Adapt definitions of nested subfields to current Fleet implementation (…

…elastic#11016) These mappings were correctly defined as expected by the spec, but Fleet was only installing empty nested objects. To workaround that, subfields can be moved to have their own definitions. Issue in Fleet is fixed in elastic/kibana#191730, we can apply this workaround for current versions of the stack.
janvi-elastic · Sep 6, 2024 · 0751dc1 · 0751dc1
1 parent ad4b0e9
commit 0751dc1
Show file tree

Hide file tree

Showing 36 changed files with 383 additions and 342 deletions.
diff --git a/packages/akamai/changelog.yml b/packages/akamai/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.25.1"
+  changes:
+    - description: Fix definition of subfields of nested objects
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11016
 - version: "2.25.0"
   changes:
     - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."

diff --git a/packages/akamai/data_stream/siem/fields/fields.yml b/packages/akamai/data_stream/siem/fields/fields.yml
@@ -19,29 +19,27 @@
       type: nested
       description: >
         Rules triggered by this request
-
-      fields:
-        - name: ruleVersions
-          type: keyword
-          description: Versions of rules triggered for this request.
-        - name: ruleMessages
-          type: keyword
-          description: Messages of rules that triggered for this request.
-        - name: ruleTags
-          type: keyword
-          description: Tags of rules that triggered for this request.
-        - name: ruleActions
-          type: keyword
-          description: Actions of rules that triggered for this request.
-        - name: rules
-          type: keyword
-          description: Rules that triggered for this request.
-        - name: ruleData
-          type: keyword
-          description: User data of rules that triggered for this request.
-        - name: ruleSelectors
-          type: keyword
-          description: Selectors of rules that triggered for this request.
+    - name: rules.ruleVersions
+      type: keyword
+      description: Versions of rules triggered for this request.
+    - name: rules.ruleMessages
+      type: keyword
+      description: Messages of rules that triggered for this request.
+    - name: rules.ruleTags
+      type: keyword
+      description: Tags of rules that triggered for this request.
+    - name: rules.ruleActions
+      type: keyword
+      description: Actions of rules that triggered for this request.
+    - name: rules.rules
+      type: keyword
+      description: Rules that triggered for this request.
+    - name: rules.ruleData
+      type: keyword
+      description: User data of rules that triggered for this request.
+    - name: rules.ruleSelectors
+      type: keyword
+      description: Selectors of rules that triggered for this request.
     - name: rule_actions
       type: keyword
       description: >

diff --git a/packages/akamai/docs/README.md b/packages/akamai/docs/README.md
@@ -41,6 +41,7 @@ See [Akamai API get started](https://techdocs.akamai.com/siem-integration/refere
 | akamai.siem.response.headers | HTTP response headers | flattened |
 | akamai.siem.rule_actions | Actions taken for this request. | keyword |
 | akamai.siem.rule_tags | The set of categories for the triggered rule. | keyword |
+| akamai.siem.rules | Rules triggered by this request | nested |
 | akamai.siem.rules.ruleActions | Actions of rules that triggered for this request. | keyword |
 | akamai.siem.rules.ruleData | User data of rules that triggered for this request. | keyword |
 | akamai.siem.rules.ruleMessages | Messages of rules that triggered for this request. | keyword |

diff --git a/packages/akamai/manifest.yml b/packages/akamai/manifest.yml
@@ -1,6 +1,6 @@
 name: akamai
 title: Akamai
-version: "2.25.0"
+version: "2.25.1"
 description: Collect logs from Akamai with Elastic Agent.
 type: integration
 format_version: "3.0.2"

diff --git a/packages/falco/changelog.yml b/packages/falco/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.1"
+  changes:
+    - description: Fix definition of subfields of nested objects
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11016
 - version: "0.1.0"
   changes:
     - description: Initial release of the Falco package

