Fix mappings for subfields of nested fields

packages/akamai/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.25.1"
+ changes:
+ - description: Fix definition of subfields of nested objects
+ type: bugfix
+ link: https:/elastic/integrations/pull/10919
 - version: "2.25.0"
  changes:
  - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."

packages/akamai/data_stream/siem/fields/fields.yml

@@ -19,29 +19,27 @@
  type: nested
  description: >
  Rules triggered by this request
-
- fields:
- - name: ruleVersions
- type: keyword
- description: Versions of rules triggered for this request.
- - name: ruleMessages
- type: keyword
- description: Messages of rules that triggered for this request.
- - name: ruleTags
- type: keyword
- description: Tags of rules that triggered for this request.
- - name: ruleActions
- type: keyword
- description: Actions of rules that triggered for this request.
- - name: rules
- type: keyword
- description: Rules that triggered for this request.
- - name: ruleData
- type: keyword
- description: User data of rules that triggered for this request.
- - name: ruleSelectors
- type: keyword
- description: Selectors of rules that triggered for this request.
+ - name: rules.ruleVersions
+ type: keyword
+ description: Versions of rules triggered for this request.
+ - name: rules.ruleMessages
+ type: keyword
+ description: Messages of rules that triggered for this request.
+ - name: rules.ruleTags
+ type: keyword
+ description: Tags of rules that triggered for this request.
+ - name: rules.ruleActions
+ type: keyword
+ description: Actions of rules that triggered for this request.
+ - name: rules.rules
+ type: keyword
+ description: Rules that triggered for this request.
+ - name: rules.ruleData
+ type: keyword
+ description: User data of rules that triggered for this request.
+ - name: rules.ruleSelectors
+ type: keyword
+ description: Selectors of rules that triggered for this request.
  - name: rule_actions
  type: keyword
  description: >

packages/akamai/docs/README.md

@@ -41,6 +41,7 @@ See [Akamai API get started](https://techdocs.akamai.com/siem-integration/refere
 | akamai.siem.response.headers | HTTP response headers | flattened |
 | akamai.siem.rule_actions | Actions taken for this request. | keyword |
 | akamai.siem.rule_tags | The set of categories for the triggered rule. | keyword |
+| akamai.siem.rules | Rules triggered by this request | nested |
 | akamai.siem.rules.ruleActions | Actions of rules that triggered for this request. | keyword |
 | akamai.siem.rules.ruleData | User data of rules that triggered for this request. | keyword |
 | akamai.siem.rules.ruleMessages | Messages of rules that triggered for this request. | keyword |

packages/akamai/manifest.yml

@@ -1,6 +1,6 @@
 name: akamai
 title: Akamai
-version: "2.25.0"
+version: "2.25.1"
 description: Collect logs from Akamai with Elastic Agent.
 type: integration
 format_version: "3.0.2"

packages/falco/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.1"
+ changes:
+ - description: Fix definition of subfields of nested objects
+ type: bugfix
+ link: https:/elastic/integrations/pull/10919
 - version: "0.1.0"
  changes:
  - description: Initial release of the Falco package

packages/falco/data_stream/alerts/fields/fields.yml

@@ -32,17 +32,16 @@
  - name: container.mounts
  type: nested
  description: List of mount information.
- fields:
- - name: source
- type: keyword
- - name: dest
- type: keyword
- - name: mode
- type: keyword
- - name: rdrw
- type: keyword
- - name: propagation
- type: keyword
+ - name: container.mounts.source
+ type: keyword
+ - name: container.mounts.dest
+ type: keyword
+ - name: container.mounts.mode
+ type: keyword
+ - name: container.mounts.rdrw
+ type: keyword
+ - name: container.mounts.propagation
+ type: keyword
  - name: output
  type: text
  index: false

packages/falco/docs/README.md

@@ -52,6 +52,7 @@ Falco alerts can contain a multitude of various fields pertaining to the type of
 | data_stream.type | Data stream type. | constant_keyword | |
 | event.dataset | Data stream / event dataset. | constant_keyword | |
 | event.module | The module the event belongs to. | constant_keyword | |
+| falco.container.mounts | List of mount information. | nested | |
 | falco.container.mounts.dest | | keyword | |
 | falco.container.mounts.mode | | keyword | |
 | falco.container.mounts.propagation | | keyword | |

packages/falco/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.1.2
 name: falco
 title: Falco
-version: 0.1.0
+version: 0.1.1
 description: Collect events and alerts from Falco using Elastic Agent
 type: integration
 categories:

packages/gcp/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.37.2"
+ changes:
+ - description: Fix definition of subfields of nested objects
+ type: bugfix
+ link: https:/elastic/integrations/pull/10919
 - version: "2.37.1"
  changes:
  - description: Improve GCP Billing documentation.

