@maximpn maximpn commented Dec 1, 2025

Partially addresses: elastic/kibana#188090

Summary

The backport PR doesn't contain execution permission for the package security_detection_engine script. Without that permission the package script will be silently skipped. This PR adds the execution attribute.
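The failure mode described in the summary (a script committed without its execute bit is skipped silently rather than failing loudly) is easy to catch before merge. The following is an added example, not code from this PR or the integrations repository; the `*.sh` name pattern, the `demo` function and its git index lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from this PR or the integrations repository.
# Two checks for the failure mode in the summary: a package script that
# lost its execute bit is skipped silently, so flag it before merge.
# The "*.sh" pattern and the index lines in demo() are assumptions
# constructed for this example.

# 1) Working tree: list files matching PATTERN under DIR that lack the
#    owner execute bit. Returns 0 when none are missing, 1 otherwise.
check_exec_bits() {
    dir="$1"
    pattern="${2:-*.sh}"          # assumption: package scripts end in .sh
    offenders=$(find "$dir" -type f -name "$pattern" ! -perm -100 -print)
    if [ -n "$offenders" ]; then
        printf 'missing execute bit:\n%s\n' "$offenders"
        return 1
    fi
    return 0
}

# 2) Git index: read "git ls-files -s" lines on stdin and print scripts whose
#    committed mode is 100644 (non-executable). A backport that drops the
#    mode shows up here even when the local checkout looks right.
#    Returns 0 when none are found, 1 otherwise.
committed_without_exec() {
    re="${1:-[.]sh$}"             # assumption: regex selecting script paths
    # ls-files -s format: "<mode> <object id> <stage>\t<path>"
    awk -F '\t' -v re="$re" '
        { split($1, meta, " ") }
        meta[1] == "100644" && $2 ~ re {
            print "non-executable in index: " $2
            bad++
        }
        END { exit (bad ? 1 : 0) }'
}

# Demo on constructed index lines (object ids are placeholders).
demo() {
    {
        printf '100755 %s 0\t%s\n' 0000000000000000000000000000000000000001 packages/example/scripts/run.sh
        printf '100644 %s 0\t%s\n' 0000000000000000000000000000000000000002 packages/example/scripts/setup.sh
        printf '100644 %s 0\t%s\n' 0000000000000000000000000000000000000003 packages/example/manifest.yml
    } | committed_without_exec
}
```

Pipe real output of `git ls-files -s packages/<name>` into `committed_without_exec` to check what a backport branch actually records, independent of local file permissions.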

dependabot bot and others added 30 commits August 26, 2025 14:41
Bumps [github.com/elastic/package-registry](https://github.com/elastic/package-registry) from 1.30.1 to 1.31.1.
- [Release notes](https://github.com/elastic/package-registry/releases)
- [Changelog](https://github.com/elastic/package-registry/blob/main/CHANGELOG.md)
- [Commits](elastic/package-registry@v1.30.1...v1.31.1)

---
updated-dependencies:
- dependency-name: github.com/elastic/package-registry
  dependency-version: 1.31.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jaime Soriano Pastor <[email protected]>
* initial commit

* update

add password redaction, remove S3 until properly tested, improve ECS mapping and field cleanups

* update dashboard to use ECS fields

user.name etc now mapped

* Fix PR link

Swap default to PR that now exists

* update batch based on code review by @kcreddy

Addresses review feedback for the Beelzebub package. This includes:
- Adds the package to CODEOWNERS
- Updates documentation to include Logstash as an alternative option to fluentd for shipping logs, removes fluentd configuration example
- Appends relevant values to related.ip and related.user
- Bumps version to 0.1.0
- Full package re-test post build via elastic-package test

* Apply suggestions from code review

Co-authored-by: Krishna Chaitanya Reddy Burri <[email protected]>

* update README

* support newer log format with HeadersMap, add Cookies field def

* Update with new PR number

* Apply suggestions from code review

Co-authored-by: Dan Kortschak <[email protected]>

* Final newline because reasons.

* Apply suggestions from code review

Co-authored-by: Dan Kortschak <[email protected]>

---------

Co-authored-by: Krishna Chaitanya Reddy Burri <[email protected]>
Co-authored-by: Dan Kortschak <[email protected]>
Add the file so that GitHub puts a link in the repository's side bar and
shows it in the community standards tab. The text is taken from the
canonical source to give a brief background, but links to the document
for the full text.
* Added a deployment_type parameter (values: deployment, elasticsearch, observability, security).
* Added dedicated dashboards for ECH and serverless consumption breakdown
…Name` field for FDR data stream (elastic#14916)

crowdstrike: populate a mapping of ECS 'message' field from 'crowdstrike.event_simpleName' field
for FDR data stream.
github: add table of content in audit, security advisories and user dashboards. fix the data view issue and add dashboard links in security advisories dashboard.
The previous endpoint was timing out quickly, causing user disruption.
This changes the endpoint to avoid that problem.

Endpoint docs: https://docs.greynoise.io/reference/gnqlv3metadataquery
…tic#14590)

This PR includes investigation data stream and associated dashboard.

ExtraHop fields are mapped to their corresponding ECS fields where possible.

Test samples were derived from live data samples, which were subsequently
sanitized.

---------

Co-authored-by: Shourie Ganguly <[email protected]>
Removed preset filters from Cloud tracker dashboard
…ic#15074)

Made with ❤️️ by updatecli

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…lastic#15073)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.11.0 to 1.11.1.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.11.0...v1.11.1)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-version: 1.11.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The Jamf Protect Telemetry data stream got enhancements in its process audit tokens.
  - The audit token now contains an effective username (e_username)
  - The audit token now contains an executable path for the process (exec_path)
Extend the Kubernetes audit_logs data stream to support
collecting audit logs from managed Kubernetes clusters
in major cloud providers:
- AWS EKS via CloudWatch Logs
- Azure AKS via Event Hub
- Google GKE via Pub/Sub
The API spec states that links will be in an href field under related.
In actuality, they are put directly in related.
* [linux] require root privileges for pageinfo

---------

Co-authored-by: Mykola Kmet <[email protected]>
This reduces the per-execution maximum memory requirements since only
one content collection is held in memory at a time. It also reduces API
request failure brittleness since only a single content collection will
fail in the case that the request fails.
…tic#15090)

Bumps [github.com/ulikunitz/xz](https://github.com/ulikunitz/xz) from 0.5.12 to 0.5.14.
- [Commits](ulikunitz/xz@v0.5.12...v0.5.14)

---
updated-dependencies:
- dependency-name: github.com/ulikunitz/xz
  dependency-version: 0.5.14
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#15100)

Failure to propagate the state in the error case was causing failures
such as:

    failed eval: ERROR: :21:50: no such key: limit

Fixed by wrapping in `state.with(...)`. Also ran celfmt.
…* fields.

Added field definitions for the `o365.audit.SensitivityLabelEventData.*` fields.
This improves clarity and ensures consistency in event representation.
…15102)

Lowering it to 3.3.2 includes the required package-spec support for the
terminate processor[1], without getting ahead of the maximum version
supported in Kibana 9.0.x[2].

[1]: elastic/package-spec#857
[2]: https://github.com/elastic/kibana/blob/v9.0.6/x-pack/platform/plugins/shared/fleet/server/config.ts#L30
)

crowdstrike: migrate to combined vulnerabilities endpoint

Modify the CEL program to use "/spotlight/combined/vulnerabilities/v1"
API endpoint in vulnerability data stream.
The "/spotlight/queries/vulnerabilities/v1" and "/spotlight/entities/vulnerabilities/v2"
endpoints have been deprecated and are no longer recommended
by CrowdStrike.

Update the configuration variables to ensure compatibility with the
new API endpoint.

Add support for the "facet" query parameter to control what data is
returned in the API response.

Add more field definitions for the vulnerability data.
3kt and others added 25 commits October 2, 2025 08:05
* Updated links in the README

* Updated version

* Updated build docs

* Updated PR link
Remove the constant value `logs-aws_logs.generic` from the `event.dataset` mapping.

**Context**

The Custom AWS Logs integration is an integration package, so it doesn't automatically create a new index template for each installation, as input packages do.

To overcome this single index template limit, users manually clone the `logs-aws_logs.generic` index template (for more context, see the [comment](elastic#13433 (comment))) and adapt it for a custom dataset.

Unfortunately, all index template clones reference the same `logs-aws_logs.generic@package` component template that maps `event.dataset` as `constant_keyword` with a constant value of `logs-aws_logs.generic`. This means data streams created from the cloned index templates reject documents with `event.dataset` values other than `logs-aws_logs.generic`.

**Changes**

In this PR I removed the fixed value, but we have at least two options:

- We can keep the `event.dataset` mapping as `constant_keyword` without the fixed value to `logs-aws_logs.generic`.
- Change the mapping to `keyword` to align with ECS https://www.elastic.co/docs/reference/ecs/ecs-event#field-event-dataset to give users more flexibility.
Audit dashboards in Github integration didn't have any filters so controls
showed not only fields related to github.audit but also any possible value
for fields like user.name or event.action even if they belong to different indexes.

Added the filter data_stream.dataset == github.audit to both dashboards.

Also replaced deprecated controls panel in both dashboards.
…lastic#15505)

Some CISCO Meraki events contain an identity field with the
user name or email. This PR aims to move this data to user.name
and normalize it. Some events had identity in the DOMAIN\username
format which are now properly dissected.

Added support for 8021x_client_deauth events that were not handled.
…ic#15517)

Parse extended `CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE` messages including:
- Slot number (`cisco.wps.slot` - existing field)
- Radio interface number (`cisco.wps.radio` - new field added)
- Channel number (`cisco.wps.channel` - existing field)
- Support for timestamps with year and timezone
* Fix broken link

* Update changelog and manifest

* Update packages/panw/changelog.yml

Co-authored-by: Michael Wolf <[email protected]>

---------

Co-authored-by: Michael Wolf <[email protected]>
)

Azure Frontdoor events include N/A in every field that
doesn't contain any valid data. This can break the ingest
pipelines in several points where processors expect valid values.

A script has been added at the beginning of the ingest
pipelines to remove any field that contains N/A or is empty.

Other typos have been fixed in the ingest pipelines at the same time.
The BeyondTrust PRA Reporting API requires the start_time parameter to be a
Unix timestamp (integer) or YYYY-MM-DD, but it was previously being sent in
RFC3339 format. This change corrects the format by converting the timestamp to
an integer before making the API request.

This commit also includes several improvements:
- Use CEL optional with the has() checks
- Added comments to the program and ran celfmt.
- Updated the input field types for url and proxy_url in the manifest to use the url type.
- Bumped the stream image version to v0.20.0.

References: https://docs.beyondtrust.com/pra/reference/reporting-api

Relates: elastic#14925

---------

Co-authored-by: Dan Kortschak <[email protected]>
…stic#15550)

* Add missing info

* Update changelog and manifest

* Integrate reviewer's comments
…lastic#15501)

Adds a new "Default Timegrain" configuration option to allow users to customize the timegrain used in the Storage Account integration. The default value remains PT5M, but users can now choose a different value.

Without this option, users can only collect metrics with a PT5M time grain. It is a sensible default, but some users want to collect metrics with a PT1M time grain.

To learn more, see elastic#15464.
@maximpn maximpn self-assigned this Dec 1, 2025
mergify bot commented Dec 1, 2025

⚠️ The sha of the head commit of this PR conflicts with #16177. Mergify cannot evaluate rules on this PR. ⚠️

maximpn commented Dec 1, 2025

Closing in favor of #16177.

@maximpn maximpn closed this Dec 1, 2025
@elasticmachine
💔 Build Failed

Failed CI Steps

cc @maximpn
