add destination.domain as part of the alert (#650)

ricardo-estc · web-flow · commit b1a5059ee6e3 · 2025-08-06T11:35:15.000-04:00
diff --git a/custom_documentation/doc/endpoint/alerts/windows/windows_malicious_behavior_alert.md b/custom_documentation/doc/endpoint/alerts/windows/windows_malicious_behavior_alert.md
@@ -54,6 +54,7 @@ This alert occurs when a Malicious Behavior alert occurs.
 | data_stream.dataset |
 | data_stream.namespace |
 | data_stream.type |
+| destination.domain |
 | destination.ip |
 | destination.port |
 | dll.*<br /><br />dll contains dll data from the primary event in Events. It can contain any fields that any other events includes within the dll fieldset. |
diff --git a/custom_documentation/src/endpoint/data_stream/alerts/windows/windows_malicious_behavior_alert.yaml b/custom_documentation/src/endpoint/data_stream/alerts/windows/windows_malicious_behavior_alert.yaml
@@ -59,6 +59,7 @@ fields:
   - data_stream.dataset
   - data_stream.namespace
   - data_stream.type
+  - destination.domain
   - destination.ip
   - destination.port
   - dll.*
diff --git a/custom_subsets/elastic_endpoint/alerts/rule_detection_event.yaml b/custom_subsets/elastic_endpoint/alerts/rule_detection_event.yaml
@@ -8,6 +8,7 @@ fields:
         fields: "*"
   destination:
     fields:
+      domain: {}
       geo:
         fields: "*"
   base:
diff --git a/package/endpoint/data_stream/alerts/fields/fields.yml b/package/endpoint/data_stream/alerts/fields/fields.yml
@@ -2898,6 +2898,14 @@
   type: group
   default_field: true
   fields:
+    - name: domain
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'The domain name of the destination system.
+
+        This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.'
+      example: foo.example.com
     - name: geo.city_name
       level: core
       type: keyword
diff --git a/package/endpoint/docs/README.md b/package/endpoint/docs/README.md
@@ -421,6 +421,7 @@ sent by the endpoint.
 | data_stream.dataset | Data stream dataset name. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | destination.geo.city_name | City name. | keyword |
 | destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
 | destination.geo.continent_name | Name of the continent. | keyword |
diff --git a/schemas/v1/alerts/rule_detection_event.yaml b/schemas/v1/alerts/rule_detection_event.yaml
