diff --git a/custom_documentation/doc/endpoint/alerts/windows/windows_malicious_behavior_alert.md b/custom_documentation/doc/endpoint/alerts/windows/windows_malicious_behavior_alert.md
index 4c3cce071..56c2c6ba5 100644
--- a/custom_documentation/doc/endpoint/alerts/windows/windows_malicious_behavior_alert.md
+++ b/custom_documentation/doc/endpoint/alerts/windows/windows_malicious_behavior_alert.md
@@ -54,6 +54,7 @@ This alert occurs when a Malicious Behavior alert occurs.
| data_stream.dataset |
| data_stream.namespace |
| data_stream.type |
+| destination.domain |
| destination.ip |
| destination.port |
| dll.*
dll contains dll data from the primary event in Events. It can contain any fields that any other events includes within the dll fieldset. |
diff --git a/custom_documentation/src/endpoint/data_stream/alerts/windows/windows_malicious_behavior_alert.yaml b/custom_documentation/src/endpoint/data_stream/alerts/windows/windows_malicious_behavior_alert.yaml
index 4d134dae2..55db7b887 100644
--- a/custom_documentation/src/endpoint/data_stream/alerts/windows/windows_malicious_behavior_alert.yaml
+++ b/custom_documentation/src/endpoint/data_stream/alerts/windows/windows_malicious_behavior_alert.yaml
@@ -59,6 +59,7 @@ fields:
- data_stream.dataset
- data_stream.namespace
- data_stream.type
+ - destination.domain
- destination.ip
- destination.port
- dll.*
diff --git a/custom_subsets/elastic_endpoint/alerts/rule_detection_event.yaml b/custom_subsets/elastic_endpoint/alerts/rule_detection_event.yaml
index 97c597279..0af329e14 100644
--- a/custom_subsets/elastic_endpoint/alerts/rule_detection_event.yaml
+++ b/custom_subsets/elastic_endpoint/alerts/rule_detection_event.yaml
@@ -8,6 +8,7 @@ fields:
fields: "*"
destination:
fields:
+ domain: {}
geo:
fields: "*"
base:
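Review bot: The new `domain: {}` entry lands in `custom_subsets/elastic_endpoint/alerts/rule_detection_event.yaml`, whose name is not platform-scoped, yet the only custom documentation updated in this commit is `windows_malicious_behavior_alert` (the hunks at L18–L25 and L5–L13). If this subset also feeds the field lists for the malicious-behavior alert documentation of other platforms, those lists need the same `destination.domain` line, or a documentation/schema consistency check is likely to report the gap; if the subset is Windows-only in practice, a one-line comment above `domain: {}` stating which alert documents consume it would save the next reader the same question. The `destination:` mapping this line belongs to starts inside the hunk, but the enclosing `fields:` block begins before it.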
diff --git a/package/endpoint/data_stream/alerts/fields/fields.yml b/package/endpoint/data_stream/alerts/fields/fields.yml
index 0b8b65f4c..42688053c 100644
--- a/package/endpoint/data_stream/alerts/fields/fields.yml
+++ b/package/endpoint/data_stream/alerts/fields/fields.yml
@@ -2898,6 +2898,14 @@
type: group
default_field: true
fields:
+ - name: domain
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'The domain name of the destination system.
+
+ This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment.'
+ example: foo.example.com
- name: geo.city_name
level: core
type: keyword
diff --git a/package/endpoint/docs/README.md b/package/endpoint/docs/README.md
index 79035db2d..81a872941 100644
--- a/package/endpoint/docs/README.md
+++ b/package/endpoint/docs/README.md
@@ -421,6 +421,7 @@ sent by the endpoint.
| data_stream.dataset | Data stream dataset name. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
+| destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
| destination.geo.city_name | City name. | keyword |
| destination.geo.continent_code | Two-letter code representing continent's name. | keyword |
| destination.geo.continent_name | Name of the continent. | keyword |
diff --git a/schemas/v1/alerts/rule_detection_event.yaml b/schemas/v1/alerts/rule_detection_event.yaml
index a3eee4046..e3a675804 100644
--- a/schemas/v1/alerts/rule_detection_event.yaml
+++ b/schemas/v1/alerts/rule_detection_event.yaml
@@ -268,6 +268,20 @@ Responses.result:
normalize: []
short: Response action result code
type: long
+destination.domain:
+ dashed_name: destination-domain
+ description: 'The domain name of the destination system.
+
+ This value may be a host name, a fully qualified domain name, or another host
+ naming format. The value may derive from the original event or be added from enrichment.'
+ example: foo.example.com
+ flat_name: destination.domain
+ ignore_above: 1024
+ level: core
+ name: domain
+ normalize: []
+ short: The domain name of the destination.
+ type: keyword
destination.geo.city_name:
dashed_name: destination-geo-city-name
description: City name.