fix: DNS and Hosts network tables support multiple process attributions

[wmetcalf]

Summary

When multiple processes query the same hostname or connect to the same IP (e.g. both javaw.exe and python.exe resolve pypi.org), the DNS and Hosts tables previously showed only the first attributed process. This PR renders one badge per attributed process.

Companion to the network_etw module changes where ProcessFlowIndex._dns_host_to_pid was changed from a single-value dict to a list, and for_host_all() was added to return all attributions. DNS records now include a processes list field alongside the legacy process_name/process_id fields.

Changes

• _dns.html / _dns_not_ajax.html: Iterate p.processes for the Process Name (PID) column; fall back to legacy single-field render for analyses that predate this change.
• _hosts_not_ajax.html: Sync multi-process badge iteration to match the AJAX version (which already supported it).

Test plan

• Submit a sample where multiple processes make DNS queries (e.g. Java + Python stealer) and verify multiple badges appear per DNS row
• Verify fallback render still works for old analyses without p.processes

🤖 Generated with Claude Code

[gemini-code-assist]

Code Review

This pull request updates the network analysis templates to support displaying multiple processes per entry using badges and improves the visual consistency of empty fields. Feedback was provided regarding the logic for constructing the tooltip title in the hosts template, which could result in leading separators or ambiguous port displays when certain process attributes are missing.

[gemini-code-assist]

The logic for constructing the title attribute has a couple of issues that can lead to a confusing tooltip:

1. If the first attribute (p.source) is not present, but a subsequent one is (e.g., p.resolved_hostname), the title will start with a | separator, like | resolved via example.com.
2. If p.protocol is not present but p.dst_port is, the port will be appended to the preceding text without a space or context, which could be misleading (e.g., source: behavior:8080).

The suggested change ensures that separators are only placed between elements and that the port is always displayed with its protocol.

{% spaceless %}title="{% if p.source %}source: {{ p.source }}{% endif %}{% if p.resolved_hostname %}{% if p.source %} | {% endif %}resolved via {{ p.resolved_hostname }}{% endif %}{% if p.protocol %}{% if p.source or p.resolved_hostname %} | {% endif %}{{ p.protocol }}{% if p.dst_port %}:{{ p.dst_port }}{% endif %}{% endif %}"{% endspaceless %}

[Copilot]

Pull request overview

Updates CAPEv2’s analysis UI templates so DNS and Hosts network tables can display multiple process attributions per row (while preserving a fallback for older analyses that only have process_name / process_id).

Changes:

• Render one badge per attributed process when processes is present on DNS/Hosts records.
• Keep legacy single-attribution rendering as a fallback when processes is absent.
• Normalize “missing value” rendering for ASN and process columns using a muted -.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
web/templates/analysis/network/_hosts_not_ajax.html	Align non-AJAX Hosts table with the multi-process badge rendering used elsewhere; improve empty ASN/process display.
web/templates/analysis/network/_dns.html	Add multi-process badge iteration for DNS rows with legacy fallback.
web/templates/analysis/network/_dns_not_ajax.html	Mirror the DNS multi-process badge rendering for non-AJAX views with legacy fallback.