- Look up hostnames similarly to domain names, including relationships
- Look up fields srcip/dstIp in addition to src_ip/dest_ip etc.
- Correctly quit if there are no valid public IP addresses in source alert
- Add source rule.id as rule_id to alert
- Look up URLs found in audit execve args
- Use a consistent field name for the STIX object type: rename "entity_type" to "type"