diff --git a/packages/falco/data_stream/alerts/fields/fields.yml b/packages/falco/data_stream/alerts/fields/fields.yml
@@ -32,17 +32,16 @@
     - name: container.mounts
       type: nested
       description: List of mount information.
-      fields:
-        - name: source
-          type: keyword
-        - name: dest
-          type: keyword
-        - name: mode
-          type: keyword
-        - name: rdrw
-          type: keyword
-        - name: propagation
-          type: keyword
+    - name: container.mounts.source
+      type: keyword
+    - name: container.mounts.dest
+      type: keyword
+    - name: container.mounts.mode
+      type: keyword
+    - name: container.mounts.rdrw
+      type: keyword
+    - name: container.mounts.propagation
+      type: keyword
     - name: output
       type: text
       index: false

diff --git a/packages/falco/docs/README.md b/packages/falco/docs/README.md
@@ -52,6 +52,7 @@ Falco alerts can contain a multitude of various fields pertaining to the type of
 | data_stream.type | Data stream type. | constant_keyword |  |
 | event.dataset | Data stream / event dataset. | constant_keyword |  |
 | event.module | The module the event belongs to. | constant_keyword |  |
+| falco.container.mounts | List of mount information. | nested |  |
 | falco.container.mounts.dest |  | keyword |  |
 | falco.container.mounts.mode |  | keyword |  |
 | falco.container.mounts.propagation |  | keyword |  |

diff --git a/packages/falco/manifest.yml b/packages/falco/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.2
 name: falco
 title: Falco
-version: 0.1.0
+version: 0.1.1
 description: Collect events and alerts from Falco using Elastic Agent
 type: integration
 categories:

diff --git a/packages/gcp/changelog.yml b/packages/gcp/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.37.2"
+  changes:
+    - description: Fix definition of subfields of nested objects
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11016
 - version: "2.37.1"
   changes:
     - description: Improve GCP Billing documentation.

diff --git a/packages/gcp/data_stream/audit/fields/fields.yml b/packages/gcp/data_stream/audit/fields/fields.yml
@@ -30,31 +30,30 @@
       type: nested
       description: |
         Authorization information for the operation.
+    - name: authorization_info.permission
+      type: keyword
+      description: "The required IAM permission."
+    - name: authorization_info.granted
+      type: boolean
+      description: "Whether or not authorization for resource and permission was granted."
+    - name: authorization_info.resource
+      type: keyword
+      description: "The resource being accessed, as a REST-style string."
+    - name: authorization_info.resource_attributes
+      type: group
       fields:
-        - name: permission
+        - name: service
           type: keyword
-          description: "The required IAM permission."
-        - name: granted
-          type: boolean
-          description: "Whether or not authorization for resource and permission was granted."
-        - name: resource
+          description: |
+            The name of the service.
+        - name: name
+          type: keyword
+          description: |
+            The name of the resource.
+        - name: type
           type: keyword
-          description: "The resource being accessed, as a REST-style string."
-        - name: resource_attributes
-          type: group
-          fields:
-            - name: service
-              type: keyword
-              description: |
-                The name of the service.
-            - name: name
-              type: keyword
-              description: |
-                The name of the resource.
-            - name: type
-              type: keyword
-              description: |
-                The type of the resource.
+          description: |
+            The type of the resource.
     - name: labels
       type: flattened
       description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined."

diff --git a/packages/gcp/data_stream/billing/fields/fields.yml b/packages/gcp/data_stream/billing/fields/fields.yml
@@ -38,8 +38,7 @@
     - name: tags
       type: nested
       description: A collection of key-value pairs that provide additional metadata.
-      fields:
-        - name: key
-          type: keyword
-        - name: value
-          type: keyword
+    - name: tags.key
+      type: keyword
+    - name: tags.value
+      type: keyword
diff --git a/packages/gcp/docs/README.md b/packages/gcp/docs/README.md
@@ -236,6 +236,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | gcp.audit.authentication_info.service_account_delegation_info | Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities present, they are guaranteed to be sorted based on the original ordering of the identity delegation events. | flattened |
 | gcp.audit.authentication_info.service_account_key_name | The service account key that was used to request the OAuth 2.0 access token. This field identifies the service account key by its full resource name. | keyword |
 | gcp.audit.authentication_info.third_party_principal | The third party identification (if any) of the authenticated user making the request. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property. | flattened |
+| gcp.audit.authorization_info | Authorization information for the operation. | nested |
 | gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean |
 | gcp.audit.authorization_info.permission | The required IAM permission. | keyword |
 | gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword |
@@ -1132,6 +1133,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | gcp.billing.service_id | The ID of the service that the usage is associated with. | keyword |
 | gcp.billing.sku_description | A description of the resource type used by the service. For example, a resource type for Cloud Storage is Standard Storage US. | keyword |
 | gcp.billing.sku_id | The ID of the resource used by the service. | keyword |
+| gcp.billing.tags | A collection of key-value pairs that provide additional metadata. | nested |
 | gcp.billing.tags.key |  | keyword |
 | gcp.billing.tags.value |  | keyword |
 | gcp.billing.total | Total billing amount. | float |

