zeek: map conn reverse-DNS hostnames to OCSF src/dst endpoint hostname fields

[cepolation-datadog]

What does this PR do?

Maps Corelight-enhanced conn log fields id.orig_h_name and id.resp_h_name (reverse-DNS PTR lookups) to ocsf.src_endpoint.hostname and ocsf.dst_endpoint.hostname in the Network Activity [4001] OCSF class.

Motivation

Corelight enriches conn logs with reverse-DNS hostname resolution for both the originator and responder. Previously this data was not surfaced in the OCSF output. Mapping it to hostname_t fields on the endpoint objects makes it queryable and consistent with how other log sources (e.g. TLS server_name) populate endpoint hostnames.

The source fields are arrays (vals: ["hostname"]) since a single IP can have multiple PTR records. We map the first entry via dot-index notation (id.orig_h_name.vals.0).

Review checklist (to be filled by reviewers)

• Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
• Add qa/required if this PR needs QA validation, or qa/skip-qa if it does not. Exactly one of the two is required.
• If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

[datadog-prod-us1-4]

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

Validate repository | Run Validations / Validate     

🛟 This job is unlikely to succeed on retry. Please review your pipeline configuration.

PR #23885 is missing an Agent-release QA decision label. Must set 'qa/required' or 'qa/skip-qa'.

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: c114995 | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Validation Report

All 21 validations passed.

Show details

Validation	Description	Status
agent-reqs	Verify check versions match the Agent requirements file	✅
ci	Validate CI configuration and code coverage settings	✅
codeowners	Validate every integration has a CODEOWNERS entry	✅
config	Validate default configuration files against spec.yaml	✅
dep	Verify dependency pins are consistent and Agent-compatible	✅
http	Validate integrations use the HTTP wrapper correctly	✅
imports	Validate check imports do not use deprecated modules	✅
integration-style	Validate check code style conventions	✅
jmx-metrics	Validate JMX metrics definition files and config	✅
labeler	Validate PR labeler config matches integration directories	✅
legacy-signature	Validate no integration uses the legacy Agent check signature	✅
license-headers	Validate Python files have proper license headers	✅
licenses	Validate third-party license attribution list	✅
metadata	Validate metadata.csv metric definitions	✅
models	Validate configuration data models match spec.yaml	✅
openmetrics	Validate OpenMetrics integrations disable the metric limit	✅
package	Validate Python package metadata and naming	✅
qa-label	Validate the pull request declares whether it needs QA for the next Agent release	✅
readmes	Validate README files have required sections	✅
saved-views	Validate saved view JSON file structure and fields	✅
version	Validate version consistency between package and changelog	✅

View full run