Upgrade packages to ECS 8.2 (2/4)

packages/cloudflare/_dev/build/build.yml

@@ -1,3 +1,3 @@
 dependencies:
   ecs:
-    reference: git@8.0
+    reference: git@8.2

packages/cloudflare/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.4.0"
+  changes:
+    - description: Update to ECS 8.2
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2779
 - version: "1.3.2"
   changes:
     - description: Add documentation for multi-fields

packages/cloudflare/data_stream/audit/elasticsearch/ingest_pipeline/default.yml

@@ -1,12 +1,9 @@
 ---
 description: Pipeline for parsing cloudflare audit logs
 processors:
-- set:
-    field: event.ingested
-    value: '{{_ingest.timestamp}}'
 - set:
     field: ecs.version
-    value: '8.0.0'
+    value: '8.2.0'
 - rename:
     field: message
     target_field: event.original

packages/cloudflare/data_stream/audit/sample_event.json

@@ -33,7 +33,7 @@
         "type": "logs"
     },
     "ecs": {
-        "version": "8.0.0"
+        "version": "8.2.0"
     },
     "elastic_agent": {
         "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",

packages/cloudflare/data_stream/logpull/_dev/test/pipeline/test-http-json.log-expected.json

@@ -129,7 +129,7 @@
             },
             "@timestamp": "2019-08-02T15:29:08.000Z",
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "http": {
                 "request": {
@@ -174,7 +174,6 @@
             },
             "event": {
                 "duration": 0,
-                "ingested": "2021-12-30T04:25:53.365518980Z",
                 "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":15169,\"ClientCountry\":\"us\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2577,\"ClientRequestHost\":\"cf-analytics.com\",\"ClientRequestMethod\":\"POST\",\"ClientRequestPath\":\"/wp-cron.php\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://cf-analytics.com/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestURI\":\"/wp-cron.php?doing_wp_cron=1564759748.3962020874023437500000\",\"ClientRequestUserAgent\":\"WordPress/5.2.2;https://cf-analytics.com\",\"ClientSSLCipher\":\"ECDHE-ECDSA-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.2\",\"ClientSrcPort\":55028,\"EdgeColoID\":14,\"EdgeEndTimestamp\":\"2019-08-02T15:29:08Z\",\"EdgePathingOp\":\"chl\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"captchaNew\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"\",\"EdgeResponseBytes\":2848,\"EdgeResponseCompressionRatio\":2.64,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":\"2019-08-02T15:29:08Z\",\"FirewallMatchesActions\":[\"simulate\",\"challenge\"],\"FirewallMatchesSources\":[\"firewallRules\",\"firewallRules\"],\"FirewallMatchesRuleIDs\":[\"094b71fea25d4860a61fa0c6fbbd8d8b\",\"e454fd4a0ce546b3a9a462536613692c\"],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"500115ec386354d8\",\"SecurityLevel\":\"med\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":155978002}",
                 "kind": "event",
                 "start": "2019-08-02T15:29:08.000Z",
@@ -320,7 +319,7 @@
             },
             "@timestamp": "2021-07-08T14:02:38.812Z",
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "http": {
                 "request": {
@@ -360,7 +359,6 @@
             },
             "event": {
                 "duration": 63000000,
-                "ingested": "2021-12-30T04:25:53.365521557Z",
                 "original": "{\"CacheCacheStatus\":\"hit\",\"CacheResponseBytes\":26888,\"CacheResponseStatus\":200,\"CacheTieredFill\":true,\"ClientASN\":1136,\"ClientCountry\":\"nl\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":5324,\"ClientRequestHost\":\"eqlplayground.io\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js\",\"ClientRequestProtocol\":\"HTTP/1.1\",\"ClientRequestReferer\":\"https://eqlplayground.io/s/eqldemo/app/security/timelines/default?sourcerer=(default:!(.siem-signals-eqldemo))\u0026timerange=(global:(linkTo:!(),timerange:(from:%272021-03-03T19:55:15.519Z%27,fromStr:now-24h,kind:relative,to:%272021-03-04T19:55:15.519Z%27,toStr:now)),timeline:(linkTo:!