[cloud_security_posture] Remove dynamic: false from misconfiguration transform#17637

Merged
maxcold merged 2 commits intoelastic:mainfrom
maxcold:csp-transform-remove-dynamic-false
Mar 3, 2026

Conversation

@maxcold
Contributor

@maxcold maxcold commented Mar 3, 2026

PR #17552 removed explicit ECS field definitions from CDR integration transform destinations, relying on the ecs@mappings component template. This broke ECS field searchability and Group-by in the Kibana CSP Findings data grid because the CSP misconfiguration transform had dynamic: false, which completely prevents ecs@mappings dynamic templates from evaluating.

This PR removes dynamic: false and the redundant strings_as_keyword dynamic template, keeping only the index sort settings and date_detection: false.

The dynamic: false setting is also not in line with other CDR-related transforms; cloud_security_posture is the only integration with this setting.

Fixes:

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version conditions are aligned across all changed packages.

Author's Checklist

  • Changes are limited to a single package

How to test this PR locally

  1. Install the integration in local Kibana
  2. Verify destination index template has ecs@mappings and no dynamic: false:
    curl -s "http://localhost:9200/_index_template/security_solution-cloud_security_posture.misconfiguration_latest*" -u elastic:changeme | jq '.index_templates[].index_template'
  3. Wait for transform to run, then check destination index mapping has ECS fields:
    curl -s "http://localhost:9200/security_solution-cloud_security_posture.misconfiguration_latest-*/_mapping" -u elastic:changeme | jq '.[] .mappings.properties.cloud'
  4. In Findings page: verify Group by Cloud Account ID works
  5. Verify search bar autocompletes ECS field names (cloud.account.id, event.category, etc.)

Related issues

Fixes the regression introduced in #17552
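The mechanism the description blames for the regression, as an added example that is not part of this PR or of the integration's own code: a small Python model of how Elasticsearch resolves a field's mapping, showing that with `dynamic: false` no dynamic template (ecs@mappings included) is ever consulted, while explicit `properties` still apply. The ecs@mappings subset, the finding document and the flattened `properties` shape are constructed assumptions.

```python
import fnmatch
# Constructed stand-in for a few ecs@mappings dynamic templates (assumption: illustrative
# names and patterns; the real component template carries many more rules).
ECS_MAPPINGS_SUBSET = [
    {"ecs_timestamp": {"path_match": "@timestamp", "mapping": {"type": "date"}}},
    {"ecs_ip": {"path_match": "*.ip", "match_mapping_type": "string", "mapping": {"type": "ip"}}},
    {"all_strings_to_keywords": {"match_mapping_type": "string", "mapping": {"type": "keyword"}}},
]
# Destination mappings of the misconfiguration transform before this PR and after it.
BEFORE = {"dynamic": False, "date_detection": False, "dynamic_templates": [
    {"strings_as_keyword": {"match_mapping_type": "string", "mapping": {"type": "keyword"}}}]}
AFTER = {"date_detection": False, "dynamic_templates": ECS_MAPPINGS_SUBSET}
SAMPLE_DOC = {  # constructed finding shaped like a CSP misconfiguration event
    "@timestamp": "2026-03-03T14:22:00Z", "cloud": {"account": {"id": "123456789012"}},
    "event": {"category": "configuration"}, "host": {"ip": "10.0.0.5"}, "result": {"evaluation": "failed"}}

def flatten(doc, prefix=""):
    # Yield (dotted.path, leaf value) pairs for a nested JSON document.
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value
def json_type(value):
    # Elasticsearch's match_mapping_type name for a JSON leaf value (subset).
    return {bool: "boolean", int: "long", float: "double"}.get(type(value), "string")
def resolve_mapping(mappings, doc):
    # Return {field: mapped type}; None means kept in _source but not indexed, hence not searchable.
    # Order mirrors Elasticsearch: explicit properties, then the dynamic setting, then templates.
    explicit = mappings.get("properties", {})  # flattened {"a.b": {"type": ...}} for brevity
    resolved = {}
    for path, value in flatten(doc):
        if path in explicit:
            resolved[path] = explicit[path]["type"]
        elif mappings.get("dynamic", True) is False:
            resolved[path] = None  # dynamic templates (ecs@mappings included) are never consulted
        else:
            for template in mappings.get("dynamic_templates", []):
                rule = next(iter(template.values()))
                if (fnmatch.fnmatchcase(path, rule.get("path_match", "*"))
                        and rule.get("match_mapping_type", json_type(value)) == json_type(value)):
                    resolved[path] = rule["mapping"]["type"]
                    break
            else:
                resolved[path] = "text" if json_type(value) == "string" else json_type(value)
    return resolved
def searchable_fields(mappings, doc):
    return sorted(path for path, mapped in resolve_mapping(mappings, doc).items() if mapped)
```

Running `searchable_fields(BEFORE, SAMPLE_DOC)` yields nothing, which is the Findings grid symptom; `AFTER` maps `@timestamp` as date, `host.ip` as ip and the remaining ECS strings as keyword.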

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

@maxcold maxcold added Integration:cloud_security_posture Security Posture Management bugfix Pull request that fixes a bug issue labels Mar 3, 2026
@maxcold maxcold marked this pull request as ready for review March 3, 2026 14:22
@maxcold maxcold requested a review from a team as a code owner March 3, 2026 14:22
@alexreal1314
Contributor

@maxcold is there any risk introduced by this change? AFAIK it makes it kinda schema-less, and we might have conflicts where the same field has two different types and can be ingested into the same index.

@maxcold
Contributor Author

maxcold commented Mar 3, 2026

@alexreal1314 tbh I could think of a case when it will be a problem. Now we have the ecs@mappings template as part of our destination index template, so ECS fields should have dynamic mappings that follow ECS. Then we have data ingested into our native integration only via cloudbeat, so I'm not sure if I understand the concern about different data types ingested into the same index. Do you have an example in mind?

@maxcold
Contributor Author

maxcold commented Mar 3, 2026

@alexreal1314 I think your concerns are close to what was brought up in this comment: #17552 (review). But I'm not sure if keeping explicit transform mapping is worth it.

@maxcold maxcold merged commit d9c5373 into elastic:main Mar 3, 2026
11 checks passed
@maxcold maxcold deleted the csp-transform-remove-dynamic-false branch March 3, 2026 16:21
@elastic-vault-github-plugin-prod

Package cloud_security_posture - 3.3.0-preview08 containing this change is available at https://epr.elastic.co/package/cloud_security_posture/3.3.0-preview08/