diff --git a/packages/gcp/docs/audit.md b/packages/gcp/docs/audit.md
@@ -25,6 +25,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | gcp.audit.authentication_info.service_account_delegation_info | Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities present, they are guaranteed to be sorted based on the original ordering of the identity delegation events. | flattened |
 | gcp.audit.authentication_info.service_account_key_name | The service account key that was used to request the OAuth 2.0 access token. This field identifies the service account key by its full resource name. | keyword |
 | gcp.audit.authentication_info.third_party_principal | The third party identification (if any) of the authenticated user making the request. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property. | flattened |
+| gcp.audit.authorization_info | Authorization information for the operation. | nested |
 | gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean |
 | gcp.audit.authorization_info.permission | The required IAM permission. | keyword |
 | gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword |

diff --git a/packages/gcp/docs/billing.md b/packages/gcp/docs/billing.md
@@ -147,6 +147,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | gcp.billing.service_id | The ID of the service that the usage is associated with. | keyword |
 | gcp.billing.sku_description | A description of the resource type used by the service. For example, a resource type for Cloud Storage is Standard Storage US. | keyword |
 | gcp.billing.sku_id | The ID of the resource used by the service. | keyword |
+| gcp.billing.tags | A collection of key-value pairs that provide additional metadata. | nested |
 | gcp.billing.tags.key |  | keyword |
 | gcp.billing.tags.value |  | keyword |
 | gcp.billing.total | Total billing amount. | float |

diff --git a/packages/gcp/manifest.yml b/packages/gcp/manifest.yml
@@ -1,6 +1,6 @@
 name: gcp
 title: Google Cloud Platform
-version: "2.37.1"
+version: "2.37.2"
 description: Collect logs and metrics from Google Cloud Platform with Elastic Agent.
 type: integration
 icons:

diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.1"
+  changes:
+    - description: Fix definition of nested subfields
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11016
 - version: "1.29.0"
   changes:
     - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

diff --git a/packages/github/data_stream/dependabot/fields/fields.yml b/packages/github/data_stream/dependabot/fields/fields.yml
@@ -143,21 +143,20 @@
               description: >
                 CWEs associated with this Advisory.
 
-              fields:
-                - name: cwe_id
-                  type: keyword
-                  description: >
-                    The id of the CWE.
+            - name: cwes.cwe_id
+              type: keyword
+              description: >
+                The id of the CWE.
 
-                - name: description
-                  type: keyword
-                  description: >
-                    The name of this CWE.
+            - name: cwes.description
+              type: keyword
+              description: >
+                The name of this CWE.
 
-                - name: name
-                  type: keyword
-                  description: >
-                    A detailed description of this CWE.
+            - name: cwes.name
+              type: keyword
+              description: >
+                A detailed description of this CWE.
 
             - name: ghsa_id
               type: keyword
@@ -169,16 +168,15 @@
               description: >
                 A list of identifiers for this advisory.
 
-              fields:
-                - name: type
-                  type: keyword
-                  description: >
-                    The identifier type, e.g. GHSA, CVE.
+            - name: identifiers.type
+              type: keyword
+              description: >
+                The identifier type, e.g. GHSA, CVE.
 
-                - name: value
-                  type: keyword
-                  description: >
-                    The identifier.
+            - name: identifiers.value
+              type: keyword
+              description: >
+                The identifier.
 