(),timerange:(from:%272020-03-04T19:55:28.684Z%27,fromStr:now-1y,kind:relative,to:%272021-03-04T19:55:28.692Z%27,toStr:now)))\u0026timeline=(activeTab:eql,graphEventId:%27%27,id:%2769f93840-7d23-11eb-866c-79a0609409ba%27,isOpen:!t)\",\"ClientRequestURI\":\"/40865/bundles/plugin/securitySolution/8.0.0/securitySolution.chunk.9.js\",\"ClientRequestUserAgent\":\"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36\",\"ClientSSLCipher\":\"NONE\",\"ClientSSLProtocol\":\"none\",\"ClientSrcPort\":0,\"ClientXRequestedWith\":\"\",\"EdgeColoCode\":\"33.147.138.217\",\"EdgeColoID\":20,\"EdgeEndTimestamp\":1625752958875000000,\"EdgePathingOp\":\"wl\",\"EdgePathingSrc\":\"macro\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"eqlplayground.io\",\"EdgeResponseBytes\":24743,\"EdgeResponseCompressionRatio\":0,\"EdgeResponseContentType\":\"application/javascript\",\"EdgeResponseStatus\":200,\"EdgeServerIP\":\"89.160.20.156\",\"EdgeStartTimestamp\":1625752958812000000,\"FirewallMatchesActions\":[],\"FirewallMatchesRuleIDs\":[],\"FirewallMatchesSources\":[],\"OriginIP\":\"\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"66b9d9f88b5b4c4f\",\"RayID\":\"66b9d9f890ae4c4f\",\"SecurityLevel\":\"off\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":true,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122}",
                 "kind": "event",
                 "start": "2021-07-08T14:02:38.812Z",
@@ -513,7 +511,7 @@
             },
             "@timestamp": "2021-07-08T14:24:24.676Z",
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "http": {
                 "request": {
@@ -557,7 +555,6 @@
             },
             "event": {
                 "duration": 8000000,
-                "ingested": "2021-12-30T04:25:53.365522491Z",
                 "original": "{\"CacheCacheStatus\":\"unknown\",\"CacheResponseBytes\":0,\"CacheResponseStatus\":0,\"CacheTieredFill\":false,\"ClientASN\":1136,\"ClientCountry\":\"nl\",\"ClientDeviceType\":\"desktop\",\"ClientIP\":\"89.160.20.156\",\"ClientIPClass\":\"noRecord\",\"ClientRequestBytes\":2520,\"ClientRequestHost\":\"eqlplayground.io\",\"ClientRequestMethod\":\"GET\",\"ClientRequestPath\":\"/s/eqldemo/security/account\",\"ClientRequestProtocol\":\"HTTP/2\",\"ClientRequestReferer\":\"\",\"ClientRequestURI\":\"/s/eqldemo/security/account\",\"ClientRequestUserAgent\":\"Mozilla/5.0(WindowsNT10.0;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/91.0.4472.124Safari/537.36\",\"ClientSSLCipher\":\"AEAD-AES128-GCM-SHA256\",\"ClientSSLProtocol\":\"TLSv1.3\",\"ClientSrcPort\":61593,\"ClientXRequestedWith\":\"\",\"EdgeColoCode\":\"AMS\",\"EdgeColoID\":20,\"EdgeEndTimestamp\":1625754264684000000,\"EdgePathingOp\":\"ban\",\"EdgePathingSrc\":\"filterBasedFirewall\",\"EdgePathingStatus\":\"nr\",\"EdgeRateLimitAction\":\"\",\"EdgeRateLimitID\":0,\"EdgeRequestHost\":\"183.53.30.34\",\"EdgeResponseBytes\":2066,\"EdgeResponseCompressionRatio\":2.45,\"EdgeResponseContentType\":\"text/html\",\"EdgeResponseStatus\":403,\"EdgeServerIP\":\"\",\"EdgeStartTimestamp\":1625754264676000000,\"FirewallMatchesActions\":[\"block\"],\"FirewallMatchesRuleIDs\":[\"391eb601201e4f2a81038910f2b63f6d\"],\"FirewallMatchesSources\":[\"firewallRules\"],\"OriginIP\":\"89.160.20.156\",\"OriginResponseBytes\":0,\"OriginResponseHTTPExpires\":\"\",\"OriginResponseHTTPLastModified\":\"\",\"OriginResponseStatus\":0,\"OriginResponseTime\":0,\"OriginSSLProtocol\":\"unknown\",\"ParentRayID\":\"00\",\"RayID\":\"66b9f9da396e4c01\",\"SecurityLevel\":\"unk\",\"WAFAction\":\"unknown\",\"WAFFlags\":\"0\",\"WAFMatchedVar\":\"\",\"WAFProfile\":\"unknown\",\"WAFRuleID\":\"\",\"WAFRuleMessage\":\"\",\"WorkerCPUTime\":0,\"WorkerStatus\":\"unknown\",\"WorkerSubrequest\":false,\"WorkerSubrequestCount\":0,\"ZoneID\":393347122}",
                 "kind": "event",
                 "start": "2021-07-08T14:24:24.676Z",

packages/cloudflare/data_stream/logpull/elasticsearch/ingest_pipeline/default.yml

