[Meta] support new ECS 1.6 fields

[leehinman]

Support new ECS 1.6 fields

add support for new ECS fields from elastic/ecs#930 1.6.0 Changelog

Describe the enhancement: elastic/ecs#762 ECS added support for storing common core fields of X509 certificates. The following data sources should be looked at to see if they can take advantage of the new fields:

• [x] Filebeat checkpoint/firewall
• [x] Filebeat fortinet/firewall
• [x] Filebeat santa/log
• [x] Filebeat suricata/eve
• [x] Filebeat zeek/kerberos
• [x] Filebeat zeek/ssl
• [x] Filebeat zeek/x509
• [x] Heartbeat (was done)
• [x] Packetbeat (most of the work already done)
• [ ] Winlogbeat (CA event logs, Certificate lifecycle, etc.)
• [ ] review others to double check we didn't miss anything

Describe the enhancement: elastic/ecs#763 added architecture & imphash for PE field set

• [X] Winlogbeat sysmon imphash

Describe the enhancement: elastic/ecs#816 Added more account and project cloud metadata.

• [x] AWS
• [x] GCP
• [x] Azure

Describe the enhancement: elastic/ecs#907 Added event.reason for the reason why an event's outcome or action was taken.

Describe the enhancement: elastic/ecs#913 Added related.hosts to capture all hostnames and host identifiers on an event.

• [x] rsa2elk modules
• [x] Filebeat panw
• [x] Filebeat osquery
• [x] Filebeat system
• [x] Filebeat microsoft/defender_atp
• [x] Filebeat suricat
• [x] Filebeat cisco

Describe the enhancement: elastic/ecs#917 Added user.roles to capture a list of role names that apply to the user.

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[andrewkroh]

It looks like we have made all of the necessary changes to support 1.6. I think we should now bump the ecs.version on all the modules that did not need changes.

[andrewkroh]

I opened https://github.com/elastic/beats/pull/21455/ to update the version in Filebeat modules that required no changes, Winlogbeat, Auditbeat, and Packetbeat.