25254: Rename rsa.misc.hardware_id to observer.serial_number

Author: legoguy1000

CHANGELOG.next.asciidoc

@@ -852,6 +852,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `awsfargate` module to collect container logs from Amazon ECS on Fargate. {pull}25041[25041]
 - New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803]
 - Add `uri_parts` processor to Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, and ZScaler modules ingest pipelines. {issue}19088[19088] {pull}24699[24699]
+- Rename `rsa.misc.hardware_id` to `observer.serial_number` for `fortinet.fortimail` and `fortinet.fortimanager` modules.  {issue}25254[25254] {pull}25356[25356]
 
 *Heartbeat*
 

x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml

@@ -10,6 +10,11 @@ processors:
   - user_agent:
         field: user_agent.original
         ignore_missing: true
+  # Serial Number
+  - rename:
+        field: rsa.misc.hardware_id
+        target_field: observer.serial_number
+        ignore_missing: true
   # IP Geolocation Lookup
   - geoip:
         field: source.ip