Update elastic-package to use Package Spec 3.0.0-rc1 and fix v3 packages #8115

Merged 24 commits on Oct 12, 2023

Conversation

jsoriano
Member

@jsoriano jsoriano commented Oct 6, 2023

Proposed commit message

Fix field definitions in packages that were updated before v3 GA release, and are failing now with the first RC (see #8109, #8120)

Changes applied:

  • Fix mapping of ECS fields that are only "objects", by setting type: group. They don't generate any mapping, and they are detected as invalid objects without object_type. Child mappings are imported too. Some examples of these object fields are dns.answer, or network.inner.
  • Objects without object_type that seem to fit as "tags" or "labels" use cases have been converted to flattened.
  • Objects without object_type that seem to fit as metrics have been converted to type: double.
  • Quote field names in test configuration files.
  • Validations skipped for references found in dashboards.
  • Validations skipped for the required Kibana version needed for saved tags.

Packages with changes in fields include a new changelog entry, so a new package will be released.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

@elasticmachine

elasticmachine commented Oct 6, 2023

💔 Build Failed

Build stats

  • Start Time: 2023-10-11T20:01:46.397+0000

  • Duration: 114 min 53 sec

Test stats 🧪

Test Results
Failed 0
Passed 4868
Skipped 6
Total 4874

Steps errors 3


Test integration: aws
  • Took 2 min 6 sec
  • Description: eval "$(../../build/elastic-package stack shellinit)" ../../build/elastic-package test -v --report-format xUnit --report-output file --test-coverage
Boot up the Elastic stack
  • Took 2 min 59 sec
  • Description: ../../build/elastic-package stack up -d -v --version 8.10.1
Google Storage Download
  • Took 0 min 0 sec

@elasticmachine

elasticmachine commented Oct 6, 2023

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (459/459) 💚
Files 96.675% (785/812) 👎 -3.325
Classes 96.675% (785/812) 👎 -3.325
Methods 92.634% (7571/8173) 👍 67.634
Lines 88.383% (173221/195989) 👎 -11.617
Conditionals 100.0% (0/0) 💚

@jsoriano jsoriano self-assigned this Oct 6, 2023
@jsoriano jsoriano requested a review from a team October 6, 2023 13:19
@ebeahan
Member

ebeahan commented Oct 6, 2023

Replacement of dns.answer when it contains arrays of objects, to the nested type.

dns.answers in ECS is object not nested. Why the deviation?

This is not a lightweight switch either. Nested fields are indexed as separate documents, have their own query types (which are not well supported in Kibana in my own experience), and limit the field's use in visualizations.

@jsoriano
Member Author

jsoriano commented Oct 6, 2023

dns.answers in ECS is object not nested. Why the deviation?

Yes, this is in my opinion a complicated case, because this field is modeled as an object, but it is also described as an array. Arrays of objects are not supported by Elasticsearch, so it can lead to unexpected results. One way to have an array of objects is to use the nested type, but as you said, it doesn't come without tradeoffs.

I am going to try to relax this restriction, because it is causing many problems and probably the benefit of the correctness is not so big.
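To make the tradeoff discussed in this reply concrete, here is an added example (not code from this PR, from ECS, or from elastic-package) that models how Elasticsearch stores an array of objects under an `object` mapping versus a `nested` one. The flattening rule and the two query helpers are a simplified model written for this illustration, and the DNS document is constructed; the point it shows is that under `object` a query combining `dns.answers.name` and `dns.answers.type` can match values taken from different answers.

```python
"""Added illustration (not code from the PR or from elastic-package): why an
array of objects under an ``object`` field can match queries it should not,
and what ``nested`` changes. The flattening rule and the two query helpers are
a simplified model of Elasticsearch behaviour, written only for this example."""

from __future__ import annotations

from typing import Any

# Constructed sample document: a DNS event whose dns.answers carries two
# resource records, in the array-of-objects shape ECS describes for the field.
SAMPLE_DOC = {
    "dns": {
        "question": {"name": "example.test"},
        "answers": [
            {"name": "example.test", "type": "A", "data": "192.0.2.10"},
            {"name": "cname.example.test", "type": "CNAME", "data": "example.test"},
        ],
    }
}


def flatten_object_fields(doc: dict, prefix: str = "") -> dict[str, list[Any]]:
    """Model of how an ``object`` mapping stores an array of objects: every leaf
    becomes a multi-valued field keyed by its dotted path, and the association
    between values that came from the same array element is lost."""
    out: dict[str, list[Any]] = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        items = value if isinstance(value, list) else [value]
        for item in items:
            if isinstance(item, dict):
                for sub_path, sub_values in flatten_object_fields(item, path + ".").items():
                    out.setdefault(sub_path, []).extend(sub_values)
            else:
                out.setdefault(path, []).append(item)
    return out


def matches_as_object(doc: dict, **terms: Any) -> bool:
    """AND of term queries over the flattened view: each term only needs *some*
    value of its field to match, not a value from the same array element."""
    flat = flatten_object_fields(doc)
    return all(value in flat.get(field, []) for field, value in terms.items())


def matches_as_nested(doc: dict, array_path: str, **terms: Any) -> bool:
    """Model of a ``nested`` query: all terms must hold within one element of
    the array at ``array_path``, since each element is indexed as its own
    hidden document."""
    node: Any = doc
    for part in array_path.split("."):
        node = node[part]
    for element in node:
        flat = flatten_object_fields(element, array_path + ".")
        if all(value in flat.get(field, []) for field, value in terms.items()):
            return True
    return False


if __name__ == "__main__":
    # No single answer has name == example.test AND type == CNAME, yet the
    # object model reports a match; the nested model does not.
    cross = {"dns.answers.name": "example.test", "dns.answers.type": "CNAME"}
    print("object :", matches_as_object(SAMPLE_DOC, **cross))
    print("nested :", matches_as_nested(SAMPLE_DOC, "dns.answers", **cross))
```

Run it directly to see the false positive; a detection rule written against `dns.answers.*` fields on an `object` mapping has exactly this cross-element behaviour, which is the correctness concern weighed against the query and visualization limits of `nested`.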

@jsoriano
Member Author

jsoriano commented Oct 9, 2023

@elastic/security-external-integrations one of the only pending issues is in the trellix_edr_cloud package. It fails with:

parsing field value failed: field "trellix_edr_cloud.event.certs" is a group of fields, it cannot store values

The issue is that this field is defined as nested, but it is storing an array of arrays of objects. In the sample document and in the expected files in tests, the first level of the array contains a single element, so it could be flattened as an array of objects, with only the first element. And that would match the fields definition.

Is this structure of arrays of arrays of objects needed, or could this be flattened so that the current field mappings would work?

@jsoriano
Member Author

jsoriano commented Oct 9, 2023

Is this structure of arrays of arrays of objects needed, or could this be flattened so that the current field mappings would work?

If this structure is actually needed, I have prepared a PR to handle it: elastic/elastic-package#1498

@elasticmachine

Package hid_bravura_monitor - 1.15.1 containing this change is available at https://epr.elastic.co/search?package=hid_bravura_monitor

@elasticmachine

Package juniper_srx - 1.18.1 containing this change is available at https://epr.elastic.co/search?package=juniper_srx

@elasticmachine

Package netflow - 2.16.1 containing this change is available at https://epr.elastic.co/search?package=netflow

@elasticmachine

Package network_traffic - 1.25.1 containing this change is available at https://epr.elastic.co/search?package=network_traffic

@elasticmachine

Package osquery_manager - 1.10.1 containing this change is available at https://epr.elastic.co/search?package=osquery_manager

@elasticmachine

Package panw_cortex_xdr - 1.21.1 containing this change is available at https://epr.elastic.co/search?package=panw_cortex_xdr

@elasticmachine

Package suricata - 2.18.1 containing this change is available at https://epr.elastic.co/search?package=suricata

@elasticmachine

Package sysmon_linux - 1.5.1 containing this change is available at https://epr.elastic.co/search?package=sysmon_linux

@elasticmachine

Package zeek - 2.19.1 containing this change is available at https://epr.elastic.co/search?package=zeek

- name: tags.*
type: object
- name: tags
type: flattened
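Review bot: the mapping type of `tags` changes here from a wildcard object (`tags.*` with `type: object`) to `tags` with `type: flattened`; because a flattened field supports only a subset of query types, the package changelog entry for this change should call it out as potentially breaking for users with existing queries, visualizations or alerts against `tags` subfields, rather than describing it only as a mapping fix.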
Contributor


@jsoriano Is the mapping that is created by Fleet based on this change identical?

Member Author


No, it isn't. With this change we are providing an actual mapping to these fields.

Previous mapping was probably not the expected one, it was not generating any useful mapping:

"tags": {
  "properties": {
    "*": {
      "type": "object"
    }
  }
}

Now it generates a flattened field:

"tags": {
  "type": "flattened"
}
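The two mappings quoted in this thread, and the `type: group` / `flattened` conversions listed in the PR description, follow from how field definitions are turned into a mapping. The following is an added example, not code from this PR, from Fleet or from elastic-package: a deliberately simplified model of that translation, in which the `tags.*: object` definition lands literally in the mapping (the shape quoted above), `flattened` and ordinary types map to `{"type": ...}`, and a `group` contributes only its children. It also includes a check for `object` fields without `object_type`, the condition the PR description says Package Spec v3 now rejects. The field definitions are constructed; the real generator handles more cases (for example `object_type`, which is deliberately left out here).

```python
"""Added example (not Fleet's or elastic-package's code): a simplified model of
fields.yml -> Elasticsearch mapping, plus the v3-style check for object fields
that lack object_type. Field definitions below are constructed."""

from __future__ import annotations

from typing import Any

# Constructed definitions in the shape of a package's fields.yml.
OLD_FIELDS = [{"name": "tags.*", "type": "object"}]  # pre-fix definition

NEW_FIELDS = [
    {"name": "tags", "type": "flattened"},  # post-fix: a real mapping for tags
    {
        "name": "dns.answers",
        "type": "group",  # a group has no type of its own, only children
        "fields": [
            {"name": "name", "type": "keyword"},
            {"name": "type", "type": "keyword"},
        ],
    },
]


def _insert(properties: dict, dotted: str, leaf: dict) -> None:
    """Place ``leaf`` at the dotted path, creating intermediate objects."""
    parts = dotted.split(".")
    node = properties
    for part in parts[:-1]:
        node = node.setdefault(part, {}).setdefault("properties", {})
    node[parts[-1]] = leaf


def build_mapping(fields: list[dict]) -> dict:
    """Return ``{"properties": {...}}`` for the given field definitions.

    Simplification used here: every non-group type becomes ``{"type": t}``
    at its dotted path. That is enough to reproduce why ``tags.*: object``
    yields a ``"*"`` property that maps nothing useful."""
    properties: dict[str, Any] = {}
    for field in fields:
        if field.get("type") == "group":
            # The group itself has no type; its mapping is its children's.
            _insert(properties, field["name"], build_mapping(field.get("fields", [])))
        else:
            _insert(properties, field["name"], {"type": field["type"]})
    return {"properties": properties}


def find_invalid_objects(fields: list[dict], prefix: str = "") -> list[str]:
    """Names of ``object`` fields without ``object_type``: they define no
    concrete mapping, which is what the v3 spec validation reports as an
    invalid object. Groups are walked recursively."""
    bad: list[str] = []
    for field in fields:
        name = prefix + field["name"]
        if field.get("type") == "object" and "object_type" not in field:
            bad.append(name)
        if field.get("type") == "group":
            bad.extend(find_invalid_objects(field.get("fields", []), name + "."))
    return bad


if __name__ == "__main__":
    import json

    print("invalid in OLD_FIELDS:", find_invalid_objects(OLD_FIELDS))
    print(json.dumps(build_mapping(OLD_FIELDS), indent=2))
    print("invalid in NEW_FIELDS:", find_invalid_objects(NEW_FIELDS))
    print(json.dumps(build_mapping(NEW_FIELDS), indent=2))
```

Running it prints the `"*": {"type": "object"}` shape for the old definition and the `flattened` and grouped mappings for the new ones, and `find_invalid_objects` flags `tags.*` the way the PR description says the v3 spec does.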

Contributor


I see, that previous one seems like a bug. Trying to remember what it exactly produced in Beats, my guess in this scenario was that just everything becomes a keyword. Is my assumption correct that the buggy mapping above did not have any effect? So if tags.foo came in, it was just a keyword? Now it will be flattened. One concern I have is that for some users this might be a breaking change as not all the same queries are supported: https://www.elastic.co/guide/en/elasticsearch/reference/current/flattened.html At the same time I like the idea of tags being of type flattened.

The main reason I comment is to make sure we have thought through the potential implications of the change and, in case users get hit by it, that we have a plan for them ready. @tommyers-elastic

Contributor

@zmoog zmoog Jan 17, 2024


I want to report a problem from a user due to changing the aws.dimension type from object to flattened:

they confirmed they can do searches on the fields, but they cannot set up alerts on these flattened fields.
