…ic#16004)

Made with ❤️️ by updatecli

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

… using GuardDuty API (elastic#15858)

Updated wording regarding data duplication issue with Amazon GuardDuty API.

---------

Co-authored-by: Dan Kortschak <[email protected]>

… during the split operation and returned as the root object

The Google Workspace Reports API sometimes does not return the `items[]` array, resulting
in the absence of the target field in the `response.split` operation. This leads to the
root level object being returned, which causes failures in the ingest pipeline.

An issue[1] has been created to resolve the problem with the split[].ignore_empty_value operation.

To address this issue as of now, a `drop` processor has been added at the start of the pipeline to ensure
that we discard events that are not required.

Here is the list of affected data streams:

- access_transparency
- admin
- context_aware_access
- device
- drive
- gcp
- group_enterprise
- groups
- login
- rules
- saml
- token
- user_accounts

[1] elastic/beats#47699

)

* Add health_status field to status change logs data stream
* Add processor for health_status field in status_change_logs data stream
* Add agent status alert rules
* Use more specific index for system metrics, remove RLIKE clauses, and fix field used for CPU usage in alerting rules

Adds whitespace normalization for the SidList field in Windows
Security event 4908 (Special Groups Logon table modified). The
ingest pipeline now uses a gsub processor to normalize separators
before parsing, and the Painless script handles the normalized
format correctly.

Test data originates from
elastic/beats@dd7a1b3

box_events: remove non-ecs fields in ecs namespace

* wrap HTTP links in < >

* docs: update changelogs and build documentation

---------

Co-authored-by: subham sarkar <[email protected]>

…lastic#15801)

This commit addresses inconsistencies in package categorization by adding
missing categories to various integration packages.

Previously, policy templates within certain integrations used categories
(or their parent categories) that were not explicitly defined at the
integration level. This was identified by ensuring all parent categories
of policy template categories are a subset of integration-level
categories.

References

https://github.com/elastic/package-registry/blob/1bec8bf2e7f67f04f38a6310f5b70e56e3b22bfd/categories/categories.yml

…(v1) (elastic#15900)

Add the processor version option to the Raw Events integration v1. With these new options, users can switch from processor v1 (current default) to the processor v2.

This change anticipate the switch to v2 as default processor.

…6001)

Bumps [github.com/elastic/elastic-package](https://github.com/elastic/elastic-package) from 0.115.0 to 0.116.0.
- [Release notes](https://github.com/elastic/elastic-package/releases)
- [Changelog](https://github.com/elastic/elastic-package/blob/main/.goreleaser.yml)
- [Commits](elastic/elastic-package@v0.115.0...v0.116.0)

---
updated-dependencies:
- dependency-name: github.com/elastic/elastic-package
  dependency-version: 0.116.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Teresa Romero <[email protected]>

Fixed a typo in the processor code that was causing issues in the integration.

…lastic#16023)

* Put backslash before underscore

* docs: update changelogs and build documentation

There is an issue with fields that are removed from README generation.

…tic#15713)

Migrated SIEM data stream from HTTPJSON to CEL input with 
with necessary reworks and working system tests. Updated 
minimum stack version to 8.18 to allow usage of required CEL functions.

…16030)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.44.0 to 0.45.0.
- [Commits](golang/crypto@v0.44.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…lastic#16014)

Test sample is derived from the sample above it with the seeAlso field
removed.

…etails field.

This change resolves the mapping conflict in the 'ExtendedProperties' field by explicitly
defining 'additionalDetails' as an object. The existing wildcard mapping for other dynamic keys
has been preserved to maintain backward compatibility and ensure no impact to existing users.
Additionally, the previous 'o365audit.ExtendedProperties.additionalDetails_value' field has been
updated to retain the original field name 'o365audit.ExtendedProperties.additionalDetails'.

…CloudTrail Logs (elastic#15644)

…r data streams. (elastic#16076)

Without these settings, the permissions are not properly added 
to write data to "user" and "device" data streams and causes the error:

{\"type\":\"security_exception\",\"reason\":\"action [indices:data/write/bulk[s]] is unauthorized for API key id [REDACTED] of user [elastic/fleet-server] on indices [logs-entityanalytics_ad.user-default], this action is granted by the index privileges [create_doc,create,delete,index,write,all]\"}

Other "entityanalytics_*" integrations already have these settings.