packages/gcp/data_stream/audit/fields/fields.yml

@@ -30,31 +30,30 @@
  type: nested
  description: |
  Authorization information for the operation.
+ - name: authorization_info.permission
+ type: keyword
+ description: "The required IAM permission."
+ - name: authorization_info.granted
+ type: boolean
+ description: "Whether or not authorization for resource and permission was granted."
+ - name: authorization_info.resource
+ type: keyword
+ description: "The resource being accessed, as a REST-style string."
+ - name: authorization_info.resource_attributes
+ type: group
  fields:
- - name: permission
+ - name: service
  type: keyword
- description: "The required IAM permission."
- - name: granted
- type: boolean
- description: "Whether or not authorization for resource and permission was granted."
- - name: resource
+ description: |
+ The name of the service.
+ - name: name
+ type: keyword
+ description: |
+ The name of the resource.
+ - name: type
  type: keyword
- description: "The resource being accessed, as a REST-style string."
- - name: resource_attributes
- type: group
- fields:
- - name: service
- type: keyword
- description: |
- The name of the service.
- - name: name
- type: keyword
- description: |
- The name of the resource.
- - name: type
- type: keyword
- description: |
- The type of the resource.
+ description: |
+ The type of the resource.
  - name: labels
  type: flattened
  description: "A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined."

packages/gcp/data_stream/billing/fields/fields.yml

@@ -38,8 +38,7 @@
  - name: tags
  type: nested
  description: A collection of key-value pairs that provide additional metadata.
- fields:
- - name: key
- type: keyword
- - name: value
- type: keyword
+ - name: tags.key
+ type: keyword
+ - name: tags.value
+ type: keyword

packages/gcp/docs/README.md

@@ -236,6 +236,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | gcp.audit.authentication_info.service_account_delegation_info | Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities present, they are guaranteed to be sorted based on the original ordering of the identity delegation events. | flattened |
 | gcp.audit.authentication_info.service_account_key_name | The service account key that was used to request the OAuth 2.0 access token. This field identifies the service account key by its full resource name. | keyword |
 | gcp.audit.authentication_info.third_party_principal | The third party identification (if any) of the authenticated user making the request. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property. | flattened |
+| gcp.audit.authorization_info | Authorization information for the operation. | nested |
 | gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean |
 | gcp.audit.authorization_info.permission | The required IAM permission. | keyword |
 | gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword |
@@ -1132,6 +1133,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | gcp.billing.service_id | The ID of the service that the usage is associated with. | keyword |
 | gcp.billing.sku_description | A description of the resource type used by the service. For example, a resource type for Cloud Storage is Standard Storage US. | keyword |
 | gcp.billing.sku_id | The ID of the resource used by the service. | keyword |
+| gcp.billing.tags | A collection of key-value pairs that provide additional metadata. | nested |
 | gcp.billing.tags.key | | keyword |
 | gcp.billing.tags.value | | keyword |
 | gcp.billing.total | Total billing amount. | float |

packages/gcp/docs/audit.md

@@ -25,6 +25,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | gcp.audit.authentication_info.service_account_delegation_info | Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities present, they are guaranteed to be sorted based on the original ordering of the identity delegation events. | flattened |
 | gcp.audit.authentication_info.service_account_key_name | The service account key that was used to request the OAuth 2.0 access token. This field identifies the service account key by its full resource name. | keyword |
 | gcp.audit.authentication_info.third_party_principal | The third party identification (if any) of the authenticated user making the request. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property. | flattened |
+| gcp.audit.authorization_info | Authorization information for the operation. | nested |
 | gcp.audit.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean |
 | gcp.audit.authorization_info.permission | The required IAM permission. | keyword |
 | gcp.audit.authorization_info.resource | The resource being accessed, as a REST-style string. | keyword |

packages/gcp/docs/billing.md

@@ -147,6 +147,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | gcp.billing.service_id | The ID of the service that the usage is associated with. | keyword |
 | gcp.billing.sku_description | A description of the resource type used by the service. For example, a resource type for Cloud Storage is Standard Storage US. | keyword |
 | gcp.billing.sku_id | The ID of the resource used by the service. | keyword |
+| gcp.billing.tags | A collection of key-value pairs that provide additional metadata. | nested |
 | gcp.billing.tags.key | | keyword |
 | gcp.billing.tags.value | | keyword |
 | gcp.billing.total | Total billing amount. | float |

packages/gcp/manifest.yml

@@ -1,6 +1,6 @@
 name: gcp
 title: Google Cloud Platform
-version: "2.37.1"
+version: "2.37.2"
 description: Collect logs and metrics from Google Cloud Platform with Elastic Agent.
 type: integration
 icons:

packages/google_workspace/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.25.1"
+ changes:
+ - description: Fix definition of subfields of nested objects
+ type: bugfix
+ link: https:/elastic/integrations/pull/10919
 - version: "2.25.0"
  changes:
  - description: Add GeoIP processors to all data streams.

packages/google_workspace/data_stream/alert/fields/fields.yml

@@ -375,9 +375,8 @@
  - name: info
  type: nested
  description: Metadata related to the triggered actions.
- fields:
- - name: object
- type: keyword
+ - name: info.object
+ type: keyword
  - name: types
  type: keyword
  description: Actions applied as a consequence of the rule being triggered.