@@ -1,12 +1,9 @@
 ---
 description: Pipeline for parsing cloudflare logs
 processors:
-- set:
-    field: event.ingested
-    value: '{{_ingest.timestamp}}'
 - set:
     field: ecs.version
-    value: '8.0.0'
+    value: '8.2.0'
 - rename:
     field: message
     target_field: event.original

packages/cloudflare/data_stream/logpull/sample_event.json

@@ -103,7 +103,7 @@
         "bytes": 2848
     },
     "ecs": {
-        "version": "8.0.0"
+        "version": "8.2.0"
     },
     "elastic_agent": {
         "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",

packages/cloudflare/docs/README.md

@@ -126,7 +126,7 @@ An example event for `audit` looks as following:
         "type": "logs"
     },
     "ecs": {
-        "version": "8.0.0"
+        "version": "8.2.0"
     },
     "elastic_agent": {
         "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",
@@ -487,7 +487,7 @@ An example event for `logpull` looks as following:
         "bytes": 2848
     },
     "ecs": {
-        "version": "8.0.0"
+        "version": "8.2.0"
     },
     "elastic_agent": {
         "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",

packages/cloudflare/manifest.yml

@@ -1,6 +1,6 @@
 name: cloudflare
 title: Cloudflare
-version: 1.3.2
+version: 1.4.0
 release: ga
 description: Collect and parse logs from Cloudflare API with Elastic Agent.
 type: integration

packages/crowdstrike/_dev/build/build.yml

@@ -1,3 +1,3 @@
 dependencies:
   ecs:
-    reference: git@8.0
+    reference: git@8.2

packages/crowdstrike/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.0"
+  changes:
+    - description: Update to ECS 8.2
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2779
 - version: "1.2.7"
   changes:
     - description: Move invalid field value

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-audit-events.log-expected.json

@@ -18,7 +18,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": [
@@ -73,7 +73,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": [
@@ -152,7 +152,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "category": [
@@ -205,7 +205,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "category": [
@@ -259,7 +259,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "category": [
@@ -322,7 +322,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": "user_activity_audit_event",
@@ -382,7 +382,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "category": [
@@ -436,7 +436,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "category": [
@@ -496,7 +496,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "category": [
@@ -550,7 +550,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "category": [
@@ -604,7 +604,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "category": [
@@ -658,7 +658,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "category": [
@@ -729,7 +729,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": "user_activity_audit_event",

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-events.log-expected.json

@@ -58,7 +58,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": "Prevention, process killed.",
@@ -153,7 +153,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": "incident",
@@ -201,7 +201,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": "user_activity_audit_event",

packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json

@@ -46,7 +46,7 @@
                 "port": 445
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": [
@@ -121,7 +121,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": "incident",
@@ -183,7 +183,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "category": [
@@ -245,7 +245,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": "user_activity_audit_event",
@@ -290,7 +290,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": [
@@ -356,7 +356,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": [
@@ -484,7 +484,7 @@
                 }
             },
             "ecs": {
-                "version": "8.0.0"
+                "version": "8.2.0"
             },
             "event": {
                 "action": "Detection, process would have been blocked if related prevention policy setting was enabled.",

packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml

@@ -3,7 +3,7 @@ description: Ingest pipeline for normalizing CrowdStrike Falcon logs
 processors:
   - set:
       field: ecs.version
-      value: '8.0.0'
+      value: '8.2.0'
   - rename:
       field: message
       target_field: event.original

packages/crowdstrike/data_stream/falcon/sample_event.json

@@ -52,7 +52,7 @@
         "type": "logs"
     },
     "ecs": {
-        "version": "8.0.0"
+        "version": "8.2.0"
     },
     "elastic_agent": {
         "id": "c53ddea2-61ac-4643-8676-0c70ebf51c91",