Remove ECS field definitions from CDR transform destinations

[maxcold]

Proposed commit message

Removes redundant ECS field definitions from transform destination index field mappings across 7 integration packages, now covered by the ecs@mappings component template added to Fleet transform destination index templates (elastic/kibana#223878).

Packages updated: wiz, cloud_security_posture, qualys_vmdr, tenable_io, rapid7_insightvm, aws, microsoft_defender_endpoint

Changes per package:

• Deleted ecs.yml files containing ECS field definitions from transform field directories
• Created ecs-overridden.yml where constant_keyword type overrides need to be preserved (qualys_vmdr, rapid7_insightvm, aws)
• Minor version bumps and changelog entries

Note: The Wiz package also bumps its Kibana version constraint from ~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0 to ^8.19.0 || ^9.1.0 since ecs@mappings was introduced in 8.19.0/9.1.0.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Simplest to use https://github.com/elastic/security-documents-generator command csp to generate some data, build packages from this PR, install them and ingest new data. Everything should work as before. Same for first installing the new version packages and then generating data with the data generator

Related issues

• Relates Remove ecs mappings from integration transform definition kibana#224221

Screenshots

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[kcreddy]

Thanks for taking care of this.
It would be nice to also rename ecs.yml files which has only overridden fields to ecs-overridden.yml to conform to this change.
Example: aws.config, aws.inspector, aws_securityhub, google_scc etc.

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: c7d79c2

Failed CI Steps

• :pipeline:⬆️ Upload Pipeline: .buildkite/pipeline.yml

History

• 💔 Build #38926 failed 9b843db
• 💚 Build #38772 succeeded 65a65b9
• 💔 Build #38762 failed 2ba4fb8

[maxcold]

@kcreddy updated

[kcreddy]

LGTM.
But would like to get @chrisberkhout thoughts as per his earlier comment - elastic/elastic-package#1641 (comment)

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[chrisberkhout]

This is great!

Very nice to remove the redundant defs and a potential source of divergence between source and destination indexes.
I see the overrides remain, which is good.

The one other case I can think of to have the explicit definitions is when there's an issue with field limit and it's important to ensure that certain fields are definitely present (e.g. for rules) before dynamic mappings fight for what remains. But that should be rare and only a workaround rather than a standard practice.

Not critical to do now, but it would be good to make sure that for each transform the files in elasticsearch/transform/*/fields/*.yml files are identical in name and content to their source data stream's field definition files in data_stream/*/fields/*.yml, except is-transform-source-{false,true}.yml and anything else that doesn't match for a good reason. When definitions exist in only once place, it's good to have them in a uniquely named file. All this will get easier to keep in sync once we start using the elastic-package link function (although it currently has a bug that I'm about to fix).

[elastic-vault-github-plugin-prod]

Package aws - 6.3.0 containing this change is available at https://epr.elastic.co/package/aws/6.3.0/

[elastic-vault-github-plugin-prod]

Package aws_securityhub - 0.2.0 containing this change is available at https://epr.elastic.co/package/aws_securityhub/0.2.0/

[elastic-vault-github-plugin-prod]

Package cloud_security_posture - 3.3.0-preview07 containing this change is available at https://epr.elastic.co/package/cloud_security_posture/3.3.0-preview07/

[elastic-vault-github-plugin-prod]

Package google_scc - 2.3.0 containing this change is available at https://epr.elastic.co/package/google_scc/2.3.0/

[elastic-vault-github-plugin-prod]

Package microsoft_defender_endpoint - 4.4.0 containing this change is available at https://epr.elastic.co/package/microsoft_defender_endpoint/4.4.0/

[elastic-vault-github-plugin-prod]

Package qualys_vmdr - 6.16.0 containing this change is available at https://epr.elastic.co/package/qualys_vmdr/6.16.0/

[elastic-vault-github-plugin-prod]

Package rapid7_insightvm - 2.6.0 containing this change is available at https://epr.elastic.co/package/rapid7_insightvm/2.6.0/

[elastic-vault-github-plugin-prod]

Package tenable_io - 4.9.0 containing this change is available at https://epr.elastic.co/package/tenable_io/4.9.0/

[elastic-vault-github-plugin-prod]

Package wiz - 4.1.0 containing this change is available at https://epr.elastic.co/package/wiz/4.1.0/