packages/google_workspace/docs/README.md

@@ -1564,6 +1564,7 @@ An example event for `alert` looks as following:
 | google_workspace.alert.data.rule.violation_info.suppressed.action.types | Actions suppressed due to other actions with higher priority. | keyword |
 | google_workspace.alert.data.rule.violation_info.trigger.user.email | Email of the user who caused the violation. Value could be empty if not applicable, for example, a violation found by drive continuous scan. | keyword |
 | google_workspace.alert.data.rule.violation_info.trigger.value | Trigger of the rule. | keyword |
+| google_workspace.alert.data.rule.violation_info.triggered.action.info | Metadata related to the triggered actions. | nested |
 | google_workspace.alert.data.rule.violation_info.triggered.action.info.object | | keyword |
 | google_workspace.alert.data.rule.violation_info.triggered.action.types | Actions applied as a consequence of the rule being triggered. | keyword |
 | google_workspace.alert.data.rule_description | Description of the rule. | text |

packages/google_workspace/manifest.yml

@@ -1,6 +1,6 @@
 name: google_workspace
 title: Google Workspace
-version: "2.25.0"
+version: "2.25.1"
 source:
  license: Elastic-2.0
 description: Collect logs from Google Workspace with Elastic Agent.

packages/jamf_protect/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.4.1"
+ changes:
+ - description: Fix definition of subfields of nested objects
+ type: bugfix
+ link: https:/elastic/integrations/pull/10919
 - version: "2.4.0"
  changes:
  - description: Added process.name and some minor enhancements to some events

packages/jamf_protect/data_stream/telemetry/fields/fields.yml

@@ -274,10 +274,9 @@
  - name: timer_wakeups
  type: nested
  description: Timer wakeups for the task
- fields:
- - name: wakeups
- type: long
- description: Number of wakeups
+ - name: timer_wakeups.wakeups
+ type: long
+ description: Number of wakeups
  - name: error_message
  type: keyword
  description: Contains the event specific error message

packages/jamf_protect/docs/README.md

@@ -560,6 +560,7 @@ An example event for `telemetry` looks as following:
 | jamf_protect.telemetry.system_performance.qos_utility_ms_per_s | QoS utility time in milliseconds per second for the task | double |
 | jamf_protect.telemetry.system_performance.qos_utility_ns | QoS utility time in nanoseconds for the task | long |
 | jamf_protect.telemetry.system_performance.started_abstime_ns | Absolute start time in nanoseconds for the task | long |
+| jamf_protect.telemetry.system_performance.timer_wakeups | Timer wakeups for the task | nested |
 | jamf_protect.telemetry.system_performance.timer_wakeups.wakeups | Number of wakeups | long |
 | jamf_protect.telemetry.to_username | Username to which an action is directed | keyword |
 | jamf_protect.telemetry.tty | Software terminal device file that the process is associated with | keyword |

packages/jamf_protect/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: jamf_protect
 title: Jamf Protect
-version: "2.4.0"
+version: "2.4.1"
 description: Receives events from Jamf Protect with Elastic Agent.
 type: integration
 categories:

packages/proofpoint_on_demand/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.1"
+ changes:
+ - description: Fix definition of subfields of nested objects
+ type: bugfix
+ link: https:/elastic/integrations/pull/10919
 - version: "0.1.0"
  changes:
  - description: Initial release.

packages/proofpoint_on_demand/data_stream/audit/fields/fields.yml

@@ -74,13 +74,12 @@
  description: The IP address of the service.
  - name: tags
  type: nested
- fields:
- - name: name
- type: keyword
- description: Tag name for the particular instance of event.
- - name: value
- type: keyword
- description: The value associated with the tag name.
+ - name: tags.name
+ type: keyword
+ description: Tag name for the particular instance of event.
+ - name: tags.value
+ type: keyword
+ description: The value associated with the tag name.
  - name: ts
  type: date
  description: Timestamp of when the event to be audited occurred.

packages/proofpoint_on_demand/docs/README.md

@@ -226,6 +226,7 @@ An example event for `audit` looks as following:
 | proofpoint_on_demand.audit.service.customer_id | The customer id of the service. | keyword |
 | proofpoint_on_demand.audit.service.id | The IDM service id. | keyword |
 | proofpoint_on_demand.audit.service.ip_address | The IP address of the service. | ip |
+| proofpoint_on_demand.audit.tags | | nested |
 | proofpoint_on_demand.audit.tags.name | Tag name for the particular instance of event. | keyword |
 | proofpoint_on_demand.audit.tags.value | The value associated with the tag name. | keyword |
 | proofpoint_on_demand.audit.ts | Timestamp of when the event to be audited occurred. | date |

packages/proofpoint_on_demand/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.1.4
 name: proofpoint_on_demand
 title: Proofpoint On Demand
-version: 0.1.0
+version: 0.1.1
 description: Collect logs from Proofpoint On Demand with Elastic Agent.
 type: integration
 categories:

packages/tanium/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.10.1"
+ changes:
+ - description: Fix definition of subfields of nested objects
+ type: bugfix
+ link: https:/elastic/integrations/pull/10919
 - version: "1.10.0"
  changes:
  - description: Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.