tenable_ot_security: change assets fingerprint to id plus timestamps

[efd6]

Proposed commit message

tenable_ot_security: change assets fingerprint to id plus timestamps

Change the assets document fingerprint from a full-body hash to a hash
of the asset id and all timestamp fields (firstSeen, lastSeen, lastHit,
lastSnapshot, lastUpdate, runStatusTime). This preserves update history;
a new document is created whenever a timestamp changes without the
duplicate-on-every-poll problem caused by the full-body hash.

Change the risk.total_risk field type from keyword to double. The field
carries a floating-point risk score and double is the correct type.
This type change also causes Fleet to trigger an automatic data stream
rollover on upgrade: the putMapping call fails with an
illegal_argument_exception when it tries to change the field type in
the existing backing index, and Fleet responds by rolling over. The
rollover starts the life-cycle clock on the old backing index so
duplicate documents from the _id scheme change age out without manual
intervention.

The Kibana version constraint is tightened to ^8.16.1 || ^9.1.4 so
that 9.x users see the breaking-change call-out. Where possible,
upgrading to 1.1.0 first and allowing at least one asset collection
interval before upgrading to 2.0.0 avoids the overlap period entirely.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Depends tenable_ot_security: fix assets data stream stale cursor and timestamp #17669 (not to be merged before and only to be merged after reasonable interval)
• Closes [tenable_ot_security.assets] Some assets are missing #17628

Screenshots

[github-actions]

✅ Vale Linting Results

No issues found on modified lines!

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[efd6]

@kcreddy I plan to sit on this for a while. Will convert to draft again until we are ready.

In draft

[andrewkroh]

I think we might have a problem with these instructions. It looks like on Serverless a user can only install latest if I'm understanding the UI.

[efd6]

This means that we need to leave this open for a while. I think that is a defect TBH.

[kcreddy]

Echoing same concern as Andrew, otherwise looks good.

[andrewkroh]

Did you mean to modify the exchange package and the tenable_ot_security package?

[efd6]

/test

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 908d4f9

History

• 💔 Build #41109 failed e6fb903
• 💔 Build #41108 failed 4e8798f
• 💔 Build #41107 failed 8b9f932
• 💔 Build #41105 failed 8b9f932
• 💚 Build #41000 succeeded ff9be0d

cc @efd6

[elastic-vault-github-plugin-prod]

Package tenable_ot_security - 2.0.0 containing this change is available at https://epr.elastic.co/package/tenable_ot_security/2.0.0/