Add event.provider to API events (#631)

Author: gabriellandau

custom_subsets/elastic_endpoint/api/api.yaml

@@ -38,6 +38,7 @@ fields:
       hash: {}
       id: {}
       ingested: {}
+      provider: {}
       outcome: {}
       start: {}
       type: {}

package/endpoint/data_stream/api/fields/fields.yml

@@ -1068,6 +1068,14 @@
 
         Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense.'
       example: success
+    - name: provider
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Source of the event.
+
+        Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).'
+      example: kernel
     - name: start
       level: extended
       type: date