             - name: origin
               type: keyword

diff --git a/packages/github/docs/README.md b/packages/github/docs/README.md
@@ -466,10 +466,12 @@ To use this integration, you must be an administrator for the repository or for
 | github.dependabot.number | Identifies the alert number. | integer |
 | github.dependabot.security_advisory.classification | The classification of the advisory. | keyword |
 | github.dependabot.security_advisory.cvss.vector_string | The CVSS vector string associated with this advisory. | keyword |
+| github.dependabot.security_advisory.cwes | CWEs associated with this Advisory. | nested |
 | github.dependabot.security_advisory.cwes.cwe_id | The id of the CWE. | keyword |
 | github.dependabot.security_advisory.cwes.description | The name of this CWE. | keyword |
 | github.dependabot.security_advisory.cwes.name | A detailed description of this CWE. | keyword |
 | github.dependabot.security_advisory.ghsa_id | The GitHub Security Advisory ID. | keyword |
+| github.dependabot.security_advisory.identifiers | A list of identifiers for this advisory. | nested |
 | github.dependabot.security_advisory.identifiers.type | The identifier type, e.g. GHSA, CVE. | keyword |
 | github.dependabot.security_advisory.identifiers.value | The identifier. | keyword |
 | github.dependabot.security_advisory.origin | The organization that originated the advisory. | keyword |

diff --git a/packages/github/manifest.yml b/packages/github/manifest.yml
@@ -1,6 +1,6 @@
 name: github
 title: GitHub
-version: "1.29.0"
+version: "1.29.1"
 description: Collect logs from GitHub with Elastic Agent.
 type: integration
 format_version: "3.0.2"

diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.25.1"
+  changes:
+    - description: Fix definition of subfields of nested objects
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11016
 - version: "2.25.0"
   changes:
     - description: Add GeoIP processors to all data streams.

diff --git a/packages/google_workspace/data_stream/alert/fields/fields.yml b/packages/google_workspace/data_stream/alert/fields/fields.yml
@@ -375,9 +375,8 @@
                         - name: info
                           type: nested
                           description: Metadata related to the triggered actions.
-                          fields:
-                            - name: object
-                              type: keyword
+                        - name: info.object
+                          type: keyword
                         - name: types
                           type: keyword
                           description: Actions applied as a consequence of the rule being triggered.

diff --git a/packages/google_workspace/docs/README.md b/packages/google_workspace/docs/README.md
@@ -1564,6 +1564,7 @@ An example event for `alert` looks as following:
 | google_workspace.alert.data.rule.violation_info.suppressed.action.types | Actions suppressed due to other actions with higher priority. | keyword |
 | google_workspace.alert.data.rule.violation_info.trigger.user.email | Email of the user who caused the violation. Value could be empty if not applicable, for example, a violation found by drive continuous scan. | keyword |
 | google_workspace.alert.data.rule.violation_info.trigger.value | Trigger of the rule. | keyword |
+| google_workspace.alert.data.rule.violation_info.triggered.action.info | Metadata related to the triggered actions. | nested |
 | google_workspace.alert.data.rule.violation_info.triggered.action.info.object |  | keyword |
 | google_workspace.alert.data.rule.violation_info.triggered.action.types | Actions applied as a consequence of the rule being triggered. | keyword |
 | google_workspace.alert.data.rule_description | Description of the rule. | text |

diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml
@@ -1,6 +1,6 @@
 name: google_workspace
 title: Google Workspace
-version: "2.25.0"
+version: "2.25.1"
 source:
   license: Elastic-2.0
 description: Collect logs from Google Workspace with Elastic Agent.

diff --git a/packages/jamf_protect/changelog.yml b/packages/jamf_protect/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.6.1"
+  changes:
+    - description: Fix definition of subfields of nested objects
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11016
 - version: "2.6.0"
   changes:
     - description: Added a lowercased host.name field to the telemetry data stream.

diff --git a/packages/jamf_protect/data_stream/telemetry/fields/fields.yml b/packages/jamf_protect/data_stream/telemetry/fields/fields.yml
@@ -274,10 +274,9 @@
         - name: timer_wakeups
           type: nested
           description: Timer wakeups for the task
-          fields:
-            - name: wakeups
-              type: long
-              description: Number of wakeups
+        - name: timer_wakeups.wakeups
+          type: long
+          description: Number of wakeups
     - name: error_message
       type: keyword
       description: Contains the event specific error message