oloremi", "rsa.misc.action": [ - "ali", - "cancel" + "cancel", + "ali" ], "rsa.misc.category": "idolor", "rsa.misc.client": "imveni", @@ -2991,6 +3057,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3804", + "related.hosts": [ + "iqu7510.internal.corp" + ], "related.ip": [ "10.49.82.45", "10.179.153.97" @@ -3079,8 +3148,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.205.83.138", - "10.99.55.115", - "10.98.52.184" + "10.98.52.184", + "10.99.55.115" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3142,9 +3211,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.197.128.162", "10.228.11.50", - "10.90.189.248", - "10.197.128.162" + "10.90.189.248" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3247,9 +3316,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.7318", + "related.hosts": [ + "deFinibu3940.internal.lan" + ], "related.ip": [ - "10.124.71.88", - "10.22.248.52" + "10.22.248.52", + "10.124.71.88" ], "related.user": [ "tcons" @@ -3335,9 +3407,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4895", + "related.hosts": [ + "tatiset4191.localdomain" + ], "related.ip": [ - "10.185.37.176", - "10.26.58.20" + "10.26.58.20", + "10.185.37.176" ], "related.user": [ "eumiure" 
@@ -3423,8 +3498,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.14.145.107", - "10.250.231.196", - "10.200.12.126" + "10.200.12.126", + "10.250.231.196" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3550,9 +3625,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.140.59.161", + "10.5.67.140", "10.118.111.183", - "10.5.67.140" + "10.140.59.161" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3615,6 +3690,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4493", + "related.hosts": [ + "nimadmi4084.api.home" + ], "related.ip": [ "10.7.70.169", "10.28.212.191" @@ -3627,8 +3705,8 @@ "rsa.investigations.event_vcat": "Loremips", "rsa.misc.OS": "eritquii", "rsa.misc.action": [ - "nostru", - "accept" + "accept", + "nostru" ], "rsa.misc.category": "amnisiu", "rsa.misc.client": "rcita", @@ -3703,6 +3781,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6506", + "related.hosts": [ + "reprehe3525.www5.example" + ], "related.ip": [ "10.143.144.52", "10.148.197.60" @@ -3715,8 +3796,8 @@ "rsa.investigations.event_vcat": "uep", "rsa.misc.OS": "iatisund", "rsa.misc.action": [ - "nvo", - "block" + "block", + "nvo" ], "rsa.misc.category": "tenima", "rsa.misc.client": "iuntNe", @@ -3790,8 +3871,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.22.149.132", "10.217.145.137", + "10.22.149.132", "10.251.183.113" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3854,8 +3935,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.203.66.175", "10.51.60.203", + "10.203.66.175", "10.183.16.252" ], "rsa.internal.messageid": "generic_fortinetmgr_1", 
@@ -3919,6 +4000,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.409", + "related.hosts": [ + "ursint411.www.lan" + ], "related.ip": [ "10.61.200.105", "10.157.14.165" @@ -4007,9 +4091,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5475", + "related.hosts": [ + "ididunt7607.mail.localhost" + ], "related.ip": [ - "10.242.178.15", - "10.217.111.77" + "10.217.111.77", + "10.242.178.15" ], "related.user": [ "nimadmin" @@ -4095,6 +4182,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.142", + "related.hosts": [ + "mco2906.domain" + ], "related.ip": [ "10.199.119.251", "10.86.152.227" @@ -4183,6 +4273,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1789", + "related.hosts": [ + "ntex5135.corp" + ], "related.ip": [ "10.239.194.105", "10.234.171.117" @@ -4195,8 +4288,8 @@ "rsa.investigations.event_vcat": "uia", "rsa.misc.OS": "mquae", "rsa.misc.action": [ - "tenatus", - "deny" + "deny", + "tenatus" ], "rsa.misc.category": "abo", "rsa.misc.client": "umtota", @@ -4271,9 +4364,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.249.16.201", "10.107.168.208", - "10.34.41.75" + "10.34.41.75", + "10.249.16.201" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4336,6 +4429,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6905", + "related.hosts": [ + "tat1845.internal.invalid" + ], "related.ip": [ "10.109.106.194", "10.96.168.24" @@ -4348,8 +4444,8 @@ "rsa.investigations.event_vcat": "agnaaliq", "rsa.misc.OS": "itte", "rsa.misc.action": [ - "allow", - "Sedut" + "Sedut", + "allow" ], "rsa.misc.category": "aqueip", "rsa.misc.client": "serr", 
@@ -4424,6 +4520,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1353", + "related.hosts": [ + "ulamc767.internal.lan" + ], "related.ip": [ "10.47.191.95", "10.112.155.228" @@ -4512,8 +4611,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.103.169.94", - "10.140.137.17", - "10.62.241.218" + "10.62.241.218", + "10.140.137.17" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4575,9 +4674,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.90.229.92", "10.251.212.166", - "10.77.105.160" + "10.77.105.160", + "10.90.229.92" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4640,9 +4739,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4261", + "related.hosts": [ + "spici5547.internal.test" + ], "related.ip": [ - "10.216.49.112", - "10.112.242.68" + "10.112.242.68", + "10.216.49.112" ], "related.user": [ "urmag" @@ -4728,9 +4830,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.491", + "related.hosts": [ + "istenatu3686.invalid" + ], "related.ip": [ - "10.96.100.84", - "10.182.58.108" + "10.182.58.108", + "10.96.100.84" ], "related.user": [ "lpaquiof" @@ -4740,8 +4845,8 @@ "rsa.investigations.event_vcat": "uatDuisa", "rsa.misc.OS": "citation", "rsa.misc.action": [ - "accept", - "utlabore" + "utlabore", + "accept" ], "rsa.misc.category": "reeu", "rsa.misc.client": "ntut", @@ -4816,8 +4921,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.246.41.77", - "10.157.22.21", - "10.228.61.5" + "10.228.61.5", + "10.157.22.21" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -4879,9 +4984,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.188.131.18", + "10.242.119.111", "10.239.231.168", - "10.242.119.111" + "10.188.131.18" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4944,9 +5049,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.979", + "related.hosts": [ + "tru3812.mail.lan" + ], "related.ip": [ - "10.106.101.87", - "10.247.124.74" + "10.247.124.74", + "10.106.101.87" ], "related.user": [ "ainci" @@ -4956,8 +5064,8 @@ "rsa.investigations.event_vcat": "amnihil", "rsa.misc.OS": "tten", "rsa.misc.action": [ - "accept", - "inea" + "inea", + "accept" ], "rsa.misc.category": "quam", "rsa.misc.client": "oreseo", @@ -5072,9 +5180,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4342", + "related.hosts": [ + "riaturE1644.www5.example" + ], "related.ip": [ - "10.162.114.52", - "10.215.144.167" + "10.215.144.167", + "10.162.114.52" ], "related.user": [ "erspici" @@ -5160,6 +5271,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6452", + "related.hosts": [ + "mdolo7008.api.corp" + ], "related.ip": [ "10.162.128.87", "10.78.75.82" @@ -5247,9 +5361,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.75.198.93", "10.137.36.151", - "10.51.106.43", - "10.75.198.93" + "10.51.106.43" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5376,9 +5490,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5718", + "related.hosts": [ + "itse5466.api.example" + ], "related.ip": [ - "10.26.4.3", - "10.217.209.221" + "10.217.209.221", + "10.26.4.3" ], "related.user": [ "ciduntut" 
@@ -5388,8 +5505,8 @@ "rsa.investigations.event_vcat": "santiumd", "rsa.misc.OS": "oris", "rsa.misc.action": [ - "rsitame", - "deny" + "deny", + "rsitame" ], "rsa.misc.category": "agnaal", "rsa.misc.client": "urmagn", @@ -5464,6 +5581,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6603", + "related.hosts": [ + "dquiac6194.api.lan" + ], "related.ip": [ "10.241.140.241", "10.180.162.174" @@ -5476,8 +5596,8 @@ "rsa.investigations.event_vcat": "luptatev", "rsa.misc.OS": "emipsu", "rsa.misc.action": [ - "accept", - "ido" + "ido", + "accept" ], "rsa.misc.category": "litse", "rsa.misc.client": "evita", @@ -5552,9 +5672,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2052", + "related.hosts": [ + "amco1592.mail.host" + ], "related.ip": [ - "10.62.140.108", - "10.110.99.222" + "10.110.99.222", + "10.62.140.108" ], "related.user": [ "moenimi" @@ -5564,8 +5687,8 @@ "rsa.investigations.event_vcat": "atvolupt", "rsa.misc.OS": "riosam", "rsa.misc.action": [ - "deny", - "ssitasp" + "ssitasp", + "deny" ], "rsa.misc.category": "enimadmi", "rsa.misc.client": "uatDui", @@ -5640,9 +5763,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2691", + "related.hosts": [ + "dicta7226.mail.example" + ], "related.ip": [ - "10.4.244.115", - "10.53.50.77" + "10.53.50.77", + "10.4.244.115" ], "related.user": [ "idolo" @@ -5652,8 +5778,8 @@ "rsa.investigations.event_vcat": "cupidata", "rsa.misc.OS": "ficiade", "rsa.misc.action": [ - "accept", - "lorem" + "lorem", + "accept" ], "rsa.misc.category": "iac", "rsa.misc.client": "tlabo", @@ -5728,8 +5854,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.236.211.111", - "10.221.100.157", - "10.120.212.78" + "10.120.212.78", + "10.221.100.157" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -5792,9 +5918,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3052", + "related.hosts": [ + "pidatatn2627.www.localdomain" + ], "related.ip": [ - "10.208.231.15", - "10.210.82.202" + "10.210.82.202", + "10.208.231.15" ], "related.user": [ "riatur" @@ -5879,8 +6008,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.226.255.3", "10.123.59.69", + "10.226.255.3", "10.53.251.202" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -6008,9 +6137,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.95", + "related.hosts": [ + "emveleu4029.api.local" + ], "related.ip": [ - "10.236.175.163", - "10.126.11.186" + "10.126.11.186", + "10.236.175.163" ], "related.user": [ "udantiu" @@ -6020,8 +6152,8 @@ "rsa.investigations.event_vcat": "ill", "rsa.misc.OS": "eabill", "rsa.misc.action": [ - "cancel", - "atemqui" + "atemqui", + "cancel" ], "rsa.misc.category": "idatatno", "rsa.misc.client": "res", @@ -6095,9 +6227,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.83.98.220", + "10.11.150.136", "10.171.60.173", - "10.11.150.136" + "10.83.98.220" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6159,9 +6291,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.74.88.209", "10.92.3.166", - "10.238.49.73" + "10.238.49.73", + "10.74.88.209" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6224,8 +6356,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.119.248.36", - "10.84.200.121", - "10.187.107.47" + "10.187.107.47", + "10.84.200.121" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -6287,9 +6419,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.135.213.17", "10.167.128.229", - "10.30.239.222", - "10.135.213.17" + "10.30.239.222" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6352,6 +6484,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1028", + "related.hosts": [ + "rspic5637.api.local" + ], "related.ip": [ "10.169.133.219", "10.115.166.48" @@ -6364,8 +6499,8 @@ "rsa.investigations.event_vcat": "iumdol", "rsa.misc.OS": "min", "rsa.misc.action": [ - "block", - "eleumiur" + "eleumiur", + "block" ], "rsa.misc.category": "ero", "rsa.misc.client": "gia", @@ -6440,6 +6575,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4195", + "related.hosts": [ + "rror3870.www5.local" + ], "related.ip": [ "10.146.255.40", "10.226.39.82" @@ -6591,9 +6729,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.66.149.234", "10.186.253.240", - "10.233.128.7", - "10.66.149.234" + "10.233.128.7" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6655,9 +6793,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.173.140.201", "10.227.133.134", - "10.46.11.114" + "10.46.11.114", + "10.173.140.201" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6719,9 +6857,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.205.18.11", "10.69.130.207", - "10.170.236.123" + "10.170.236.123", + "10.205.18.11" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6784,6 +6922,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2682", + "related.hosts": [ + "velill3821.mail.invalid" + ], "related.ip": [ "10.97.254.192", "10.124.34.251" 
@@ -6796,8 +6937,8 @@ "rsa.investigations.event_vcat": "lica", "rsa.misc.OS": "taedi", "rsa.misc.action": [ - "imide", - "deny" + "deny", + "imide" ], "rsa.misc.category": "iurere", "rsa.misc.client": "ollitan", @@ -6871,9 +7012,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.9.41.221", "10.81.58.91", - "10.204.98.238", - "10.9.41.221" + "10.204.98.238" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6975,8 +7116,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.212.208.70", "10.35.84.125", + "10.212.208.70", "10.37.120.29" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7039,8 +7180,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.207.207.106", "10.199.201.26", + "10.207.207.106", "10.143.65.84" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7104,8 +7245,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.41.61.88", - "10.163.236.253", - "10.204.27.48" + "10.204.27.48", + "10.163.236.253" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7233,6 +7374,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.802", + "related.hosts": [ + "cupida6106.www5.local" + ], "related.ip": [ "10.146.77.206", "10.109.172.90" @@ -7245,8 +7389,8 @@ "rsa.investigations.event_vcat": "lupt", "rsa.misc.OS": "etdolo", "rsa.misc.action": [ - "allow", - "amnihilm" + "amnihilm", + "allow" ], "rsa.misc.category": "ntin", "rsa.misc.client": "xcep", @@ -7321,9 +7465,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2314", + "related.hosts": [ + "unt2122.internal.local" + ], "related.ip": [ - "10.38.18.72", - "10.202.250.141" + "10.202.250.141", + "10.38.18.72" ], "related.user": [ "maperia" 
@@ -7333,8 +7480,8 @@ "rsa.investigations.event_vcat": "rure", "rsa.misc.OS": "iquidexe", "rsa.misc.action": [ - "allow", - "volu" + "volu", + "allow" ], "rsa.misc.category": "ium", "rsa.misc.client": "liquip", @@ -7409,9 +7556,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4674", + "related.hosts": [ + "luptat2613.internal.localhost" + ], "related.ip": [ - "10.139.144.75", - "10.182.124.88" + "10.182.124.88", + "10.139.144.75" ], "related.user": [ "modo" @@ -7421,8 +7571,8 @@ "rsa.investigations.event_vcat": "tfug", "rsa.misc.OS": "imipsam", "rsa.misc.action": [ - "block", - "utodi" + "utodi", + "block" ], "rsa.misc.category": "cid", "rsa.misc.client": "mquaerat", @@ -7497,6 +7647,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1386", + "related.hosts": [ + "neavo4796.internal.domain" + ], "related.ip": [ "10.188.124.185", "10.35.10.19" diff --git a/x-pack/filebeat/module/imperva/securesphere/config/input.yml b/x-pack/filebeat/module/imperva/securesphere/config/input.yml index 68b88a27df5f..e9d408c7b229 100644 --- a/x-pack/filebeat/module/imperva/securesphere/config/input.yml +++ b/x-pack/filebeat/module/imperva/securesphere/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml index 3ff3b353c282..a51475c05880 100644 --- a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml +++ b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml 
@@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.hostname}}' + allow_duplicates: false + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 555b06cb1da7..7894d6ff3172 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -19,9 +19,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "radipis5408.mail.local" + ], "related.ip": [ - "10.70.155.35", - "10.81.122.126" + "10.81.122.126", + "10.70.155.35" ], "related.user": [ "magn", @@ -105,14 +108,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ccusan7572.api.home" + ], "related.ip": [ - "10.159.182.171", - "10.58.116.231" + "10.58.116.231", + "10.159.182.171" ], "related.user": [ - "qua", + "temUten", "uradi", - "temUten" + "qua" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -160,13 +166,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "elaudant5931.internal.invalid" + ], "related.ip": [ - "10.18.124.28", - "10.232.27.250" + "10.232.27.250", + "10.18.124.28" ], "related.user": [ - "lapariat", "modocons", + "lapariat", "mquidol" ], "rsa.counters.dclass_c1": 6564, 
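Review bot: The new `if` guard mixes two null-safe spellings, `ctx?.host?.hostname` on the left and `ctx.host?.hostname` on the right; since the right operand is only evaluated after the left has established that `ctx.host.hostname` is non-null, the `?.` there is redundant and the line reads more consistently as `if: ctx?.host?.hostname != null && ctx.host.hostname != ''`. Note also that the guard admits whitespace-only values, so a hostname of `" "` would still be appended to `related.hosts`; if the upstream parser can emit such values, a `.trim()` on the compared value would be worth adding. This processor only collects `host.hostname`; if the pipeline also populates other hostname-bearing fields (source/destination domain, observer hostname), those would need their own `append` entries for `related.hosts` to serve as a complete pivot key during investigations — presumably worth checking against the rest of the processors list. Both the `processors` list and the `on_failure` block extend outside this hunk.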
@@ -221,14 +230,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "amest4147.mail.host" + ], "related.ip": [ - "10.197.250.10", - "10.6.137.200" + "10.6.137.200", + "10.197.250.10" ], "related.user": [ "oluptas", - "intoc", - "occae" + "occae", + "intoc" ], "rsa.counters.event_counter": 7243, "rsa.db.database": "tNequepo", @@ -287,14 +299,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "eratv6205.internal.lan" + ], "related.ip": [ "10.179.124.125", "10.36.194.106" ], "related.user": [ - "acommod", + "ncidid", "reme", - "ncidid" + "acommod" ], "rsa.counters.event_counter": 2462, "rsa.db.database": "uaUteni", @@ -351,14 +366,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "didunt1355.corp" + ], "related.ip": [ - "10.211.105.204", - "10.129.149.43" + "10.129.149.43", + "10.211.105.204" ], "related.user": [ - "orema", + "eveli", "labor", - "eveli" + "orema" ], "rsa.counters.dclass_c1": 6855, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -410,13 +428,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "pora6854.www5.home" + ], "related.ip": [ "10.214.191.180", "10.112.250.193" ], "related.user": [ - "ide", "Exc", + "ide", "ipsumdol" ], "rsa.counters.dclass_c1": 6852, @@ -468,14 +489,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ptasn6599.www.localhost" + ], "related.ip": [ - "10.251.20.13", - "10.192.34.76" + "10.192.34.76", + "10.251.20.13" ], "related.user": [ - "ovol", + "iquipe", "tnonpro", - "iquipe" + "ovol" ], "rsa.counters.dclass_c1": 3645, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -523,14 +547,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ptasnu6684.mail.lan" + ], "related.ip": [ "10.74.105.218", "10.59.138.212" ], "related.user": [ - "boree", "idunt", - "archite" + "archite", + "boree" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -582,6 +609,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "rinre2977.api.corp" + ], "related.ip": [ "10.230.173.4", "10.168.159.13" @@ -641,14 +671,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "atevelit2450.local" + ], "related.ip": [ "10.41.21.204", "10.49.167.57" ], "related.user": [ - "tali", + "ccaeca", "sau", - "ccaeca" + "tali" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -702,22 +735,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itla658.api.localhost" + ], "related.ip": [ "10.62.147.186", "10.216.125.252" ], "related.user": [ - "lorsita", "dolore", - "llamco" + "llamco", + "lorsita" ], "rsa.counters.event_counter": 4603, "rsa.db.database": "uptate", "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "quasia", - "accept" + "accept", + "quasia" ], "rsa.misc.category": "boreetdo", "rsa.misc.disposition": "aturve", 
@@ -769,22 +805,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "umdolor4389.api.home" + ], "related.ip": [ "10.52.125.9", "10.204.128.215" ], "related.user": [ "nci", - "rum", - "paquioff" + "paquioff", + "rum" ], "rsa.counters.event_counter": 332, "rsa.db.database": "isau", "rsa.internal.event_desc": "rumet", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "texpli" + "texpli", + "deny" ], "rsa.misc.category": "verita", "rsa.misc.disposition": "sectet", @@ -832,14 +871,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "rationev6444.localhost" + ], "related.ip": [ "10.34.148.166", "10.200.68.129" ], "related.user": [ "icabo", - "untutlab", - "miu" + "miu", + "untutlab" ], "rsa.counters.dclass_c1": 5427, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -887,14 +929,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ipi7727.www5.domain" + ], "related.ip": [ "10.134.5.40", "10.226.101.180" ], "related.user": [ "siu", - "licabo", - "conse" + "conse", + "licabo" ], "rsa.counters.dclass_c1": 6356, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -946,14 +991,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "spernatu5539.domain" + ], "related.ip": [ - "10.126.26.131", - "10.30.98.10" + "10.30.98.10", + "10.126.26.131" ], "related.user": [ "dipisci", - "velite", - "olori" + "olori", + "velite" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1005,9 +1053,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nimid372.api.corp" + ], "related.ip": [ - "10.190.10.219", - "10.233.120.207" + "10.233.120.207", + "10.190.10.219" ], "related.user": [ "item", 
@@ -1092,14 +1143,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "maliquam2147.internal.home" + ], "related.ip": [ "10.100.98.56", "10.248.184.200" ], "related.user": [ - "boru", "ritati", - "proident" + "proident", + "boru" ], "rsa.counters.dclass_c1": 5923, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1151,14 +1205,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "olabor2983.internal.localhost" + ], "related.ip": [ - "10.82.28.220", - "10.197.6.245" + "10.197.6.245", + "10.82.28.220" ], "related.user": [ - "aecatcup", + "oluptat", "dtempo", - "oluptat" + "aecatcup" ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1210,9 +1267,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "hitec2111.mail.corp" + ], "related.ip": [ - "10.6.27.103", - "10.167.252.183" + "10.167.252.183", + "10.6.27.103" ], "related.user": [ "redol", @@ -1271,22 +1331,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "adminim2559.www5.invalid" + ], "related.ip": [ "10.81.184.7", "10.88.45.111" ], "related.user": [ - "undeomni", + "lmole", "iameaque", - "lmole" + "undeomni" ], "rsa.counters.event_counter": 6344, "rsa.db.database": "nderi", "rsa.internal.event_desc": "iae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "illu" + "illu", + "deny" ], "rsa.misc.category": "quido", "rsa.misc.disposition": "emip", 
@@ -1336,14 +1399,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "dolorem6882.api.local" + ], "related.ip": [ - "10.214.3.140", - "10.29.119.245" + "10.29.119.245", + "10.214.3.140" ], "related.user": [ - "taliqui", "edolorin", - "scipitl" + "scipitl", + "taliqui" ], "rsa.counters.dclass_c1": 5140, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1397,14 +1463,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "temaccu5302.test" + ], "related.ip": [ - "10.218.123.234", - "10.110.133.7" + "10.110.133.7", + "10.218.123.234" ], "related.user": [ - "etconsec", + "caboNem", "pta", - "caboNem" + "etconsec" ], "rsa.counters.event_counter": 5347, "rsa.db.database": "urExcept", @@ -1462,14 +1531,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nder347.www.corp" + ], "related.ip": [ - "10.182.152.242", - "10.105.190.170" + "10.105.190.170", + "10.182.152.242" ], "related.user": [ + "litan", "mquisn", - "doeiu", - "litan" + "doeiu" ], "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1523,14 +1595,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "idunt4633.internal.host" + ], "related.ip": [ "10.59.188.188", "10.123.166.197" ], "related.user": [ "emUte", - "min", - "liquam" + "liquam", + "min" ], "rsa.counters.event_counter": 7102, "rsa.db.database": "oluptat", @@ -1587,13 +1662,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ectob4634.mail.localhost" + ], "related.ip": [ "10.72.75.207", "10.201.168.116" ], "related.user": [ - "eufug", "eFini", + "eufug", "urau" ], "rsa.counters.dclass_c1": 3348, 
@@ -1646,14 +1724,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "snu6436.www.local" + ], "related.ip": [ "10.9.46.123", "10.58.133.175" ], "related.user": [ + "oco", "mfu", - "nde", - "oco" + "nde" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1705,13 +1786,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lore7099.www.host" + ], "related.ip": [ "10.169.50.59", "10.70.29.203" ], "related.user": [ - "veniamq", "mquisnos", + "veniamq", "pta" ], "rsa.counters.dclass_c1": 2358, @@ -1764,14 +1848,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lesti6939.api.local" + ], "related.ip": [ - "10.165.182.111", - "10.137.85.123" + "10.137.85.123", + "10.165.182.111" ], "related.user": [ + "ames", "Bonorum", - "sis", - "ames" + "sis" ], "rsa.counters.dclass_c1": 6401, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1853,14 +1940,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "upt6017.api.localdomain" + ], "related.ip": [ "10.64.184.196", "10.173.178.109" ], "related.user": [ - "uian", + "tam", "nesci", - "tam" + "uian" ], "rsa.counters.event_counter": 4493, "rsa.db.database": "sin", @@ -1918,13 +2008,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "turQuis4046.api.test" + ], "related.ip": [ - "10.168.225.209", - "10.90.50.149" + "10.90.50.149", + "10.168.225.209" ], "related.user": [ - "olupta", "aUtenima", + "olupta", "olu" ], "rsa.counters.dclass_c1": 1127, 
@@ -1977,13 +2070,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "con6049.internal.lan" + ], "related.ip": [ "10.59.182.36", "10.18.150.82" ], "related.user": [ - "luptat", "mtota", + "luptat", "qua" ], "rsa.counters.dclass_c1": 6112, @@ -2063,13 +2159,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tatnonp1371.www.invalid" + ], "related.ip": [ - "10.228.229.144", - "10.151.240.35" + "10.151.240.35", + "10.228.229.144" ], "related.user": [ - "ama", "ametcons", + "ama", "lam" ], "rsa.counters.dclass_c1": 4325, @@ -2118,14 +2217,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tium3542.internal.invalid" + ], "related.ip": [ "10.242.48.203", "10.147.142.242" ], "related.user": [ + "ese", "quisn", - "quasi", - "ese" + "quasi" ], "rsa.counters.dclass_c1": 3970, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2179,13 +2281,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "radipis3991.mail.invalid" + ], "related.ip": [ - "10.254.10.98", - "10.213.165.165" + "10.213.165.165", + "10.254.10.98" ], "related.user": [ - "eufugia", "civeli", + "eufugia", "ttenb" ], "rsa.counters.event_counter": 7365, @@ -2193,8 +2298,8 @@ "rsa.internal.event_desc": "culpaq", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "uptasn", - "cancel" + "cancel", + "uptasn" ], "rsa.misc.category": "quamq", "rsa.misc.disposition": "usan", @@ -2274,14 +2379,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ihi7294.www5.localhost" + ], "related.ip": [ - "10.116.1.130", - "10.169.28.157" + "10.169.28.157", + "10.116.1.130" ], "related.user": [ "reseo", - "eturadip", - "amco" + "amco", + "eturadip" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "ons", 
@@ -2339,14 +2447,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "caecat4920.api.host" + ], "related.ip": [ "10.29.138.31", "10.45.69.152" ], "related.user": [ "volupta", - "tsunt", - "umq" + "umq", + "tsunt" ], "rsa.counters.dclass_c1": 744, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2398,13 +2509,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "setquas6188.internal.local" + ], "related.ip": [ "10.100.113.11", "10.152.213.228" ], "related.user": [ - "itationu", "ptatev", + "itationu", "velillum" ], "rsa.counters.dclass_c1": 7245, @@ -2485,9 +2599,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibusBo3674.www5.localhost" + ], "related.ip": [ - "10.248.102.129", - "10.208.33.55" + "10.208.33.55", + "10.248.102.129" ], "related.user": [ "mremaper", @@ -2544,14 +2661,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "totamr7676.www5.home" + ], "related.ip": [ - "10.109.230.216", - "10.203.164.132" + "10.203.164.132", + "10.109.230.216" ], "related.user": [ - "ibus", "mporin", - "ectobea" + "ectobea", + "ibus" ], "rsa.counters.dclass_c1": 547, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2603,14 +2723,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "idents7231.mail.home" + ], "related.ip": [ "10.151.203.60", "10.117.81.75" ], "related.user": [ "iconsequ", - "dol", - "exeac" + "exeac", + "dol" ], "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -2662,14 +2785,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tat50.mail.host" + ], "related.ip": [ - "10.45.152.205", - "10.224.217.153" + "10.224.217.153", + "10.45.152.205" ], "related.user": [ "eriti", - "imav", - "utlabo" + "utlabo", + "imav" ], "rsa.counters.dclass_c1": 922, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2722,6 +2848,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "mips3283.corp" + ], "related.ip": [ "10.1.193.187", "10.60.164.100" @@ -2786,14 +2915,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "aliquip7229.mail.domain" + ], "related.ip": [ - "10.146.228.234", - "10.248.244.203" + "10.248.244.203", + "10.146.228.234" ], "related.user": [ - "sum", "mquamei", - "eiusm" + "eiusm", + "sum" ], "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2841,6 +2973,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "fde7756.mail.corp" + ], "related.ip": [ "10.122.127.237", "10.86.121.152" @@ -2900,14 +3035,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "agnama5013.internal.example" + ], "related.ip": [ "10.201.223.119", "10.204.223.184" ], "related.user": [ + "rcit", "teni", - "tuserror", - "rcit" + "tuserror" ], "rsa.counters.dclass_c1": 4113, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2959,14 +3097,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "edictas4693.home" + ], "related.ip": [ "10.223.56.33", "10.200.12.126" ], "related.user": [ - "elitsedd", + "magnido", "Nequepo", - "magnido" + "elitsedd" ], "rsa.counters.dclass_c1": 3243, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3020,22 +3161,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibu2565.api.local" + ], "related.ip": [ - "10.65.225.101", - "10.94.89.177" + "10.94.89.177", + "10.65.225.101" ], "related.user": [ + "tuserror", "citation", - "emquel", - "tuserror" + "emquel" ], "rsa.counters.event_counter": 2513, "rsa.db.database": "rspiciat", "rsa.internal.event_desc": "atuse", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "eruntmol" + "eruntmol", + "cancel" ], "rsa.misc.category": "imad", "rsa.misc.disposition": "tura", @@ -3084,14 +3228,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tsun7120.home" + ], "related.ip": [ "10.65.174.196", "10.191.184.105" ], "related.user": [ + "iin", "tione", - "uta", - "iin" + "uta" ], "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3141,22 +3288,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lumquid6940.mail.localdomain" + ], "related.ip": [ - "10.224.148.48", - "10.41.181.179" + "10.41.181.179", + "10.224.148.48" ], "related.user": [ - "iosamn", "equepor", - "niam" + "niam", + "iosamn" ], "rsa.counters.event_counter": 7468, "rsa.db.database": "erspicia", "rsa.internal.event_desc": "ibusB", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "rumwr" + "rumwr", + "deny" ], "rsa.misc.category": "rporis", "rsa.misc.disposition": "etco", @@ -3206,14 +3356,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "amcorp7299.api.example" + ], "related.ip": [ - "10.21.61.134", - "10.21.208.103" + "10.21.208.103", + "10.21.61.134" ], "related.user": [ + "ostr", "imidest", - "mipsa", - "ostr" + "mipsa" ], "rsa.counters.dclass_c1": 7766, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3265,14 +3418,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "magnama868.api.local" + ], "related.ip": [ - "10.221.192.116", - "10.23.6.216" + "10.23.6.216", + "10.221.192.116" ], "related.user": [ - "tevelite", + "iarchit", "iamquisn", - "iarchit" + "tevelite" ], "rsa.counters.dclass_c1": 639, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3326,22 +3482,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tionevol3157.mail.invalid" + ], "related.ip": [ - "10.240.62.238", - "10.191.142.143" + "10.191.142.143", + "10.240.62.238" ], "related.user": [ + "nofde", "modtempo", - "animide", - "nofde" + "animide" ], "rsa.counters.event_counter": 7580, "rsa.db.database": "Lore", "rsa.internal.event_desc": "nto", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "ali" + "ali", + "cancel" ], "rsa.misc.category": "sciv", "rsa.misc.disposition": "tlabo", @@ -3392,14 +3551,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "mquis319.api.local" + ], "related.ip": [ - "10.111.22.134", - "10.178.79.217" + "10.178.79.217", + "10.111.22.134" ], "related.user": [ + "ccusan", "inibusBo", - "tqui", - "ccusan" + "tqui" ], "rsa.counters.event_counter": 3538, "rsa.db.database": "sequun", @@ -3456,14 +3618,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "urad5712.api.host" + ], "related.ip": [ "10.161.225.172", "10.77.86.215" ], "related.user": [ - "rcit", + "xerc", "meaqu", - "xerc" + "rcit" ], "rsa.counters.dclass_c1": 7286, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3514,9 +3679,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "enbyCic4659.www5.example" + ], "related.ip": [ - "10.211.161.187", - "10.186.133.184" + "10.186.133.184", + "10.211.161.187" ], "related.user": [ "boriosa", @@ -3568,14 +3736,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "inBCSed5308.api.corp" + ], "related.ip": [ - "10.160.147.230", - "10.254.198.47" + "10.254.198.47", + "10.160.147.230" ], "related.user": [ - "illoin", "nimvenia", - "ndeomnis" + "ndeomnis", + "illoin" ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3623,14 +3794,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "reseo2067.api.localdomain" + ], "related.ip": [ - "10.40.24.93", - "10.182.197.243" + "10.182.197.243", + "10.40.24.93" ], "related.user": [ - "orisnis", "exerci", - "mSecti" + "mSecti", + "orisnis" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3682,14 +3856,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itte6905.mail.invalid" + ], "related.ip": [ - "10.108.130.106", - "10.249.13.159" + "10.249.13.159", + "10.108.130.106" ], "related.user": [ "uisautei", - "colab", - "exeacomm" + "exeacomm", + "colab" ], "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3743,13 +3920,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "caboNemo274.www.host" + ], "related.ip": [ - "10.64.94.174", - "10.39.244.49" + "10.39.244.49", + "10.64.94.174" ], "related.user": [ - "Sedut", "iunt", + "Sedut", "estiae" ], "rsa.counters.event_counter": 7128, 
@@ -3863,14 +4043,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "qui5978.api.test" + ], "related.ip": [ - "10.134.135.22", - "10.115.203.143" + "10.115.203.143", + "10.134.135.22" ], "related.user": [ + "involu", "orpori", - "utoditau", - "involu" + "utoditau" ], "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3922,9 +4105,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "iamq2577.internal.corp" + ], "related.ip": [ - "10.251.212.166", - "10.43.244.252" + "10.43.244.252", + "10.251.212.166" ], "related.user": [ "uptat", @@ -4009,14 +4195,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "usB4127.localhost" + ], "related.ip": [ "10.88.189.164", "10.20.231.188" ], "related.user": [ - "mqu", "tesseq", - "uatDuisa" + "uatDuisa", + "mqu" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4096,14 +4285,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "abor3266.mail.home" + ], "related.ip": [ - "10.231.77.26", - "10.225.11.197" + "10.225.11.197", + "10.231.77.26" ], "related.user": [ + "ineavol", "volu", - "rehe", - "ineavol" + "rehe" ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4153,14 +4345,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "eprehe2455.www.home" + ], "related.ip": [ - "10.106.166.105", - "10.148.3.197" + "10.148.3.197", + "10.106.166.105" ], "related.user": [ - "avolup", "olupt", - "usa" + "usa", + "avolup" ], "rsa.counters.dclass_c1": 2658, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4208,14 +4403,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "destla2110.www5.localdomain" + ], "related.ip": [ - "10.172.121.239", - "10.57.169.205" + "10.57.169.205", + "10.172.121.239" ], "related.user": [ - "ctas", + "ipsu", "iuta", - "ipsu" + "ctas" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4267,14 +4465,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "exerc3694.api.home" + ], "related.ip": [ - "10.42.218.103", - "10.129.234.200" + "10.129.234.200", + "10.42.218.103" ], "related.user": [ - "dquia", "tevelit", - "tisundeo" + "tisundeo", + "dquia" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4326,14 +4527,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ididu5928.www5.local" + ], "related.ip": [ - "10.111.132.221", - "10.76.121.224" + "10.76.121.224", + "10.111.132.221" ], "related.user": [ + "oloremi", "scive", - "ali", - "oloremi" + "ali" ], "rsa.counters.dclass_c1": 6155, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4385,9 +4589,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "boriosa7066.www.corp" + ], "related.ip": [ - "10.17.214.21", - "10.195.8.141" + "10.195.8.141", + "10.17.214.21" ], "related.user": [ "dolo", @@ -4444,14 +4651,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ssusc1892.internal.host" + ], "related.ip": [ - "10.173.13.179", - "10.179.60.167" + "10.179.60.167", + "10.173.13.179" ], "related.user": [ - "isn", + "apar", "ptasn", - "apar" + "isn" ], "rsa.counters.dclass_c1": 758, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4503,9 +4713,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "iatisund424.mail.localdomain" + ], "related.ip": [ - "10.42.135.34", - "10.178.190.123" + "10.178.190.123", + "10.42.135.34" ], "related.user": [ "tiset", @@ -4590,14 +4803,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "uidolo7626.local" + ], "related.ip": [ - "10.8.147.176", - "10.207.198.239" + "10.207.198.239", + "10.8.147.176" ], "related.user": [ - "aUteni", "incididu", - "Loremips" + "Loremips", + "aUteni" ], "rsa.counters.dclass_c1": 3043, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4648,14 +4864,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "dmini3435.internal.domain" + ], "related.ip": [ - "10.206.221.180", - "10.116.26.185" + "10.116.26.185", + "10.206.221.180" ], "related.user": [ "oNe", - "nseq", - "litesseq" + "litesseq", + "nseq" ], "rsa.counters.dclass_c1": 3218, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4703,14 +4922,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibusBo1864.domain" + ], "related.ip": [ "10.253.127.130", "10.86.180.150" ], "related.user": [ "mnisis", - "etconsec", - "itasper" + "itasper", + "etconsec" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4764,13 +4986,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "inv6528.www5.example" + ], "related.ip": [ - "10.158.161.5", - "10.220.175.201" + "10.220.175.201", + "10.158.161.5" ], "related.user": [ - "dolo", - "rrors" + "rrors", + "dolo" ], "rsa.counters.event_counter": 4098, "rsa.db.database": "tsed", 
@@ -4855,14 +5080,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nisiutal4437.www.example" + ], "related.ip": [ "10.150.27.144", "10.248.16.82" ], "related.user": [ + "res", "ditautf", - "tuserror", - "res" + "tuserror" ], "rsa.counters.dclass_c1": 4367, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4914,13 +5142,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tqui5172.www.local" + ], "related.ip": [ - "10.173.19.140", - "10.146.131.76" + "10.146.131.76", + "10.173.19.140" ], "related.user": [ - "olo", "orsi", + "olo", "Except" ], "rsa.counters.dclass_c1": 5844, @@ -4972,9 +5203,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "intocca6708.mail.corp" + ], "related.ip": [ - "10.69.5.227", - "10.171.175.165" + "10.171.175.165", + "10.69.5.227" ], "related.user": [ "rumw", @@ -5027,13 +5261,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "isetqu2843.www.invalid" + ], "related.ip": [ "10.213.214.118", "10.253.175.129" ], "related.user": [ - "ate", "nrep", + "ate", "epteurs" ], "rsa.counters.dclass_c1": 6260, @@ -5088,22 +5325,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "commodo6041.mail.localhost" + ], "related.ip": [ "10.149.91.130", "10.89.26.170" ], "related.user": [ + "atus", "aboris", - "orumetMa", - "atus" + "orumetMa" ], "rsa.counters.event_counter": 5863, "rsa.db.database": "inventor", "rsa.internal.event_desc": "loi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "atcupi", - "block" + "block", + "atcupi" ], "rsa.misc.category": "tation", "rsa.misc.disposition": "seddoe", 
@@ -5154,14 +5394,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "gitse6744.api.local" + ], "related.ip": [ - "10.52.106.68", - "10.81.108.232" + "10.81.108.232", + "10.52.106.68" ], "related.user": [ + "uaturve", "neavolup", - "aco", - "uaturve" + "aco" ], "rsa.counters.event_counter": 5098, "rsa.db.database": "lapa", @@ -5221,14 +5464,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "par3605.internal.localdomain" + ], "related.ip": [ "10.230.48.97", "10.223.10.28" ], "related.user": [ - "usmodte", + "erit", "untex", - "erit" + "usmodte" ], "rsa.counters.event_counter": 4029, "rsa.db.database": "ommodi", @@ -5286,6 +5532,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "isau4356.www.home" + ], "related.ip": [ "10.115.42.231", "10.161.212.150" @@ -5347,13 +5596,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "labo3477.www5.domain" + ], "related.ip": [ "10.226.75.20", "10.247.108.144" ], "related.user": [ - "tema", "maccusan", + "tema", "fugia" ], "rsa.counters.event_counter": 3711, @@ -5411,14 +5663,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itseddo2209.mail.domain" + ], "related.ip": [ "10.97.22.61", "10.192.15.65" ], "related.user": [ - "nimides", + "illumd", "rExcep", - "illumd" + "nimides" ], "rsa.counters.dclass_c1": 4173, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5468,13 +5723,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "duntutl3396.api.host" + ], "related.ip": [ "10.197.254.133", "10.116.76.161" ], "related.user": [ - "ide", "trudex", + "ide", "idu" ], "rsa.counters.event_counter": 2608, 
@@ -5482,8 +5740,8 @@
 "rsa.internal.event_desc": "ritat",
 "rsa.internal.messageid": "Imperva",
 "rsa.misc.action": [
- "cancel",
- "quid"
+ "quid",
+ "cancel"
 ],
 "rsa.misc.category": "dipi",
 "rsa.misc.disposition": "asnulapa",
@@ -5532,14 +5790,17 @@
 "observer.product": "Secure",
 "observer.type": "WAF",
 "observer.vendor": "Imperva",
+ "related.hosts": [
+ "colabo6686.internal.invalid"
+ ],
 "related.ip": [
 "10.144.14.15",
 "10.28.77.79"
 ],
 "related.user": [
+ "rspic",
 "upta",
- "utlab",
- "rspic"
+ "utlab"
 ],
 "rsa.counters.dclass_c1": 4810,
 "rsa.counters.dclass_c1_str": "Affected Rows",
@@ -5590,14 +5851,17 @@
 "observer.product": "Secure",
 "observer.type": "WAF",
 "observer.vendor": "Imperva",
+ "related.hosts": [
+ "tsunti1164.www.example"
+ ],
 "related.ip": [
- "10.248.177.182",
- "10.18.15.43"
+ "10.18.15.43",
+ "10.248.177.182"
 ],
 "related.user": [
- "quaturve",
 "quei",
- "caecat"
+ "caecat",
+ "quaturve"
 ],
 "rsa.counters.dclass_c1": 983,
 "rsa.counters.dclass_c1_str": "Affected Rows",
diff --git a/x-pack/filebeat/module/infoblox/nios/config/input.yml b/x-pack/filebeat/module/infoblox/nios/config/input.yml
index 35ad775a3aad..b464486074b6 100644
--- a/x-pack/filebeat/module/infoblox/nios/config/input.yml
+++ b/x-pack/filebeat/module/infoblox/nios/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml
index 3b42b82526b6..dd46c730477b 100644
--- a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null && ctx.host?.name != ''
+ - append:
+ field: related.hosts
+ value: '{{rsa.misc.event_source}}'
+ allow_duplicates: false
+ if: ctx?.rsa?.misc?.event_source != null && ctx.rsa?.misc?.event_source != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json
index 9552bff05b5c..9d1e178db5ad 100644
--- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json
@@ -12,6 +12,9 @@
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
 "observer.version": "1.5191",
+ "related.hosts": [
+ "volup208.invalid"
+ ],
 "rsa.db.index": "mwritten",
 "rsa.internal.messageid": "openvpn-master",
 "rsa.misc.event_source": "volup208.invalid",
@@ -38,6 +41,10 @@
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
+ "related.hosts": [
+ "atio5608.www5.localhost",
+ "com1060.api.example"
+ ],
 "related.ip": [
 "10.202.204.154"
 ],
@@ -73,6 +80,9 @@
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
+ "related.hosts": [
+ "ptass3168.www5.example"
+ ],
 "related.ip": [
 "10.13.70.213"
 ],
@@ -100,6 +110,9 @@
 "observer.product": "Network",
 "observer.type": "IPAM",
 "observer.vendor": "Infoblox",
+ "related.hosts": [
+ "mcolabor1656.www5.corp"
+ ],
 "rsa.internal.data": "veleumi",
 "rsa.internal.event_desc": "tia",
 "rsa.internal.messageid": "acpid",
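Review bot: Both added `if` conditions walk the same path twice with different null-safety shapes (`ctx?.host?.name` then `ctx.host?.name`; `ctx?.rsa?.misc?.event_source` then `ctx.rsa?.misc?.event_source`), which reads as if two distinct checks were intended; once the first clause has proven the path non-null the second can simply be `ctx.host.name != ''` and `ctx.rsa.misc.event_source != ''`. The values are appended verbatim, so if `rsa.misc.event_source` can ever carry an IP literal rather than a hostname it would land in `related.hosts` instead of `related.ip` — I can't tell from this hunk whether the parsing ahead of this point guarantees a hostname, so a comment above the two processors stating that expectation (e.g. `# related.hosts (added with the ecs.version 1.6.0 bump): event host name and RSA event source, both expected to be hostnames rather than IP literals`) would make the intent explicit for anyone correlating on this field. The updated generated.log-expected.json fixtures appear to exercise both appends (the `@@ -38,6 +41,10 @@` event ends up with two hosts), so no additional fixture seems needed. The `processors` list continues outside the hunk on both sides.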
@@ -124,6 +137,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "Cice513.api.local" + ], "rsa.db.index": "occ", "rsa.internal.event_desc": "ect", "rsa.internal.messageid": "openvpn-member", @@ -148,6 +164,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "obeataev7086.mail.invalid" + ], "rsa.internal.event_desc": "natura", "rsa.internal.messageid": "speedstep_control", "rsa.misc.event_source": "obeataev7086.mail.invalid", @@ -170,6 +189,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "nibusBon7400.localhost" + ], "rsa.internal.messageid": "ErrorMsg", "rsa.misc.event_source": "nibusBon7400.localhost", "rsa.misc.result": "success", @@ -192,6 +214,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "iat1852.api.localdomain" + ], "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "iat1852.api.localdomain", @@ -214,6 +239,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mquisnos5771.example" + ], "related.ip": [ "10.104.111.129" ], @@ -244,6 +272,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.3162", + "related.hosts": [ + "ite996.host" + ], "rsa.email.email_src": "umdolore", "rsa.internal.data": "umdo", "rsa.internal.messageid": "kernel", @@ -268,6 +299,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "enim2780.www.lan" + ], "rsa.internal.data": "eriame", "rsa.internal.event_desc": "lorema", "rsa.internal.messageid": "rc6", 
@@ -292,6 +326,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "emporinc5075.internal.host" + ], "rsa.internal.data": "atcu", "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "emporinc5075.internal.host", @@ -315,6 +352,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "strude910.internal.local" + ], "rsa.internal.event_desc": "shutting down for system reboot", "rsa.internal.messageid": "shutdown", "rsa.misc.event_source": "strude910.internal.local", @@ -357,6 +397,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itaut7095.invalid" + ], "rsa.internal.messageid": "rc", "rsa.misc.client": "ritatis", "rsa.misc.event_source": "itaut7095.invalid", @@ -379,6 +422,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "colabor1552.www5.local" + ], "rsa.internal.event_desc": "lorumw", "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "colabor1552.www5.local", @@ -401,6 +447,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "inima5444.www5.lan" + ], "rsa.internal.data": "nihi", "rsa.internal.event_desc": "Lor", "rsa.internal.messageid": "validate_dhcpd", @@ -424,6 +473,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "erc3217.internal.lan" + ], "rsa.internal.data": "olupt", "rsa.internal.event_desc": "modoco", "rsa.internal.messageid": "debug_mount", @@ -449,6 +501,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uames499.internal.host" + ], "related.ip": [ "10.45.25.68" ], 
@@ -482,6 +537,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.2299", + "related.hosts": [ + "iineavo951.internal.test" + ], "rsa.internal.data": "intoccae", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "iineavo951.internal.test", @@ -505,6 +563,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "Loremip6417.mail.test" + ], "rsa.db.index": "emoeni", "rsa.internal.event_desc": "oenimips", "rsa.internal.messageid": "syslog", @@ -528,6 +589,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mnisist2347.mail.host" + ], "rsa.internal.data": "temveleu", "rsa.internal.event_desc": "Sent mail for colabo (eme)", "rsa.internal.messageid": "sSMTP", @@ -552,6 +616,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.2807", + "related.hosts": [ + "datatn5076.internal.example" + ], "rsa.internal.event_desc": "ihilm", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "datatn5076.internal.example", @@ -575,6 +642,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ercit2385.internal.home" + ], "rsa.internal.data": "run", "rsa.internal.event_desc": "building file list", "rsa.internal.messageid": "rsyncd", @@ -598,6 +668,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "quisnos4590.mail.domain" + ], "rsa.internal.event_desc": "eritqu", "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "quisnos4590.mail.domain", @@ -620,6 +693,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "wri2784.api.domain" + ], "rsa.db.index": "hitect", "rsa.internal.event_desc": "dol", "rsa.internal.messageid": "restarting", 
@@ -643,6 +719,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "asun1250.api.localdomain" + ], "rsa.internal.data": "oluptate", "rsa.internal.event_desc": "onseq", "rsa.internal.messageid": "rc3", @@ -667,6 +746,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "intoc2428.domain" + ], "rsa.internal.data": "dantiumt", "rsa.internal.messageid": "scheduled_backups", "rsa.misc.device_name": "luptasn", @@ -690,6 +772,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ento4488.www5.localhost" + ], "rsa.internal.event_desc": "amre", "rsa.internal.messageid": "rc6", "rsa.misc.event_source": "ento4488.www5.localhost", @@ -712,6 +797,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "boris5916.www5.example" + ], "rsa.internal.data": "uioffi", "rsa.internal.event_desc": "Distribution Complete", "rsa.internal.messageid": "controld", @@ -735,6 +823,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "temqu3331.api.host" + ], "rsa.internal.event_desc": "reseos", "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "temqu3331.api.host", @@ -782,6 +873,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "radi1512.mail.example" + ], "rsa.db.index": "ris", "rsa.internal.event_desc": "uamqu", "rsa.internal.messageid": "openvpn-member", @@ -806,6 +900,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "onsecte7184.mail.domain" + ], "rsa.internal.event_desc": "reme", "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "onsecte7184.mail.domain", 
@@ -828,6 +925,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "eveli265.www5.localdomain" + ], "rsa.db.index": "nse", "rsa.internal.messageid": "ipmievd", "rsa.misc.event_source": "eveli265.www5.localdomain", @@ -853,6 +953,10 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uptatema6843.www.host", + "derit4688.mail.localhost" + ], "related.ip": [ "10.74.104.215" ], @@ -887,6 +991,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "evolup4403.local" + ], "rsa.internal.data": "smo", "rsa.internal.messageid": "INFOBLOX-Grid", "rsa.misc.event_source": "evolup4403.local", @@ -909,6 +1016,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "nonn839.api.corp" + ], "rsa.internal.event_desc": "temquiav", "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "nonn839.api.corp", @@ -931,6 +1041,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "adm7744.mail.domain" + ], "rsa.internal.event_desc": "isc", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "adm7744.mail.domain", @@ -955,6 +1068,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "process.pid": 845, + "related.hosts": [ + "ios6980.example" + ], "rsa.internal.messageid": "watchdog", "rsa.misc.action": [ "deny" @@ -979,6 +1095,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "osquira6030.internal.corp" + ], "rsa.internal.data": "com", "rsa.internal.event_desc": "tnulapa", "rsa.internal.messageid": "diskcheck", 
@@ -1002,6 +1121,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "squirati63.mail.lan" + ], "rsa.internal.data": "nbyCic", "rsa.internal.event_desc": "utlabor", "rsa.internal.messageid": "watchdog", @@ -1025,6 +1147,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lup2134.www.localhost" + ], "rsa.internal.data": "upida", "rsa.internal.messageid": "rc", "rsa.misc.client": "tvolupt", @@ -1048,6 +1173,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umdo4017.www.local" + ], "rsa.internal.data": "ati", "rsa.internal.event_desc": "uine", "rsa.internal.messageid": "snmptrapd", @@ -1071,6 +1199,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "loreme853.www5.localdomain" + ], "rsa.internal.event_desc": "con", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "loreme853.www5.localdomain", @@ -1094,6 +1225,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "orumSe728.internal.test" + ], "rsa.db.index": "evit", "rsa.internal.data": "itess", "rsa.internal.event_desc": "runtm", @@ -1119,6 +1253,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "oremi7400.www.local" + ], "rsa.internal.data": "ineavo", "rsa.internal.event_desc": "pexe", "rsa.internal.messageid": "acpid", @@ -1142,6 +1279,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ess651.test" + ], "related.ip": [ "10.143.187.97" ], @@ -1171,6 +1311,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "epre6970.www.example" + ], "related.user": [ "temUt" ], 
@@ -1202,6 +1345,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tali7803.www.localdomain" + ], "rsa.internal.event_desc": "ender", "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "tali7803.www.localdomain", @@ -1225,6 +1371,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uradi6198.test" + ], "rsa.internal.event_desc": "frequency initialized from file", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "uradi6198.test", @@ -1248,6 +1397,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umSe1918.local" + ], "rsa.counters.dclass_c1": 2836, "rsa.internal.event_desc": "ntpd exiting on signal", "rsa.internal.messageid": "ntpd", @@ -1271,6 +1423,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "odoconse228.mail.localdomain" + ], "rsa.internal.event_desc": "tenim", "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "odoconse228.mail.localdomain", @@ -1293,6 +1448,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "cteturad4074.mail.host" + ], "rsa.internal.event_desc": "tetu", "rsa.internal.messageid": "validate_dhcpd", "rsa.misc.event_source": "cteturad4074.mail.host", @@ -1315,6 +1473,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itation6137.home" + ], "rsa.internal.event_desc": "sequat", "rsa.internal.messageid": "debug_mount", "rsa.misc.event_source": "itation6137.home", 
@@ -1359,6 +1520,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dun1276.api.localdomain" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "dun1276.api.localdomain", @@ -1382,6 +1546,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "iquidexe304.mail.test" + ], "rsa.internal.event_desc": "oreetd", "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "iquidexe304.mail.test", @@ -1405,6 +1572,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "preh2690.api.localdomain" + ], "rsa.internal.data": "mac", "rsa.internal.event_desc": "qui", "rsa.internal.messageid": "captured_dns_uploader", @@ -1430,6 +1600,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.7214", + "related.hosts": [ + "rem3032.mail.domain" + ], "rsa.email.email_src": "ica", "rsa.internal.messageid": "kernel", "rsa.misc.event_source": "rem3032.mail.domain", @@ -1455,6 +1628,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.7727", + "related.hosts": [ + "tetur2694.mail.local" + ], "rsa.db.index": "itinv", "rsa.internal.messageid": "openvpn-member", "rsa.misc.event_source": "tetur2694.mail.local", @@ -1478,6 +1654,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "utaliqu6138.mail.localhost" + ], "rsa.internal.event_desc": "can't read sid", "rsa.internal.messageid": "pidof", "rsa.misc.client": "oremi", @@ -1501,6 +1680,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tame4953.mail.localhost" + ], "rsa.db.index": "prehen", "rsa.internal.event_desc": "ntutlabo", "rsa.internal.messageid": "restarting", 
@@ -1525,6 +1707,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "loi7596.www5.home" + ], "rsa.internal.data": "deserun", "rsa.internal.messageid": "scheduled_backups", "rsa.misc.device_name": "esseq", @@ -1548,6 +1733,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mmodoc4947.internal.test" + ], "rsa.internal.data": "atu", "rsa.internal.messageid": "ErrorMsg", "rsa.misc.event_source": "mmodoc4947.internal.test", @@ -1571,6 +1759,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "olorem2760.www5.test" + ], "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "olorem2760.www5.test", @@ -1593,6 +1784,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dol3346.www.lan" + ], "rsa.internal.data": "olorese", "rsa.internal.event_desc": "Scheduled backup to the FTP server failed", "rsa.internal.messageid": "scheduled_ftp_backups", @@ -1619,6 +1813,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ercit6496.api.local" + ], "rsa.internal.event_desc": "Scheduled backup to the SCP server was successful", "rsa.internal.messageid": "scheduled_scp_backups", "rsa.misc.device_name": "midestl", @@ -1662,6 +1859,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "col3570.www.invalid" + ], "rsa.email.email_dst": "tsed", "rsa.internal.messageid": "sSMTP", "rsa.misc.event_source": "col3570.www.invalid", 
@@ -1685,6 +1885,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mipsamvo4282.api.home" + ], "rsa.internal.event_desc": "oreveri", "rsa.internal.messageid": "init", "rsa.misc.event_source": "mipsamvo4282.api.home", @@ -1707,6 +1910,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umq1309.api.test" + ], "rsa.internal.event_desc": "mve", "rsa.internal.messageid": "debug", "rsa.misc.event_source": "umq1309.api.test", @@ -1729,6 +1935,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ugit5828.www5.test" + ], "rsa.internal.data": "asnu", "rsa.internal.messageid": "rc", "rsa.misc.client": "hitec", @@ -1772,6 +1981,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "archite1843.mail.home" + ], "rsa.internal.event_desc": "uta", "rsa.internal.messageid": "radiusd", "rsa.misc.event_source": "archite1843.mail.home", @@ -1794,6 +2006,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "derit5270.mail.local" + ], "rsa.internal.event_desc": "ntexpl", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "derit5270.mail.local", @@ -1816,6 +2031,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itanim4024.api.example" + ], "related.ip": [ "10.156.34.19" ], @@ -1873,6 +2091,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ataevi1984.internal.host" + ], "related.ip": [ "10.17.87.79" ], 
@@ -1900,6 +2121,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tionula1586.host" + ], "rsa.internal.data": "idolor", "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", @@ -1923,6 +2147,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "llam1884.www.corp" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "llam1884.www.corp", @@ -1946,6 +2173,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ore5643.api.lan" + ], "rsa.internal.data": "edolorin", "rsa.internal.event_desc": "dolorem", "rsa.internal.messageid": "acpid", @@ -1969,6 +2199,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "exeacomm79.api.corp" + ], "rsa.internal.data": "mides", "rsa.internal.event_desc": "ciun", "rsa.internal.messageid": "rc3", @@ -1993,6 +2226,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lorsita6602.mail.local" + ], "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "lorsita6602.mail.local", "rsa.misc.result_code": "npr", @@ -2015,6 +2251,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ratv2649.www.host" + ], "rsa.internal.data": "tali", "rsa.internal.event_desc": "BCS", "rsa.internal.messageid": "speedstep_control", @@ -2038,6 +2277,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "abor4353.www5.host" + ], "rsa.internal.event_desc": "tesseq", "rsa.internal.messageid": "python", "rsa.misc.event_source": "abor4353.www5.host", 
@@ -2062,6 +2304,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.388", + "related.hosts": [ + "rerepre6748.internal.domain" + ], "rsa.db.index": "sinto", "rsa.internal.data": "tdolore", "rsa.internal.messageid": "openvpn-member", @@ -2086,6 +2331,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "qui3176.internal.example" + ], "rsa.internal.messageid": "rc", "rsa.misc.client": "amvolu", "rsa.misc.event_source": "qui3176.internal.example", @@ -2109,6 +2357,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "der7349.invalid" + ], "rsa.internal.event_desc": "eiusmod", "rsa.internal.messageid": "monitor", "rsa.misc.event_source": "der7349.invalid", @@ -2132,6 +2383,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "veleum3833.internal.test" + ], "rsa.internal.event_desc": "iusmodt", "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "veleum3833.internal.test", @@ -2154,6 +2408,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "aquio6685.internal.test" + ], "rsa.internal.data": "aquio", "rsa.internal.event_desc": "riatu", "rsa.internal.messageid": "rc6", @@ -2177,6 +2434,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tanimid4871.internal.domain" + ], "rsa.internal.data": "abor", "rsa.internal.event_desc": "nBCSe", "rsa.internal.messageid": "debug", @@ -2200,6 +2460,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "icta82.internal.lan" + ], "rsa.internal.data": "uei", "rsa.internal.event_desc": "can't read sid", "rsa.internal.messageid": "pidof", 
@@ -2224,6 +2487,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dol6197.mail.localdomain" + ], "rsa.internal.data": "inBCSe", "rsa.internal.event_desc": "otamrem", "rsa.internal.messageid": "speedstep_control", @@ -2247,6 +2513,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lumqu617.www.test" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "lumqu617.www.test", @@ -2270,6 +2539,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uido492.www5.home" + ], "rsa.internal.data": "uid", "rsa.internal.messageid": "pidof", "rsa.misc.client": "snostrum", @@ -2294,6 +2566,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.6198", + "related.hosts": [ + "reseosqu1629.mail.lan" + ], "rsa.internal.event_desc": "ommo", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "reseosqu1629.mail.lan", @@ -2317,6 +2592,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itseddoe5595.internal.localhost" + ], "rsa.internal.data": "ehende", "rsa.internal.event_desc": "tutla", "rsa.internal.messageid": "smart_check_io", @@ -2340,6 +2618,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "olu5333.www.domain" + ], "rsa.internal.event_desc": "dolor", "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "olu5333.www.domain", @@ -2362,6 +2643,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dtemp1362.internal.example" + ], "rsa.internal.event_desc": "itae", "rsa.internal.messageid": "init", "rsa.misc.event_source": "dtemp1362.internal.example", 
diff --git a/x-pack/filebeat/module/juniper/junos/config/input.yml b/x-pack/filebeat/module/juniper/junos/config/input.yml
index 95d8bf8a4774..ac3e93cc4857 100644
--- a/x-pack/filebeat/module/juniper/junos/config/input.yml
+++ b/x-pack/filebeat/module/juniper/junos/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml
index afa4b02bec47..bc38869e537f 100644
--- a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ allow_duplicates: false
+ if: ctx?.host?.hostname && ctx.host?.hostname != ''
+ - append:
+ field: related.hosts
+ value: '{{server.domain}}'
+ allow_duplicates: false
+ if: ctx?.server?.domain && ctx.server?.domain != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/juniper/netscreen/config/input.yml b/x-pack/filebeat/module/juniper/netscreen/config/input.yml
index 9b4a5566a9b9..0fde2181329f 100644
--- a/x-pack/filebeat/module/juniper/netscreen/config/input.yml
+++ b/x-pack/filebeat/module/juniper/netscreen/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
index 5108ebdad073..f69e14d5f97c 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
+++ b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
@@ -40,4 +40,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
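Review bot: The `if` conditions on both new append processors in the junos pipeline hunk use the field value itself as the left operand of `&&` (`ctx?.host?.hostname && ...`, `ctx?.server?.domain && ...`), while the defender_atp and dhcp pipeline hunks in this same change compare against null. Painless does not treat a non-empty string as a boolean, so as far as I can tell this condition fails with a type error whenever host.hostname or server.domain is actually set, and the pipeline-level on_failure just below would then stamp error.message on exactly the events that should have gained related.hosts. Use the null-check form already used in the dhcp hunk: `if: ctx?.host?.hostname != null && ctx.host?.hostname != ''` and `if: ctx?.server?.domain != null && ctx.server?.domain != ''`. The processors list continues outside the hunk.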
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
index 392f3a441a73..0f35c753092f 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
@@ -279,6 +279,11 @@ processors:
 field: related.hash
 value: '{{file.hash.sha256}}'
 if: ctx.file?.hash?.sha256 != null
+- append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ if: ctx.host?.hostname != null && ctx.host?.hostname != ''
+ allow_duplicates: false
 #############
 ## Cleanup ##
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
index b7b2b12ff404..0423289d6ace 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
+++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
@@ -40,6 +40,9 @@
 "observer.name": "WindowsDefenderAv",
 "observer.product": "Defender ATP",
 "observer.vendor": "Microsoft",
+ "related.hosts": [
+ "testserver4"
+ ],
 "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
 "service.type": "microsoft",
 "tags": [
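Review bot: The new append in the defender_atp pipeline hunk writes its condition as `ctx.host?.hostname != null && ...` and puts `allow_duplicates: false` after `if`, whereas the matching processors added to the junos and dhcp pipelines in this change use `ctx?.host?.hostname` and list `allow_duplicates` before `if`. Both forms behave the same here, but since these three hunks are meant to be the same processor, aligning them (`if: ctx?.host?.hostname != null && ctx.host?.hostname != ''` with `allow_duplicates: false` in the same position) makes it easier to spot the junos condition that actually differs. The processors list continues outside the hunk.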
@@ -102,6 +105,9 @@
 "b6d237154f2e528f0b503b58b025862d66b02b73",
 "a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77"
 ],
+ "related.hosts": [
+ "testserver4"
+ ],
 "related.user": [
 "administrator1"
 ],
@@ -157,6 +163,9 @@
 "observer.name": "WindowsDefenderAtp",
 "observer.product": "Defender ATP",
 "observer.vendor": "Microsoft",
+ "related.hosts": [
+ "testserver4"
+ ],
 "related.user": [
 "administrator1"
 ],
@@ -215,6 +224,9 @@
 "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281",
 "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356"
 ],
+ "related.hosts": [
+ "testserver4"
+ ],
 "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.",
 "service.type": "microsoft",
 "tags": [
diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml
index e8e683f9022a..83985fba51d1 100644
--- a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml
+++ b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml
index 7c917d05c81c..6ba5eef30321 100644
--- a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ allow_duplicates: false
+ if: ctx?.host?.hostname != null && ctx.host?.hostname != ''
+ - append:
+ field: related.hosts
+ value: '{{source.address}}'
+ allow_duplicates: false
+ if: ctx?.source?.address != null && ctx.source?.address != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json
index a350394d3bd6..48ad613503de 100644
--- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json
@@ -12,6 +12,9 @@
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
+ "related.hosts": [
+ "ciade5699.domain"
+ ],
 "related.ip": [
 "10.124.22.221"
 ],
@@ -41,6 +44,9 @@
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
+ "related.hosts": [
+ "orev6153.internal.domain"
+ ],
 "related.ip": [
 "10.103.162.55"
 ],
@@ -70,6 +76,9 @@
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
+ "related.hosts": [
+ "uatDuis2964.test"
+ ],
 "related.ip": [
 "10.58.0.245"
 ],
@@ -99,6 +108,9 @@
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
+ "related.hosts": [
+ "untNequ5075.www5.domain"
+ ],
 "related.ip": [
 "10.163.217.10"
 ],
@@ -130,6 +142,9 @@
 "observer.product": "DHCP",
 "observer.type": "Application",
 "observer.vendor": "Microsoft",
+ "related.hosts": [
+ "idexea3181.www.local"
+ ],
 "related.ip": [
 "10.111.27.193"
 ],
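Review bot: The second append in the dhcp pipeline hunk copies `source.address` into `related.hosts`, but ECS defines source.address as holding either a hostname or an IP, so on events where the DHCP source is recorded as an address this puts IP strings into a field meant for host names and duplicates what related.ip already carries (the fixture hunks in this same file show related.ip populated with 10.x addresses next to related.hosts). If this module sets source.domain when the source is a name, prefer `value: '{{source.domain}}'` with `if: ctx?.source?.domain != null && ctx.source?.domain != ''`; otherwise gate the append on the value not already being present in related.ip. The processors list continues outside the hunk.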
@@ -159,6 +174,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "etM953.api.domain" + ], "related.ip": [ "10.97.38.141" ], @@ -188,6 +206,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inv5716.mail.invalid" + ], "related.ip": [ "10.17.21.125" ], @@ -217,6 +238,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "uines6355.internal.localdomain" + ], "related.ip": [ "10.73.69.75" ], @@ -246,6 +270,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rehender4535.www5.test" + ], "related.ip": [ "10.45.25.68" ], @@ -275,6 +302,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "mporain2624.www.localhost" + ], "related.ip": [ "10.68.93.6" ], @@ -304,6 +334,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tutla2716.www.domain" + ], "related.ip": [ "10.192.110.182" ], @@ -333,6 +366,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "conseq557.mail.lan" + ], "related.ip": [ "10.148.153.201" ], @@ -362,6 +398,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "etconse7424.internal.lan" + ], "related.ip": [ "10.213.147.241" ], @@ -391,6 +430,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tMalor7410.www.localhost" + ], "related.ip": [ "10.183.233.5" ], @@ -422,6 +464,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equat2243.www5.localdomain" + ], "related.ip": [ "10.52.186.29" ], 
@@ -451,6 +496,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ectio2175.www.localhost" + ], "related.ip": [ "10.194.114.58" ], @@ -480,6 +528,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "liqui6106.internal.home" + ], "related.ip": [ "10.212.42.224" ], @@ -509,6 +560,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "eratv6205.internal.lan" + ], "related.ip": [ "10.244.144.198" ], @@ -540,6 +594,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "piscin6866.internal.host" + ], "related.ip": [ "10.90.86.89" ], @@ -569,6 +626,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "riosamn7650.api.test" + ], "related.ip": [ "10.158.237.92" ], @@ -601,6 +661,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aper5651.test" + ], "related.ip": [ "10.20.147.134" ], @@ -633,6 +696,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inventor6088.www.invalid" + ], "related.ip": [ "10.213.145.202" ], @@ -662,6 +728,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cipitlab6201.www5.example" + ], "related.ip": [ "10.76.10.73" ], @@ -691,6 +760,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "Nemoenim2039.api.localhost" + ], "related.ip": [ "10.226.199.190" ], @@ -721,6 +793,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iquipe2458.api.host" + ], "related.ip": [ "10.20.129.206" ], 
@@ -750,6 +825,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "intoc1426.mail.lan" + ], "related.ip": [ "10.22.110.210" ], @@ -779,6 +857,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rsitvolu3751.mail.lan" + ], "related.ip": [ "10.218.87.174" ], @@ -808,6 +889,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tqu4367.www5.localhost" + ], "related.ip": [ "10.140.113.244" ], @@ -837,6 +921,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inci5738.www5.invalid" + ], "related.ip": [ "10.159.181.29" ], @@ -866,6 +953,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "itecto1300.internal.corp" + ], "related.ip": [ "10.178.173.128" ], @@ -895,6 +985,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "siut1579.www.domain" + ], "related.ip": [ "10.217.38.30" ], @@ -924,6 +1017,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ame6223.www5.localhost" + ], "related.ip": [ "10.178.49.161" ], @@ -953,6 +1049,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aturve1647.mail.localhost" + ], "related.ip": [ "10.175.103.215" ], @@ -982,6 +1081,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aco6894.mail.home" + ], "related.ip": [ "10.192.21.74" ], @@ -1013,6 +1115,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tetu2485.internal.invalid" + ], "related.ip": [ "10.142.25.100" ], 
@@ -1043,6 +1148,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "doloreme60.www5.localhost" + ], "related.ip": [ "10.162.114.217" ], @@ -1074,6 +1182,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "luptat7214.domain" + ], "related.ip": [ "10.0.132.176" ], @@ -1104,6 +1215,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "amcor5091.internal.corp" + ], "related.ip": [ "10.22.187.69" ], @@ -1135,6 +1249,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ncidid5410.internal.domain" + ], "related.ip": [ "10.2.128.234" ], @@ -1165,6 +1282,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nofd988.api.example" + ], "related.ip": [ "10.223.160.140" ], @@ -1197,6 +1317,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "borisnis6159.www5.localdomain" + ], "related.ip": [ "10.137.14.180" ], @@ -1226,6 +1349,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dminima4348.mail.home" + ], "related.ip": [ "10.192.182.230" ], @@ -1256,6 +1382,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "oluptas6981.www5.localhost" + ], "related.ip": [ "10.95.241.28" ], @@ -1288,6 +1417,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equ4808.www.localhost" + ], "related.ip": [ "10.74.240.121" ], 
@@ -1320,6 +1452,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nsec923.internal.local" + ], "related.ip": [ "10.139.127.232" ], @@ -1351,6 +1486,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "emoe4059.api.localdomain" + ], "related.ip": [ "10.170.6.54" ], @@ -1380,6 +1518,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equun6662.home" + ], "related.ip": [ "10.46.115.216" ], @@ -1409,6 +1550,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dtempori5735.www5.local" + ], "related.ip": [ "10.226.5.189" ], @@ -1438,6 +1582,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cupi7581.internal.local" + ], "related.ip": [ "10.0.20.5" ], @@ -1468,6 +1615,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "quasiar5281.mail.invalid" + ], "related.ip": [ "10.180.101.232" ], @@ -1500,6 +1650,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tionula1586.host" + ], "related.ip": [ "10.141.158.225" ], @@ -1529,6 +1682,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ore5643.api.lan" + ], "related.ip": [ "10.94.88.5" ], @@ -1559,6 +1715,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ciun39.localdomain" + ], "related.ip": [ "10.155.18.139" ], @@ -1591,6 +1750,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iutali7297.www.domain" + ], "related.ip": [ "10.85.48.117" ], 
@@ -1620,6 +1782,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "docon5398.mail.host" + ], "related.ip": [ "10.224.146.6" ], @@ -1649,6 +1814,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "destlabo7803.mail.localhost" + ], "related.ip": [ "10.182.152.242" ], @@ -1678,6 +1846,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "fugits1163.host" + ], "related.ip": [ "10.225.157.110" ], @@ -1707,6 +1878,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "adol170.internal.example" + ], "related.ip": [ "10.236.185.102" ], @@ -1736,6 +1910,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "red5516.localhost" + ], "related.ip": [ "10.146.72.62" ], @@ -1767,6 +1944,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "qui3176.internal.example" + ], "related.ip": [ "10.221.7.206" ], @@ -1796,6 +1976,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "luptat2979.internal.local" + ], "related.ip": [ "10.196.35.130" ], @@ -1825,6 +2008,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "prehe1037.api.example" + ], "related.ip": [ "10.182.219.241" ], @@ -1854,6 +2040,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "abor1370.www.domain" + ], "related.ip": [ "10.101.163.40" ], 
@@ -1883,6 +2072,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "atDuis5759.internal.test" + ], "related.ip": [ "10.141.39.190" ], @@ -1912,6 +2104,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ict2699.internal.localhost" + ], "related.ip": [ "10.41.89.217" ], @@ -1941,6 +2136,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cive2292.api.local" + ], "related.ip": [ "10.86.44.130" ], @@ -1971,6 +2169,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aconsequ2331.www5.localhost" + ], "related.ip": [ "10.209.71.69" ], @@ -2004,6 +2205,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rsitvolu3596.www.test" + ], "related.ip": [ "10.48.104.137" ], @@ -2036,6 +2240,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "elites6366.mail.lan" + ], "related.ip": [ "10.225.255.211" ], @@ -2068,6 +2275,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "orumSe4514.www.corp" + ], "related.ip": [ "10.137.103.62" ], @@ -2097,6 +2307,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "fdeFi6975.www5.local" + ], "related.ip": [ "10.156.88.51" ], @@ -2126,6 +2339,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dol3000.www5.local" + ], "related.ip": [ "10.7.99.47" ], 
@@ -2155,6 +2371,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "umd5182.mail.host" + ], "related.ip": [ "10.243.252.157" ], @@ -2186,6 +2405,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "expl2616.www.test" + ], "related.ip": [ "10.95.73.196" ], @@ -2215,6 +2437,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "risni1535.example" + ], "related.ip": [ "10.145.104.170" ], @@ -2244,6 +2469,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "umtotamr7221.mail.host" + ], "related.ip": [ "10.18.152.236" ], @@ -2273,6 +2501,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "teir7585.www5.localdomain" + ], "related.ip": [ "10.15.240.220" ], @@ -2302,6 +2533,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tur4536.localdomain" + ], "related.ip": [ "10.147.130.71" ], @@ -2331,6 +2565,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ffic6926.home" + ], "related.ip": [ "10.203.146.137" ], @@ -2360,6 +2597,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ate4386.api.localhost" + ], "related.ip": [ "10.5.98.182" ], @@ -2389,6 +2629,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iameaque5093.api.corp" + ], "related.ip": [ "10.6.180.90" ], @@ -2418,6 +2661,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tatisetq3237.www5.corp" + ], "related.ip": [ "10.111.93.224" ], 
@@ -2447,6 +2693,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rvelill32.internal.corp" + ], "related.ip": [ "10.196.157.28" ], @@ -2476,6 +2725,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ectetura2657.www.localdomain" + ], "related.ip": [ "10.143.0.78" ], @@ -2505,6 +2757,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ico3220.api.test" + ], "related.ip": [ "10.184.187.32" ], @@ -2534,6 +2789,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "Duisa7769.test" + ], "related.ip": [ "10.30.87.51" ], @@ -2563,6 +2821,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ptatev6552.www.test" + ], "related.ip": [ "10.180.62.222" ], @@ -2593,6 +2854,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "olore6487.www5.local" + ], "related.ip": [ "10.198.9.209" ], @@ -2625,6 +2889,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nvol548.corp" + ], "related.ip": [ "10.41.217.115" ], @@ -2656,6 +2923,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "pteursi466.www.localdomain" + ], "related.ip": [ "10.212.196.228" ], @@ -2685,6 +2955,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "olupt1936.host" + ], "related.ip": [ "10.166.180.119" ], @@ -2714,6 +2987,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "uisaut2157.corp" + ], "related.ip": [ "10.7.142.212" ], 
@@ -2744,6 +3020,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ecte882.www5.host" + ], "related.ip": [ "10.209.237.97" ], @@ -2776,6 +3055,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "doloreeu4417.example" + ], "related.ip": [ "10.61.26.207" ], @@ -2806,6 +3088,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tper4341.lan" + ], "related.ip": [ "10.139.88.194" ], @@ -2837,6 +3122,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nimve4965.mail.corp" + ], "related.ip": [ "10.86.134.125" ], @@ -2866,6 +3154,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "mquisno5146.home" + ], "related.ip": [ "10.41.78.169" ], @@ -2895,6 +3186,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "imaveni4500.api.localdomain" + ], "related.ip": [ "10.69.181.95" ], @@ -2925,6 +3219,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "veleu2874.www5.localhost" + ], "related.ip": [ "10.222.6.52" ], @@ -2956,6 +3253,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nemul5083.api.localdomain" + ], "related.ip": [ "10.218.41.80" ], diff --git a/x-pack/filebeat/module/netscout/sightline/config/input.yml b/x-pack/filebeat/module/netscout/sightline/config/input.yml index ec1e377e5cdb..dbbca93154b6 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/input.yml +++ b/x-pack/filebeat/module/netscout/sightline/config/input.yml 
@@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml index ed3d089bb283..258dda2c70d0 100644 --- a/x-pack/filebeat/module/panw/panos/config/input.yml +++ b/x-pack/filebeat/module/panw/panos/config/input.yml @@ -195,4 +195,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 412ddeb5c581..a958993a61c0 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -472,6 +472,12 @@ processors: value: "{{panw.panos.file.hash}}" if: "ctx?.panw?.panos?.file?.hash != null" + - append: + field: related.hosts + value: "{{observer.hostname}}" + if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''" + allow_duplicates: false + # Remove temporary fields. - remove: field: diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index 20c28165a42d..93fe08f75d9b 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -73,6 +73,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -171,6 +174,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
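Review bot: The new `append` in pipeline.yml collects only `observer.hostname` into `related.hosts`, so in every updated fixture the field holds just the firewall's own name (`PA-220`) and nothing about the hosts involved in the traffic; if this pipeline also maps hostnames parsed from the log into `url.domain`, `source.domain` or `destination.domain` (not visible in this hunk), those are the values an analyst pivots on and should be appended the same way, otherwise a query on `related.hosts` matches every event the device emits rather than the events touching a given host. A small style point: the condition mixes `ctx?.observer?.hostname` with `ctx.observer?.hostname`; since the first clause already rules out null, the second can be the plain `ctx.observer.hostname != ''`, or both can use the `?.` form consistently with the `ctx?.panw?.panos?.file?.hash` check just above. The processor also has no comment explaining its purpose, while the neighbouring block carries `# Remove temporary fields.`; a one-liner such as `# ECS related.hosts: every hostname seen on the event, starting with the observer.` would match that style.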
@@ -269,6 +275,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -367,6 +376,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -465,6 +477,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -563,6 +578,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -661,6 +679,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -759,6 +780,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -857,6 +881,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -955,6 +982,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1053,6 +1083,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1151,6 +1184,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1249,6 +1285,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1347,6 +1386,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1445,6 +1487,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1543,6 +1588,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1641,6 +1689,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1739,6 +1790,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1837,6 +1891,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1935,6 +1992,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2033,6 +2093,9 @@ "panw.panos.threat.resource": "b.scorecardresearch.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.137.131", @@ -2131,6 +2194,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2229,6 +2295,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2327,6 +2396,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2425,6 +2497,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2523,6 +2598,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -2621,6 +2699,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2719,6 +2800,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2817,6 +2901,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2915,6 +3002,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3013,6 +3103,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3111,6 +3204,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3209,6 +3305,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3307,6 +3406,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -3405,6 +3507,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3503,6 +3608,9 @@ "panw.panos.threat.resource": "cdn.taboola.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "151.101.2.2", @@ -3604,6 +3712,9 @@ "panw.panos.threat.resource": "rules.quantcount.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.192.7.152", @@ -3705,6 +3816,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -3806,6 +3920,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -3907,6 +4024,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4008,6 +4128,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -4109,6 +4232,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4210,6 +4336,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4311,6 +4440,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4412,6 +4544,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4513,6 +4648,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4614,6 +4752,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4715,6 +4856,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -4816,6 +4960,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4917,6 +5064,9 @@ "panw.panos.threat.resource": "www.googleadservices.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "216.58.194.98", @@ -5015,6 +5165,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5113,6 +5266,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5211,6 +5367,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5309,6 +5468,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5407,6 +5569,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5505,6 +5670,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -5603,6 +5771,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5701,6 +5872,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5799,6 +5973,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5897,6 +6074,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5998,6 +6178,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6099,6 +6282,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6200,6 +6386,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6301,6 +6490,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -6402,6 +6594,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6503,6 +6698,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6604,6 +6802,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6705,6 +6906,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6806,6 +7010,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6907,6 +7114,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7008,6 +7218,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7109,6 +7322,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -7210,6 +7426,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7311,6 +7530,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7412,6 +7634,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7513,6 +7738,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 60e5c4a2b29e..5f979092c4b4 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -79,6 +79,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "184.51.253.152", @@ -185,6 +188,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -294,6 +300,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "17.253.3.202", 
@@ -400,6 +409,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -509,6 +521,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "216.58.194.99", @@ -615,6 +630,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "209.234.224.22", @@ -721,6 +739,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -827,6 +848,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.2.238", @@ -933,6 +957,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1039,6 +1066,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1145,6 +1175,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "17.249.60.78", @@ -1251,6 +1284,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", 
@@ -1357,6 +1393,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1463,6 +1502,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1569,6 +1611,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1675,6 +1720,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -1781,6 +1829,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -1887,6 +1938,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "98.138.49.44", @@ -1993,6 +2047,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "72.30.3.43", @@ -2099,6 +2156,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", @@ -2205,6 +2265,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.9.142", 
@@ -2311,6 +2374,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -2420,6 +2486,9 @@ "panw.panos.sub_type": "start", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.84.80.198", @@ -2527,6 +2596,9 @@ "panw.panos.sub_type": "drop", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.55.52", @@ -2633,6 +2705,9 @@ "panw.panos.sub_type": "deny", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -2735,6 +2810,9 @@ "panw.panos.source.zone": "trust", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.210", "8.8.8.8", @@ -2838,6 +2916,9 @@ "panw.panos.sub_type": "test", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.9.142", @@ -2944,6 +3025,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "151.101.2.2", @@ -3053,6 +3137,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "216.58.194.66", @@ -3159,6 +3246,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -3265,6 +3355,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.210", "8.8.8.8", @@ -3371,6 +3464,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.253.193", @@ -3477,6 +3573,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -3584,6 +3683,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.55.52", @@ -3693,6 +3795,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.52.219", @@ -3802,6 +3907,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.71.117.196", @@ -3908,6 +4016,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4014,6 +4125,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4123,6 +4237,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "insufficient-content", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.186.194.41", 
@@ -4228,6 +4345,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "insufficient-content", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.201.124.9", @@ -4337,6 +4457,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "100.24.131.237", @@ -4443,6 +4566,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.252.247", @@ -4552,6 +4678,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.190.88.148", @@ -4661,6 +4790,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.186.243.83", @@ -4767,6 +4899,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4873,6 +5008,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4982,6 +5120,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "100.24.165.74", @@ -5088,6 +5229,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.252.247", 
@@ -5193,6 +5337,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.201.94.140", @@ -5295,6 +5442,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5401,6 +5551,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5507,6 +5660,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5613,6 +5769,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5719,6 +5878,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5825,6 +5987,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5931,6 +6096,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6037,6 +6205,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", 
@@ -6143,6 +6314,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6249,6 +6423,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6355,6 +6532,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6461,6 +6641,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6567,6 +6750,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6673,6 +6859,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6782,6 +6971,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "66.28.0.45", @@ -6888,6 +7080,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6994,6 +7189,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7100,6 +7298,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -7206,6 +7407,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7312,6 +7516,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7421,6 +7628,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.52.174.25", @@ -7527,6 +7737,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7633,6 +7846,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7742,6 +7958,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.230.5.228", @@ -7848,6 +8067,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7954,6 +8176,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8060,6 +8285,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -8166,6 +8394,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.195", "208.83.246.20", @@ -8271,6 +8502,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", @@ -8376,6 +8610,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8481,6 +8718,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8588,6 +8828,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.185.88.112", @@ -8694,6 +8937,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8800,6 +9046,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8906,6 +9155,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -9015,6 +9267,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", 
@@ -9124,6 +9379,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9233,6 +9491,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9339,6 +9600,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "104.254.150.9", @@ -9448,6 +9712,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9557,6 +9824,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.0.218.108", @@ -9666,6 +9936,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.6.117.19", @@ -9775,6 +10048,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "34.238.96.22", @@ -9884,6 +10160,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "130.211.47.17", @@ -9990,6 +10269,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -10096,6 +10378,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10202,6 +10487,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10308,6 +10596,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10414,6 +10705,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10520,6 +10814,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -10626,6 +10923,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml index 0598b8e63d14..05fe8a00db05 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml index 5618f330e7c1..a5eafc083d99 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml 
@@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' + - append: + field: related.hosts + value: '{{destination.address}}' + allow_duplicates: false + if: ctx?.destination?.address != null && ctx.destination?.address != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json index ea2fb8b73043..f9043afa34aa 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json @@ -89,6 +89,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 3391, + "related.hosts": [ + "tenbyCic5882.api.home" + ], "related.ip": [ "10.69.20.77" ], @@ -247,6 +250,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 7183, + "related.hosts": [ + "ommod3671.mail.domain" + ], "rsa.email.email_src": "dexeaco", "rsa.internal.messageid": "queued-reinject", "rsa.misc.client": "emaperi", @@ -477,6 +483,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 4499, + "related.hosts": [ + "ersp3536.www5.lan" + ], "rsa.db.index": "mod", "rsa.email.email_dst": "fugiatn", "rsa.internal.messageid": "queued-aglife", @@ -666,6 +675,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 3866, + "related.hosts": [ + "sit6590.lan" + ], "related.ip": [ "10.123.143.188" ], 
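Review bot: The second `append` in this hunk treats `destination.address` as a hostname, but in ECS that field holds whatever the log supplied — a domain or an IP — so if any of this module's mappings put an IP there it would be copied into `related.hosts` alongside `related.ip`. The fixture updated in this commit only shows hostnames for it (e.g. `estla4081.corp`), so this may be fine today, but it deserves a comment on the processor: `# destination.address is expected to be a hostname in this module; IP addresses are collected in related.ip`. The `if` expressions also drop the null-safe operator on `ctx` in their second clause (`ctx.host?.name != ''`); `ctx?.host?.name != ''` would match the first clause, and the same applies to the snort pipeline hunk below. The `processors` list continues outside this hunk.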
@@ -1256,6 +1268,9 @@ "observer.product": "Email", "observer.type": "Firewall", "observer.vendor": "Proofpoint", + "related.hosts": [ + "lors7553.api.local" + ], "rsa.internal.messageid": "dkimv_run", "rsa.misc.client": "uido", "rsa.misc.log_session_id": "tiaecon", @@ -1473,6 +1488,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 2861, + "related.hosts": [ + "str4641.domain" + ], "related.ip": [ "10.151.31.58" ], @@ -2407,6 +2425,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 3274, + "related.hosts": [ + "Sedutper7794.www5.domain" + ], "related.ip": [ "10.154.22.241" ], @@ -2533,6 +2554,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 4250, + "related.hosts": [ + "estla4081.corp" + ], "rsa.internal.messageid": "queued-default", "rsa.misc.client": "queued-default", "rsa.network.host_dst": "estla4081.corp", diff --git a/x-pack/filebeat/module/radware/defensepro/config/input.yml b/x-pack/filebeat/module/radware/defensepro/config/input.yml index 24f226db8f32..e978b0234254 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/input.yml +++ b/x-pack/filebeat/module/radware/defensepro/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml index cd99c6e04daa..f36e381ab96a 100644 --- a/x-pack/filebeat/module/snort/log/config/input.yml +++ b/x-pack/filebeat/module/snort/log/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml index 0db6047881b2..640c5b2556a9 100644 --- a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml 
@@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json index 62a15952dd8a..f0150dcb87fb 100644 --- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json @@ -12,6 +12,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "quid2184.invalid" + ], "related.ip": [ "10.202.72.124" ], @@ -54,6 +57,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "uptatev4292.www.invalid" + ], "related.ip": [ "10.212.11.114", "10.38.77.13" @@ -100,6 +106,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tlabo6088.www.localdomain" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "itecto", "rsa.misc.result": "failure", @@ -127,6 +136,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "eporroqu4200.domain" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "suntinc", "rsa.misc.result": "success", @@ -153,6 +165,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "conseq557.mail.lan" + ], "related.user": [ "aaliquaU" ], 
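Review bot: Only `host.name` feeds `related.hosts` here, whereas the proofpoint pipeline in the same change also appends `destination.address`. If the snort module maps a destination host name it would be missing from `related.hosts`; if it does not, a comment on the append such as `# only the observer's host.name is available here; no destination host name is mapped` would make the asymmetry deliberate. Separately, the snort expected-output fixture in this commit reorders entries in `related.ip` (for instance the hunk at old line 193), which nothing in this hunk accounts for — presumably another file in the change drives that, but it is worth confirming the reorder is intentional. The `processors` list continues outside this hunk.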
@@ -193,9 +208,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "itame189.domain" + ], "related.ip": [ - "10.182.199.231", - "10.24.67.250" + "10.24.67.250", + "10.182.199.231" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "oei", @@ -238,6 +256,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "vitaedi1318.corp" + ], "related.user": [ "temqu" ], @@ -268,6 +289,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "itatione1916.www.host" + ], "related.user": [ "oluptate" ], @@ -306,9 +330,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.4418", + "related.hosts": [ + "its7829.localhost" + ], "related.ip": [ - "10.110.31.190", - "10.157.18.252" + "10.157.18.252", + "10.110.31.190" ], "rsa.crypto.sig_type": "rQu", "rsa.internal.messageid": "5979", @@ -351,6 +378,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "aec3673.internal.host" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "niamq", "rsa.misc.result": "failure", @@ -378,6 +408,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "inibu2292.www.invalid" + ], "related.user": [ "isetquas" ], @@ -412,6 +445,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ori1241.www.corp" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "ercit", "rsa.misc.result": "failure", @@ -438,6 +474,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ueipsa748.localdomain" + ], "related.user": [ "aparia" ], 
@@ -470,6 +509,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "oluptat548.www5.invalid" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "dolorem", "rsa.misc.result": "failure", @@ -496,6 +538,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "loremag6816.www5.lan" + ], "related.user": [ "inrepreh" ], @@ -528,6 +573,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tionemu5269.internal.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "occaec", "rsa.misc.result": "failure", @@ -554,6 +602,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "onulamco7734.www.local" + ], "related.user": [ "uptat" ], @@ -586,6 +637,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "luptatem3834.lan" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "tise", @@ -618,6 +672,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "exercita2068.api.invalid" + ], "related.ip": [ "10.169.84.140" ], @@ -651,6 +708,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "orumS757.www5.corp" + ], "related.ip": [ "10.130.231.129" ], @@ -685,6 +745,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "sedquian4212.www5.domain" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "eca", 
@@ -718,6 +781,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "oinBCSed3444.api.local" + ], "related.user": [ "smodtem" ], @@ -756,6 +822,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.6724", + "related.hosts": [ + "apari5002.api.test" + ], "related.ip": [ "10.9.200.197", "10.182.213.195" @@ -810,9 +879,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tper4341.lan" + ], "related.ip": [ - "10.210.180.142", - "10.111.33.70" + "10.111.33.70", + "10.210.180.142" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "animi", @@ -856,6 +928,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "antiu3533.internal.domain" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "lapari", "rsa.misc.result": "success", @@ -884,6 +959,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "cidu921.internal.lan" + ], "related.ip": [ "10.222.183.123", "10.165.33.19" @@ -924,9 +1002,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.890", + "related.hosts": [ + "unturmag6190.api.lan" + ], "related.ip": [ - "10.238.223.171", - "10.52.190.18" + "10.52.190.18", + "10.238.223.171" ], "rsa.crypto.sig_type": "Finibus", "rsa.internal.messageid": "16539", @@ -974,6 +1055,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.3902", + "related.hosts": [ + "conseq6079.www.corp" + ], "related.ip": [ "10.68.233.163", "10.160.178.109" @@ -1018,6 +1102,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tvol3402.www.local" + ], "related.ip": [ "10.162.109.83" ], 
@@ -1050,6 +1137,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "xcep3783.internal.localhost" + ], "related.user": [ "serro" ], @@ -1081,6 +1171,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ciatisun7378.www5.invalid" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "riaturEx", "rsa.misc.result": "unknown", @@ -1112,9 +1205,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.6627", + "related.hosts": [ + "iqu4858.mail.invalid" + ], "related.ip": [ - "10.116.175.84", - "10.213.100.153" + "10.213.100.153", + "10.116.175.84" ], "rsa.crypto.sig_type": "exercit", "rsa.internal.messageid": "11634", @@ -1156,6 +1252,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ionu3320.api.localhost" + ], "related.user": [ "estq" ], @@ -1186,6 +1285,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ollitan5079.www.lan" + ], "related.user": [ "deriti" ], @@ -1218,6 +1320,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nihilmol1849.api.local" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ @@ -1247,6 +1352,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ota4562.local" + ], "related.user": [ "epteurs" ], @@ -1278,6 +1386,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "gnama5033.www5.home" + ], "related.user": [ "ction" ], 
@@ -1309,6 +1420,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "sum6106.www.home" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "doe", "rsa.misc.result": "failure", @@ -1335,6 +1449,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "squa2763.www.lan" + ], "related.user": [ "trude" ], @@ -1375,9 +1492,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "stiae3403.internal.localhost" + ], "related.ip": [ - "10.240.144.78", - "10.251.159.118" + "10.251.159.118", + "10.240.144.78" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "ostrudex", @@ -1421,6 +1541,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "setq5996.corp" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "odi", "rsa.misc.result": "success", @@ -1448,6 +1571,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "quiano3025.api.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "sequatD", "rsa.misc.result": "unknown", @@ -1475,6 +1601,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "qui7797.www.host" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "umet", "rsa.misc.result": "failure", @@ -1510,6 +1639,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "urau1660.www.lan" + ], "related.ip": [ "10.201.132.114", "10.140.209.249" @@ -1555,6 +1687,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "edutpers3482.www5.corp" + ], "related.user": [ "mnisis" ], 
@@ -1592,6 +1727,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.2633", + "related.hosts": [ + "nofde7732.internal.test" + ], "related.ip": [ "10.198.44.231", "10.36.122.169" @@ -1644,9 +1782,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "evita850.localdomain" + ], "related.ip": [ - "10.144.162.122", - "10.77.86.215" + "10.77.86.215", + "10.144.162.122" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "eav", @@ -1689,6 +1830,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "aturau3002.api.corp" + ], "related.user": [ "sci" ], @@ -1720,6 +1864,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ntiumt238.internal.corp" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "odite", @@ -1753,6 +1900,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "atu2951.test" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "pitlab", "rsa.misc.result": "success", @@ -1779,6 +1929,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "uipe5295.api.localhost" + ], "related.user": [ "mwrit" ], @@ -1810,6 +1963,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tatiset5041.www5.local" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "Utenim", @@ -1842,6 +1998,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "esse2198.mail.example" + ], "related.user": [ "uaturvel" ], 
@@ -1873,6 +2032,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "pitlab5165.localdomain" + ], "related.ip": [ "10.17.172.91" ], @@ -1906,6 +2068,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "uinesci6041.api.local" + ], "related.user": [ "pers" ], @@ -1944,6 +2109,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.2115", + "related.hosts": [ + "uovol2459.www5.invalid" + ], "related.ip": [ "10.60.137.215", "10.28.105.106" @@ -1988,6 +2156,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ptate7215.www5.home" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "ssequa", "rsa.misc.result": "failure", @@ -2015,6 +2186,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "metc7395.lan" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ @@ -2051,11 +2225,14 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "Loremips5368.www5.corp" + ], "related.ip": [ - "10.20.167.114", "10.49.190.163", "10.166.40.137", - "10.65.144.119" + "10.65.144.119", + "10.20.167.114" ], "rsa.internal.event_desc": "Offloaded TCP Flow for connection", "rsa.internal.messageid": "FTD_events", @@ -2095,9 +2272,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "mexer1548.www5.example" + ], "related.ip": [ - "10.162.128.87", - "10.104.78.147" + "10.104.78.147", + "10.162.128.87" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "emu", @@ -2132,6 +2312,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "emulla6625.www5.corp" + ], "related.ip": [ "10.237.43.87", "10.82.180.46" 
@@ -2174,6 +2357,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.4189", + "related.hosts": [ + "magn3657.api.invalid" + ], "related.ip": [ "10.180.28.156", "10.234.234.205" @@ -2221,6 +2407,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nis3942.mail.example" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "architec", "rsa.misc.result": "success", @@ -2256,9 +2445,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "upta788.invalid" + ], "related.ip": [ - "10.40.250.209", - "10.166.10.187" + "10.166.10.187", + "10.40.250.209" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "high-temUte", @@ -2302,6 +2494,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "consequu3962.api.localdomain" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ @@ -2333,9 +2528,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ita7851.localhost" + ], "related.ip": [ - "10.198.202.72", - "10.78.180.219" + "10.78.180.219", + "10.198.202.72" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "equaturv", @@ -2376,6 +2574,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.2390", + "related.hosts": [ + "laparia5374.api.domain" + ], "related.ip": [ "10.147.155.100", "10.232.67.182" @@ -2427,9 +2628,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.1034", + "related.hosts": [ + "onse3711.api.domain" + ], "related.ip": [ - "10.95.152.78", - "10.4.147.70" + "10.4.147.70", + "10.95.152.78" ], "rsa.crypto.sig_type": "cid", "rsa.internal.messageid": "9193", 
@@ -2472,6 +2676,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "iac7016.api.lan" + ], "related.user": [ "antiu" ], @@ -2502,6 +2709,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tte4006.www5.test" + ], "related.user": [ "lors" ], @@ -2534,6 +2744,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "equatD1241.www5.host" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "econs", @@ -2568,6 +2781,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "essequ121.localdomain" + ], "related.ip": [ "10.216.14.36", "10.224.250.83" @@ -2608,6 +2824,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.6298", + "related.hosts": [ + "borios1685.www.localhost" + ], "related.ip": [ "10.231.10.63", "10.38.22.60" @@ -2663,9 +2882,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "Bonoru5658.mail.invalid" + ], "related.ip": [ - "10.46.57.181", - "10.29.231.11" + "10.29.231.11", + "10.46.57.181" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "remape", @@ -2708,6 +2930,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ueipsa6797.mail.home" + ], "related.user": [ "agnaal" ], @@ -2738,6 +2963,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "iono5161.www5.localhost" + ], "related.user": [ "ita" ], @@ -2770,6 +2998,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "untut3537.domain" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ 
@@ -2808,6 +3039,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "reetd7201.invalid" + ], "related.ip": [ "10.135.250.25", "10.107.144.80" @@ -2854,6 +3088,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tnula4380.mail.test" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "olupta", "rsa.misc.result": "failure", @@ -2880,6 +3117,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "apar2567.www.localhost" + ], "related.user": [ "iscing" ], @@ -2916,6 +3156,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "onsecte5119.www.invalid" + ], "related.ip": [ "10.198.207.31", "10.5.88.183" @@ -2952,6 +3195,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "iutali3143.host" + ], "related.user": [ "ect" ], @@ -2983,6 +3229,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "orro7466.www5.lan" + ], "related.user": [ "issu" ], @@ -3013,6 +3262,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "epre7710.www.domain" + ], "related.user": [ "aria" ], @@ -3044,6 +3296,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nsequatu2799.www5.invalid" + ], "related.user": [ "mape" ], @@ -3076,6 +3331,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "scingel1634.api.home" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "meaq", 
@@ -3109,6 +3367,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "inBCSe364.www.corp" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "high-tsedquia", @@ -3150,9 +3411,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "onofdeFi1149.www5.domain" + ], "related.ip": [ - "10.154.87.98", - "10.186.68.87" + "10.186.68.87", + "10.154.87.98" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "uptate", @@ -3204,6 +3468,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "lumdol5252.internal.test" + ], "related.ip": [ "10.35.59.140", "10.67.211.63" @@ -3250,6 +3517,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "quianonn2762.api.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "eeufugia", "rsa.misc.result": "unknown", @@ -3276,6 +3546,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "atn2219.api.invalid" + ], "related.user": [ "radip" ], @@ -3308,6 +3581,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "equu1159.internal.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "atcup", "rsa.misc.result": "failure", @@ -3335,6 +3611,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "urQuisau2442.mail.invalid" + ], "related.user": [ "uptate" ], 
@@ -3370,9 +3649,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "cididu3187.home" + ], "related.ip": [ - "10.179.27.185", - "10.14.46.141" + "10.14.46.141", + "10.179.27.185" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "llumdolo", @@ -3406,6 +3688,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "aliqua4025.www.localdomain" + ], "related.user": [ "deFinibu" ], @@ -3439,6 +3724,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "citati1297.api.domain" + ], "related.user": [ "emp" ], @@ -3471,6 +3759,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nreprehe2138.www5.domain" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "eursi", "rsa.misc.result": "success", @@ -3498,6 +3789,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "idolore6589.api.localdomain" + ], "related.user": [ "ctobea" ], @@ -3538,6 +3832,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "erunt3957.internal.lan" + ], "related.ip": [ "10.118.103.185", "10.32.195.34", @@ -3582,9 +3879,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ntNe7144.api.lan" + ], "related.ip": [ - "10.188.88.133", - "10.111.130.177" + "10.111.130.177", + "10.188.88.133" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "numqu", diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml index 91bbc2d960fa..b0bed38d214e 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml 
@@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml index 921b02b96ead..01202648b26b 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml @@ -53,6 +53,26 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' + - append: + field: related.hosts + value: '{{host.hostname}}' + allow_duplicates: false + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' + - append: + field: related.hosts + value: '{{source.address}}' + allow_duplicates: false + if: ctx?.source?.address != null && ctx.source?.address != '' + - append: + field: related.hosts + value: '{{destination.address}}' + allow_duplicates: false + if: ctx?.destination?.address != null && ctx.destination?.address != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 56ba3e6e78d4..5b84648b930d 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -18,9 +18,13 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "nostrud4819.mail.test", + "oreetdol1714.internal.corp" + ], "related.ip": [ - "10.92.136.230", - "10.49.111.67" + "10.49.111.67", + "10.92.136.230" ], "rsa.internal.messageid": "914", "rsa.internal.msg": "lupt", 
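Review bot: The appends of `source.address` and `destination.address` into `related.hosts` will also copy IP literals into that field whenever those ECS address fields hold an IP instead of a hostname, because the `if` only rejects null and empty strings; the Sophos UTM pipeline hunk further down has the same gap for `destination.address`. One cheap guard is to skip the append when the address equals the already-extracted IP field, e.g. `if: ctx?.source?.address != null && ctx.source?.address != '' && ctx.source.address != ctx?.source?.ip`, mirrored for destination — confirm against how this module's parser fills `*.address` versus `*.ip` before relying on it. A small style point in all four conditions: the second operand drops the null-safe prefix (`ctx.host?.name` after `ctx?.host?.name`), which is harmless but inconsistent, and since `ctx` is never null in an ingest condition, `ctx.host?.name != null && ctx.host.name != ''` would be both shorter and uniform. The `processors` list these entries extend starts outside the hunk.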
@@ -81,9 +85,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ + "10.227.15.1", "10.149.203.46", - "10.150.156.22", - "10.227.15.1" + "10.150.156.22" ], "rsa.internal.event_desc": "ctetur", "rsa.internal.messageid": "1369", @@ -416,9 +420,12 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "fugi4637.www.lan" + ], "related.ip": [ - "10.30.196.102", - "10.241.178.107" + "10.241.178.107", + "10.30.196.102" ], "rsa.internal.messageid": "353", "rsa.internal.msg": "onproide", @@ -471,8 +478,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.157.161.103", - "10.78.151.178" + "10.78.151.178", + "10.157.161.103" ], "rsa.internal.event_desc": "taut", "rsa.internal.messageid": "24", @@ -504,8 +511,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.204.11.20", - "10.239.201.234" + "10.239.201.234", + "10.204.11.20" ], "rsa.internal.messageid": "87", "rsa.internal.msg": "Loremip", @@ -544,8 +551,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.245.200.97", "10.34.161.166", + "10.245.200.97", "10.219.116.137" ], "rsa.internal.event_desc": "rehend", @@ -592,8 +599,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.252.122.195", - "10.118.80.140" + "10.118.80.140", + "10.252.122.195" ], "rsa.internal.messageid": "401", "rsa.internal.msg": "inesci", @@ -781,8 +788,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.237.163.139", - "10.135.187.104" + "10.135.187.104", + "10.237.163.139" ], "rsa.internal.messageid": "882", "rsa.internal.msg": "itatio", @@ -838,8 +845,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.60.129.15", - "10.248.101.25" + "10.248.101.25", + "10.60.129.15" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "ommodico", 
@@ -1207,9 +1214,13 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "tiaec5551.www.local", + "ise5905.www.local" + ], "related.ip": [ - "10.53.113.23", - "10.97.124.211" + "10.97.124.211", + "10.53.113.23" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1420,9 +1431,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.113.100.237", + "10.108.84.24", "10.251.248.228", - "10.108.84.24" + "10.113.100.237" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1635,8 +1646,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.104.49.142", - "10.102.166.19" + "10.102.166.19", + "10.104.49.142" ], "rsa.internal.messageid": "252", "rsa.internal.msg": "eprehend", @@ -1766,8 +1777,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.191.242.168", - "10.165.48.224" + "10.165.48.224", + "10.191.242.168" ], "rsa.internal.event_desc": "equep", "rsa.internal.messageid": "995", @@ -1852,8 +1863,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.219.42.212", - "10.57.85.98" + "10.57.85.98", + "10.219.42.212" ], "rsa.internal.event_desc": "mquisno", "rsa.internal.messageid": "995", @@ -1906,8 +1917,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.195.223.82", - "10.135.70.159" + "10.135.70.159", + "10.195.223.82" ], "rsa.internal.messageid": "351", "rsa.internal.msg": "CSe", @@ -2057,8 +2068,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.12.54.142", - "10.56.10.84" + "10.56.10.84", + "10.12.54.142" ], "rsa.internal.messageid": "658", "rsa.internal.msg": "osquirat", 
@@ -2176,8 +2187,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.57.255.4", - "10.200.122.184" + "10.200.122.184", + "10.57.255.4" ], "rsa.identity.user_sid_dst": "sBon", "rsa.internal.event_desc": "fic", @@ -2318,8 +2329,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.78.29.246", - "10.125.85.128" + "10.125.85.128", + "10.78.29.246" ], "rsa.internal.messageid": "355", "rsa.internal.msg": "labo", @@ -2449,8 +2460,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.245.216.15", - "10.110.208.170" + "10.110.208.170", + "10.245.216.15" ], "rsa.internal.messageid": "931", "rsa.internal.msg": "aecatcup", @@ -2673,8 +2684,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.219.228.115", - "10.179.3.247" + "10.179.3.247", + "10.219.228.115" ], "rsa.internal.messageid": "373", "rsa.misc.action": [ diff --git a/x-pack/filebeat/module/sophos/utm/config/input.yml b/x-pack/filebeat/module/sophos/utm/config/input.yml index c2774be98468..865b6e271199 100644 --- a/x-pack/filebeat/module/sophos/utm/config/input.yml +++ b/x-pack/filebeat/module/sophos/utm/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml index 777046121c72..62aaa2a3c305 100644 --- a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml 
@@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' + - append: + field: related.hosts + value: '{{destination.address}}' + allow_duplicates: false + if: ctx?.destination?.address != null && ctx.destination?.address != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json index d820157c77c1..b57ab7067ab7 100644 --- a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json @@ -51,14 +51,17 @@ "observer.vendor": "Sophos", "observer.version": "1.5102", "process.pid": 5716, + "related.hosts": [ + "ercit2385.internal.home" + ], "related.ip": [ "10.47.202.102", "10.57.170.140" ], "related.user": [ - "dexeac", "sunt", - "icistatuscode=giatquov" + "icistatuscode=giatquov", + "dexeac" ], "rsa.db.index": "run", "rsa.identity.logon_type": "nofdeF", @@ -119,6 +122,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3905, + "related.hosts": [ + "eirure7587.internal.localhost" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "aaliquaU", "rsa.misc.result": "No form context found", @@ -150,12 +156,15 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.3129", + "related.hosts": [ + "data4478.api.lan" + ], "related.ip": [ "10.106.239.55" ], "related.user": [ - "eaq", - "itquiin" + "itquiin", + "eaq" ], "rsa.identity.logon_type": "stquidol", "rsa.internal.event_desc": "bor", 
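Review bot: Only `host.name` and `destination.address` are collected into `related.hosts` here, whereas the parallel Sonicwall pipeline hunk also appends `host.hostname` and `source.address`; if this module's parser can populate either of those, they will be silently left out of `related.hosts`. If the narrower list is deliberate, a one-line comment above the first new `append` such as `# only host.name and destination.address are emitted by this parser; host.hostname/source.address are never set` would keep the next maintainer from "fixing" it to match the other module. The `processors` list this hunk extends begins outside the hunk.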
@@ -196,6 +205,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7692, + "related.hosts": [ + "ctetura3009.www5.corp" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "corp", "rsa.misc.event_id": "AH00292", @@ -275,6 +287,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 945, + "related.hosts": [ + "ptasnu6684.mail.lan" + ], "related.ip": [ "10.18.13.211" ], @@ -306,6 +321,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "ssecillu7166.internal.lan" + ], "rsa.internal.event_desc": "barnyard:Initializing daemon mode", "rsa.internal.messageid": "barnyard", "rsa.network.alias_host": [ @@ -333,6 +351,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2164, + "related.hosts": [ + "ore5643.api.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "acom", "rsa.misc.severity": "high", @@ -362,6 +383,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 4006, + "related.hosts": [ + "ciun39.localdomain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "Unclean shutdown", "rsa.misc.event_id": "AH00098", @@ -392,6 +416,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1263, + "related.hosts": [ + "atatnon6064.www.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_id": "AH00291", "rsa.misc.event_log": "adol", @@ -420,6 +447,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "gitse2463.www5.invalid" + ], "related.user": [ "agnaaliq" ], @@ -475,6 +505,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "oriosam6277.mail.localdomain" + ], "related.ip": [ "10.169.5.162" ], 
@@ -509,6 +542,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5996, + "related.hosts": [ + "ptate3830.internal.localhost" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_id": "AH02572", "rsa.misc.event_log": "ntut", @@ -538,6 +574,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3340, + "related.hosts": [ + "nvo6105.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "isn", "rsa.misc.event_id": "AH00020", @@ -592,6 +631,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.5889", + "related.hosts": [ + "edic2758.api.domain" + ], "related.ip": [ "10.54.169.175" ], @@ -698,6 +740,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 170, + "related.hosts": [ + "ectobeat3157.mail.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "ditau", "rsa.misc.event_id": "AH02312", @@ -733,6 +778,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 873, + "related.hosts": [ + "ident2323.internal.corp" + ], "related.ip": [ "10.144.21.112" ], @@ -764,6 +812,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "ttenb4581.www.host" + ], "rsa.internal.event_desc": "httpproxy:shutdown finished, exiting.", "rsa.internal.messageid": "httpproxy", "rsa.network.alias_host": [ @@ -789,6 +840,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "lapari5763.api.invalid" + ], "related.ip": [ "10.103.2.48" ], @@ -829,6 +883,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "elites4713.www.localhost" + ], "related.ip": [ "10.161.51.135", "10.52.190.18" 
@@ -878,6 +935,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3338, + "related.hosts": [ + "sam1795.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "animide", "rsa.misc.event_id": "AH02312", @@ -968,13 +1028,17 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.5146", + "related.hosts": [ + "nostrum6305.internal.localhost", + "Duis583.api.local" + ], "related.ip": [ "10.17.51.153", "10.89.41.97" ], "related.user": [ - "tio", "tcustatuscode=eumiu", + "tio", "pteurs" ], "rsa.db.index": "eavolupt", @@ -1037,6 +1101,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "xeaco7887.www.localdomain" + ], "related.user": [ "uptate" ], @@ -1071,6 +1138,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5430, + "related.hosts": [ + "iscivel3512.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.operation_id": "eriti", "rsa.network.host_dst": "iscivel3512.invalid", @@ -1119,6 +1189,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "dolor5799.home" + ], "rsa.internal.event_desc": "afcd: IM/P2P Classifier configuration reloaded successfully.", "rsa.internal.messageid": "afcd", "rsa.network.alias_host": [ @@ -1147,6 +1220,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6691, + "related.hosts": [ + "oreseosq1859.api.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "essequam", "rsa.misc.result": "Virus daemon connection problem", @@ -1203,6 +1279,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1121, + "related.hosts": [ + "autodit272.www.localhost" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "imadmin", "rsa.misc.severity": "very-high", 
@@ -1234,6 +1313,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3705, + "related.hosts": [ + "rporis6787.www5.localdomain" + ], "related.ip": [ "10.148.21.7" ], @@ -1268,6 +1350,10 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "reprehe5661.www.lan", + "ntore4333.api.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "iumd", "rsa.misc.operation_id": "equam", @@ -1298,6 +1384,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2384, + "related.hosts": [ + "sequatD163.internal.example" + ], "related.ip": [ "10.151.206.38" ], @@ -1331,6 +1420,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "elillu5777.www5.lan" + ], "related.ip": [ "10.230.4.70" ], @@ -1362,6 +1454,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "ecatcup3022.mail.invalid" + ], "rsa.db.index": "nproide", "rsa.internal.event_desc": "xl2tpd:xl2tpd Software copyright.", "rsa.internal.messageid": "xl2tpd", @@ -1388,6 +1483,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "qui7797.www.host" + ], "rsa.internal.event_desc": "ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]...", "rsa.internal.messageid": "ipsec_starter", "rsa.network.alias_host": [ @@ -1416,6 +1514,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3994, + "related.hosts": [ + "nofdeFin2037.mail.example" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "nevol", "rsa.misc.result": "Cannot read reply", @@ -1471,6 +1572,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 4074, + "related.hosts": [ + "eFinib2403.api.example" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "ecatcu", "rsa.misc.event_log": "sun", 
@@ -1506,8 +1610,8 @@ "10.244.96.61" ], "related.user": [ - "iumt", - "itsedqui" + "itsedqui", + "iumt" ], "rsa.identity.logon_type": "psamvolu", "rsa.internal.event_desc": "orroqui", @@ -1572,6 +1676,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1853, + "related.hosts": [ + "obeatae2042.www.domain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "ula", "rsa.misc.event_id": "AH01110", @@ -1602,6 +1709,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "aerat1267.www5.example" + ], "rsa.internal.event_desc": "pop3proxy:Master started.", "rsa.internal.messageid": "pop3proxy", "rsa.network.alias_host": [ @@ -1630,6 +1740,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 478, + "related.hosts": [ + "writt2238.internal.localdomain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "aed", "rsa.misc.severity": "low", @@ -1660,6 +1773,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7721, + "related.hosts": [ + "siutaliq4937.api.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.comments": "server certificate has a different hostname from actual hostname", "rsa.misc.event_log": "urvel", @@ -1731,14 +1847,17 @@ "observer.vendor": "Sophos", "observer.version": "1.3726", "process.pid": 1090, + "related.hosts": [ + "tenbyCi4371.www5.localdomain" + ], "related.ip": [ "10.98.126.206", "10.214.167.164" ], "related.user": [ "hen", - "amremapstatuscode=dolorsit", - "isnostru" + "isnostru", + "amremapstatuscode=dolorsit" ], "rsa.db.index": "spernatu", "rsa.identity.logon_type": "untutl", @@ -1853,6 +1972,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7755, + "related.hosts": [ + "ectob5542.www5.corp" + ], "related.ip": [ "10.231.77.26" ], 
@@ -1902,15 +2024,19 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.2707", + "related.hosts": [ + "iusmo901.www.home", + "tenima5715.api.example" + ], "related.ip": [ "10.2.24.156", "10.92.93.236" ], "related.user": [ "ulpaq", - "ntoccae", + "Sedutper", "dolorsistatuscode=acc", - "Sedutper" + "ntoccae" ], "rsa.db.index": "snisiut", "rsa.identity.logon_type": "umdol", @@ -1919,8 +2045,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "block", - "icons" + "icons", + "block" ], "rsa.misc.comments": "porincid", "rsa.misc.content_type": "temvele", @@ -1990,14 +2116,17 @@ "observer.vendor": "Sophos", "observer.version": "1.3155", "process.pid": 6463, + "related.hosts": [ + "mni4032.lan" + ], "related.ip": [ "10.180.169.49", "10.202.65.2" ], "related.user": [ - "tasu", + "atatno", "iscivelistatuscode=urve", - "atatno" + "tasu" ], "rsa.db.index": "amrem", "rsa.identity.logon_type": "nulamcol", @@ -2057,6 +2186,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5350, + "related.hosts": [ + "iscing6960.api.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "SSL Library Error", "rsa.misc.event_log": "incidu", @@ -2090,6 +2222,9 @@ "observer.vendor": "Sophos", "observer.version": "1.6420", "process.pid": 793, + "related.hosts": [ + "olupta3647.host" + ], "rsa.internal.event_desc": "imvenia", "rsa.internal.messageid": "httpd", "rsa.misc.event_log": "ruredo", @@ -2124,6 +2259,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6633, + "related.hosts": [ + "iavolu7814.www5.localhost" + ], "related.ip": [ "10.194.12.83" ], 
@@ -2172,14 +2310,17 @@ "observer.vendor": "Sophos", "observer.version": "1.4256", "process.pid": 5792, + "related.hosts": [ + "obea2960.mail.corp" + ], "related.ip": [ "10.33.138.154", "10.45.12.53" ], "related.user": [ + "eturadip", "umqustatuscode=ntexpli", - "porincid", - "eturadip" + "porincid" ], "rsa.db.index": "dolor", "rsa.identity.logon_type": "eturadi", @@ -2269,6 +2410,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 212, + "related.hosts": [ + "olli5982.www.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "uatDui", "rsa.misc.result": "virus daemon error", @@ -2300,6 +2444,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3136, + "related.hosts": [ + "nsecte3644.internal.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "isund", "rsa.misc.severity": "high", @@ -2334,8 +2481,8 @@ "10.32.85.21" ], "related.user": [ - "etconsec", - "antium" + "antium", + "etconsec" ], "rsa.identity.logon_type": "umiurere", "rsa.internal.event_desc": "serro", @@ -2371,6 +2518,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "econseq7119.www.home" + ], "rsa.internal.event_desc": "sshd:error:Could not get shadow information for NOUSER", "rsa.internal.messageid": "sshd", "rsa.network.alias_host": [ @@ -2399,6 +2549,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3669, + "related.hosts": [ + "ant2543.www5.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "lapa", "rsa.misc.result": "Cannot read reply", 
@@ -2471,15 +2624,18 @@ "observer.vendor": "Sophos", "observer.version": "1.7641", "process.pid": 6562, + "related.hosts": [ + "nisiuta4810.api.test" + ], "related.ip": [ - "10.210.175.52", - "10.85.200.58" + "10.85.200.58", + "10.210.175.52" ], "related.user": [ - "reetd", - "inimastatuscode=emipsum", "Loremi", - "rExce" + "rExce", + "reetd", + "inimastatuscode=emipsum" ], "rsa.db.index": "apa", "rsa.identity.logon_type": "sedquia", @@ -2547,9 +2703,12 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "itametc1599.api.test" + ], "related.ip": [ - "10.115.166.48", - "10.133.45.45" + "10.133.45.45", + "10.115.166.48" ], "rsa.internal.event_desc": "Authentication", "rsa.internal.messageid": "ulogd", @@ -2594,6 +2753,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "tiumt5462.mail.localhost" + ], "rsa.internal.event_desc": "sshd:Invalid user admin.", "rsa.internal.messageid": "sshd", "rsa.network.alias_host": [ @@ -2619,6 +2781,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "vol1450.internal.host" + ], "related.ip": [ "10.71.184.162" ], @@ -2675,6 +2840,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5943, + "related.hosts": [ + "rporissu573.api.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "nihi", "rsa.misc.event_id": "AH02312", @@ -2705,6 +2873,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "nostru774.corp" + ], "rsa.internal.messageid": "URID", "rsa.misc.action": [ "allow" @@ -2759,6 +2930,9 @@ "observer.vendor": "Sophos", "observer.version": "1.7102", "process.pid": 5037, + "related.hosts": [ + "lorsita2216.www5.example" + ], "rsa.internal.event_desc": "olorsita", "rsa.internal.messageid": "httpd", "rsa.misc.event_log": "iadese", 
@@ -2795,6 +2969,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 4346, + "related.hosts": [ + "sum2208.host" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "nia", "rsa.misc.severity": "medium", @@ -2824,6 +3001,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5126, + "related.hosts": [ + "ore6843.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.comments": "No signature on cookie", "rsa.misc.event_log": "aveniam", @@ -2857,6 +3037,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7442, + "related.hosts": [ + "Sedu1610.mail.corp" + ], "related.ip": [ "10.177.35.133" ], @@ -2892,6 +3075,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6600, + "related.hosts": [ + "corpo6737.example" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "aliquide", "rsa.misc.result": "failure", @@ -2942,6 +3128,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "eratvol314.www.home" + ], "rsa.internal.event_desc": "pop3proxy:Master started.", "rsa.internal.messageid": "pop3proxy", "rsa.network.alias_host": [ @@ -2971,6 +3160,10 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2389, + "related.hosts": [ + "utemvele1838.mail.test", + "seosquir715.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.comments": "rci", "rsa.misc.event_log": "aco", @@ -3008,6 +3201,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2237, + "related.hosts": [ + "ulapari2656.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "non", "rsa.misc.result": "failure", 
@@ -3120,6 +3316,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7766, + "related.hosts": [ + "stla2856.host" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "configured", "rsa.misc.event_log": "adolo", @@ -3150,6 +3349,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2404, + "related.hosts": [ + "peri6748.www5.domain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "Unclean shutdown", "rsa.misc.event_id": "AH00098", @@ -3181,6 +3383,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6108, + "related.hosts": [ + "tnon5442.internal.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.action": [ "accept" @@ -3215,6 +3420,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7690, + "related.hosts": [ + "ariatu2606.www.host" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "Not all file sent to client", "rsa.misc.event_log": "umquid", @@ -3251,6 +3459,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "imv1805.api.host" + ], "related.ip": [ "10.248.62.55", "10.96.243.231" @@ -3303,6 +3514,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7650, + "related.hosts": [ + "rita600.www5.localdomain" + ], "related.ip": [ "10.132.101.158" ], @@ -3359,6 +3573,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1817, + "related.hosts": [ + "admini1122.www.local" + ], "related.ip": [ "10.96.193.132" ], @@ -3402,8 +3619,8 @@ "10.96.200.83" ], "related.user": [ - "acommod", - "lapariat" + "lapariat", + "acommod" ], "rsa.identity.logon_type": "remeumf", "rsa.internal.event_desc": "dol", 
@@ -3439,6 +3656,9 @@
 "observer.product": "UTM",
 "observer.type": "Firewall",
 "observer.vendor": "Sophos",
+ "related.hosts": [
+ "emvel4391.localhost"
+ ],
 "rsa.internal.event_desc": "sshd: Did not receive identification string.",
 "rsa.internal.messageid": "sshd",
 "rsa.network.alias_host": [
@@ -3489,6 +3709,9 @@
 "observer.product": "UTM",
 "observer.type": "Firewall",
 "observer.vendor": "Sophos",
+ "related.hosts": [
+ "untinc5531.www5.test"
+ ],
 "rsa.internal.event_desc": "sshd:error:Could not get shadow information for NOUSER",
 "rsa.internal.messageid": "sshd",
 "rsa.network.alias_host": [
diff --git a/x-pack/filebeat/module/squid/log/config/input.yml b/x-pack/filebeat/module/squid/log/config/input.yml
index ac3923253205..5ce8949c381a 100644
--- a/x-pack/filebeat/module/squid/log/config/input.yml
+++ b/x-pack/filebeat/module/squid/log/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
index 96b12b89731b..9a8f547c6d1c 100644
--- a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{server.domain}}'
+ allow_duplicates: false
+ if: ctx?.server?.domain != null && ctx.server?.domain != ''
+ - append:
+ field: related.hosts
+ value: '{{url.domain}}'
+ allow_duplicates: false
+ if: ctx?.url?.domain != null && ctx.url?.domain != ''
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
index 3bd7adbce314..26b891ba4f12 100644
--- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
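Review bot: The two new `if` guards in pipeline.yml apply the null-safe operator inconsistently — `ctx?.server?.domain != null && ctx.server?.domain != ''` guards `ctx` (never null in an ingest pipeline) on the left but drops that on the right while keeping `?.` on a field the left side has just proven non-null; the `url.domain` processor has the same shape. A consistent form is `if: ctx.server?.domain != null && ctx.server.domain != ''` and `if: ctx.url?.domain != null && ctx.url.domain != ''`. A one-line comment above the first append, such as `# related.hosts: every hostname observed in the event (server.domain, url.domain), deduplicated so analysts can pivot on a single field`, would record why both fields feed the same array and why `allow_duplicates: false` is set; the `ecs.version: 1.6.0` bump in input.yml is the matching schema change for this field. The enclosing `processors:` list starts and ends outside the hunk.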
+++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -21,6 +21,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.yahoo.com" + ], "related.ip": [ "209.73.177.115", "10.105.21.199" @@ -82,9 +85,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -145,6 +151,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199", "207.58.145.61" @@ -196,6 +205,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199" ], @@ -208,8 +220,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -246,6 +258,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google-analytics.com" + ], "related.ip": [ "10.105.21.199" ], @@ -307,6 +322,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199", "207.58.145.61" @@ -320,8 +338,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -367,9 +385,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google-analytics.com" + ], "related.ip": [ - "66.102.9.147", - "10.105.21.199" + "10.105.21.199", + "66.102.9.147" ], "related.user": [ "badeyek" @@ -380,8 +401,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -430,6 +451,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "207.58.145.61", "10.105.21.199" @@ -443,8 +467,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -493,9 +517,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -556,6 +583,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "207.58.145.61", "10.105.21.199" @@ -569,8 +599,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -607,6 +637,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199" ], 
@@ -619,8 +652,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -669,6 +702,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "as.casalemedia.com" + ], "related.ip": [ "10.105.21.199", "209.85.16.38" @@ -682,8 +718,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -726,6 +762,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.bc.yahoo.com" + ], "related.ip": [ "10.105.21.199", "68.142.213.132" @@ -738,8 +777,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -785,9 +824,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "impgb.tradedoubler.com" + ], "related.ip": [ - "217.212.240.172", - "10.105.21.199" + "10.105.21.199", + "217.212.240.172" ], "related.user": [ "badeyek" @@ -798,8 +840,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -848,9 +890,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "4.adbrite.com" + ], "related.ip": [ - "206.169.136.22", - "10.105.21.199" + "10.105.21.199", + "206.169.136.22" ], "related.user": [ "badeyek" 
@@ -861,8 +906,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -899,6 +944,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199" ], @@ -911,8 +959,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -961,9 +1009,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -974,8 +1025,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1024,9 +1075,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1037,8 +1091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -1082,9 +1136,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "4.adbrite.com" + ], "related.ip": [ - "64.127.126.178", - "10.105.21.199" + "10.105.21.199", + "64.127.126.178" ], "related.user": [ "badeyek" @@ -1145,6 +1202,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "ff.connextra.com" + ], "related.ip": [ "213.160.98.161", "10.105.21.199" @@ -1208,6 +1268,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "dd.connextra.com" + ], "related.ip": [ "213.160.98.160", "10.105.21.199" @@ -1258,6 +1321,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1270,8 +1336,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1316,9 +1382,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.yahoo.com" + ], "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1328,8 +1397,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1366,6 +1435,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "update.messenger.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], 
@@ -1378,8 +1450,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1424,6 +1496,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "216.155.194.239", "10.105.33.214" @@ -1436,8 +1511,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1485,9 +1560,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1498,8 +1576,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1548,6 +1626,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ "10.105.47.218", "204.13.51.238" @@ -1561,8 +1642,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1607,6 +1688,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "10.105.33.214", "216.155.194.239" 
@@ -1657,6 +1741,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "rms.adobe.com" + ], "related.ip": [ "10.105.37.58" ], @@ -1669,8 +1756,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1707,6 +1794,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "images.hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1757,6 +1847,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "images.hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1769,8 +1862,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1818,9 +1911,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1881,9 +1977,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1894,8 +1993,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", 
@@ -1940,6 +2039,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "216.155.194.239", "10.105.33.214" @@ -1952,8 +2054,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1996,9 +2098,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -2056,6 +2161,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -2069,8 +2177,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2115,6 +2223,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "216.155.194.239", "10.105.33.214" @@ -2127,8 +2238,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2172,9 +2283,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "address.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "209.191.93.51" + "209.191.93.51", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" 
@@ -2235,6 +2349,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "fxfeeds.mozilla.org" + ], "related.ip": [ "63.245.209.21", "10.105.21.199" @@ -2294,9 +2411,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.231.252" + "68.142.231.252", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2307,8 +2427,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2351,9 +2471,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2401,6 +2524,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2412,8 +2538,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2450,6 +2576,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2499,6 +2628,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], 
@@ -2547,6 +2679,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2558,8 +2693,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2605,9 +2740,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2618,8 +2756,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2655,6 +2793,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2666,8 +2807,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2713,9 +2854,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2726,8 +2870,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -2772,9 +2916,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -2831,6 +2978,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -2891,6 +3041,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -2942,6 +3095,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -2953,8 +3109,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2991,6 +3147,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -3049,6 +3208,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -3109,6 +3271,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" 
@@ -3169,9 +3334,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3229,9 +3397,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3280,6 +3451,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3330,6 +3504,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3342,8 +3519,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3380,6 +3557,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.i1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3392,8 +3572,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3439,9 +3619,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "newsrss.bbc.co.uk" + ], "related.ip": [ - "10.105.21.199", - "212.58.226.33" + "212.58.226.33", + "10.105.21.199" ], "related.user": [ "badeyek" 
@@ -3452,8 +3635,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "application/xml", "rsa.misc.result_code": "200", @@ -3499,6 +3682,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ "68.142.231.252", "10.105.33.214" @@ -3550,6 +3736,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.ent1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3600,6 +3789,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3612,8 +3804,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -3659,6 +3851,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -3721,9 +3916,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3734,8 +3932,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -3781,9 +3979,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.music.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3841,6 +4042,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.music.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -3901,9 +4105,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3914,8 +4121,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -3952,6 +4159,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "natrocket.kmip.net" + ], "related.ip": [ "10.105.37.65" ], @@ -3964,8 +4174,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4002,6 +4212,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "natrocket.kmip.net" + ], "related.ip": [ "10.105.37.65" ], @@ -4064,9 +4277,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" 
@@ -4124,6 +4340,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -4137,8 +4356,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4184,9 +4403,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4247,9 +4469,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.a2.yimg.com" + ], "related.ip": [ - "213.160.98.152", - "10.105.33.214" + "10.105.33.214", + "213.160.98.152" ], "related.user": [ "adeolaegbedokun" @@ -4260,8 +4485,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-shockwave-flash", "rsa.misc.result_code": "200", @@ -4307,9 +4532,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4365,6 +4593,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.bc.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.213.132" 
@@ -4423,9 +4654,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -4480,9 +4714,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "pclick.internal.yahoo.com" + ], "related.ip": [ - "216.109.124.55", - "10.105.33.214" + "10.105.33.214", + "216.109.124.55" ], "related.user": [ "adeolaegbedokun" @@ -4530,6 +4767,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214" ], @@ -4592,6 +4832,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.159" @@ -4605,8 +4848,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -4655,6 +4898,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.159" @@ -4668,8 +4914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4714,6 +4960,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.yahoo.com" + ], "related.ip": [ "209.73.177.115", "10.105.21.199" 
@@ -4726,8 +4975,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4776,9 +5025,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" @@ -4839,9 +5091,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4852,8 +5107,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4890,6 +5145,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214" ], @@ -4902,8 +5160,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4952,9 +5210,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" 
@@ -5015,6 +5276,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "213.160.98.159", "10.105.33.214" @@ -5078,6 +5342,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.167" @@ -5091,8 +5358,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5129,6 +5396,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google.com" + ], "related.ip": [ "10.105.37.180" ], @@ -5179,6 +5449,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -5191,8 +5464,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5236,9 +5509,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "launch.adserver.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "216.109.125.112" + "216.109.125.112", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5249,8 +5525,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -5296,6 +5572,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "uk.f250.mail.yahoo.com" + ], "related.ip": [ "217.12.10.96", "10.105.21.199" @@ -5346,6 +5625,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.live.com" + ], "related.ip": [ "10.105.37.180" ], @@ -5407,9 +5689,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ - "10.105.21.199", - "213.160.98.169" + "213.160.98.169", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -5458,6 +5743,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5520,6 +5808,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ "10.105.21.199", "213.160.98.169" @@ -5533,8 +5824,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5571,6 +5862,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5621,6 +5915,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5671,6 +5968,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.i1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], 
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml index 226b7f9c6c2b..01ed5accbe69 100644 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml +++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml @@ -333,6 +333,11 @@ processors: field: file.x509.not_before value: '{{tls.server.not_before}}' ignore_empty_value: true + - append: + field: related.hosts + value: '{{url.domain}}' + if: ctx.url?.domain != null && ctx.url?.domain != '' + allow_duplicates: false - remove: field: - suricata.eve.app_proto diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index b7bc49cb9e00..68412b504dc4 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json @@ -41,6 +41,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -118,6 +121,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -195,6 +201,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -272,6 +281,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -349,6 +361,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" 
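Review bot: The new `append` copies `url.domain` into `related.hosts` unconditionally, but the eve-small expected output further down this diff shows that value can be an IP literal (`"related.hosts": [ "192.168.86.28" ]` next to the same address in `related.ip`), so `related.hosts` will carry addresses that already live in `related.ip` and correlation searches on hostnames will see IPs. If that is intended, a comment above the processor such as `# url.domain may be an IP literal; it is then present in both related.ip and related.hosts` would keep the next maintainer from "fixing" it; otherwise the `if` should also exclude address-shaped values. The condition itself mixes `ctx.url?.domain` here with the `ctx?.host?.name` form used in the symantec pipeline of the same commit; either is safe, but one spelling across the two modules would be easier to audit. The enclosing `processors` list starts and ends outside this hunk.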
@@ -426,6 +441,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -503,6 +521,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -580,6 +601,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -657,6 +681,9 @@ "network.packets": 11, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -734,6 +761,9 @@ "network.packets": 126, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -811,6 +841,9 @@ "network.packets": 185, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -888,6 +921,9 @@ "network.packets": 377, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -965,6 +1001,9 @@ "network.packets": 131, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1042,6 +1081,9 @@ "network.packets": 210, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1119,6 +1161,9 @@ "network.packets": 412, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" 
@@ -1196,6 +1241,9 @@ "network.packets": 504, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1273,6 +1321,9 @@ "network.packets": 916, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1350,6 +1401,9 @@ "network.packets": 921, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1426,6 +1480,9 @@ "network.packets": 1503, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1502,6 +1559,9 @@ "network.packets": 1654, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index cbc0f39eb765..5d113c8d370b 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -130,6 +130,9 @@ "network.community_id": "1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=", "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "192.168.86.28" + ], "related.ip": [ "192.168.86.85", "192.168.86.28" @@ -182,6 +185,9 @@ "network.community_id": "1:XhhAO/Twj86+bD+1fV8FnpLIEDs=", "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "192.168.86.28" + ], "related.ip": [ "192.168.86.28", "192.168.86.85" diff --git a/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml b/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml index a735b86e766c..b888ca3989d5 100644 
--- a/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml +++ b/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml index 26f7511d6c8e..cf257ba5d64c 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml +++ b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml @@ -53,6 +53,26 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' + - append: + field: related.hosts + value: '{{host.hostname}}' + allow_duplicates: false + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' + - append: + field: related.hosts + value: '{{source.address}}' + allow_duplicates: false + if: ctx?.source?.address != null && ctx.source?.address != '' + - append: + field: related.hosts + value: '{{destination.address}}' + allow_duplicates: false + if: ctx?.destination?.address != null && ctx.destination?.address != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json index c35bd2dbb664..9b9183fe35a9 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json +++ b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json 
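Review bot: The four `append` processors copy `host.name`, `host.hostname`, `source.address` and `destination.address` into `related.hosts` verbatim, guarded only against null and empty string, and the generated expected output in this same diff shows the cost: one event ends up with `"Remote:"` in `related.hosts`, which is a parser artifact rather than a host. Since `related.hosts` exists precisely for cross-event correlation, non-host tokens like that degrade the field, so the `if` on the `source.address` and `destination.address` appends should at least reject values that the upstream parser emits as labels, or the parser should be fixed so `source.address` is never `Remote:`. The same expected file also shows mixed-case entries (`umSe1918.local`, `Except6889.www.corp`); hostnames are case-insensitive, so a `lowercase` step before appending would make matches against other modules' `related.hosts` values reliable. Each condition is written as `ctx?.host?.name != null && ctx.host?.name != ''` — once the first operand is true the `?.` in the second is redundant, and `ctx?.` is never needed since `ctx` is always present; `ctx.host?.name != null && ctx.host.name != ''` reads the same in all four. The enclosing `processors` list and the `on_failure` handler continue outside this hunk.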
@@ -12,6 +12,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "exe7309.internal.local" + ], "rsa.internal.event_desc": "rsitam", "rsa.internal.messageid": "302776834", "rsa.misc.event_source": "reprehe", @@ -41,6 +44,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "llam2073.internal.localdomain", + "sitas4259.mail.corp" + ], "rsa.internal.event_desc": "aboreetd", "rsa.internal.messageid": "303235083", "rsa.misc.event_source": "iumto", @@ -72,6 +79,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "olupt3702.www.localhost" + ], "rsa.internal.event_desc": "colabor", "rsa.internal.messageid": "302450432", "rsa.misc.event_source": "tectobe", @@ -99,6 +109,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "onse254.www5.localdomain", + "tat6349.internal.lan" + ], "rsa.db.index": "uiineavo", "rsa.internal.event_desc": "Invalid log record", "rsa.internal.messageid": "Invalid", @@ -146,6 +160,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "mdolore2062.mail.host" + ], "rsa.internal.event_desc": "tutla", "rsa.internal.messageid": "302449409", "rsa.misc.event_source": "den", @@ -175,6 +192,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "nisi6901.mail.home" + ], "related.user": [ "rem" ], @@ -208,6 +228,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "dutp6197.www.test" + ], "rsa.internal.event_desc": "tconsect", "rsa.internal.messageid": "303235076", "rsa.misc.event_source": "siut", 
@@ -237,6 +260,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "umSe1918.local", + "nBCSedut1502.www5.example" + ], "rsa.internal.event_desc": "oditautf", "rsa.internal.messageid": "302449410", "rsa.misc.event_source": "fugia", @@ -270,6 +297,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "olupt2189.lan", + "temporin7150.mail.local" + ], "rsa.internal.event_desc": "rem", "rsa.internal.messageid": "302449169", "rsa.misc.event_source": "rationev", @@ -303,6 +334,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "emq6633.domain" + ], "related.user": [ "tinvolup" ], @@ -336,6 +370,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "Except6889.www.corp" + ], "rsa.internal.event_desc": "umq", "rsa.internal.messageid": "302452736", "rsa.misc.event_source": "asper", @@ -363,6 +400,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "quatD1370.invalid" + ], "rsa.internal.event_desc": "veniamqu", "rsa.internal.messageid": "302452802", "rsa.misc.event_source": "iruredol", @@ -392,6 +432,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "iatqu6203.mail.corp", + "quaeab2653.mail.localdomain" + ], "rsa.db.index": "itat", "rsa.internal.event_desc": "aco", "rsa.internal.messageid": "303235080", @@ -428,6 +472,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "redol124.mail.invalid" + ], "rsa.internal.event_desc": "orinrep", "rsa.internal.messageid": "302450688", "rsa.misc.event_source": "ctetu", 
@@ -455,6 +502,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "enim5999.mail.localhost" + ], "rsa.internal.event_desc": "orroquis", "rsa.internal.messageid": "303169538", "rsa.misc.event_source": "iame", @@ -484,6 +534,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "reseosqu1629.mail.lan", + "rsitvolu3596.www.test" + ], "rsa.internal.event_desc": "gelitsed", "rsa.internal.messageid": "302449410", "rsa.misc.event_source": "adm", @@ -515,6 +569,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tan3170.api.example" + ], "rsa.internal.event_desc": "dolorsi", "rsa.internal.messageid": "303235081", "rsa.misc.checksum": "dtemp", @@ -543,6 +600,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "eseruntm4247.mail.local", + "magnaal5792.www5.domain" + ], "rsa.counters.dclass_c1": 7519, "rsa.counters.dclass_c1_str": "Number of Virus Cleaned.", "rsa.internal.event_desc": "Cleaned up downloaded content.", @@ -571,6 +632,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "itatio6735.api.example" + ], "rsa.internal.event_desc": "rumSec", "rsa.internal.messageid": "302452801", "rsa.misc.event_source": "rsin", @@ -598,6 +662,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "radip163.mail.invalid" + ], "rsa.internal.event_desc": "miurerep", "rsa.internal.messageid": "302449166", "rsa.misc.event_source": "ainc", 
@@ -632,10 +699,14 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "vol866.api.domain", + "bore5546.www.local" + ], "related.ip": [ "10.7.164.113", - "10.207.125.114", - "10.175.83.138" + "10.175.83.138", + "10.207.125.114" ], "related.user": [ "remip" @@ -679,6 +750,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "inc5923.www.test", + "tatemseq5797.home" + ], "rsa.internal.event_desc": "eufugi", "rsa.internal.messageid": "302452817", "rsa.misc.event_source": "oremip", @@ -716,9 +791,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "enima7673.api.localhost", + "sequ6424.www.invalid" + ], "related.ip": [ - "10.217.91.49", - "10.139.207.36" + "10.139.207.36", + "10.217.91.49" ], "related.user": [ "lumqui" @@ -766,6 +845,10 @@ "observer.vendor": "Symantec", "process.parent.name": "mquis", "process.ppid": 5040, + "related.hosts": [ + "tnulapa7580.www.domain", + "madminim6826.www.host" + ], "related.ip": [ "10.249.243.41" ], @@ -820,6 +903,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ici182.invalid", + "caecat4678.www.home" + ], "rsa.internal.event_desc": "rem", "rsa.internal.messageid": "302449415", "rsa.misc.event_source": "quisn", @@ -851,6 +938,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "beat2952.internal.localhost" + ], "rsa.internal.event_desc": "iarchite", "rsa.internal.messageid": "302449410", "rsa.misc.event_source": "qua", 
@@ -880,6 +970,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ured3428.www.corp", + "uames7663.internal.local" + ], "rsa.internal.event_desc": "taspe", "rsa.internal.messageid": "302776321", "rsa.misc.event_source": "oreeu", @@ -911,6 +1005,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "velillum6639.www5.local" + ], "rsa.internal.event_desc": "itinvo", "rsa.internal.messageid": "302449153", "rsa.misc.event_source": "Mal", @@ -940,6 +1037,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "dictasun3408.internal.invalid", + "onoru5767.internal.domain" + ], "rsa.internal.event_desc": "uam", "rsa.internal.messageid": "303235079", "rsa.misc.event_source": "dipisciv", @@ -1002,6 +1103,11 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "uipe6805.www5.domain", + "atisu6579.test", + "tqui1142.www5.domain" + ], "related.ip": [ "10.209.205.25", "10.185.64.46" @@ -1091,9 +1197,14 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "observer.version": "1.7457", + "related.hosts": [ + "udexerci6630.mail.test", + "isiut4530.localdomain", + "deomn904.www.home" + ], "related.ip": [ - "10.35.89.51", - "10.202.55.203" + "10.202.55.203", + "10.35.89.51" ], "related.user": [ "Quis" @@ -1149,6 +1260,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "niamqui7696.mail.test", + "taliqu701.www.localhost" + ], "rsa.internal.event_desc": "Traffic Redirection disabled.", "rsa.internal.messageid": "Traffic", "rsa.network.alias_host": [ 
@@ -1181,6 +1296,10 @@ "observer.vendor": "Symantec", "process.parent.name": "onnu", "process.ppid": 724, + "related.hosts": [ + "ngelits6213.internal.test", + "lumd4298.mail.localdomain" + ], "related.ip": [ "10.139.89.148" ], @@ -1263,9 +1382,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tuserror810.www5.corp", + "uptate5787.api.local" + ], "related.ip": [ - "10.87.92.95", - "10.247.21.74" + "10.247.21.74", + "10.87.92.95" ], "related.user": [ "Sedutper" @@ -1313,6 +1436,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ruredolo7392.internal.host", + "mipsu3757.www5.home" + ], "rsa.db.index": "oris", "rsa.internal.event_desc": "labor", "rsa.internal.messageid": "303235080", @@ -1365,6 +1492,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ntmo4076.lan" + ], "rsa.internal.event_desc": "doconse", "rsa.internal.messageid": "302449158", "rsa.misc.event_source": "ationula", @@ -1414,6 +1544,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "amni48.internal.localdomain", + "alo6036.www5.local" + ], "rsa.internal.event_desc": "ita", "rsa.internal.messageid": "302710785", "rsa.misc.event_source": "mdolore", @@ -1447,6 +1581,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tenatus4129.www.local", + "uredo4613.home" + ], "rsa.internal.event_desc": "olupta", "rsa.internal.messageid": "303235082", "rsa.misc.event_source": "upi", @@ -1498,6 +1636,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "mini3181.api.test" + ], "rsa.internal.event_desc": "mwrit", "rsa.internal.messageid": "302452819", "rsa.misc.event_source": "ommodoc", 
@@ -1533,6 +1674,10 @@ "observer.vendor": "Symantec", "observer.version": "1.3638", "process.name": "remap", + "related.hosts": [ + "rsitam2337.mail.localdomain", + "iduntu7302.www.invalid" + ], "related.ip": [ "10.8.143.229" ], @@ -1557,8 +1702,8 @@ "rsa.misc.version": "1.3638", "rsa.misc.virusname": "isqu", "rsa.network.alias_host": [ - "rsitam2337.mail.localdomain", - "assit1598.www5.invalid" + "assit1598.www5.invalid", + "rsitam2337.mail.localdomain" ], "rsa.network.domain": "ema7531.api.example", "rsa.threat.threat_category": "isqu", @@ -1589,6 +1734,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "equu7361.www5.localdomain" + ], "rsa.internal.event_desc": "pta", "rsa.internal.messageid": "302449178", "rsa.misc.event_source": "non", @@ -1623,6 +1771,10 @@ "observer.vendor": "Symantec", "process.parent.name": "ipsum", "process.ppid": 885, + "related.hosts": [ + "uisno4545.www5.corp", + "iono5777.invalid" + ], "related.ip": [ "10.137.5.67" ], @@ -1726,6 +1878,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "adminima6097.corp", + "agnamali3222.example" + ], "related.ip": [ "10.66.203.117", "10.92.93.236" @@ -1777,6 +1933,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "equ2353.internal.local", + "eratv6521.example" + ], "rsa.internal.event_desc": "dolorsi", "rsa.internal.messageid": "302452807", "rsa.misc.event_source": "tlaboree", @@ -1810,6 +1970,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "bori7611.invalid", + "iset1992.internal.example" + ], "rsa.internal.event_desc": "imadmini", "rsa.internal.messageid": "302776321", "rsa.misc.event_source": "ffic", 
@@ -1860,6 +2024,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ntin2655.www.localdomain" + ], "rsa.internal.event_desc": "epo", "rsa.internal.messageid": "302449413", "rsa.misc.event_source": "itasper", @@ -1887,6 +2054,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "siuta395.home" + ], "rsa.internal.event_desc": "iumdolor", "rsa.internal.messageid": "302449414", "rsa.misc.event_source": "fugiat", @@ -1914,6 +2084,9 @@ "observer.product": "oluptate", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "umdolore5014.api.lan" + ], "rsa.internal.event_desc": "Configuration Change", "rsa.internal.messageid": "Configuration", "rsa.misc.severity": "low", @@ -1939,6 +2112,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tisund4302.www5.local", + "vel1911.lan" + ], "related.ip": [ "10.147.225.53" ], @@ -2032,6 +2209,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "evelites2448.www.host", + "quisnost7124.api.domain" + ], "rsa.internal.event_desc": "odtem", "rsa.internal.messageid": "303169540", "rsa.misc.event_source": "uidexea", @@ -2076,6 +2257,11 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "observer.version": "1.132", + "related.hosts": [ + "iatquovo4868.test", + "madmi2948.internal.lan", + "edi6108.internal.domain" + ], "related.ip": [ "10.72.200.11", "10.132.171.142" @@ -2137,6 +2323,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "reverita794.mail.domain" + ], "related.user": [ "nis" ], 
@@ -2170,6 +2359,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "lillumq4387.www5.localhost" + ], "rsa.internal.event_desc": "sse", "rsa.internal.messageid": "302452743", "rsa.misc.event_source": "turExce", @@ -2199,6 +2391,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ipi563.api.lan" + ], "related.user": [ "anti" ], @@ -2232,6 +2427,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "uptatemU1147.mail.corp", + "mqu3327.internal.host" + ], "rsa.internal.event_desc": "Connection reset.", "rsa.internal.messageid": "Connection", "rsa.network.alias_host": [ @@ -2260,6 +2459,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "emp42.mail.test", + "ecatcupi4759.internal.local" + ], "rsa.internal.event_desc": "ritati", "rsa.internal.messageid": "302452736", "rsa.misc.event_source": "tenb", @@ -2312,6 +2515,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ipsu7538.www5.host" + ], "rsa.internal.event_desc": "squa", "rsa.internal.messageid": "302450944", "rsa.misc.event_source": "lamc", @@ -2368,9 +2574,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "iusmo5734.internal.invalid", + "dita2048.www5.home" + ], "related.ip": [ - "10.40.133.90", - "10.171.13.85" + "10.171.13.85", + "10.40.133.90" ], "related.user": [ "bor" @@ -2441,6 +2651,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ngelits2743.www5.host", + "inrepr7369.www.domain" + ], "rsa.internal.event_desc": "tatemac", "rsa.internal.messageid": "302452816", "rsa.misc.event_source": "lore", 
@@ -2474,6 +2688,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "olupt717.invalid", + "alorum1804.mail.test" + ], "rsa.internal.event_desc": "ano", "rsa.internal.messageid": "302452808", "rsa.misc.event_source": "psum", @@ -2507,6 +2725,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "queporr7029.internal.test" + ], "related.user": [ "unti" ], @@ -2569,9 +2790,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "upidat1328.internal.localhost", + "urExcep6087.www5.localhost" + ], "related.ip": [ - "10.31.231.57", - "10.155.163.6" + "10.155.163.6", + "10.31.231.57" ], "related.user": [ "norumetM" @@ -2641,6 +2866,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tesseci33.internal.example" + ], "rsa.internal.event_desc": "nost", "rsa.internal.messageid": "302452816", "rsa.misc.event_source": "met", @@ -2668,6 +2896,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "alo7567.www5.test" + ], "rsa.internal.event_desc": "quisnos", "rsa.internal.messageid": "302452736", "rsa.misc.event_source": "proident", @@ -2695,6 +2926,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "process.name": "sumq.exe", + "related.hosts": [ + "idest4209.api.domain" + ], "rsa.internal.event_desc": "The process can not lock the process status table", "rsa.internal.messageid": "275", "rsa.misc.reference_id": "275", 
@@ -2730,9 +2964,14 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "exer3621.www5.test", + "tisetqua6007.api.home", + "its1301.www.test" + ], "related.ip": [ - "10.216.134.62", - "10.134.6.246" + "10.134.6.246", + "10.216.134.62" ], "related.user": [ "ntexpl" @@ -2789,6 +3028,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ventorev7571.www5.corp", + "Remote:" + ], "related.ip": [ "10.202.96.232" ], @@ -2832,6 +3075,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "umSectio5136.www.local", + "untexpli391.internal.domain" + ], "rsa.internal.event_desc": "ipitlabo", "rsa.internal.messageid": "302449156", "rsa.misc.event_source": "num", @@ -2874,6 +3121,11 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "quide2790.mail.invalid", + "eniamqu1863.api.lan", + "quipex2615.www5.localhost" + ], "related.ip": [ "10.56.95.160", "10.29.149.77" @@ -2941,6 +3193,11 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ugia146.www5.corp", + "tionul7555.www5.lan", + "remipsum5485.api.local" + ], "related.ip": [ "10.173.98.74", "10.70.185.238" @@ -2998,6 +3255,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ilmoles4582.api.lan" + ], "related.user": [ "dolor" ], @@ -3031,6 +3291,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "giatquo3267.www.lan", + "quiado6095.mail.localhost" + ], "rsa.internal.event_desc": "Connected to Management Server", "rsa.internal.messageid": "Connected", "rsa.network.alias_host": [ 
@@ -3059,6 +3323,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "odite7850.internal.corp", + "cidun7605.www5.example" + ], "related.ip": [ "10.201.112.171" ], @@ -3111,6 +3379,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ssitasp7492.test" + ], "rsa.internal.event_desc": "eserun", "rsa.internal.messageid": "302448900", "rsa.misc.event_source": "ssitaspe", @@ -3140,6 +3411,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "estq2131.api.localdomain", + "rem6392.internal.domain" + ], "rsa.internal.event_desc": "did", "rsa.internal.messageid": "302452802", "rsa.misc.event_source": "upt", @@ -3173,6 +3448,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "giatq7007.www.domain", + "upi3.www.home" + ], "rsa.internal.event_desc": "caecatc", "rsa.internal.messageid": "303235079", "rsa.misc.event_source": "iquaUt", @@ -3207,9 +3486,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "itess2258.api.lan", + "ianonnu4387.www.domain" + ], "related.ip": [ - "10.59.140.108", - "10.90.66.238" + "10.90.66.238", + "10.59.140.108" ], "related.user": [ "nulap" @@ -3270,6 +3553,11 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "observer.version": "1.6400", + "related.hosts": [ + "epteur5858.www5.local", + "rin5257.www5.test", + "ess3012.mail.test" + ], "related.ip": [ "10.38.136.160", "10.45.116.216" @@ -3326,6 +3614,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "aed3193.api.lan" + ], "rsa.internal.event_desc": "equa", "rsa.internal.messageid": "302449409", "rsa.misc.event_source": "sunti", 
@@ -3373,6 +3664,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "rumSec5271.home" + ], "rsa.internal.event_desc": "unt", "rsa.internal.messageid": "302449166", "rsa.misc.event_source": "evolupt", @@ -3402,6 +3696,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "volu7499.www5.localhost" + ], "related.user": [ "sedqui" ], @@ -3437,6 +3734,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "oNem5850.www.example", + "gnama2349.mail.domain" + ], "rsa.internal.event_desc": "ccusan", "rsa.internal.messageid": "302449409", "rsa.misc.event_source": "ntiu", diff --git a/x-pack/filebeat/module/tomcat/log/config/input.yml b/x-pack/filebeat/module/tomcat/log/config/input.yml index 256f657133fd..d9f1e4a14520 100644 --- a/x-pack/filebeat/module/tomcat/log/config/input.yml +++ b/x-pack/filebeat/module/tomcat/log/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml index 9983081e8386..64e1d82943a6 100644 --- a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml 
@@ -53,6 +53,21 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{rsa.web.fqdn}}' + allow_duplicates: false + if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' + - append: + field: related.hosts + value: '{{rsa.web.web_ref_domain}}' + allow_duplicates: false + if: ctx?.rsa?.web?.web_ref_domain != null && ctx.rsa?.web?.web_ref_domain != '' + - append: + field: related.hosts + value: '{{url.domain}}' + allow_duplicates: false + if: ctx?.url?.domain != null && ctx.url?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json index eb9298f3d1b4..51d46cc753a9 100644 --- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json @@ -14,6 +14,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/illumqui/ventore.html?min=ite#utl", + "mail.example.net", + "example.com" + ], "related.ip": [ "10.251.224.219" ], @@ -68,6 +73,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", + "mail.example.com", + "www5.example.net" + ], "related.ip": [ "10.196.153.12" ], @@ -121,6 +131,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", + "www.example.com", + "internal.example.com" + ], "related.ip": [ "10.156.194.38" ], 
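Review bot: The `related.hosts` append of `{{rsa.web.fqdn}}` picks up full URLs rather than host names: the regenerated fixture that follows this hunk expects entries such as `https://example.com/illumqui/ventore.html?min=ite#utl` next to `example.com`. ECS `related.hosts` is meant to hold host names/identifiers that a lookup on that field can match, so a URL there is noise for anyone correlating on it. If real Tomcat events populate `rsa.web.fqdn` the same way the fixture does, either drop that append or guard it, e.g. `if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' && !ctx.rsa.web.fqdn.contains('/')`, so only plain host names reach `related.hosts`. The processors list this hunk extends begins outside the hunk.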
@@ -177,6 +192,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu", + "mail.example.com", + "www5.example.org" + ], "related.ip": [ "10.196.118.192" ], @@ -231,6 +251,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", + "internal.example.net", + "internal.example.com" + ], "related.ip": [ "10.246.209.145" ], @@ -285,6 +310,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", + "www5.example.org", + "internal.example.com" + ], "related.ip": [ "10.114.191.225" ], @@ -340,6 +370,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", + "api.example.com", + "www5.example.net" + ], "related.ip": [ "10.38.77.13" ], @@ -397,6 +432,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "mail.example.org", + "www.example.org" + ], "related.ip": [ "10.11.201.109" ], @@ -453,6 +493,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", + "example.org", + "api.example.org" + ], "related.ip": [ "10.182.166.181" ], @@ -507,6 +552,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", + "internal.example.com", + "mail.example.net" + ], "related.ip": [ "10.185.126.247" ], 
@@ -560,6 +610,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "mail.example.net", + "example.com" + ], "related.ip": [ "10.72.114.23" ], @@ -617,6 +672,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", + "internal.example.net", + "example.net" + ], "related.ip": [ "10.129.241.147" ], @@ -674,6 +734,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "internal.example.net", + "www5.example.com" + ], "related.ip": [ "10.185.101.76" ], @@ -730,6 +795,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "www.example.org", + "example.net" + ], "related.ip": [ "10.57.170.140" ], @@ -784,6 +854,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", + "internal.example.net", + "internal.example.com" + ], "related.ip": [ "10.33.153.47" ], @@ -839,6 +914,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", + "internal.example.net" + ], "related.ip": [ "10.116.104.101" ], @@ -895,6 +974,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", + "example.com", + "internal.example.com" + ], "related.ip": [ "10.202.194.67" ], 
@@ -950,6 +1034,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "www.example.com", + "www5.example.com" + ], "related.ip": [ "10.153.111.103" ], @@ -1006,6 +1095,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", + "internal.example.net", + "www5.example.org" + ], "related.ip": [ "10.52.186.29" ], @@ -1061,6 +1155,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", + "example.net", + "www.example.org" + ], "related.ip": [ "10.209.182.237" ], @@ -1118,6 +1217,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "api.example.org", + "mail.example.net" + ], "related.ip": [ "10.63.194.87" ], @@ -1174,6 +1278,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", + "www5.example.org", + "www.example.org" + ], "related.ip": [ "10.62.191.18" ], @@ -1228,6 +1337,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", + "example.org", + "example.net" + ], "related.ip": [ "10.238.164.29" ], @@ -1282,6 +1396,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", + "example.com", + "internal.example.com" + ], "related.ip": [ "10.155.230.17" ], 
@@ -1337,6 +1456,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/officiad/itam.html?madmi=tur#roi", + "mail.example.net", + "example.net" + ], "related.ip": [ "10.102.229.102" ], @@ -1394,6 +1518,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", + "www5.example.org", + "mail.example.org" + ], "related.ip": [ "10.194.14.7" ], @@ -1450,6 +1579,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", + "example.com", + "api.example.net" + ], "related.ip": [ "10.99.0.226" ], @@ -1504,6 +1638,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", + "api.example.org", + "www.example.net" + ], "related.ip": [ "10.107.174.213" ], @@ -1559,6 +1698,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "www.example.org", + "mail.example.org" + ], "related.ip": [ "10.84.25.23" ], @@ -1615,6 +1759,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", + "api.example.com", + "www.example.org" + ], "related.ip": [ "10.193.143.108" ], @@ -1670,6 +1819,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/mexe/its.htm?ice=oles#edic", + "example.org", + "example.com" + ], "related.ip": [ "10.190.51.22" ], 
@@ -1727,6 +1881,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/velitess/naali.htm?nre=veli#volupta", + "www5.example.com", + "www.example.com" + ], "related.ip": [ "10.194.90.130" ], @@ -1779,6 +1938,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", + "internal.example.com", + "www.example.org" + ], "related.ip": [ "10.10.213.83" ], @@ -1834,6 +1998,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", + "mail.example.net", + "api.example.org" + ], "related.ip": [ "10.52.125.9" ], @@ -1890,6 +2059,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", + "www5.example.org", + "api.example.net" + ], "related.ip": [ "10.19.17.202" ], @@ -1945,6 +2119,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", + "api.example.com", + "mail.example.org" + ], "related.ip": [ "10.195.64.5" ], @@ -2002,6 +2181,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", + "mail.example.com", + "internal.example.com" + ], "related.ip": [ "10.209.77.194" ], @@ -2058,6 +2242,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", + "mail.example.org", + "example.net" + ], "related.ip": [ "10.168.6.90" ], 
@@ -2112,6 +2301,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", + "api.example.org", + "mail.example.com" + ], "related.ip": [ "10.89.137.238" ], @@ -2166,6 +2360,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", + "www5.example.net", + "example.org" + ], "related.ip": [ "10.246.61.213" ], @@ -2221,6 +2420,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "www5.example.net", + "www.example.org" + ], "related.ip": [ "10.117.44.138" ], @@ -2277,6 +2481,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", + "www.example.net", + "example.net" + ], "related.ip": [ "10.69.30.196" ], @@ -2329,6 +2538,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", + "example.org", + "api.example.com" + ], "related.ip": [ "10.135.91.88" ], @@ -2384,6 +2598,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", + "api.example.org", + "example.net" + ], "related.ip": [ "10.81.45.174" ], @@ -2440,6 +2659,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", + "www.example.org" + ], "related.ip": [ "10.87.179.233" ], 
@@ -2494,6 +2717,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", + "example.com", + "api.example.net" + ], "related.ip": [ "10.198.57.130" ], @@ -2548,6 +2776,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", + "www.example.org", + "www.example.net" + ], "related.ip": [ "10.218.0.197" ], @@ -2603,6 +2836,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", + "example.com", + "mail.example.com" + ], "related.ip": [ "10.123.199.198" ], @@ -2660,6 +2898,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", + "example.org", + "internal.example.net" + ], "related.ip": [ "10.29.119.245" ], @@ -2717,6 +2960,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", + "www.example.org", + "mail.example.net" + ], "related.ip": [ "10.130.175.17" ], @@ -2773,6 +3021,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", + "internal.example.org", + "mail.example.net" + ], "related.ip": [ "10.166.90.130" ], @@ -2828,6 +3081,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", + "internal.example.org", + "api.example.org" + ], "related.ip": [ "10.248.111.207" ], 
@@ -2884,6 +3142,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", + "api.example.net", + "internal.example.net" + ], "related.ip": [ "10.185.37.32" ], @@ -2938,6 +3201,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/pisc/urEx.html?rautod=olest#eataev", + "internal.example.com", + "example.org" + ], "related.ip": [ "10.5.194.202" ], @@ -2993,6 +3261,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", + "www.example.org", + "www5.example.com" + ], "related.ip": [ "10.183.34.1" ], @@ -3049,6 +3322,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", + "internal.example.com", + "mail.example.net" + ], "related.ip": [ "10.101.163.40" ], @@ -3104,6 +3382,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", + "internal.example.com", + "www5.example.com" + ], "related.ip": [ "10.216.188.152" ], @@ -3160,6 +3443,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", + "mail.example.net", + "www5.example.org" + ], "related.ip": [ "10.94.140.77" ], @@ -3212,6 +3500,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", + "mail.example.org", + "www.example.com" + ], "related.ip": [ "10.223.205.204" ], 
@@ -3267,6 +3560,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "example.com", + "mail.example.org" + ], "related.ip": [ "10.85.137.156" ], @@ -3324,6 +3622,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "www5.example.net", + "mail.example.com" + ], "related.ip": [ "10.12.54.142" ], @@ -3380,6 +3683,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/labori/porai.gif?utali=sed#xeac", + "internal.example.org", + "example.net" + ], "related.ip": [ "10.158.6.52" ], @@ -3435,6 +3743,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", + "example.com", + "www5.example.org" + ], "related.ip": [ "10.195.160.182" ], @@ -3491,6 +3804,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", + "example.net", + "mail.example.com" + ], "related.ip": [ "10.20.68.117" ], @@ -3546,6 +3864,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", + "www5.example.org", + "www5.example.com" + ], "related.ip": [ "10.94.136.235" ], @@ -3603,6 +3926,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", + "example.com", + "www.example.net" + ], "related.ip": [ "10.152.11.26" ], 
@@ -3656,6 +3984,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", + "www5.example.com" + ], "related.ip": [ "10.82.118.95" ], @@ -3712,6 +4044,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", + "www5.example.net", + "www.example.net" + ], "related.ip": [ "10.187.152.213" ], @@ -3767,6 +4104,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", + "internal.example.net", + "www.example.net" + ], "related.ip": [ "10.98.71.45" ], @@ -3823,6 +4165,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", + "www5.example.org", + "www5.example.net" + ], "related.ip": [ "10.86.123.33" ], @@ -3877,6 +4224,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", + "api.example.net", + "www5.example.net" + ], "related.ip": [ "10.6.112.183" ], @@ -3932,6 +4284,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", + "www5.example.org", + "example.net" + ], "related.ip": [ "10.227.156.143" ], @@ -3985,6 +4342,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", + "example.net", + "example.org" + ], "related.ip": [ "10.124.129.248" ], 
@@ -4042,6 +4404,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", + "www5.example.net", + "www5.example.org" + ], "related.ip": [ "10.173.125.112" ], @@ -4098,6 +4465,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", + "api.example.net", + "www.example.org" + ], "related.ip": [ "10.37.156.140" ], @@ -4150,6 +4522,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", + "www5.example.org", + "example.com" + ], "related.ip": [ "10.121.225.135" ], @@ -4204,6 +4581,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", + "mail.example.net", + "www.example.org" + ], "related.ip": [ "10.123.68.56" ], @@ -4259,6 +4641,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/itesse/expl.html?prehende=lup#tpers", + "mail.example.net", + "api.example.net" + ], "related.ip": [ "10.63.56.164" ], @@ -4316,6 +4703,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/deritinv/evelite.html?iav=odico#rsint", + "example.com", + "example.net" + ], "related.ip": [ "10.62.10.137" ], @@ -4373,6 +4765,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", + "api.example.net", + "example.org" + ], "related.ip": [ "10.89.154.115" ], 
@@ -4429,6 +4826,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", + "api.example.org", + "www5.example.com" + ], "related.ip": [ "10.122.252.130" ], @@ -4483,6 +4885,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", + "www.example.net", + "api.example.com" + ], "related.ip": [ "10.195.152.53" ], @@ -4534,6 +4941,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", + "mail.example.com" + ], "related.ip": [ "10.9.255.204" ], @@ -4591,6 +5002,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", + "internal.example.net", + "www.example.org" + ], "related.ip": [ "10.214.235.133" ], @@ -4648,6 +5064,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", + "api.example.org", + "api.example.com" + ], "related.ip": [ "10.5.134.204" ], @@ -4704,6 +5125,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/rep/mveni.txt?utpers=num#ctetura", + "internal.example.com", + "example.org" + ], "related.ip": [ "10.144.111.42" ], @@ -4758,6 +5184,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/adm/snostr.jpg?tec=itaspe#con", + "www.example.com", + "example.net" + ], "related.ip": [ "10.122.0.80" ], 
@@ -4813,6 +5244,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "www.example.net", + "mail.example.com" + ], "related.ip": [ "10.165.33.19" ], @@ -4870,6 +5306,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", + "internal.example.org", + "mail.example.org" + ], "related.ip": [ "10.87.92.17" ], @@ -4926,6 +5367,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", + "internal.example.org", + "example.com" + ], "related.ip": [ "10.51.52.203" ], @@ -4981,6 +5427,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", + "internal.example.net" + ], "related.ip": [ "10.0.211.86" ], @@ -5037,6 +5487,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", + "example.net", + "mail.example.net" + ], "related.ip": [ "10.106.34.244" ], @@ -5091,6 +5546,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", + "example.net", + "www.example.org" + ], "related.ip": [ "10.191.210.188" ], @@ -5145,6 +5605,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", + "www.example.org", + "www.example.com" + ], "related.ip": [ "10.2.38.49" ], 
@@ -5196,6 +5661,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "mail.example.com", + "example.com" + ], "related.ip": [ "10.66.92.90" ], @@ -5253,6 +5723,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "mail.example.com", + "example.com" + ], "related.ip": [ "10.97.108.108" ], @@ -5310,6 +5785,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", + "www5.example.org", + "api.example.net" + ], "related.ip": [ "10.147.147.248" ], @@ -5367,6 +5847,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "api.example.com", + "www.example.org" + ], "related.ip": [ "10.152.190.61" ], @@ -5424,6 +5909,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", + "api.example.org", + "www.example.net" + ], "related.ip": [ "10.129.232.105" ], @@ -5480,6 +5970,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", + "api.example.net", + "internal.example.org" + ], "related.ip": [ "10.12.173.112" ], diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml index eb6515c6171e..8a79295724fb 100644 --- a/x-pack/filebeat/module/zeek/connection/config/connection.yml +++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml 
@@ -90,7 +90,6 @@ processors: kind: event category: - network -{{ if .community_id }} - if: equals.network.transport: icmp then: @@ -100,7 +99,6 @@ processors: icmp_code: zeek.connection.icmp.code else: community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/connection/manifest.yml b/x-pack/filebeat/module/zeek/connection/manifest.yml index 0acad34d69c7..08f79bc28caf 100644 --- a/x-pack/filebeat/module/zeek/connection/manifest.yml +++ b/x-pack/filebeat/module/zeek/connection/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/conn.log - name: tags default: [zeek.connection] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/connection.yml diff --git a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml index e99deb6c68f2..45010e089733 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml @@ -54,9 +54,7 @@ processors: - connection - protocol - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml b/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml index 21ba27eac969..01bef572b679 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/dce_rpc.log - name: tags default: [zeek.dce_rpc] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/dce_rpc.yml diff --git a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml index e0eb1831b774..f1a2f0ced3a1 100644 --- a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml +++ b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml 
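Review bot: Dropping the `{{ if .community_id }}` guard makes the `community_id` processor unconditional, and since the matching `- name: community_id` var is deleted from `manifest.yml` in the same commit, any existing config that sets `var.community_id: false` for this fileset (and for the other zeek filesets changed the same way below) silently loses its effect. As far as I can tell Filebeat does not reject unknown module vars, so the stale override would be ignored rather than reported — worth confirming. This deserves a breaking-change entry in the changelog, and a one-line comment next to the processor such as `# community_id is always computed; the former var.community_id opt-out was removed` would spare the next reader from hunting for the removed knob. The `processors:` list this hunk edits starts above the hunk.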
@@ -116,9 +116,7 @@ processors: - connection - protocol - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dhcp/manifest.yml b/x-pack/filebeat/module/zeek/dhcp/manifest.yml index 7cb434b19554..ee4a7c24f3b7 100644 --- a/x-pack/filebeat/module/zeek/dhcp/manifest.yml +++ b/x-pack/filebeat/module/zeek/dhcp/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/dhcp.log - name: tags default: [zeek.dhcp] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/dhcp.yml diff --git a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml index 33890a55071b..7730d2b6d85a 100644 --- a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml +++ b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml @@ -64,9 +64,7 @@ processors: - connection - protocol - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml index 5585d24327e7..e104312e1e13 100644 --- a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml @@ -23,14 +23,6 @@ processors: - lowercase: field: event.action ignore_missing: true -- append: - field: related.ip - value: '{{source.ip}}' - if: ctx?.source?.ip != null -- append: - field: related.ip - value: '{{destination.ip}}' - if: ctx?.destination?.ip != null - geoip: field: destination.ip target_field: destination.geo @@ -69,6 +61,14 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true +- append: + field: related.ip + value: '{{source.ip}}' + if: ctx?.source?.ip != null +- append: + field: related.ip + value: '{{destination.ip}}' + if: ctx?.destination?.ip != null on_failure: - set: field: error.message 
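Review bot: The two `append` processors moved to the end of the dnp3 ingest pipeline still lack `allow_duplicates: false`, so an event where `source.ip` equals `destination.ip` (loopback, or a host talking to itself) produces a `related.ip` array with the same address twice; the zscaler pipeline in this same commit sets `allow_duplicates: false` on its `related.hosts` appends, so the two modules are now inconsistent. Adding `allow_duplicates: false` under each of the two `append` blocks fixes that without changing the processor order. Moving the appends after the geoip/as enrichment looks safe, since the visible geoip and rename processors read `destination.ip` and `destination.as.*`, not `related.ip`. The `on_failure` handler that closes the pipeline is only visible at the edge of the hunk.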
diff --git a/x-pack/filebeat/module/zeek/dnp3/manifest.yml b/x-pack/filebeat/module/zeek/dnp3/manifest.yml index 98de1c3af82a..97829b3d0d0d 100644 --- a/x-pack/filebeat/module/zeek/dnp3/manifest.yml +++ b/x-pack/filebeat/module/zeek/dnp3/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/dnp3.log - name: tags default: [zeek.dnp3] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/dnp3.yml diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml index 82d0306ea63a..86a2022d695e 100644 --- a/x-pack/filebeat/module/zeek/dns/config/dns.yml +++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml @@ -193,9 +193,7 @@ processors: - connection - info - protocol -{{ if .community_id }} - community_id: -{{ end }} - drop_fields: ignore_missing: true fields: diff --git a/x-pack/filebeat/module/zeek/dns/manifest.yml b/x-pack/filebeat/module/zeek/dns/manifest.yml index 0c81ed95c2d6..4ff46df94b9d 100644 --- a/x-pack/filebeat/module/zeek/dns/manifest.yml +++ b/x-pack/filebeat/module/zeek/dns/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/dns.log - name: tags default: [zeek.dns] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/dns.yml diff --git a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml index 49e69972ef66..acc6defd4df2 100644 --- a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml +++ b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml @@ -53,9 +53,7 @@ processors: type: - connection - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dpd/manifest.yml b/x-pack/filebeat/module/zeek/dpd/manifest.yml index aeba0ef31fc1..854eadbf4914 100644 --- a/x-pack/filebeat/module/zeek/dpd/manifest.yml +++ b/x-pack/filebeat/module/zeek/dpd/manifest.yml 
@@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/dpd.log - name: tags default: [zeek.dpd] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/dpd.yml diff --git a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml index 9be20cbd85b4..51a3c0535767 100644 --- a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml +++ b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml @@ -82,9 +82,7 @@ processors: - connection - info - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/ftp/manifest.yml b/x-pack/filebeat/module/zeek/ftp/manifest.yml index cf51575cf845..1f37ead03d0a 100644 --- a/x-pack/filebeat/module/zeek/ftp/manifest.yml +++ b/x-pack/filebeat/module/zeek/ftp/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/ftp.log - name: tags default: [zeek.ftp] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/ftp.yml diff --git a/x-pack/filebeat/module/zeek/http/config/http.yml b/x-pack/filebeat/module/zeek/http/config/http.yml index 6f517c693201..4c7c812d0ccb 100644 --- a/x-pack/filebeat/module/zeek/http/config/http.yml +++ b/x-pack/filebeat/module/zeek/http/config/http.yml @@ -89,9 +89,7 @@ processors: - connection - info - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/http/manifest.yml b/x-pack/filebeat/module/zeek/http/manifest.yml index ddd253bb2187..acf134c2333e 100644 --- a/x-pack/filebeat/module/zeek/http/manifest.yml +++ b/x-pack/filebeat/module/zeek/http/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/http.log - name: tags default: [zeek.http] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/http.yml 
diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml index 4d35472f3ead..5b73833ea352 100644 --- a/x-pack/filebeat/module/zeek/intel/config/intel.yml +++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml @@ -63,9 +63,7 @@ processors: kind: alert type: - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/intel/manifest.yml b/x-pack/filebeat/module/zeek/intel/manifest.yml index 281f6ed65fed..a84788f4d757 100644 --- a/x-pack/filebeat/module/zeek/intel/manifest.yml +++ b/x-pack/filebeat/module/zeek/intel/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/intel.log - name: tags default: [zeek.intel] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/intel.yml diff --git a/x-pack/filebeat/module/zeek/irc/config/irc.yml b/x-pack/filebeat/module/zeek/irc/config/irc.yml index 5125e82fac2c..54aaa9d4f4b3 100644 --- a/x-pack/filebeat/module/zeek/irc/config/irc.yml +++ b/x-pack/filebeat/module/zeek/irc/config/irc.yml @@ -68,9 +68,7 @@ processors: - connection - protocol - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/irc/manifest.yml b/x-pack/filebeat/module/zeek/irc/manifest.yml index 3bf899fd2c02..36cf10a5bb32 100644 --- a/x-pack/filebeat/module/zeek/irc/manifest.yml +++ b/x-pack/filebeat/module/zeek/irc/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/irc.log - name: tags default: [zeek.irc] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/irc.yml diff --git a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml index dbb0c364ea8d..f557da8ba7fa 100644 --- a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml +++ b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml 
@@ -100,9 +100,7 @@ processors: tokenizer: "%{user.name}/%{user.domain}" field: zeek.kerberos.client target_prefix: "" -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/kerberos/manifest.yml b/x-pack/filebeat/module/zeek/kerberos/manifest.yml index 4a94434f1d48..3f527b150137 100644 --- a/x-pack/filebeat/module/zeek/kerberos/manifest.yml +++ b/x-pack/filebeat/module/zeek/kerberos/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/kerberos.log - name: tags default: [zeek.kerberos] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/kerberos.yml diff --git a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml index c6a6c3bf9e12..d656ad0ab6ac 100644 --- a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml +++ b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml @@ -69,9 +69,7 @@ processors: target: event fields: outcome: success -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/modbus/manifest.yml b/x-pack/filebeat/module/zeek/modbus/manifest.yml index e20412fadc62..c4afd6315d4e 100644 --- a/x-pack/filebeat/module/zeek/modbus/manifest.yml +++ b/x-pack/filebeat/module/zeek/modbus/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/modbus.log - name: tags default: [zeek.modbus] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/modbus.yml diff --git a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml index b3fd2c5484f4..4c6e70d9f1cf 100644 --- a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml +++ b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml @@ -68,9 +68,7 @@ processors: target: event fields: outcome: failure -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: 
diff --git a/x-pack/filebeat/module/zeek/mysql/manifest.yml b/x-pack/filebeat/module/zeek/mysql/manifest.yml index 1b7ec4edb198..bba253a418e9 100644 --- a/x-pack/filebeat/module/zeek/mysql/manifest.yml +++ b/x-pack/filebeat/module/zeek/mysql/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/mysql.log - name: tags default: [zeek.mysql] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/mysql.yml diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml index fa1cc38b31b4..649d3f3ba970 100644 --- a/x-pack/filebeat/module/zeek/notice/config/notice.yml +++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml @@ -100,9 +100,7 @@ processors: - intrusion_detection type: - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/notice/manifest.yml b/x-pack/filebeat/module/zeek/notice/manifest.yml index e2bdf6950277..e14f72220656 100644 --- a/x-pack/filebeat/module/zeek/notice/manifest.yml +++ b/x-pack/filebeat/module/zeek/notice/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/notice.log - name: tags default: [zeek.notice] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/notice.yml diff --git a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml index dcf1cb46f6fa..c67f66b54b9f 100644 --- a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml +++ b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml @@ -82,9 +82,7 @@ processors: target: event fields: outcome: failure -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/ntlm/manifest.yml b/x-pack/filebeat/module/zeek/ntlm/manifest.yml index 545bef85aaa1..e16e6ec8b3aa 100644 --- a/x-pack/filebeat/module/zeek/ntlm/manifest.yml 
+++ b/x-pack/filebeat/module/zeek/ntlm/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/ntlm.log - name: tags default: [zeek.ntlm] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/ntlm.yml diff --git a/x-pack/filebeat/module/zeek/radius/config/radius.yml b/x-pack/filebeat/module/zeek/radius/config/radius.yml index d133dbc014cd..66fccaa3f5ce 100644 --- a/x-pack/filebeat/module/zeek/radius/config/radius.yml +++ b/x-pack/filebeat/module/zeek/radius/config/radius.yml @@ -54,9 +54,7 @@ processors: type: - info - connection -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/radius/manifest.yml b/x-pack/filebeat/module/zeek/radius/manifest.yml index f881f404d7a8..d3bdee065b05 100644 --- a/x-pack/filebeat/module/zeek/radius/manifest.yml +++ b/x-pack/filebeat/module/zeek/radius/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/radius.log - name: tags default: [zeek.radius] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/radius.yml diff --git a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml index 1ea1c28520cf..de71448fb1b0 100644 --- a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml +++ b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml @@ -84,9 +84,7 @@ processors: type: - protocol - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/rdp/manifest.yml b/x-pack/filebeat/module/zeek/rdp/manifest.yml index b0c76c9f3a37..0a2bc7b77ecb 100644 --- a/x-pack/filebeat/module/zeek/rdp/manifest.yml +++ b/x-pack/filebeat/module/zeek/rdp/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/rdp.log - name: tags default: [zeek.rdp] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/rdp.yml 
diff --git a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml index d0eade39d0eb..3adb14c55bf9 100644 --- a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml +++ b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml @@ -69,9 +69,7 @@ processors: type: - connection - info -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/rfb/manifest.yml b/x-pack/filebeat/module/zeek/rfb/manifest.yml index 2b9daaab1078..4bba4f4f37c2 100644 --- a/x-pack/filebeat/module/zeek/rfb/manifest.yml +++ b/x-pack/filebeat/module/zeek/rfb/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/rfb.log - name: tags default: [zeek.rfb] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/rfb.yml diff --git a/x-pack/filebeat/module/zeek/sip/config/sip.yml b/x-pack/filebeat/module/zeek/sip/config/sip.yml index 7355ba353c7d..7aa30034de24 100644 --- a/x-pack/filebeat/module/zeek/sip/config/sip.yml +++ b/x-pack/filebeat/module/zeek/sip/config/sip.yml @@ -91,9 +91,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/sip/manifest.yml b/x-pack/filebeat/module/zeek/sip/manifest.yml index 8da0cc443dda..2186e6b0f3fe 100644 --- a/x-pack/filebeat/module/zeek/sip/manifest.yml +++ b/x-pack/filebeat/module/zeek/sip/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/sip.log - name: tags default: [zeek.sip] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/sip.yml diff --git a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml index 693c439454ad..763379a7d888 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml 
@@ -97,9 +97,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml b/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml index a4ad3a78ce1e..331cafae30fc 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/smb_cmd.log - name: tags default: [zeek.smb_cmd] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/smb_cmd.yml diff --git a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml index 16fb3d369645..c5f7c2e53e79 100644 --- a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml +++ b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml @@ -57,9 +57,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/smb_files/manifest.yml b/x-pack/filebeat/module/zeek/smb_files/manifest.yml index f59a04153a50..bdbf0324fd9c 100644 --- a/x-pack/filebeat/module/zeek/smb_files/manifest.yml +++ b/x-pack/filebeat/module/zeek/smb_files/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/smb_files.log - name: tags default: [zeek.smb_files] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/smb_files.yml diff --git a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml index 168458ba1d05..624454ed1715 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml 
@@ -53,9 +53,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml b/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml index 7382e529b271..f4afd881b540 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/smb_mapping.log - name: tags default: [zeek.smb_mapping] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/smb_mapping.yml diff --git a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml index acc02bf91df2..5b2f6595df2f 100644 --- a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml +++ b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml @@ -63,9 +63,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/smtp/manifest.yml b/x-pack/filebeat/module/zeek/smtp/manifest.yml index 6d69b3b5e3e9..bc0d180278b8 100644 --- a/x-pack/filebeat/module/zeek/smtp/manifest.yml +++ b/x-pack/filebeat/module/zeek/smtp/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/smtp.log - name: tags default: [zeek.smtp] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/smtp.yml diff --git a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml index 684ecd01d066..0c7e05ce6db7 100644 --- a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml +++ b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml @@ -65,9 +65,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: 
diff --git a/x-pack/filebeat/module/zeek/snmp/manifest.yml b/x-pack/filebeat/module/zeek/snmp/manifest.yml index b980b6fb82e1..e25fb364b1ed 100644 --- a/x-pack/filebeat/module/zeek/snmp/manifest.yml +++ b/x-pack/filebeat/module/zeek/snmp/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/snmp.log - name: tags default: [zeek.snmp] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/snmp.yml diff --git a/x-pack/filebeat/module/zeek/socks/config/socks.yml b/x-pack/filebeat/module/zeek/socks/config/socks.yml index 9ce64d99076c..f834e5d1bccc 100644 --- a/x-pack/filebeat/module/zeek/socks/config/socks.yml +++ b/x-pack/filebeat/module/zeek/socks/config/socks.yml @@ -63,9 +63,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/socks/manifest.yml b/x-pack/filebeat/module/zeek/socks/manifest.yml index 68fea837fde1..55c4a387524b 100644 --- a/x-pack/filebeat/module/zeek/socks/manifest.yml +++ b/x-pack/filebeat/module/zeek/socks/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/socks.log - name: tags default: [zeek.socks] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/socks.yml diff --git a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml index 453c6b0fae5b..c855d49dff2d 100644 --- a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml +++ b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml @@ -72,9 +72,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/ssh/manifest.yml b/x-pack/filebeat/module/zeek/ssh/manifest.yml index 60249e25c217..9d2f39212b55 100644 --- a/x-pack/filebeat/module/zeek/ssh/manifest.yml +++ b/x-pack/filebeat/module/zeek/ssh/manifest.yml 
@@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/ssh.log - name: tags default: [zeek.ssh] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/ssh.yml diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml index 897db4b9fff5..c3ecbd94be94 100644 --- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml +++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml @@ -75,9 +75,7 @@ processors: type: - connection - protocol -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/ssl/manifest.yml b/x-pack/filebeat/module/zeek/ssl/manifest.yml index 0b3da1331ff4..49e474dfadc2 100644 --- a/x-pack/filebeat/module/zeek/ssl/manifest.yml +++ b/x-pack/filebeat/module/zeek/ssl/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/ssl.log - name: tags default: [zeek.ssl] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/ssl.yml diff --git a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml index 16c6ebb6187a..a89601cb717b 100644 --- a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml +++ b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml @@ -53,9 +53,7 @@ processors: target: event fields: kind: event -{{ if .community_id }} - community_id: -{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/syslog/manifest.yml b/x-pack/filebeat/module/zeek/syslog/manifest.yml index 8db76ab5b36c..03a80586303e 100644 --- a/x-pack/filebeat/module/zeek/syslog/manifest.yml +++ b/x-pack/filebeat/module/zeek/syslog/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/syslog.log - name: tags default: [zeek.syslog] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/syslog.yml 
diff --git a/x-pack/filebeat/module/zeek/x509/manifest.yml b/x-pack/filebeat/module/zeek/x509/manifest.yml index 674610886fcf..a183f7dbc3d4 100644 --- a/x-pack/filebeat/module/zeek/x509/manifest.yml +++ b/x-pack/filebeat/module/zeek/x509/manifest.yml @@ -10,8 +10,6 @@ var: - /usr/local/var/logs/current/x509.log - name: tags default: [zeek.x509] - - name: community_id - default: true ingest_pipeline: ingest/pipeline.yml input: config/x509.yml diff --git a/x-pack/filebeat/module/zscaler/zia/config/input.yml b/x-pack/filebeat/module/zscaler/zia/config/input.yml index 05e5f5c886ec..f2963a231f14 100644 --- a/x-pack/filebeat/module/zscaler/zia/config/input.yml +++ b/x-pack/filebeat/module/zscaler/zia/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml index aae73dd9dedc..f60a8a2e9dea 100644 --- a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml @@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{rsa.web.fqdn}}' + allow_duplicates: false + if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index ea74e1c3b31a..b7bd436496b9 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json 
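Review bot: Appending `{{host.name}}` to `related.hosts` is only right when `host.name` holds the host named in the Zscaler record; when a log line carries no hostname, `host.name` on a Filebeat event is normally the collector's own name, which would then be tagged as a host "seen on" every event and pollute correlation searches. The golden output in this commit shows log-derived values such as `rci737.www5.example`, so the happy path is covered, but the fallback case is not — worth confirming what sets `host.name` earlier in this pipeline (outside this hunk). If it can be the collector, guard the append on the field the pipeline copies the hostname from, or append that field instead of `host.name`. Minor: the condition mixes `ctx?.rsa?.web?.fqdn` and `ctx.rsa?.web?.fqdn`; once the null check has passed, `ctx.rsa.web.fqdn != ''` is enough.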
@@ -22,9 +22,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rci737.www5.example" + ], "related.ip": [ - "10.206.191.17", - "10.176.10.114" + "10.176.10.114", + "10.206.191.17" ], "related.user": [ "sumdo" @@ -93,9 +96,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eosquir5191.www.example" + ], "related.ip": [ - "10.173.22.152", - "10.26.46.95" + "10.26.46.95", + "10.173.22.152" ], "related.user": [ "eataevi" @@ -166,6 +172,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "orsitame3262.domain" + ], "related.ip": [ "10.254.146.57", "10.204.86.149" @@ -239,6 +248,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tempor4496.www.localdomain" + ], "related.ip": [ "10.252.125.53", "10.103.246.190" @@ -312,9 +324,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ore2933.www.test" + ], "related.ip": [ - "10.136.153.149", - "10.61.78.108" + "10.61.78.108", + "10.136.153.149" ], "related.user": [ "ercit" @@ -328,8 +343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "Blocked", - "reetdolo" + "reetdolo", + "Blocked" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -385,9 +400,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ollit4105.mail.localdomain" + ], "related.ip": [ - "10.66.250.92", - "10.183.16.166" + "10.183.16.166", + "10.66.250.92" ], "related.user": [ "tessec" 
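Review bot: Besides the new `related.hosts` entries, these hunks also flip the order of pre-existing `related.ip` and `rsa.misc.action` arrays (e.g. `"10.206.191.17", "10.176.10.114"` becomes `"10.176.10.114", "10.206.191.17"`) even though the pipeline hunk above does not change how those arrays are built, which suggests their ordering is not deterministic between golden-file regenerations. That churn masks real changes in future diffs and will make the test flaky if the order ever differs between the machine that regenerated the file and CI. It is worth checking whether the appends feeding those arrays were reordered in a hunk outside this chunk, and if not, whether the pipeline or the test harness should sort them before comparison.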
@@ -458,9 +476,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "cup1793.local" + ], "related.ip": [ - "10.123.104.59", - "10.243.224.205" + "10.243.224.205", + "10.123.104.59" ], "related.user": [ "xercitat" @@ -531,9 +552,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "icab4668.local" + ], "related.ip": [ - "10.119.185.63", - "10.74.17.5" + "10.74.17.5", + "10.119.185.63" ], "related.user": [ "erc" @@ -547,8 +571,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tame", "rsa.misc.action": [ - "Blocked", - "nsec" + "nsec", + "Blocked" ], "rsa.misc.category": "emaperi", "rsa.misc.filter": "rehe", @@ -604,9 +628,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aperia4409.www5.invalid" + ], "related.ip": [ - "10.25.192.202", - "10.78.151.178" + "10.78.151.178", + "10.25.192.202" ], "related.user": [ "quip" @@ -620,8 +647,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "Allowed", - "amvolup" + "amvolup", + "Allowed" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", @@ -677,6 +704,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sitvolup368.internal.host" + ], "related.ip": [ "10.135.225.244", "10.71.170.37" @@ -750,6 +780,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ite2026.www.invalid" + ], "related.ip": [ "10.19.145.131", "10.223.247.86" 
@@ -766,8 +799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "sci", "rsa.misc.action": [ - "emseq", - "Allowed" + "Allowed", + "emseq" ], "rsa.misc.category": "exercit", "rsa.misc.filter": "taevit", @@ -823,6 +856,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "radipisc7020.home" + ], "related.ip": [ "10.2.53.125", "10.181.80.139" @@ -896,9 +932,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uamei2493.www.test" + ], "related.ip": [ - "10.167.98.76", - "10.31.240.6" + "10.31.240.6", + "10.167.98.76" ], "related.user": [ "ratvolu" @@ -969,9 +1008,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "piscin6866.internal.host" + ], "related.ip": [ - "10.0.55.9", - "10.135.160.125" + "10.135.160.125", + "10.0.55.9" ], "related.user": [ "volupta" @@ -985,8 +1027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "Allowed", - "ionevo" + "ionevo", + "Allowed" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1042,6 +1084,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "spi3544.www.host" + ], "related.ip": [ "10.63.250.128", "10.111.187.12" @@ -1058,8 +1103,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nnum", "rsa.misc.action": [ - "Allowed", - "ntoccae" + "ntoccae", + "Allowed" ], "rsa.misc.category": "tium", "rsa.misc.filter": "uteirure", 
@@ -1115,9 +1160,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tlab5981.www.host" + ], "related.ip": [ - "10.252.124.150", - "10.5.126.127" + "10.5.126.127", + "10.252.124.150" ], "related.user": [ "inibusB" @@ -1188,6 +1236,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "upida508.example" + ], "related.ip": [ "10.201.171.120", "10.91.126.231" @@ -1204,8 +1255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "umdo", "rsa.misc.action": [ - "Blocked", - "orumSe" + "orumSe", + "Blocked" ], "rsa.misc.category": "tanimid", "rsa.misc.filter": "itam", @@ -1261,6 +1312,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oditem5255.api.localdomain" + ], "related.ip": [ "10.107.251.87", "10.135.82.97" @@ -1277,8 +1331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "Allowed", - "itecto" + "itecto", + "Allowed" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1334,6 +1388,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uamei2389.internal.example" + ], "related.ip": [ "10.215.205.216", "10.31.198.58" @@ -1407,6 +1464,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eacommod1930.internal.lan" + ], "related.ip": [ "10.229.83.165", "10.29.155.171" @@ -1423,8 +1483,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedi", "rsa.misc.action": [ - "Allowed", - "llitanim" + "llitanim", + "Allowed" ], "rsa.misc.category": "apariat", "rsa.misc.filter": "tasnulap", 
@@ -1480,6 +1540,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tem6984.www5.domain" + ], "related.ip": [ "10.161.148.64", "10.129.192.145" @@ -1553,6 +1616,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lapariat7287.internal.host" + ], "related.ip": [ "10.203.65.161", "10.7.200.140" @@ -1569,8 +1635,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdol", "rsa.misc.action": [ - "nte", - "Allowed" + "Allowed", + "nte" ], "rsa.misc.category": "adeseru", "rsa.misc.filter": "mac", @@ -1626,9 +1692,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "licabo1493.api.corp" + ], "related.ip": [ - "10.218.98.29", - "10.86.22.67" + "10.86.22.67", + "10.218.98.29" ], "related.user": [ "olori" @@ -1699,6 +1768,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "stenatu4844.www.invalid" + ], "related.ip": [ "10.39.31.115", "10.24.111.229" @@ -1772,6 +1844,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sitam5077.internal.host" + ], "related.ip": [ "10.32.39.220", "10.179.210.218" @@ -1845,9 +1920,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "dquia107.www.test" + ], "related.ip": [ - "10.88.172.34", - "10.128.173.19" + "10.128.173.19", + "10.88.172.34" ], "related.user": [ "agnaaliq" @@ -1861,8 +1939,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntNeq", "rsa.misc.action": [ - "Blocked", - "dtempo" + "dtempo", + "Blocked" ], "rsa.misc.category": "ipsu", "rsa.misc.filter": "iqu", 
@@ -1918,9 +1996,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lloin4019.www.localhost" + ], "related.ip": [ - "10.238.224.49", - "10.130.241.232" + "10.130.241.232", + "10.238.224.49" ], "related.user": [ "onse" @@ -1934,8 +2015,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mnisiut", "rsa.misc.action": [ - "Allowed", - "mod" + "mod", + "Allowed" ], "rsa.misc.category": "uiinea", "rsa.misc.filter": "aturQu", @@ -1991,9 +2072,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tamet6317.www.host" + ], "related.ip": [ - "10.115.53.31", - "10.2.67.127" + "10.2.67.127", + "10.115.53.31" ], "related.user": [ "Cic" @@ -2007,8 +2091,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "Allowed", - "tatem" + "tatem", + "Allowed" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", @@ -2064,9 +2148,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "saquaea6344.www.invalid" + ], "related.ip": [ - "10.204.214.251", - "10.101.38.213" + "10.101.38.213", + "10.204.214.251" ], "related.user": [ "ueipsa" @@ -2137,9 +2224,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "utaliqu4248.www.localhost" + ], "related.ip": [ - "10.101.85.169", - "10.18.226.72" + "10.18.226.72", + "10.101.85.169" ], "related.user": [ "rroqu" @@ -2210,6 +2300,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mdolore473.internal.test" + ], "related.ip": [ "10.242.182.193", "10.87.100.240" 
@@ -2283,9 +2376,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tatio6513.www.invalid" + ], "related.ip": [ - "10.229.242.223", - "10.80.57.247" + "10.80.57.247", + "10.229.242.223" ], "related.user": [ "itasp" @@ -2356,6 +2452,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lapar1599.www.lan" + ], "related.ip": [ "10.193.66.155", "10.106.77.138" @@ -2372,8 +2471,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Section", - "Allowed" + "Allowed", + "Section" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2429,6 +2528,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aquioff3853.www.localdomain" + ], "related.ip": [ "10.54.159.1", "10.236.230.136" @@ -2445,8 +2547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "Allowed", - "tatema" + "tatema", + "Allowed" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2502,6 +2604,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ura675.mail.localdomain" + ], "related.ip": [ "10.131.246.134", "10.49.242.174" @@ -2518,8 +2623,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "Allowed", - "utemvel" + "utemvel", + "Allowed" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", @@ -2575,6 +2680,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iamea478.www5.host" + ], "related.ip": [ "10.142.120.198", "10.166.10.42" 
@@ -2648,9 +2756,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eaque6543.api.domain" + ], "related.ip": [ - "10.138.188.201", - "10.128.184.241" + "10.128.184.241", + "10.138.188.201" ], "related.user": [ "etur" @@ -2721,6 +2832,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eufug1756.mail.corp" + ], "related.ip": [ "10.53.101.131", "10.213.57.165" @@ -2737,8 +2851,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "litanim", - "Allowed" + "Allowed", + "litanim" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2794,9 +2908,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "orp5697.www.invalid" + ], "related.ip": [ - "10.55.81.14", - "10.243.6.41" + "10.243.6.41", + "10.55.81.14" ], "related.user": [ "eiusmo" @@ -2867,6 +2984,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pariatur7238.www5.invalid" + ], "related.ip": [ "10.202.224.79", "10.33.144.10" @@ -2883,8 +3003,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lit", "rsa.misc.action": [ - "quu", - "Blocked" + "Blocked", + "quu" ], "rsa.misc.category": "oluptate", "rsa.misc.filter": "exercita", @@ -2940,6 +3060,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "fficia2304.www5.home" + ], "related.ip": [ "10.20.124.138", "10.158.18.51" @@ -2956,8 +3079,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Loremip", "rsa.misc.action": [ - "Allowed", - "quid" + "quid", + "Allowed" ], "rsa.misc.category": "mini", "rsa.misc.filter": "uisnos", 
@@ -3013,6 +3136,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mquisnos7453.home" + ], "related.ip": [ "10.134.128.27", "10.118.177.136" @@ -3086,9 +3212,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aquio748.www.localhost" + ], "related.ip": [ - "10.125.120.97", - "10.68.8.143" + "10.68.8.143", + "10.125.120.97" ], "related.user": [ "reet" @@ -3102,8 +3231,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "amni", "rsa.misc.action": [ - "edutp", - "Allowed" + "Allowed", + "edutp" ], "rsa.misc.category": "ames", "rsa.misc.filter": "dmi", @@ -3159,9 +3288,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remagnam796.mail.corp" + ], "related.ip": [ - "10.143.0.78", - "10.137.164.122" + "10.137.164.122", + "10.143.0.78" ], "related.user": [ "orissus" @@ -3175,8 +3307,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "Blocked", - "mwrit" + "mwrit", + "Blocked" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3232,9 +3364,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "etdolore4227.internal.corp" + ], "related.ip": [ - "10.156.177.53", - "10.30.87.51" + "10.30.87.51", + "10.156.177.53" ], "related.user": [ "psaquaea" @@ -3248,8 +3383,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatno", "rsa.misc.action": [ - "Blocked", - "ptatev" + "ptatev", + "Blocked" ], "rsa.misc.category": "udexerc", "rsa.misc.filter": "ptatemse", 
@@ -3305,9 +3440,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rors1935.api.domain" + ], "related.ip": [ - "10.111.249.184", - "10.83.138.34" + "10.83.138.34", + "10.111.249.184" ], "related.user": [ "dentsunt" @@ -3378,9 +3516,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "idexeac1655.internal.test" + ], "related.ip": [ - "10.180.150.47", - "10.141.195.13" + "10.141.195.13", + "10.180.150.47" ], "related.user": [ "taliq" @@ -3394,8 +3535,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "uip", - "Allowed" + "Allowed", + "uip" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3451,9 +3592,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "laboree3880.api.invalid" + ], "related.ip": [ - "10.166.195.20", - "10.255.40.12" + "10.255.40.12", + "10.166.195.20" ], "related.user": [ "lamcolab" @@ -3522,6 +3666,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tecto708.www5.example" + ], "related.ip": [ "10.22.122.43", "10.100.143.226" @@ -3595,6 +3742,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ine3181.www.invalid" + ], "related.ip": [ "10.119.53.68", "10.121.9.5" @@ -3611,8 +3761,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dexea", "rsa.misc.action": [ - "Blocked", - "tinvolup" + "tinvolup", + "Blocked" ], "rsa.misc.category": "ende", "rsa.misc.filter": "onse", 
@@ -3668,9 +3818,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tsunt3403.www5.test" + ], "related.ip": [ - "10.237.0.173", - "10.31.153.177" + "10.31.153.177", + "10.237.0.173" ], "related.user": [ "sci" @@ -3684,8 +3837,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "eritqui", "rsa.misc.action": [ - "Blocked", - "dolor" + "dolor", + "Blocked" ], "rsa.misc.category": "taspe", "rsa.misc.filter": "oremipsu", @@ -3739,9 +3892,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pitl6126.www.localdomain" + ], "related.ip": [ - "10.243.182.229", - "10.229.102.140" + "10.229.102.140", + "10.243.182.229" ], "related.user": [ "duntut" @@ -3755,8 +3911,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "Allowed", - "etquasia" + "etquasia", + "Allowed" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -3808,6 +3964,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remaper3297.internal.test" + ], "related.ip": [ "10.120.138.109", "10.39.46.155" @@ -3824,8 +3983,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "adipisc", "rsa.misc.action": [ - "Blocked", - "exer" + "exer", + "Blocked" ], "rsa.misc.category": "remagna", "rsa.misc.filter": "emvel", @@ -3881,6 +4040,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tamr1693.api.home" + ], "related.ip": [ "10.53.191.49", "10.133.102.57" @@ -3954,6 +4116,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "cia5990.api.localdomain" + ], "related.ip": [ "10.89.41.97", "10.91.2.225" 
@@ -4027,6 +4192,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "riatu2467.lan" + ], "related.ip": [ "10.221.20.165", "10.7.18.226" @@ -4100,9 +4268,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pici1525.www5.corp" + ], "related.ip": [ - "10.178.148.188", - "10.155.252.123" + "10.155.252.123", + "10.178.148.188" ], "related.user": [ "inrepreh" @@ -4173,9 +4344,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "dolo6418.internal.host" + ], "related.ip": [ - "10.220.1.249", - "10.190.42.245" + "10.190.42.245", + "10.220.1.249" ], "related.user": [ "olup" @@ -4189,8 +4363,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "aerat", - "Blocked" + "Blocked", + "aerat" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", @@ -4244,9 +4418,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "imveni193.www5.host" + ], "related.ip": [ - "10.112.190.154", - "10.55.38.153" + "10.55.38.153", + "10.112.190.154" ], "related.user": [ "oremeu" @@ -4260,8 +4437,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tin", "rsa.misc.action": [ - "urau", - "Allowed" + "Allowed", + "urau" ], "rsa.misc.category": "isiut", "rsa.misc.filter": "cons", @@ -4317,9 +4494,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ionu3320.api.localhost" + ], "related.ip": [ - "10.195.153.42", - "10.250.48.82" + "10.250.48.82", + "10.195.153.42" ], "related.user": [ "tsedquia" 
@@ -4333,8 +4513,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.action": [ - "Allowed", - "upidatat" + "upidatat", + "Allowed" ], "rsa.misc.category": "aliquide", "rsa.misc.filter": "deriti", @@ -4390,6 +4570,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remips1499.www.local" + ], "related.ip": [ "10.252.164.230", "10.60.52.219" @@ -4406,8 +4589,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "Blocked", - "fdeFin" + "fdeFin", + "Blocked" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4459,9 +4642,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mdoloree96.domain" + ], "related.ip": [ - "10.122.102.156", - "10.187.16.73" + "10.187.16.73", + "10.122.102.156" ], "related.user": [ "emoen" @@ -4532,6 +4718,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iatnulap7662.internal.local" + ], "related.ip": [ "10.120.215.174", "10.248.108.55" @@ -4548,8 +4737,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rema", "rsa.misc.action": [ - "Allowed", - "uatDu" + "uatDu", + "Allowed" ], "rsa.misc.category": "ent", "rsa.misc.filter": "iscivel", @@ -4603,9 +4792,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sBonoru1929.example" + ], "related.ip": [ - "10.15.254.181", - "10.51.161.245" + "10.51.161.245", + "10.15.254.181" ], "related.user": [ "abo" @@ -4619,8 +4811,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "modit", "rsa.misc.action": [ - "uteiru", - "Allowed" + "Allowed", + "uteiru" ], "rsa.misc.category": "qua", "rsa.misc.filter": "saute", 
@@ -4676,9 +4868,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onorumet4871.lan" + ], "related.ip": [ - "10.129.66.196", - "10.7.152.238" + "10.7.152.238", + "10.129.66.196" ], "related.user": [ "equamn" @@ -4749,9 +4944,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onproi4354.www5.invalid" + ], "related.ip": [ - "10.29.162.157", - "10.185.107.27" + "10.185.107.27", + "10.29.162.157" ], "related.user": [ "evelite" @@ -4822,9 +5020,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "beataevi7552.api.test" + ], "related.ip": [ - "10.138.0.214", - "10.215.63.248" + "10.215.63.248", + "10.138.0.214" ], "related.user": [ "eavolupt" @@ -4838,8 +5039,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "Blocked", - "dqu" + "dqu", + "Blocked" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -4895,9 +5096,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rvelill1981.www.invalid" + ], "related.ip": [ - "10.26.115.88", - "10.12.130.224" + "10.12.130.224", + "10.26.115.88" ], "related.user": [ "Nequepo" @@ -4911,8 +5115,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "rmagnido", - "Allowed" + "Allowed", + "rmagnido" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", @@ -4968,6 +5172,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "quia7214.example" + ], "related.ip": [ "10.91.20.27", "10.193.152.42" 
@@ -5041,6 +5248,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aturExc7343.invalid" + ], "related.ip": [ "10.146.69.38", "10.55.192.102" @@ -5114,9 +5324,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "olo7317.www5.localhost" + ], "related.ip": [ - "10.124.177.226", - "10.249.1.143" + "10.249.1.143", + "10.124.177.226" ], "related.user": [ "isciveli" @@ -5130,8 +5343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Utenim", "rsa.misc.action": [ - "Allowed", - "onevo" + "onevo", + "Allowed" ], "rsa.misc.category": "tdolore", "rsa.misc.filter": "ptasn", @@ -5187,9 +5400,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uiin1342.mail.invalid" + ], "related.ip": [ - "10.167.176.220", - "10.146.228.249" + "10.146.228.249", + "10.167.176.220" ], "related.user": [ "estla" @@ -5260,9 +5476,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "agna5654.www.corp" + ], "related.ip": [ - "10.200.74.101", - "10.203.47.23" + "10.203.47.23", + "10.200.74.101" ], "related.user": [ "litesse" @@ -5333,6 +5552,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ites5711.internal.host" + ], "related.ip": [ "10.162.78.48", "10.24.23.209" @@ -5406,6 +5628,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oluptat2848.api.home" + ], "related.ip": [ "10.211.66.68", "10.55.151.53" 
@@ -5479,9 +5704,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ngelitse7535.internal.lan" + ], "related.ip": [ - "10.209.203.156", - "10.110.16.169" + "10.110.16.169", + "10.209.203.156" ], "related.user": [ "mes" @@ -5495,8 +5723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "lupta", - "Blocked" + "Blocked", + "lupta" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5552,9 +5780,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tiumtot3611.internal.localdomain" + ], "related.ip": [ - "10.84.9.150", - "10.107.68.114" + "10.107.68.114", + "10.84.9.150" ], "related.user": [ "sequatDu" @@ -5568,8 +5799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "Allowed", - "uianonnu" + "uianonnu", + "Allowed" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5625,9 +5856,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "gnaa4656.api.example" + ], "related.ip": [ - "10.26.222.144", - "10.124.119.48" + "10.124.119.48", + "10.26.222.144" ], "related.user": [ "nre" @@ -5698,6 +5932,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "psaqu6066.www5.localhost" + ], "related.ip": [ "10.164.190.2", "10.223.11.164" @@ -5714,8 +5951,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "officiad", "rsa.misc.action": [ - "antium", - "Allowed" + "Allowed", + "antium" ], "rsa.misc.category": "emoeni", "rsa.misc.filter": "itvo", 
@@ -5771,9 +6008,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iavol5202.api.example" + ], "related.ip": [ - "10.14.37.8", - "10.121.181.243" + "10.121.181.243", + "10.14.37.8" ], "related.user": [ "umwr" @@ -5844,9 +6084,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uame1361.api.local" + ], "related.ip": [ - "10.10.93.133", - "10.90.20.202" + "10.90.20.202", + "10.10.93.133" ], "related.user": [ "evita" @@ -5917,6 +6160,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rsitame4049.internal.corp" + ], "related.ip": [ "10.77.102.206", "10.34.98.144" @@ -5933,8 +6179,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Exce", "rsa.misc.action": [ - "ulapa", - "Allowed" + "Allowed", + "ulapa" ], "rsa.misc.category": "reprehen", "rsa.misc.filter": "itsedqui", @@ -5990,6 +6236,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "elit912.www5.test" + ], "related.ip": [ "10.176.233.249", "10.75.144.118" @@ -6006,8 +6255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "essequa", "rsa.misc.action": [ - "odic", - "Blocked" + "Blocked", + "odic" ], "rsa.misc.category": "cto", "rsa.misc.filter": "odite", @@ -6063,6 +6312,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tat6671.www.local" + ], "related.ip": [ "10.149.6.107", "10.236.55.236" @@ -6079,8 +6331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "mvele", - "Allowed" + "Allowed", + "mvele" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", 
@@ -6136,6 +6388,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uis5050.www.local" + ], "related.ip": [ "10.97.202.149", "10.13.125.101" @@ -6209,9 +6464,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ficiad1312.api.host" + ], "related.ip": [ - "10.230.61.102", - "10.141.66.163" + "10.141.66.163", + "10.230.61.102" ], "related.user": [ "umdolo" @@ -6225,8 +6483,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itautf", "rsa.misc.action": [ - "mini", - "Blocked" + "Blocked", + "mini" ], "rsa.misc.category": "gna", "rsa.misc.filter": "usmo", @@ -6282,9 +6540,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "itaspe921.mail.invalid" + ], "related.ip": [ - "10.224.249.228", - "10.10.25.145" + "10.10.25.145", + "10.224.249.228" ], "related.user": [ "mnisiuta" @@ -6355,6 +6616,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "archite4407.mail.invalid" + ], "related.ip": [ "10.247.255.107", "10.234.34.40" @@ -6371,8 +6635,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "neavolu", "rsa.misc.action": [ - "Blocked", - "nofdeF" + "nofdeF", + "Blocked" ], "rsa.misc.category": "remagnam", "rsa.misc.filter": "maveniam", @@ -6428,6 +6692,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aria1424.mail.home" + ], "related.ip": [ "10.250.102.42", "10.124.81.20" @@ -6501,6 +6768,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "Bonoru7444.www5.example" + ], "related.ip": [ "10.166.205.159", "10.154.188.132" 
@@ -6570,9 +6840,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "icero1297.internal.domain" + ], "related.ip": [ - "10.138.193.38", - "10.46.71.46" + "10.46.71.46", + "10.138.193.38" ], "related.user": [ "sintocca" @@ -6639,9 +6912,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oloremeu5047.www5.invalid" + ], "related.ip": [ - "10.254.119.31", - "10.172.159.251" + "10.172.159.251", + "10.254.119.31" ], "related.user": [ "usm" @@ -6655,8 +6931,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "Blocked", - "tatemacc" + "tatemacc", + "Blocked" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6712,6 +6988,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "edutpe1255.internal.lan" + ], "related.ip": [ "10.195.62.230", "10.98.126.206" @@ -6728,8 +7007,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "oriosa", - "Allowed" + "Allowed", + "oriosa" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -6785,9 +7064,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "nderit1171.www5.domain" + ], "related.ip": [ - "10.84.140.5", - "10.144.93.186" + "10.144.93.186", + "10.84.140.5" ], "related.user": [ "eroi" @@ -6858,6 +7140,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "nos4114.api.lan" + ], "related.ip": [ "10.31.58.6", "10.198.84.190" 
@@ -6931,6 +7216,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oremeum4231.internal.host" + ], "related.ip": [ "10.139.90.218", "10.131.81.172" @@ -6947,8 +7235,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "exe", - "Allowed" + "Allowed", + "exe" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", @@ -7004,9 +7292,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ueip6097.api.host" + ], "related.ip": [ - "10.128.43.71", - "10.152.217.174" + "10.152.217.174", + "10.128.43.71" ], "related.user": [ "mquiado" @@ -7020,8 +7311,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "olupt", "rsa.misc.action": [ - "temvele", - "Blocked" + "Blocked", + "temvele" ], "rsa.misc.category": "natuser", "rsa.misc.filter": "amnihil", @@ -7077,6 +7368,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "fugiatqu7793.www.localdomain" + ], "related.ip": [ "10.26.149.221", "10.217.193.148" @@ -7150,6 +7444,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onsequ3168.www.corp" + ], "related.ip": [ "10.172.17.6", "10.109.192.53" @@ -7166,8 +7463,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "temUte", "rsa.misc.action": [ - "tassit", - "Blocked" + "Blocked", + "tassit" ], "rsa.misc.category": "ita", "rsa.misc.filter": "scive", @@ -7223,6 +7520,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oremquel3120.internal.localhost" + ], "related.ip": [ "10.135.38.213", "10.119.106.108" 
diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index 66ca65108fd2..bdf9957b55dc 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -17,6 +17,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "" + ], "related.user": [ "" ], diff --git a/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc b/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc index 3078bf3477b3..4666100a39e1 100644 --- a/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc +++ b/x-pack/filebeat/processors/decode_cef/docs/decode_cef.asciidoc @@ -28,7 +28,7 @@ The `decode_cef` processor has the following configuration settings. .Decode CEF options [options="header"] |====== -| Name | Required | Default | Description +| Name | Required | Default | Description | | `field` | no | message | Source field containing the CEF message to be parsed. | | `target_field` | no | cef | Target field where the parsed CEF object will be written. | | `ecs` | no | true | Generate Elastic Common Schema (ECS) fields from the CEF data. diff --git a/x-pack/functionbeat/provider/aws/aws/config.go b/x-pack/functionbeat/provider/aws/aws/config.go index 604035522b5d..932b8a1bc521 100644 --- a/x-pack/functionbeat/provider/aws/aws/config.go +++ b/x-pack/functionbeat/provider/aws/aws/config.go 
@@ -153,6 +153,12 @@ func (b *bucket) Unpack(s string) error {
 return fmt.Errorf("bucket name '%s' is too short, name need to be at least %d chars long", s, min)
 }
 
+ const bucketNamePattern = "^[a-z0-9][a-z0-9.\\-]{1,61}[a-z0-9]$"
+ var bucketRE = regexp.MustCompile(bucketNamePattern)
+ if !bucketRE.MatchString(s) {
+ return fmt.Errorf("invalid bucket name: '%s', bucket name must match pattern: '%s'", s, bucketNamePattern)
+ }
+
 *b = bucket(s)
 return nil
 }
diff --git a/x-pack/functionbeat/provider/aws/aws/config_test.go b/x-pack/functionbeat/provider/aws/aws/config_test.go
index ac8e325804ef..ef1045f188ed 100644
--- a/x-pack/functionbeat/provider/aws/aws/config_test.go
+++ b/x-pack/functionbeat/provider/aws/aws/config_test.go
@@ -66,6 +66,36 @@ func TestBucket(t *testing.T) {
 err := b.Unpack("he")
 assert.Error(t, err)
 })
+
+ t.Run("bucket regex pattern, disallows semi-colon", func(t *testing.T) {
+ b := bucket("")
+ err := b.Unpack("asdfdaf;dfadsfadsf")
+ assert.Error(t, err)
+ })
+
+ t.Run("bucket regex pattern, disallows slash", func(t *testing.T) {
+ b := bucket("")
+ err := b.Unpack("asdfdaf/dfadsfadsf")
+ assert.Error(t, err)
+ })
+
+ t.Run("bucket regex pattern, allows dots", func(t *testing.T) {
+ b := bucket("")
+ err := b.Unpack("this.is.a.bucket")
+ if !assert.NoError(t, err) {
+ return
+ }
+ assert.Equal(t, bucket("this.is.a.bucket"), b)
+ })
+
+ t.Run("bucket regex pattern, allows hyphens", func(t *testing.T) {
+ b := bucket("")
+ err := b.Unpack("this-is-a-bucket")
+ if !assert.NoError(t, err) {
+ return
+ }
+ assert.Equal(t, bucket("this-is-a-bucket"), b)
+ })
 }
 
 func TestNormalize(t *testing.T) {
diff --git a/x-pack/libbeat/common/cloudfoundry/events.go b/x-pack/libbeat/common/cloudfoundry/events.go
index f134585ac656..3a0f1756b6e5 100644
--- a/x-pack/libbeat/common/cloudfoundry/events.go
+++ b/x-pack/libbeat/common/cloudfoundry/events.go
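Review bot: `regexp.MustCompile(bucketNamePattern)` runs on every call to `Unpack`, at the new `var bucketRE` line; moving both the const and `var bucketRE = regexp.MustCompile(bucketNamePattern)` to package level compiles the pattern once and surfaces a broken pattern at init rather than while unpacking config. The pattern already bounds the name to 3–63 characters (`[a-z0-9]`, 1–61 more, `[a-z0-9]`), so the `min` length check it follows now overlaps with it, and it still accepts names S3 rejects, such as an IP-address form or adjacent dots, so a comment on the const — `// bucketNamePattern covers the S3 length and character-set rules only; IP-formatted names and ".." are not rejected` — would keep callers from reading a match as full validation. No hunk in this diff touches the file's imports, so presumably `regexp` is already imported there. Unpack's body starts outside the hunk.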
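Review bot: The new subtests reject `;` and `/` and accept dots and hyphens, but nothing pins the other constraints the pattern imposes — uppercase letters, a leading or trailing dot or hyphen, and the 63-character upper bound — so a later loosening of the regexp would still pass this suite. One subtest per constraint, e.g. `err := b.Unpack("Not-Lowercase")` and `err := b.Unpack(strings.Repeat("a", 64))` (adding a `strings` import if the test file lacks one), each followed by `assert.Error(t, err)`, closes that gap. TestBucket starts outside the hunk.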
@@ -492,15 +492,21 @@ func envelopMap(evt Event) common.MapStr {
 func baseMap(evt Event) common.MapStr {
 return common.MapStr{
 "cloudfoundry": common.MapStr{
- "type": evt.String(),
- evt.String(): common.MapStr{
- "timestamp": evt.Timestamp(),
- },
+ "type": evt.String(),
 "envelope": envelopMap(evt),
+ "tags": dedotedTags(evt.Tags()),
 },
 }
 }
 
+func dedotedTags(tags map[string]string) common.MapStr {
+ result := common.MapStr{}
+ for name, value := range tags {
+ result[common.DeDot(name)] = value
+ }
+ return result
+}
+
 func baseMapWithApp(evt EventWithAppID) common.MapStr {
 base := baseMap(evt)
 appID := evt.AppGuid()
diff --git a/x-pack/libbeat/common/cloudfoundry/events_test.go b/x-pack/libbeat/common/cloudfoundry/events_test.go
index e4fe6f39caf4..7dfd9bdcbd7d 100644
--- a/x-pack/libbeat/common/cloudfoundry/events_test.go
+++ b/x-pack/libbeat/common/cloudfoundry/events_test.go
@@ -76,9 +76,6 @@ func TestEventTypeHttpAccess(t *testing.T) {
 assert.Equal(t, common.MapStr{
 "cloudfoundry": common.MapStr{
 "type": "access",
- "access": common.MapStr{
- "timestamp": time.Unix(0, 1587469726082),
- },
 "envelope": common.MapStr{
 "origin": "origin",
 "deployment": "deployment",
@@ -89,6 +86,9 @@ func TestEventTypeHttpAccess(t *testing.T) {
 "app": common.MapStr{
 "id": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
 },
+ "tags": common.MapStr{
+ "tag": "value",
+ },
 },
 "http": common.MapStr{
 "response": common.MapStr{
@@ -148,7 +148,6 @@ func TestEventTypeLog(t *testing.T) {
 "cloudfoundry": common.MapStr{
 "type": "log",
 "log": common.MapStr{
- "timestamp": time.Unix(0, 1587469726082),
 "source": common.MapStr{
 "instance": evt.SourceID(),
 "type": evt.SourceType(),
@@ -164,6 +163,9 @@ func TestEventTypeLog(t *testing.T) {
 "app": common.MapStr{
 "id": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
 },
+ "tags": common.MapStr{
+ "tag": "value",
+ },
 },
 "message": "log message",
 "stream": "stdout",
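Review bot: `dedotedTags` has no doc comment and can lose data when two tag names collapse to the same key after `common.DeDot` (presumably `a.b` and `a_b` both become `a_b`): the later write wins, and because Go map iteration order is random the surviving value can differ between runs. A comment such as `// dedotedTags copies the event tags into a MapStr with common.DeDot applied to each name; names that collide after de-dotting overwrite each other in unspecified order.` states that contract, and if the collision matters, checking that the de-dotted key is not already present (keep the first, or log the duplicate) makes the output deterministic. Also worth noting is that `baseMap` now always emits a `tags` key, as an empty MapStr when `evt.Tags()` has no entries. baseMapWithApp continues outside the hunk.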
@@ -200,10 +202,9 @@ func TestEventCounter(t *testing.T) {
 "cloudfoundry": common.MapStr{
 "type": "counter",
 "counter": common.MapStr{
- "timestamp": time.Unix(0, 1587469726082),
- "name": "name",
- "delta": uint64(10),
- "total": uint64(999),
+ "name": "name",
+ "delta": uint64(10),
+ "total": uint64(999),
 },
 "envelope": common.MapStr{
 "origin": "origin",
@@ -212,6 +213,9 @@ func TestEventCounter(t *testing.T) {
 "job": "job",
 "index": "index",
 },
+ "tags": common.MapStr{
+ "tag": "value",
+ },
 },
 }, evt.ToFields())
 }
@@ -246,10 +250,9 @@ func TestEventValueMetric(t *testing.T) {
 "cloudfoundry": common.MapStr{
 "type": "value",
 "value": common.MapStr{
- "timestamp": time.Unix(0, 1587469726082),
- "name": "name",
- "value": 10.1,
- "unit": "unit",
+ "name": "name",
+ "value": 10.1,
+ "unit": "unit",
 },
 "envelope": common.MapStr{
 "origin": "origin",
@@ -258,6 +261,9 @@ func TestEventValueMetric(t *testing.T) {
 "job": "job",
 "index": "index",
 },
+ "tags": common.MapStr{
+ "tag": "value",
+ },
 },
 }, evt.ToFields())
 }
@@ -304,7 +310,6 @@ func TestEventContainerMetric(t *testing.T) {
 "cloudfoundry": common.MapStr{
 "type": "container",
 "container": common.MapStr{
- "timestamp": time.Unix(0, 1587469726082),
 "instance_index": int32(1),
 "cpu.pct": 0.2,
 "memory.bytes": uint64(1024),
@@ -322,6 +327,9 @@ func TestEventContainerMetric(t *testing.T) {
 "app": common.MapStr{
 "id": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
 },
+ "tags": common.MapStr{
+ "tag": "value",
+ },
 },
 }, evt.ToFields())
 }
@@ -356,8 +364,7 @@ func TestEventError(t *testing.T) {
 "cloudfoundry": common.MapStr{
 "type": "error",
 "error": common.MapStr{
- "timestamp": time.Unix(0, 1587469726082),
- "source": "source",
+ "source": "source",
 },
 "envelope": common.MapStr{
 "origin": "origin",
@@ -366,6 +373,9 @@ func TestEventError(t *testing.T) {
 "job": "job",
 "index": "index",
 },
+ "tags": common.MapStr{
+ "tag": "value",
+ },
 },
 "message": "message",
 "code": int32(100),
diff --git a/x-pack/libbeat/processors/add_cloudfoundry_metadata/_meta/fields.yml b/x-pack/libbeat/processors/add_cloudfoundry_metadata/_meta/fields.yml index bd6e158bb368..33d63e362f81 100644 --- a/x-pack/libbeat/processors/add_cloudfoundry_metadata/_meta/fields.yml +++ b/x-pack/libbeat/processors/add_cloudfoundry_metadata/_meta/fields.yml @@ -11,29 +11,63 @@ - name: app.id type: keyword description: > - Cloud Foundry application ID + Cloud Foundry application identifier. - name: app.name type: keyword description: > - Cloud Foundry application name + Cloud Foundry application name. - name: space.id type: keyword description: > - Cloud Foundry space name + Cloud Foundry space identifier. - name: space.name type: keyword description: > - Cloud Foundry space name + Cloud Foundry space name. - name: org.id type: keyword description: > - Cloud Foundry organization ID + Cloud Foundry organization identifier. - name: org.name type: keyword description: > - Cloud Foundry organization name + Cloud Foundry organization name. + + - name: tags.* + type: object + object_type: keyword + description: > + Cloud Foundry tags. + + - name: envelope + type: group + fields: + - name: deployment + type: keyword + description: > + Identifier of the Cloud Foundry deployment where this event was created. + + - name: index + type: keyword + description: > + Envelope index. + + - name: ip + type: ip + description: > + IP address of the node where the job that created this event is running. + + - name: job + type: keyword + description: > + Job name. + + - name: origin + type: keyword + description: > + Name of the deployment that created this event. diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index 2c38df1fffc1..507d84924856 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml 
@@ -1106,6 +1106,16 @@ metricbeat.modules: # Store counter rates instead of original cumulative counters (experimental, default: false) #rate_counters: true +# Metrics sent by a Prometheus server using remote_write option +#- module: prometheus +# metricsets: ["remote_write"] +# host: "localhost" +# port: "9201" + + # Secure settings for the server using TLS/SSL: + #ssl.certificate: "/etc/pki/server/cert.pem" + #ssl.key: "/etc/pki/server/cert.key" + # Use Elasticsearch histogram type to store histograms (beta, default: false) # This will change the default layout and put metric type in the field name #use_types: true @@ -1118,17 +1128,6 @@ metricbeat.modules: # counter_patterns: [] # histogram_patterns: [] - -# Metrics sent by a Prometheus server using remote_write option -#- module: prometheus -# metricsets: ["remote_write"] -# host: "localhost" -# port: "9201" - - # Secure settings for the server using TLS/SSL: - #ssl.certificate: "/etc/pki/server/cert.pem" - #ssl.key: "/etc/pki/server/cert.key" - # Metrics that will be collected using a PromQL #- module: prometheus # metricsets: ["query"] diff --git a/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-ec2-overview.json b/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-ec2-overview.json index 33dee279f767..faf25066393f 100644 --- a/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-ec2-overview.json +++ b/x-pack/metricbeat/module/aws/_meta/kibana/7/dashboard/Metricbeat-aws-ec2-overview.json 
@@ -1,778 +1,944 @@ { - "objects": [ - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 DiskIO Write Bytes [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "annotations": [], - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" - } - ], - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(104,188,0,1)", - "fill": "0", - "filter": "", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "AWS EC2 DiskIO Write Bytes", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.diskio.write.bytes", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } - ], - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 1, - "split_color_mode": "rainbow", - "split_mode": "terms", - "stacked": "none", - "steps": 0, - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "terms_size": "5" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "timeseries" - }, - "title": "AWS EC2 DiskIO Write Bytes", - "type": "metrics" - } + "objects": [ + { + "attributes": { + "description": "Overview of AWS EC2 Metrics", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "title": "DiskIO Write Bytes" + }, + 
"gridData": { + "h": 15, + "i": "3", + "w": 24, + "x": 24, + "y": 16 + }, + "panelIndex": "3", + "panelRefName": "panel_0", + "title": "DiskIO Write Bytes", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "Status Check" + }, + "gridData": { + "h": 5, + "i": "5", + "w": 18, + "x": 6, + "y": 11 + }, + "panelIndex": "5", + "panelRefName": "panel_1", + "title": "Status Check", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "Network In Bytes" + }, + "gridData": { + "h": 15, + "i": "11", + "w": 24, + "x": 0, + "y": 31 + }, + "panelIndex": "11", + "panelRefName": "panel_2", + "title": "Network In Bytes", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "Network Out Bytes" + }, + "gridData": { + "h": 15, + "i": "12", + "w": 24, + "x": 24, + "y": 31 + }, + "panelIndex": "12", + "panelRefName": "panel_3", + "title": "Network Out Bytes", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "DiskIO Read Bytes" + }, + "gridData": { + "h": 15, + "i": "15", + "w": 24, + "x": 0, + "y": 16 + }, + "panelIndex": "15", + "panelRefName": "panel_4", + "title": "DiskIO Read Bytes", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "CPU Utilization" + }, + "gridData": { + "h": 16, + "i": "17", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "17", + "panelRefName": "panel_5", + "title": "CPU Utilization", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "Filters" + }, + "gridData": { + "h": 16, + "i": "18", + "w": 6, + "x": 0, + "y": 0 + }, + "panelIndex": "18", + "panelRefName": "panel_6", + "title": "Filters", + "version": "7.9.1" + }, + { + "embeddableConfig": { + "title": "Instance State" }, - "id": "fed59380-f7f8-11e8-af03-c999c9dea608-ecs", - "type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "gridData": { + "h": 11, + "i": "19", + "w": 18, + "x": 6, + "y": 0 + }, + "panelIndex": "19", + "panelRefName": "panel_7", + "title": "Instance State", + 
"version": "7.9.1" + } + ], + "timeRestore": false, + "title": "[Metricbeat AWS] EC2 Overview", + "version": 1 + }, + "id": "c5846400-f7fb-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "fed59380-f7f8-11e8-af03-c999c9dea608-ecs", + "name": "panel_0", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 Status Check Failed [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "d13f6b50-f7f6-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "ad6d62d0-f7f7-11e8-bff8-21537b07dd44" - } - ], - "gauge_color_rules": [ - { - "id": "b0c5b590-f7f7-11e8-bff8-21537b07dd44" - } - ], - "gauge_inner_width": 10, - "gauge_style": "half", - "gauge_width": 10, - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "auto", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "#68BC00", - "fill": 0.5, - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "EC2 Status Check Failed", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.status.check_failed", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "sum" - } - ], - "point_size": 1, - "separate_axis": 0, - "split_mode": "everything", - "stacked": "none", - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "metric" - }, - "title": "AWS EC2 Status Check Failed", - "type": "metrics" - } - }, - "id": "9e8c6030-f7f8-11e8-af03-c999c9dea608-ecs", - 
"type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "id": "9e8c6030-f7f8-11e8-af03-c999c9dea608-ecs", + "name": "panel_1", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 Network In Bytes [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "annotations": [], - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" - } - ], - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(104,188,0,1)", - "fill": "0", - "filter": "", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "AWS EC2 Network In Bytes", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.network.in.bytes", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } - ], - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 1, - "split_color_mode": "rainbow", - "split_mode": "terms", - "stacked": "none", - "steps": 0, - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "terms_size": "5" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "timeseries" - }, - "title": "AWS EC2 Network In Bytes", - "type": "metrics" - } - }, - "id": "15818fd0-f7f9-11e8-af03-c999c9dea608-ecs", - "type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "id": "15818fd0-f7f9-11e8-af03-c999c9dea608-ecs", + "name": "panel_2", + "type": "visualization" }, { - "attributes": { - 
"description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 Network Out Bytes [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "annotations": [], - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" - } - ], - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(104,188,0,1)", - "fill": "0", - "filter": "", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "AWS EC2 Network Out Bytes", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.network.out.bytes", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } - ], - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 1, - "split_color_mode": "rainbow", - "split_mode": "terms", - "stacked": "none", - "steps": 0, - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "terms_size": "5" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "timeseries" - }, - "title": "AWS EC2 Network Out Bytes", - "type": "metrics" - } - }, - "id": "233b3400-f7f9-11e8-af03-c999c9dea608-ecs", - "type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "id": "233b3400-f7f9-11e8-af03-c999c9dea608-ecs", + "name": "panel_3", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 DiskIO Read Bytes [Metricbeat AWS]", - 
"uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "annotations": [], - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" - } - ], - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(104,188,0,1)", - "fill": "0", - "filter": "", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "AWS EC2 DiskIO Read Bytes", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.diskio.read.bytes", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } - ], - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 1, - "split_color_mode": "rainbow", - "split_mode": "terms", - "stacked": "none", - "steps": 0, - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "terms_size": "5" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "timeseries" - }, - "title": "AWS EC2 DiskIO Read Bytes", - "type": "metrics" - } - }, - "id": "f1db6ec0-f7f8-11e8-af03-c999c9dea608-ecs", - "type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "id": "f1db6ec0-f7f8-11e8-af03-c999c9dea608-ecs", + "name": "panel_4", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 CPU Utilization [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "annotations": [], - "axis_formatter": "number", - "axis_position": "left", - "axis_scale": "normal", - "background_color_rules": [ - { - 
"id": "23428b30-f7f2-11e8-bff8-21537b07dd44" - } - ], - "bar_color_rules": [ - { - "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" - } - ], - "id": "61ca57f0-469d-11e7-af02-69e470af7417", - "index_pattern": "metricbeat-*", - "interval": "5m", - "series": [ - { - "axis_position": "right", - "chart_type": "line", - "color": "rgba(104,188,0,1)", - "fill": "0", - "filter": "", - "formatter": "number", - "id": "61ca57f1-469d-11e7-af02-69e470af7417", - "label": "AWS EC2 CPU Utilization", - "line_width": 1, - "metrics": [ - { - "field": "aws.ec2.cpu.total.pct", - "id": "61ca57f2-469d-11e7-af02-69e470af7417", - "type": "avg" - } - ], - "point_size": 1, - "separate_axis": 0, - "series_drop_last_bucket": 1, - "split_color_mode": "rainbow", - "split_mode": "terms", - "stacked": "none", - "steps": 0, - "terms_field": "cloud.instance.id", - "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", - "terms_size": "5" - } - ], - "show_grid": 1, - "show_legend": 1, - "time_field": "@timestamp", - "type": "timeseries" - }, - "title": "AWS EC2 CPU Utilization", - "type": "metrics" - } - }, - "id": "be8828d0-f7f6-11e8-af03-c999c9dea608-ecs", - "type": "visualization", - "updated_at": "2019-02-08T23:15:16.726Z", - "version": 6 + "id": "be8828d0-f7f6-11e8-af03-c999c9dea608-ecs", + "name": "panel_5", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "Filters [Metricbeat AWS]", - "uiStateJSON": {}, - "version": 1, - "visState": { - "aggs": [], - "params": { - "controls": [ - { - "fieldName": "cloud.region", - "id": "1549397251041", - "indexPattern": "metricbeat-*", - "label": "region", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - }, - { - "fieldName": "cloud.availability_zone", - "id": "1549512126406", - "indexPattern": 
"metricbeat-*", - "label": "availability zone", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - }, - { - "fieldName": "cloud.machine.type", - "id": "1549512142947", - "indexPattern": "metricbeat-*", - "label": "machine type", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - } - ], - "pinFilters": false, - "updateFiltersOnChange": true, - "useTimeFilter": false - }, - "title": "AWS Filters", - "type": "input_control_vis" - } - }, - "id": "deab0260-2981-11e9-86eb-a3a07a77f530", - "type": "visualization", - "updated_at": "2019-02-08T23:32:53.876Z", - "version": 12 + "id": "deab0260-2981-11e9-86eb-a3a07a77f530", + "name": "panel_6", + "type": "visualization" }, { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "index": "metricbeat-*", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "EC2 Instance State [Metricbeat AWS]", - "uiStateJSON": { - "vis": { - "colors": { - "16": "#629E51", - "272": "#DEDAF7", - "80": "#E24D42", - "running": "#7EB26D", - "stopped": "#E24D42" - }, - "legendOpen": true - } + "id": "09db13f0-2bdd-11e9-9fe1-cde861544141", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-09-15T16:57:30.054Z", + "version": "WzEyNjksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 DiskIO Write Bytes [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": 
"23428b30-f7f2-11e8-bff8-21537b07dd44" + } + ], + "bar_color_rules": [ + { + "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "5m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": "", + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "AWS EC2 DiskIO Write Bytes", + "line_width": "2", + "metrics": [ + { + "field": "aws.ec2.diskio.write.bytes", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "avg" + } + ], + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 1, + "split_color_mode": "rainbow", + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "terms_size": "10" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "EC2 DiskIO Write Bytes [Metricbeat AWS]", + "type": "metrics" + } + }, + "id": "fed59380-f7f8-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:55:57.556Z", + "version": "WzEyNTQsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 Status Check Failed [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "d13f6b50-f7f6-11e8-bff8-21537b07dd44" + } + ], + 
"bar_color_rules": [ + { + "id": "ad6d62d0-f7f7-11e8-bff8-21537b07dd44" + } + ], + "gauge_color_rules": [ + { + "id": "b0c5b590-f7f7-11e8-bff8-21537b07dd44" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "EC2 Status Check Failed", + "line_width": 1, + "metrics": [ + { + "field": "aws.ec2.status.check_failed", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "sum" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_color_mode": "gradient", + "split_mode": "everything", + "stacked": "none", + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "metric" + }, + "title": "AWS EC2 Status Check Failed", + "type": "metrics" + } + }, + "id": "9e8c6030-f7f8-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:01:03.887Z", + "version": "WzEwMiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 Network In Bytes [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" + } + ], + "bar_color_rules": [ + { + "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" + } + ], + "default_index_pattern": 
"metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": "", + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "AWS EC2 Network In Bytes", + "line_width": "2", + "metrics": [ + { + "field": "aws.ec2.network.in.bytes", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "avg" + } + ], + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 1, + "split_color_mode": "rainbow", + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "terms_size": "10" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "EC2 Network In Bytes [Metricbeat AWS]", + "type": "metrics" + } + }, + "id": "15818fd0-f7f9-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:50:36.078Z", + "version": "WzExOTEsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 Network Out Bytes [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" + } + ], + "bar_color_rules": [ + { + "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" + } + ], + "default_index_pattern": "metricbeat-*", + 
"default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": "", + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "AWS EC2 Network Out Bytes", + "line_width": "2", + "metrics": [ + { + "field": "aws.ec2.network.out.bytes", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "avg" + } + ], + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 1, + "split_color_mode": "rainbow", + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "terms_size": "10" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "EC2 Network Out Bytes [Metricbeat AWS]", + "type": "metrics" + } + }, + "id": "233b3400-f7f9-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:50:59.719Z", + "version": "WzExOTMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 DiskIO Read Bytes [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" + } + ], + "bar_color_rules": [ + { + "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": 
"@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "" }, - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "EC2 Instance State" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "", - "field": "aws.ec2.instance.state.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "isDonut": false, - "labels": { - "last_level": true, - "show": true, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "type": "pie" - }, - "title": "AWS EC2 Instance State", - "type": "pie" - } - }, - "id": "09db13f0-2bdd-11e9-9fe1-cde861544141", - "type": "visualization", - "updated_at": "2019-02-09T00:03:45.800Z", - "version": 5 + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "AWS EC2 DiskIO Read Bytes", + "line_width": "2", + "metrics": [ + { + "field": "aws.ec2.diskio.read.bytes", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "avg" + } + ], + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 1, + "split_color_mode": "rainbow", + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "terms_size": "10" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "EC2 DiskIO Read Bytes [Metricbeat AWS]", + 
"type": "metrics" + } + }, + "id": "f1db6ec0-f7f8-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:55:49.460Z", + "version": "WzEyNTMsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } }, - { - "attributes": { - "description": "Overview of AWS EC2 Metrics", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } + "title": "EC2 CPU Utilization [Metricbeat AWS] ECS", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "annotations": [], + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "23428b30-f7f2-11e8-bff8-21537b07dd44" + } + ], + "bar_color_rules": [ + { + "id": "2592bcc0-f7f2-11e8-bff8-21537b07dd44" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "metricbeat-*", + "interval": "\u003e=5m", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": "", + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "AWS EC2 CPU Utilization ECS", + "line_width": "2", + "metrics": [ + { + "field": "aws.ec2.cpu.total.pct", + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "avg" + } + ], + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 1, + "split_color_mode": "rainbow", + "split_mode": "terms", + "stacked": "none", + "steps": 0, + "terms_field": "cloud.instance.id", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "terms_size": "10" + } + ], 
+ "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "tooltip_mode": "show_all", + "type": "timeseries" + }, + "title": "EC2 CPU Utilization [Metricbeat AWS] ECS", + "type": "metrics" + } + }, + "id": "be8828d0-f7f6-11e8-af03-c999c9dea608-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-09-15T16:57:23.961Z", + "version": "WzEyNjgsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "AWS Account Filter [Metricbeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "cloud.account.name", + "id": "1549397251041", + "indexPatternRefName": "control_0_index_pattern", + "label": "account name", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" }, - "optionsJSON": { - "darkTheme": false, - "hidePanelTitles": false, - "useMargins": true + "parent": "", + "type": "list" + }, + { + "fieldName": "cloud.region", + "id": "1600187617334", + "indexPatternRefName": "control_1_index_pattern", + "label": "region", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" }, - "panelsJSON": [ - { - "embeddableConfig": {}, - "gridData": { - "h": 15, - "i": "3", - "w": 24, - "x": 24, - "y": 27 - }, - "id": "fed59380-f7f8-11e8-af03-c999c9dea608-ecs", - "panelIndex": "3", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 12, - "i": "5", - "w": 12, - "x": 36, - "y": 0 - }, - "id": "9e8c6030-f7f8-11e8-af03-c999c9dea608-ecs", - "panelIndex": "5", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 15, - "i": "11", - "w": 
24, - "x": 0, - "y": 42 - }, - "id": "15818fd0-f7f9-11e8-af03-c999c9dea608-ecs", - "panelIndex": "11", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 15, - "i": "12", - "w": 24, - "x": 24, - "y": 42 - }, - "id": "233b3400-f7f9-11e8-af03-c999c9dea608-ecs", - "panelIndex": "12", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 15, - "i": "15", - "w": 24, - "x": 0, - "y": 27 - }, - "id": "f1db6ec0-f7f8-11e8-af03-c999c9dea608-ecs", - "panelIndex": "15", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 15, - "i": "17", - "w": 48, - "x": 0, - "y": 12 - }, - "id": "be8828d0-f7f6-11e8-af03-c999c9dea608-ecs", - "panelIndex": "17", - "type": "visualization", - "version": "6.5.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 12, - "i": "18", - "w": 17, - "x": 0, - "y": 0 - }, - "id": "deab0260-2981-11e9-86eb-a3a07a77f530", - "panelIndex": "18", - "type": "visualization", - "version": "6.6.0" - }, - { - "embeddableConfig": {}, - "gridData": { - "h": 12, - "i": "19", - "w": 19, - "x": 17, - "y": 0 - }, - "id": "09db13f0-2bdd-11e9-9fe1-cde861544141", - "panelIndex": "19", - "type": "visualization", - "version": "6.6.0" - } - ], - "timeRestore": false, - "title": "[Metricbeat AWS] EC2 Overview", - "version": 1 + "parent": "", + "type": "list" + }, + { + "fieldName": "cloud.instance.name", + "id": "1600187931107", + "indexPatternRefName": "control_2_index_pattern", + "label": "instance name", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": true, + "useTimeFilter": false + }, + "title": "AWS Account Filter [Metricbeat AWS]", + "type": "input_control_vis" + } + }, + "id": "deab0260-2981-11e9-86eb-a3a07a77f530", + "migrationVersion": { + 
"visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metricbeat-*", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "metricbeat-*", + "name": "control_2_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-09-15T16:39:11.261Z", + "version": "WzEwNjYsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "EC2 Instance State [Metricbeat AWS] ECS", + "uiStateJSON": { + "vis": { + "colors": { + "16": "#629E51", + "272": "#DEDAF7", + "80": "#E24D42", + "running": "#7EB26D", + "stopped": "#E24D42" + }, + "legendOpen": true + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "EC2 Instance State" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "", + "field": "aws.ec2.instance.state.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": false, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true }, - "id": "c5846400-f7fb-11e8-af03-c999c9dea608-ecs", - "type": "dashboard", - "updated_at": "2019-02-09T00:05:11.360Z", - "version": 9 + "legendPosition": "right", + "type": "pie" + }, + "title": "EC2 Instance State [Metricbeat AWS] ECS", + "type": "pie" + } + }, + "id": "09db13f0-2bdd-11e9-9fe1-cde861544141", + "migrationVersion": { + "visualization": 
"7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "metricbeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" } - ], - "version": "6.6.0" + ], + "type": "visualization", + "updated_at": "2020-09-15T16:01:08.017Z", + "version": "WzE0MywxXQ==" + } + ], + "version": "7.9.1" } diff --git a/x-pack/metricbeat/module/aws/fields.go b/x-pack/metricbeat/module/aws/fields.go index 12efc5c0cf98..31a766459c73 100644 --- a/x-pack/metricbeat/module/aws/fields.go +++ b/x-pack/metricbeat/module/aws/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "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" + return "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" } diff --git a/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml b/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml index 91becec6fef6..74db186c905d 100644 --- a/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml +++ b/x-pack/metricbeat/module/aws/lambda/_meta/fields.yml @@ -2,7 +2,7 @@ type: group description: > `lambda` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS Lambda. - release: beta + release: ga fields: - name: metrics type: group diff --git a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json index e73bc6a1e5e1..78660789d5b5 100644 --- a/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json +++ b/x-pack/metricbeat/module/azure/_meta/kibana/7/dashboard/Metricbeat-azure-vm-overview.json @@ -19,7 +19,9 @@ }, "panelsJSON": [ { - "embeddableConfig": {}, + "embeddableConfig": { + "title": "VM Filters" + }, "gridData": { "h": 12, "i": "aa881f9d-28d3-4722-822e-3e670021cf52", 
@@ -29,7 +31,8 @@ }, "panelIndex": "aa881f9d-28d3-4722-822e-3e670021cf52", "panelRefName": "panel_0", - "version": "7.4.0" + "title": "VM Filters", + "version": "7.9.1" }, { "embeddableConfig": { @@ -45,7 +48,7 @@ "panelIndex": "e673f70c-f811-4290-9087-578c7dd13675", "panelRefName": "panel_1", "title": "VM CPU Utilization", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -61,7 +64,7 @@ "panelIndex": "2473ef72-c56c-4783-a36a-f4b8efd66ab7", "panelRefName": "panel_2", "title": "VM Available Memory", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": {}, @@ -74,7 +77,7 @@ }, "panelIndex": "14e225ef-6417-4377-b2cb-6b46b6693b78", "panelRefName": "panel_3", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -90,7 +93,7 @@ "panelIndex": "535d70b3-3f3c-4a84-85ba-ab671b6d144f", "panelRefName": "panel_4", "title": "VM Network In Total", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -106,7 +109,7 @@ "panelIndex": "6903a45e-bf11-4db2-9497-fd9692e83448", "panelRefName": "panel_5", "title": "VM Network Out Total", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -122,7 +125,7 @@ "panelIndex": "aa57fa8f-f6ea-45e3-9b2c-ba948d625813", "panelRefName": "panel_6", "title": "VM Disk Writes", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -138,7 +141,7 @@ "panelIndex": "8879143b-ed83-45ec-8c58-b10dc1597c22", "panelRefName": "panel_7", "title": "VM Disk Read Operations/s", - "version": "7.4.0" + "version": "7.9.1" }, { "embeddableConfig": { @@ -154,7 +157,7 @@ "panelIndex": "4071f2bf-1794-45ff-b76d-58864226d8b7", "panelRefName": "panel_8", "title": "VM Disk Write Operations/s", - "version": "7.4.0" + "version": "7.9.1" } ], "timeRestore": false, @@ -165,6 +168,9 @@ "migrationVersion": { "dashboard": "7.3.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "5031b220-eb61-11e9-90ec-112a988266d5", 
@@ -213,8 +219,8 @@ } ], "type": "dashboard", - "updated_at": "2019-10-15T11:53:03.300Z", - "version": "WzMxOTAsMV0=" + "updated_at": "2020-09-15T16:10:59.501Z", + "version": "Wzg4NSwxXQ==" }, { "attributes": { @@ -291,8 +297,11 @@ }, "id": "5031b220-eb61-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "metricbeat-*", @@ -311,8 +320,8 @@ } ], "type": "visualization", - "updated_at": "2019-10-11T06:35:45.645Z", - "version": "WzE0ODMsMV0=" + "updated_at": "2020-09-15T16:21:47.113Z", + "version": "WzkyNywxXQ==" }, { "attributes": { @@ -387,12 +396,15 @@ }, "id": "db9a3490-ea8f-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:52:01.637Z", - "version": "WzMxODQsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzMywxXQ==" }, { "attributes": { @@ -445,6 +457,7 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", "terms_field": "azure.resource.name", @@ -462,12 +475,15 @@ }, "id": "7205a4f0-ea95-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:52:22.085Z", - "version": "WzMxODYsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzNCwxXQ==" }, { "attributes": { @@ -520,6 +536,7 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", "terms_field": "azure.resource.name", 
@@ -538,12 +555,15 @@ }, "id": "e8ca65c0-eb45-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:50:30.820Z", - "version": "WzMxNzgsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzNSwxXQ==" }, { "attributes": { @@ -596,6 +616,7 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", "terms_field": "azure.resource.name", @@ -613,12 +634,15 @@ }, "id": "8b6b9450-ea99-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:52:40.578Z", - "version": "WzMxODgsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzNiwxXQ==" }, { "attributes": { @@ -671,6 +695,7 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", "terms_field": "azure.resource.name", @@ -689,12 +714,15 @@ }, "id": "abd32c30-ea99-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:49:45.582Z", - "version": "WzMxNzQsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzNywxXQ==" }, { "attributes": { @@ -747,6 +775,7 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", "terms_field": "azure.resource.name", 
@@ -765,12 +794,15 @@ }, "id": "5c016810-ea9a-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:50:07.876Z", - "version": "WzMxNzYsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzOCwxXQ==" }, { "attributes": { @@ -823,6 +855,7 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", "terms_field": "azure.resource.name", @@ -841,12 +874,15 @@ }, "id": "3a50e950-eb46-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:50:55.337Z", - "version": "WzMxODAsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzMzOSwxXQ==" }, { "attributes": { @@ -899,6 +935,7 @@ ], "point_size": 0, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "terms", "stacked": "none", "terms_field": "azure.resource.name", @@ -917,13 +954,16 @@ }, "id": "0892eaa0-ea9a-11e9-90ec-112a988266d5", "migrationVersion": { - "visualization": "7.3.1" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2019-10-15T11:51:33.545Z", - "version": "WzMxODIsMV0=" + "updated_at": "2020-09-15T16:01:27.530Z", + "version": "WzM0MCwxXQ==" } ], - "version": "7.4.0" + "version": "7.9.1" } diff --git a/x-pack/metricbeat/module/cloudfoundry/container/_meta/data.json b/x-pack/metricbeat/module/cloudfoundry/container/_meta/data.json index 3d1f51694e40..16a4f1ef128b 100644 --- a/x-pack/metricbeat/module/cloudfoundry/container/_meta/data.json +++ b/x-pack/metricbeat/module/cloudfoundry/container/_meta/data.json 
@@ -1,35 +1,31 @@
 {
- "@timestamp": "2020-02-27T18:09:35.583Z",
+ "@timestamp": "2017-10-12T08:05:34.853Z",
 "cloudfoundry": {
+ "app": {
+ "id": "3ce55e14-de73-49af-836d-adc93f3fee39"
+ },
 "container": {
+ "cpu.pct": 0.19431789913648675,
+ "disk.bytes": 16678912,
+ "disk.quota.bytes": 33554432,
 "instance_index": 0,
- "cpu.pct": 0.18815706013687805,
- "memory.bytes": 23320985,
- "memory.quota.bytes": 134217728,
- "disk.bytes": 186187776,
- "timestamp": "2020-02-27T18:09:35.583Z",
- "type": "container",
- "disk.quota.bytes": 2122136037
+ "memory.bytes": 8529920,
+ "memory.quota.bytes": 33554432
 },
 "envelope": {
- "origin": "rep",
- "deployment": "cf",
- "ip": "10.144.0.13",
- "job": "diego-cell",
- "index": "3a0034ac-59ef-43e2-8b06-b14b32fe62f0"
+ "deployment": "cf-6b7aee31c8d07637ad78",
+ "index": "c2bcf5d6-7ff9-4876-890f-6f8fc6c58668",
+ "ip": "192.168.16.51",
+ "job": "diego_cell",
+ "origin": "rep"
 },
- "app": {
- "id": "8cfc6857-3576-45a9-b1cd-890b28aa9c4a"
- }
- },
- "event": {
- "dataset": "cloudfoundry.container",
- "module": "cloudfoundry"
- },
- "metricset": {
- "name": "container"
+ "tags": {
+ "product": "Pivotal Application Service",
+ "source_id": "3ce55e14-de73-49af-836d-adc93f3fee39"
+ },
+ "type": "container"
 },
 "service": {
 "type": "cloudfoundry"
 }
-}
+}
\ No newline at end of file
diff --git a/x-pack/metricbeat/module/cloudfoundry/container/container_integration_test.go b/x-pack/metricbeat/module/cloudfoundry/container/container_integration_test.go
index e871a5823fcf..605f7145f64a 100644
--- a/x-pack/metricbeat/module/cloudfoundry/container/container_integration_test.go
+++ b/x-pack/metricbeat/module/cloudfoundry/container/container_integration_test.go
@@ -49,5 +49,6 @@ func TestData(t *testing.T) {
 require.NotEmpty(t, events)
 beatEvent := mbtest.StandardizeEvent(ms, events[0])
+ mtest.CleanFields(beatEvent)
 mbtest.WriteEventToDataJSON(t, beatEvent, "")
 }
diff --git a/x-pack/metricbeat/module/cloudfoundry/counter/_meta/data.json b/x-pack/metricbeat/module/cloudfoundry/counter/_meta/data.json
index d6f155213af8..5889e632b6bf 100644
--- a/x-pack/metricbeat/module/cloudfoundry/counter/_meta/data.json
+++ b/x-pack/metricbeat/module/cloudfoundry/counter/_meta/data.json
@@ -1,29 +1,27 @@
 {
- "@timestamp": "2020-02-24T18:49:02.674Z",
+ "@timestamp": "2017-10-12T08:05:34.853Z",
 "cloudfoundry": {
 "counter": {
- "total": 0,
- "name": "promhttp_metric_handler_errors_total",
 "delta": 0,
- "timestamp": "2020-02-24T18:49:02.674Z",
- "type": "counter"
+ "name": "dropped",
+ "total": 0
 },
 "envelope": {
- "origin": "loggregator_forwarder_agent",
- "deployment": "cf",
- "ip": "10.144.0.13",
- "job": "diego-cell",
- "index": "1e58e943-a498-4339-9d5f-2885bf223db9"
- }
- },
- "event": {
- "dataset": "cloudfoundry.counter",
- "module": "cloudfoundry"
- },
- "metricset": {
- "name": "counter"
+ "deployment": "cf-6b7aee31c8d07637ad78",
+ "index": "995eb273-f871-4fea-a834-dbc0a4a72efc",
+ "ip": "192.168.16.37",
+ "job": "syslog_adapter",
+ "origin": "loggregator.metron"
+ },
+ "tags": {
+ "direction": "ingress",
+ "metric_version": "2.0",
+ "product": "Pivotal Application Service",
+ "source_id": "metron"
+ },
+ "type": "counter"
 },
 "service": {
 "type": "cloudfoundry"
 }
-}
+}
\ No newline at end of file
diff --git a/x-pack/metricbeat/module/cloudfoundry/counter/counter_integration_test.go b/x-pack/metricbeat/module/cloudfoundry/counter/counter_integration_test.go
index 44cb4935e70a..f7c13b1a6035 100644
--- a/x-pack/metricbeat/module/cloudfoundry/counter/counter_integration_test.go
+++ b/x-pack/metricbeat/module/cloudfoundry/counter/counter_integration_test.go
@@ -49,5 +49,6 @@ func TestData(t *testing.T) {
 require.NotEmpty(t, events)
 beatEvent := mbtest.StandardizeEvent(ms, events[0])
+ mtest.CleanFields(beatEvent)
 mbtest.WriteEventToDataJSON(t, beatEvent, "")
 }
diff --git a/x-pack/metricbeat/module/cloudfoundry/mtest/config.go b/x-pack/metricbeat/module/cloudfoundry/mtest/config.go
index c0756c57cca4..8f98d528f586 100644
--- a/x-pack/metricbeat/module/cloudfoundry/mtest/config.go
+++ b/x-pack/metricbeat/module/cloudfoundry/mtest/config.go
@@ -7,6 +7,7 @@ package mtest
 import (
 "testing"
+ "github.com/elastic/beats/v7/libbeat/beat"
 cftest "github.com/elastic/beats/v7/x-pack/libbeat/common/cloudfoundry/test"
 )
@@ -19,3 +20,8 @@ func GetConfig(t *testing.T, metricset string) map[string]interface{} {
 return config
 }
+
+ // CleanFields removes fields that can contain data of real deployments
+ func CleanFields(e beat.Event) {
+ e.Fields.Delete("cloudfoundry.tags.system_domain")
+ }
diff --git a/x-pack/metricbeat/module/cloudfoundry/value/_meta/data.json b/x-pack/metricbeat/module/cloudfoundry/value/_meta/data.json
index bf70762fd387..1d17070a200c 100644
--- a/x-pack/metricbeat/module/cloudfoundry/value/_meta/data.json
+++ b/x-pack/metricbeat/module/cloudfoundry/value/_meta/data.json
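Review bot: `CleanFields` drops the result of `e.Fields.Delete` (libbeat's `MapStr.Delete` returns an error when the key is absent, if I recall its signature correctly) with no comment, so a reader cannot tell whether a missing `cloudfoundry.tags.system_domain` is the expected case for events that carry no such tag or an oversight; make that explicit with `_ = e.Fields.Delete("cloudfoundry.tags.system_domain") // key may be absent; nothing to scrub`. The doc comment should also say why this one key is the scrub list: the regenerated `_meta/data.json` fixtures in this commit still publish `envelope.ip`, `envelope.deployment`, `envelope.index` and `tags.source_id`, which look like values from a test foundation rather than a production one, but a maintainer who later regenerates the fixtures against a live deployment has no hint that those fields are deliberately left in. A sentence such as "called by the TestData tests before mbtest.WriteEventToDataJSON so that deployment-identifying tags never reach the committed sample files; extend the key list if new identifying tags appear" would capture both the intent and the maintenance rule. The same call site is added in the container, counter and value `TestData` hunks, whose function bodies start outside their hunks.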
@@ -1,29 +1,24 @@
 {
- "@timestamp": "2020-02-27T18:20:48.379Z",
+ "@timestamp": "2017-10-12T08:05:34.853Z",
 "cloudfoundry": {
- "value": {
- "unit": "",
- "value": 5.125735912782789e-05,
- "timestamp": "2020-02-27T18:20:48.379Z",
- "type": "value",
- "name": "go_memstats_gc_cpu_fraction"
- },
 "envelope": {
- "origin": "loggregator_forwarder_agent",
- "deployment": "cf",
- "ip": "10.144.0.11",
- "job": "scheduler",
- "index": "d6b7bb59-ac57-4ed5-a0a7-0b23e19d9f8f"
+ "deployment": "cf-6b7aee31c8d07637ad78",
+ "index": "dffd1799-d03a-405a-9309-3fcce23f536f",
+ "ip": "192.168.16.15",
+ "job": "diego_database",
+ "origin": "silk-controller"
+ },
+ "tags": {
+ "source_id": "silk-controller"
+ },
+ "type": "value",
+ "value": {
+ "name": "LeasesIndexRequestTime",
+ "unit": "ms",
+ "value": 0.681265
 }
 },
- "event": {
- "dataset": "cloudfoundry.value",
- "module": "cloudfoundry"
- },
- "metricset": {
- "name": "value"
- },
 "service": {
 "type": "cloudfoundry"
 }
-}
+}
\ No newline at end of file
diff --git a/x-pack/metricbeat/module/cloudfoundry/value/value_integration_test.go b/x-pack/metricbeat/module/cloudfoundry/value/value_integration_test.go
index 610a0a8e0295..af815a3d4b76 100644
--- a/x-pack/metricbeat/module/cloudfoundry/value/value_integration_test.go
+++ b/x-pack/metricbeat/module/cloudfoundry/value/value_integration_test.go
@@ -49,5 +49,6 @@ func TestData(t *testing.T) {
 require.NotEmpty(t, events)
 beatEvent := mbtest.StandardizeEvent(ms, events[0])
+ mtest.CleanFields(beatEvent)
 mbtest.WriteEventToDataJSON(t, beatEvent, "")
 }
diff --git a/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-compute-overview.json b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-compute-overview.json
index 1f6d0b168912..185905f94ae6 100644
--- a/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-compute-overview.json
+++ b/x-pack/metricbeat/module/googlecloud/_meta/kibana/7/dashboard/Metricbeat-googlecloud-compute-overview.json @@ -32,7 +32,7 @@ "panelIndex": "28706ab2-1142-401d-9143-f4176a034c10", "panelRefName": "panel_0", "title": "Filters", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -48,7 +48,7 @@ "panelIndex": "2034fcc8-5cd7-4ee8-8c8f-99054f025b05", "panelRefName": "panel_1", "title": "Instance Uptime", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -64,7 +64,7 @@ "panelIndex": "5f6f2ecd-dcaf-4455-967c-ede6b38f431f", "panelRefName": "panel_2", "title": "CPU Utilization", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -80,7 +80,7 @@ "panelIndex": "9c6f36f5-c2b2-40f5-8ee3-af6131168842", "panelRefName": "panel_3", "title": "Read I/O", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -96,7 +96,7 @@ "panelIndex": "93906f63-42c9-4f30-9b2c-05041a9e1efe", "panelRefName": "panel_4", "title": "Write I/O", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -112,7 +112,7 @@ "panelIndex": "e1a4e862-dd00-409f-8746-8a8e4bc82807", "panelRefName": "panel_5", "title": "Network Sent Bytes", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -128,7 +128,7 @@ "panelIndex": "6f47ff85-3ec1-4f6f-a63b-1a56f0cfc9ce", "panelRefName": "panel_6", "title": "Network Received Bytes", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -144,7 +144,7 @@ "panelIndex": "00689e12-4cb3-49ad-ac33-dbe4279f446e", "panelRefName": "panel_7", "title": "Firewall Dropped Bytes", - "version": "7.6.1" + "version": "7.9.1" }, { "embeddableConfig": { @@ -160,7 +160,7 @@ "panelIndex": "901e7bf5-35f5-4c1a-9627-27f6c20d2514", "panelRefName": "panel_8", "title": "Firewall Dropped Packets", - "version": "7.6.1" + "version": "7.9.1" } ], "timeRestore": false, 
@@ -171,6 +171,9 @@ "migrationVersion": { "dashboard": "7.3.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "3aa96470-5fc4-11ea-a4f6-717338406083", @@ -219,8 +222,8 @@ } ], "type": "dashboard", - "updated_at": "2020-03-17T15:46:32.321Z", - "version": "WzgwNiwyXQ==" + "updated_at": "2020-09-15T16:22:48.674Z", + "version": "Wzk1NCwxXQ==" }, { "attributes": { @@ -297,8 +300,11 @@ }, "id": "3aa96470-5fc4-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [ { "id": "metricbeat-*", @@ -317,14 +323,20 @@ } ], "type": "visualization", - "updated_at": "2020-03-11T21:52:40.506Z", - "version": "Wzc4NywyXQ==" + "updated_at": "2020-09-15T16:22:42.806Z", + "version": "Wzk1MSwxXQ==" }, { "attributes": { "description": "", "kibanaSavedObjectMeta": { - "searchSourceJSON": {} + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } }, "title": "Compute Instance Uptime Gauge [Metricbeat Googlecloud]", "uiStateJSON": {}, @@ -347,7 +359,7 @@ ], "default_index_pattern": "metricbeat-*", "default_timefield": "@timestamp", - "drop_last_bucket": 1, + "drop_last_bucket": 0, "filter": { "language": "kuery", "query": "" @@ -364,7 +376,7 @@ "gauge_width": 10, "id": "61ca57f0-469d-11e7-af02-69e470af7417", "index_pattern": "metricbeat-*", - "interval": "5m", + "interval": "\u003e=5m", "isModelInvalid": false, "series": [ { @@ -393,7 +405,7 @@ }, { "id": "81dc6000-63e7-11ea-994d-3b2599babc53", - "script": "params.uptime /60\n", + "script": "params.uptime / 60\n", "type": "math", "variables": [ { @@ -407,6 +419,7 @@ "override_index_pattern": 0, "point_size": 1, "separate_axis": 0, + "split_color_mode": "gradient", "split_mode": "everything", "stacked": "none", "terms_field": "cloud.instance.name", 
@@ -416,7 +429,9 @@ ], "show_grid": 1, "show_legend": 1, - "time_field": "", + "time_field": "@timestamp", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", "type": "gauge" }, "title": "Compute Instance Uptime Gauge [Metricbeat Googlecloud]", @@ -425,12 +440,15 @@ }, "id": "da5bc460-63e1-11ea-b0ac-95d4ecb1fecd", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-11T22:29:03.883Z", - "version": "WzgwMiwyXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzNCwxXQ==" }, { "attributes": { @@ -492,12 +510,15 @@ }, "id": "3f472ea0-5e47-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T17:22:26.247Z", - "version": "WzcwNCwxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzNSwxXQ==" }, { "attributes": { @@ -558,12 +579,15 @@ }, "id": "89513bc0-5e48-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T15:57:30.034Z", - "version": "WzM1NiwxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzNiwxXQ==" }, { "attributes": { @@ -624,12 +648,15 @@ }, "id": "95e1f050-5e48-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T15:57:30.034Z", - "version": "WzM1NywxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzNywxXQ==" }, { "attributes": { 
@@ -690,12 +717,15 @@ }, "id": "6f795e70-5e49-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T15:57:30.034Z", - "version": "WzM1OCwxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzOCwxXQ==" }, { "attributes": { @@ -756,12 +786,15 @@ }, "id": "43f45ba0-5e4a-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T15:57:30.034Z", - "version": "WzM1OSwxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQzOSwxXQ==" }, { "attributes": { @@ -841,12 +874,15 @@ }, "id": "9d919d00-5e4d-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-11T22:23:01.173Z", - "version": "Wzc5NywyXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQ0MCwxXQ==" }, { "attributes": { @@ -927,13 +963,16 @@ }, "id": "ef1508c0-5e4c-11ea-a4f6-717338406083", "migrationVersion": { - "visualization": "7.4.2" + "visualization": "7.8.0" }, + "namespaces": [ + "default" + ], "references": [], "type": "visualization", - "updated_at": "2020-03-09T15:57:30.034Z", - "version": "WzM2MSwxXQ==" + "updated_at": "2020-09-15T16:01:39.831Z", + "version": "WzQ0MSwxXQ==" } ], - "version": "7.6.1" + "version": "7.9.1" } diff --git a/x-pack/metricbeat/module/prometheus/_meta/config.yml b/x-pack/metricbeat/module/prometheus/_meta/config.yml index cd54c01383a7..789e7937252f 100644 --- a/x-pack/metricbeat/module/prometheus/_meta/config.yml +++ b/x-pack/metricbeat/module/prometheus/_meta/config.yml 
@@ -20,6 +20,16 @@ # Store counter rates instead of original cumulative counters (experimental, default: false) #rate_counters: true +# Metrics sent by a Prometheus server using remote_write option +#- module: prometheus +# metricsets: ["remote_write"] +# host: "localhost" +# port: "9201" + + # Secure settings for the server using TLS/SSL: + #ssl.certificate: "/etc/pki/server/cert.pem" + #ssl.key: "/etc/pki/server/cert.key" + # Use Elasticsearch histogram type to store histograms (beta, default: false) # This will change the default layout and put metric type in the field name #use_types: true @@ -32,17 +42,6 @@ # counter_patterns: [] # histogram_patterns: [] - -# Metrics sent by a Prometheus server using remote_write option -#- module: prometheus -# metricsets: ["remote_write"] -# host: "localhost" -# port: "9201" - - # Secure settings for the server using TLS/SSL: - #ssl.certificate: "/etc/pki/server/cert.pem" - #ssl.key: "/etc/pki/server/cert.key" - # Metrics that will be collected using a PromQL #- module: prometheus # metricsets: ["query"] diff --git a/x-pack/metricbeat/module/prometheus/remote_write/data.go b/x-pack/metricbeat/module/prometheus/remote_write/data.go index 5d8a101fbdd5..2258aba02709 100644 --- a/x-pack/metricbeat/module/prometheus/remote_write/data.go +++ b/x-pack/metricbeat/module/prometheus/remote_write/data.go 
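Review bot: The relocated `remote_write` example documents only `ssl.certificate`/`ssl.key`, so a reader who changes `host` from `localhost` to a routable interface ends up with a TLS-encrypted but unauthenticated push endpoint that anything able to reach port 9201 can write metrics into. A one-line caveat beside the `host` line would help, e.g. `# Keep host on a trusted interface: remote_write accepts any client that can reach this port unless client certificates are required.`, and if the server honours libbeat's `ssl.client_authentication`/`ssl.certificate_authorities` settings they belong next to the key and cert example (support cannot be confirmed from this hunk). The same block is duplicated in `modules.d/prometheus.yml.disabled` further down this diff and would need the same caveat.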
@@ -122,16 +122,17 @@ func (g remoteWriteTypedGenerator) GenerateEvents(metrics model.Samples) map[str promType := g.findMetricType(name, labels) - labelsHash := labels.String() + labelsHash := labels.String() + metric.Timestamp.Time().String() labelsClone := labels.Clone() labelsClone.Delete("le") if promType == histogramType { - labelsHash = labelsClone.String() + labelsHash = labelsClone.String() + metric.Timestamp.Time().String() } // join metrics with same labels in a single event if _, ok := eventList[labelsHash]; !ok { eventList[labelsHash] = mb.Event{ ModuleFields: common.MapStr{}, + Timestamp: metric.Timestamp.Time(), } // Add labels @@ -145,7 +146,6 @@ func (g remoteWriteTypedGenerator) GenerateEvents(metrics model.Samples) map[str } e := eventList[labelsHash] - e.Timestamp = metric.Timestamp.Time() switch promType { case counterType: data = common.MapStr{ @@ -220,10 +220,11 @@ func (g *remoteWriteTypedGenerator) rateCounterFloat64(name string, labels commo // processPromHistograms receives a group of Histograms and converts each one to ES histogram func (g *remoteWriteTypedGenerator) processPromHistograms(eventList map[string]mb.Event, histograms map[string]histogram) { for _, histogram := range histograms { - labelsHash := histogram.labels.String() + labelsHash := histogram.labels.String() + histogram.timestamp.String() if _, ok := eventList[labelsHash]; !ok { eventList[labelsHash] = mb.Event{ ModuleFields: common.MapStr{}, + Timestamp: histogram.timestamp, } // Add labels @@ -233,7 +234,6 @@ func (g *remoteWriteTypedGenerator) processPromHistograms(eventList map[string]m } e := eventList[labelsHash] - e.Timestamp = histogram.timestamp hist := dto.Histogram{ Bucket: histogram.buckets, diff --git a/x-pack/metricbeat/module/prometheus/remote_write/remote_write_test.go b/x-pack/metricbeat/module/prometheus/remote_write/remote_write_test.go index d5c07f0d2a97..6c031be5bba0 100644 --- a/x-pack/metricbeat/module/prometheus/remote_write/remote_write_test.go 
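Review bot: The new grouping key concatenates `labels.String()` with `time.Time.String()` at three sites in this hunk, but Go documents `Time.String()` as debug output whose format is not stable, and the bare concatenation has no separator, so the key format becomes something the tests must reproduce verbatim. A small helper with a stable serialisation keeps the two `GenerateEvents` sites and `processPromHistograms` in sync; the variant below assumes `labels` and `histogram.labels` are `common.MapStr`, as the `Clone`/`Delete` calls suggest, and needs `strconv` and `time` imported. Both `GenerateEvents` and `processPromHistograms` start and end outside the hunk, and whether buckets for the same label set but different timestamps are already separated when the `histograms` map is built cannot be seen here, so the histogram path deserves a test with two timestamps.
```go
// eventKey groups samples that share both a label set and a sample timestamp.
// Time.String() is documented as debug output, so a fixed serialisation is used.
func eventKey(labels common.MapStr, ts time.Time) string {
	return labels.String() + "|" + strconv.FormatInt(ts.UnixNano(), 10)
}

// … unchanged: GenerateEvents body up to the key computation …
	labelsHash := eventKey(labels, metric.Timestamp.Time())
	// … unchanged: labelsClone construction …
	if promType == histogramType {
		labelsHash = eventKey(labelsClone, metric.Timestamp.Time())
	}

// … unchanged: processPromHistograms loop header …
	labelsHash := eventKey(histogram.labels, histogram.timestamp)
```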
+++ b/x-pack/metricbeat/module/prometheus/remote_write/remote_write_test.go @@ -28,10 +28,10 @@ func TestGenerateEventsCounter(t *testing.T) { rateCounters: true, } g.counterCache.Start() + timestamp := model.Time(424242) labels := common.MapStr{ "listener_name": model.LabelValue("http"), } - // first fetch metrics := model.Samples{ &model.Sample{ @@ -40,7 +40,7 @@ func TestGenerateEventsCounter(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(42), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events := g.GenerateEvents(metrics) @@ -54,7 +54,7 @@ func TestGenerateEventsCounter(t *testing.T) { } assert.Equal(t, len(events), 1) - e := events[labels.String()] + e := events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) // repeat in order to test the rate @@ -65,7 +65,7 @@ func TestGenerateEventsCounter(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(45), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events = g.GenerateEvents(metrics) @@ -79,7 +79,7 @@ func TestGenerateEventsCounter(t *testing.T) { } assert.Equal(t, len(events), 1) - e = events[labels.String()] + e = events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) } @@ -94,6 +94,7 @@ func TestGenerateEventsCounterSameLabels(t *testing.T) { rateCounters: true, } g.counterCache.Start() + timestamp := model.Time(424242) labels := common.MapStr{ "listener_name": model.LabelValue("http"), } @@ -106,7 +107,7 @@ func TestGenerateEventsCounterSameLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(42), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ 
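Review bot: Every sample in this test still carries the single `timestamp` value, so the behaviour the data.go change introduces — samples with equal labels but different timestamps landing in separate events — is never exercised; `len(events)` stays 1 for exactly the reason it did before. Add a case with a second sample at `model.Time(424243)` and assert `len(events) == 2`, with each event's `Timestamp` equal to its sample's `Timestamp.Time()`. The lookups `events[labels.String()+timestamp.Time().String()]` also hard-code the generator's internal key format, so deriving the key through a shared helper, or ranging over `events` and matching on `e.Timestamp`, would keep the tests from breaking on a key-format change. `TestGenerateEventsCounter` begins before the first hunk here.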
@@ -114,7 +115,7 @@ func TestGenerateEventsCounterSameLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(43), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events := g.GenerateEvents(metrics) @@ -132,7 +133,7 @@ func TestGenerateEventsCounterSameLabels(t *testing.T) { } assert.Equal(t, len(events), 1) - e := events[labels.String()] + e := events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) // repeat in order to test the rate @@ -143,7 +144,7 @@ func TestGenerateEventsCounterSameLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(45), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -151,7 +152,7 @@ func TestGenerateEventsCounterSameLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(47), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events = g.GenerateEvents(metrics) @@ -169,7 +170,7 @@ func TestGenerateEventsCounterSameLabels(t *testing.T) { } assert.Equal(t, len(events), 1) - e = events[labels.String()] + e = events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) } @@ -184,6 +185,8 @@ func TestGenerateEventsCounterDifferentLabels(t *testing.T) { rateCounters: true, } g.counterCache.Start() + + timestamp := model.Time(424242) labels := common.MapStr{ "listener_name": model.LabelValue("http"), } @@ -200,7 +203,7 @@ func TestGenerateEventsCounterDifferentLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(42), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ 
@@ -208,7 +211,7 @@ func TestGenerateEventsCounterDifferentLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(43), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -217,7 +220,7 @@ func TestGenerateEventsCounterDifferentLabels(t *testing.T) { "device": "eth0", }, Value: model.SampleValue(44), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events := g.GenerateEvents(metrics) @@ -242,9 +245,9 @@ func TestGenerateEventsCounterDifferentLabels(t *testing.T) { } assert.Equal(t, len(events), 2) - e := events[labels.String()] + e := events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected1) - e = events[labels2.String()] + e = events[labels2.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected2) // repeat in order to test the rate @@ -255,7 +258,7 @@ func TestGenerateEventsCounterDifferentLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(45), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -263,7 +266,7 @@ func TestGenerateEventsCounterDifferentLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(47), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -272,7 +275,7 @@ func TestGenerateEventsCounterDifferentLabels(t *testing.T) { "device": "eth0", }, Value: model.SampleValue(50), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events = g.GenerateEvents(metrics) 
@@ -297,9 +300,9 @@ func TestGenerateEventsCounterDifferentLabels(t *testing.T) { } assert.Equal(t, len(events), 2) - e = events[labels.String()] + e = events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected1) - e = events[labels2.String()] + e = events[labels2.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected2) } @@ -314,6 +317,7 @@ func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { rateCounters: true, } g.counterCache.Start() + timestamp := model.Time(424242) labels := common.MapStr{ "listener_name": model.LabelValue("http"), } @@ -330,7 +334,7 @@ func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(42), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -338,7 +342,7 @@ func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(43), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -347,7 +351,7 @@ func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { "device": "eth0", }, Value: model.SampleValue(44), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -356,7 +360,7 @@ func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { "device": "eth0", }, Value: model.SampleValue(49), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events := g.GenerateEvents(metrics) 
@@ -384,9 +388,9 @@ func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { } assert.Equal(t, len(events), 2) - e := events[labels.String()] + e := events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected1) - e = events[labels2.String()] + e = events[labels2.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected2) // repeat in order to test the rate @@ -397,7 +401,7 @@ func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(45), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -405,7 +409,7 @@ func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(47), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -414,7 +418,7 @@ func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { "device": "eth0", }, Value: model.SampleValue(50), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -423,7 +427,7 @@ func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { "device": "eth0", }, Value: model.SampleValue(59), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events = g.GenerateEvents(metrics) @@ -451,9 +455,9 @@ func TestGenerateEventsGaugeDifferentLabels(t *testing.T) { } assert.Equal(t, len(events), 2) - e = events[labels.String()] + e = events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected1) - e = events[labels2.String()] + e = events[labels2.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected2) } 
@@ -468,6 +472,8 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { rateCounters: true, } g.counterCache.Start() + + timestamp := model.Time(424242) labels := common.MapStr{ "runtime": model.LabelValue("linux"), "quantile": model.LabelValue("0.25"), @@ -489,7 +495,7 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { "quantile": "0.25", }, Value: model.SampleValue(42), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -498,7 +504,7 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { "quantile": "0.50", }, Value: model.SampleValue(43), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -506,7 +512,7 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(44), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -514,7 +520,7 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(45), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -523,7 +529,7 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { "quantile": "0.25", }, Value: model.SampleValue(46), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events := g.GenerateEvents(metrics) 
@@ -556,11 +562,11 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { } assert.Equal(t, len(events), 3) - e := events[labels.String()] + e := events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) - e = events[labels2.String()] + e = events[labels2.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected2) - e = events[labels3.String()] + e = events[labels3.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected3) // repeat in order to test the rate @@ -572,7 +578,7 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { "quantile": "0.25", }, Value: model.SampleValue(52), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -581,7 +587,7 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { "quantile": "0.50", }, Value: model.SampleValue(53), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -589,7 +595,7 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(54), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -597,7 +603,7 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(55), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -606,7 +612,7 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { "quantile": "0.25", }, Value: model.SampleValue(56), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events = g.GenerateEvents(metrics) 
@@ -639,11 +645,11 @@ func TestGenerateEventsQuantilesDifferentLabels(t *testing.T) { } assert.Equal(t, len(events), 3) - e = events[labels.String()] + e = events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) - e = events[labels2.String()] + e = events[labels2.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected2) - e = events[labels3.String()] + e = events[labels3.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected3) } @@ -658,6 +664,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { rateCounters: true, } g.counterCache.Start() + timestamp := model.Time(424242) labels := common.MapStr{ "runtime": model.LabelValue("linux"), } @@ -674,7 +681,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.25", }, Value: model.SampleValue(42), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -683,7 +690,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.50", }, Value: model.SampleValue(43), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -692,7 +699,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "+Inf", }, Value: model.SampleValue(44), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -700,7 +707,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(45), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ 
@@ -708,7 +715,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(46), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, // second histogram same label &model.Sample{ @@ -718,7 +725,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.25", }, Value: model.SampleValue(52), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -727,7 +734,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.50", }, Value: model.SampleValue(53), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -736,7 +743,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "+Inf", }, Value: model.SampleValue(54), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -744,7 +751,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(55), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -752,7 +759,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(56), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, // third histogram different label &model.Sample{ @@ -762,7 +769,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.25", }, Value: model.SampleValue(62), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ 
@@ -771,7 +778,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.50", }, Value: model.SampleValue(63), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -780,7 +787,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "+Inf", }, Value: model.SampleValue(64), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -788,7 +795,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "darwin", }, Value: model.SampleValue(65), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -796,7 +803,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "darwin", }, Value: model.SampleValue(66), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events := g.GenerateEvents(metrics) @@ -851,9 +858,9 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { } assert.Equal(t, 2, len(events)) - e := events[labels.String()] + e := events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) - e = events[labels2.String()] + e = events[labels2.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected2) // repeat in order to test the rate @@ -865,7 +872,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.25", }, Value: model.SampleValue(142), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -874,7 +881,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.50", }, Value: model.SampleValue(143), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ 
@@ -883,7 +890,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "+Inf", }, Value: model.SampleValue(144), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -891,7 +898,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(145), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -899,7 +906,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(146), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, // second histogram same label &model.Sample{ @@ -909,7 +916,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.25", }, Value: model.SampleValue(252), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -918,7 +925,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.50", }, Value: model.SampleValue(253), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -927,7 +934,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "+Inf", }, Value: model.SampleValue(254), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -935,7 +942,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(255), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ 
@@ -943,7 +950,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "linux", }, Value: model.SampleValue(256), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, // third histogram different label &model.Sample{ @@ -953,7 +960,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.25", }, Value: model.SampleValue(362), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -962,7 +969,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "0.50", }, Value: model.SampleValue(363), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -971,7 +978,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "le": "+Inf", }, Value: model.SampleValue(364), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -979,7 +986,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "darwin", }, Value: model.SampleValue(365), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, &model.Sample{ Metric: map[model.LabelName]model.LabelValue{ @@ -987,7 +994,7 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { "runtime": "darwin", }, Value: model.SampleValue(366), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events = g.GenerateEvents(metrics) @@ -1042,9 +1049,9 @@ func TestGenerateEventsHistogramsDifferentLabels(t *testing.T) { } assert.Equal(t, 2, len(events)) - e = events[labels.String()] + e = events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) - e = events[labels2.String()] + e = events[labels2.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected2) } 
@@ -1064,6 +1071,8 @@ func TestGenerateEventsCounterWithDefinedPattern(t *testing.T) { } g.counterCache.Start() + + timestamp := model.Time(424242) labels := common.MapStr{ "listener_name": model.LabelValue("http"), } @@ -1076,7 +1085,7 @@ func TestGenerateEventsCounterWithDefinedPattern(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(42), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events := g.GenerateEvents(metrics) @@ -1090,7 +1099,7 @@ func TestGenerateEventsCounterWithDefinedPattern(t *testing.T) { } assert.Equal(t, len(events), 1) - e := events[labels.String()] + e := events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) // repeat in order to test the rate @@ -1101,7 +1110,7 @@ func TestGenerateEventsCounterWithDefinedPattern(t *testing.T) { "listener_name": "http", }, Value: model.SampleValue(45), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events = g.GenerateEvents(metrics) @@ -1115,7 +1124,7 @@ func TestGenerateEventsCounterWithDefinedPattern(t *testing.T) { } assert.Equal(t, len(events), 1) - e = events[labels.String()] + e = events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) } @@ -1136,6 +1145,7 @@ func TestGenerateEventsHistogramWithDefinedPattern(t *testing.T) { } g.counterCache.Start() + timestamp := model.Time(424242) labels := common.MapStr{ "listener_name": model.LabelValue("http"), } @@ -1149,7 +1159,7 @@ func TestGenerateEventsHistogramWithDefinedPattern(t *testing.T) { "le": "20", }, Value: model.SampleValue(42), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events := g.GenerateEvents(metrics) @@ -1165,7 +1175,7 @@ func TestGenerateEventsHistogramWithDefinedPattern(t *testing.T) { } assert.Equal(t, len(events), 1) - e := events[labels.String()] + e := events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) // repeat in order to test the rate 
@@ -1177,7 +1187,7 @@ func TestGenerateEventsHistogramWithDefinedPattern(t *testing.T) { "le": "20", }, Value: model.SampleValue(45), - Timestamp: model.Time(424242), + Timestamp: timestamp, }, } events = g.GenerateEvents(metrics) @@ -1193,7 +1203,7 @@ func TestGenerateEventsHistogramWithDefinedPattern(t *testing.T) { } assert.Equal(t, len(events), 1) - e = events[labels.String()] + e = events[labels.String()+timestamp.Time().String()] assert.EqualValues(t, e.ModuleFields, expected) } diff --git a/x-pack/metricbeat/modules.d/prometheus.yml.disabled b/x-pack/metricbeat/modules.d/prometheus.yml.disabled index 5dbe163c62a9..d6e00936b2a5 100644 --- a/x-pack/metricbeat/modules.d/prometheus.yml.disabled +++ b/x-pack/metricbeat/modules.d/prometheus.yml.disabled @@ -23,6 +23,16 @@ # Store counter rates instead of original cumulative counters (experimental, default: false) #rate_counters: true +# Metrics sent by a Prometheus server using remote_write option +#- module: prometheus +# metricsets: ["remote_write"] +# host: "localhost" +# port: "9201" + + # Secure settings for the server using TLS/SSL: + #ssl.certificate: "/etc/pki/server/cert.pem" + #ssl.key: "/etc/pki/server/cert.key" + # Use Elasticsearch histogram type to store histograms (beta, default: false) # This will change the default layout and put metric type in the field name #use_types: true @@ -35,17 +45,6 @@ # counter_patterns: [] # histogram_patterns: [] - -# Metrics sent by a Prometheus server using remote_write option -#- module: prometheus -# metricsets: ["remote_write"] -# host: "localhost" -# port: "9201" - - # Secure settings for the server using TLS/SSL: - #ssl.certificate: "/etc/pki/server/cert.pem" - #ssl.key: "/etc/pki/server/cert.key" - # Metrics that will be collected using a PromQL #- module: prometheus # metricsets: ["query"]