Open aarju opened 3 years ago
@aarju Would that be confusing if the agent names in Fleet didn't match the device name on the host or in active directory? Why not change the device name to something more meaningful? That has the advantage of making all your systems more useful from network hostnames to active directory, etc?
Edit: It seems there are 3 separate names to consider: the hostname, the device name, and the agent name. I think they all match by default?
If the desired behavior is to be able to tell them apart, and it's still advantageous to have consistency between these names, what about adding more metadata fields with these properties? This would let you query/filter on those values as well.
Pinging @elastic/fleet (Team:Fleet)
@mostlyjason unfortunately 99% of the time the Infosec team has no control over the naming conventions used in the enterprise and the larger the organization the less likely they are to have really useful hostnames. At my last org the hostnames didn't mean much but the 'comment' field within the computer object was used to describe what the system was for.
I think the host.name value should always match the true host names. This feature request may require a change to ECS to add a host.comment field to allow for adding comments to the hosts. Since this 'comment' is already an Active Directory attribute this could be useful in scenarios outside of fleet as well.
Adding a comment field sounds like a great idea. Tagging @bradenlpreston to help prioritize this from a security use case perspective.
The "nickname" portion of this seems similar to the tagging/grouping concepts we've discussed in past roadmap discussions. The "comment" field should likely be considered separate as it would have more information than a nickname/tag.
On the security side we see both as valuable management features. Endgame customers found the tagging and grouping functions implemented valuable.
Describe the feature: A Fleet user would be able to add a custom 'nickname' or 'comment' field to an agent to help them better manage the fleet systems. The nickname field should be appended to any event collected from that agent and should be displayed in the host administration views in Fleet and the Security App. Ideally the nickname field could also eventually be set via an API so host nicknames could be programmatically set.
Describe a specific use case for the feature: Example 1: Within our fleet of systems we have almost 2000 MacBook Pros and the hostnames and usernames are set by the users. We have over 50 hosts named Mike's MacBook Pro with a primary user of mike. Most of our Windows systems have the automated naming convention of DESKTOP-XXXXXX which doesn't help much either. With a nickname feature and an API capability we could use the intune or jamf inventory information that we ingest into the stack to set the email address of the system owner as the nickname of that system.
Example 2: We use fleet to manage Endpoint security on tens of thousands of cloud based systems that are programmatically provisioned and deprovisioned. The hostnames of those systems are not very descriptive so we could have the provisioning scripts add the team name, cloud provider, and purpose of the server to the nickname field.