
[aws, blacklens, github, microsoft_sentinel] Resolve conflicting event.kind values in constant_keyword fields #18143

Merged: mohitjha-elastic merged 5 commits into elastic:main from mohitjha-elastic:event-kind-constant_keyword-issue on Apr 6, 2026

Conversation

mohitjha-elastic (Collaborator) commented Mar 31, 2026

Proposed commit message

aws, blacklens, github, microsoft_sentinel: fix conflicting event.kind values.

Fix conflicting event.kind mappings where pipelines set pipeline_error (or state) while the field was defined as constant_keyword, which Elasticsearch treats as a single immutable value per index. The securityhub_findings_full_posture data stream now references ECS for event.kind, matching the sibling Security Hub stream.

For blacklens alerts, GitHub issues/code_scanning/dependabot/secret_scanning, and Microsoft Sentinel alert/event/incident streams, event.kind is mapped as keyword and the ingest pipelines set the normal ECS value (alert or event) so successful documents stay unchanged while failure handlers can still set pipeline_error.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

How to test this PR locally

  • Clone the integrations repo.
  • Install elastic-package locally.
  • Start the Elastic stack using elastic-package.
  • Move to the integrations/packages/<integration_name> directory (replace <integration_name> with the actual name of the integration).
  • Run the following command to run the tests:

elastic-package test -v

Related issues
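Added illustration, not taken from the PR's diff or from the packages themselves: a constructed fields definition and ingest-pipeline fragment showing the conflict the proposed commit message describes, and the corrected pair (ECS reference in the mapping plus an explicit set in the pipeline). The processor list and the blacklens.alert target field are assumptions made for the example.

```yaml
# Constructed illustration of the conflict described in this PR; not copied from
# the integrations packages. The field name and values follow the PR description.
---
# BEFORE (conflict): the data stream's fields file declared event.kind as a
# constant_keyword. Elasticsearch then permits exactly one value for the field
# across the whole index, so a document that the failure handler tags with
# "pipeline_error" is rejected at index time instead of being stored.
- name: event.kind
  type: constant_keyword
  value: alert
---
# AFTER: take the field definition from ECS (a plain keyword) instead of pinning
# its value in the mapping, which is what the review comment on this PR asks for.
- name: event.kind
  external: ecs
---
# Ingest pipeline fragment (constructed). The success path now sets the ECS
# value explicitly, so documents that pass look exactly as they did before,
# while the on_failure handler can legitimately record a different value.
description: Pipeline for blacklens alerts (constructed example)
processors:
  - set:
      field: event.kind
      value: alert
  # Placeholder parsing step; any processor here may throw and reach on_failure.
  - json:
      field: event.original
      target_field: blacklens.alert
on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: >-
        Processor '{{{ _ingest.on_failure_processor_type }}}' failed with
        message '{{{ _ingest.on_failure_message }}}'
```

With the first mapping, the second document written by on_failure would carry a second distinct value for a constant_keyword field and fail to index; with the ECS keyword mapping both values coexist in the same index.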

mohitjha-elastic self-assigned this Mar 31, 2026
mohitjha-elastic requested a review from a team as a code owner March 31, 2026 06:53
mohitjha-elastic added the bugfix (Pull request that fixes a bug issue) label Mar 31, 2026
mohitjha-elastic added the Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]) label Mar 31, 2026
mohitjha-elastic added the Integration:microsoft_sentinel (Microsoft Sentinel), Integration:blacklens (blacklens.io, Community supported) and Team:SDE-Crest (Crest developers on the Security Integrations team [elastic/sit-crest-contractors]) labels Mar 31, 2026
elasticmachine commented:
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

github-actions bot (Contributor) commented Mar 31, 2026

Vale Linting Results

Summary: 15 warnings, 27 suggestions found

⚠️ Warnings (15)

| File | Line | Rule | Message |
| --- | --- | --- | --- |
| packages/aws/docs/securityhub.md | 1384 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/aws/docs/securityhub.md | 1385 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/aws/docs/securityhub.md | 1387 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/github/docs/README.md | 233 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/github/docs/README.md | 234 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/github/docs/README.md | 236 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/github/docs/README.md | 412 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/github/docs/README.md | 413 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/github/docs/README.md | 415 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/github/docs/README.md | 568 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/github/docs/README.md | 569 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/github/docs/README.md | 571 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/github/docs/README.md | 801 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/github/docs/README.md | 802 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/github/docs/README.md | 804 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |

💡 Suggestions (27)

| File | Line | Rule | Message |
| --- | --- | --- | --- |
| packages/aws/docs/securityhub.md | 1386 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| packages/aws/docs/securityhub.md | 1386 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/aws/docs/securityhub.md | 1386 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/blacklens/docs/README.md | 148 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| packages/blacklens/docs/README.md | 148 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/blacklens/docs/README.md | 148 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/github/docs/README.md | 235 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| packages/github/docs/README.md | 235 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/github/docs/README.md | 235 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/github/docs/README.md | 414 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| packages/github/docs/README.md | 414 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/github/docs/README.md | 414 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/github/docs/README.md | 570 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| packages/github/docs/README.md | 570 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/github/docs/README.md | 570 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/github/docs/README.md | 803 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| packages/github/docs/README.md | 803 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/github/docs/README.md | 803 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/microsoft_sentinel/docs/README.md | 191 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| packages/microsoft_sentinel/docs/README.md | 191 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/microsoft_sentinel/docs/README.md | 191 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/microsoft_sentinel/docs/README.md | 253 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| packages/microsoft_sentinel/docs/README.md | 253 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/microsoft_sentinel/docs/README.md | 253 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/microsoft_sentinel/docs/README.md | 434 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| packages/microsoft_sentinel/docs/README.md | 434 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/microsoft_sentinel/docs/README.md | 434 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

- name: event.kind
type: constant_keyword
value: alert
type: keyword
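Review bot: with `value: alert` removed from this mapping, nothing in the fields file supplies the default any more, so the success path of the ingest pipeline must set `event.kind` explicitly (as the proposed commit message says it now does) or documents that pass the pipeline are indexed without `event.kind` at all; worth confirming the pipeline change lands in the same PR for every stream whose mapping is switched here.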
A reviewer (Member) commented on the diff above:

event.kind is an ECS field and should be defined using external: ecs rather than type: keyword.

https://github.com/elastic/integrations/wiki/Fleet-Package-Code-Review-Comments#defining-an-ecs-field-without-using-an-external-definition


fwiw You can detect and fix (add -fix) this class of issue automatically using

go run github.com/andrewkroh/fydler@main -a useecs packages/blacklens/data_stream/alerts/fields/ecs.yml

mohitjha-elastic (Collaborator, Author) replied:

Updated all occurrences of event.kind to be defined using external: ecs.

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Apr 1, 2026
elastic-vault-github-plugin-prod commented:

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

elasticmachine commented:

💚 Build Succeeded

cc @mohitjha-elastic

muthu-mps (Contributor) left a comment:

code owner approval.

@mohitjha-elastic mohitjha-elastic merged commit 6efb788 into elastic:main Apr 6, 2026
12 checks passed
@mohitjha-elastic mohitjha-elastic deleted the event-kind-constant_keyword-issue branch April 6, 2026 08:59
elastic-vault-github-plugin-prod commented:

Package aws - 6.4.3 containing this change is available at https://epr.elastic.co/package/aws/6.4.3/

elastic-vault-github-plugin-prod commented:

Package blacklens - 1.0.1 containing this change is available at https://epr.elastic.co/package/blacklens/1.0.1/

elastic-vault-github-plugin-prod commented:

Package github - 2.22.1 containing this change is available at https://epr.elastic.co/package/github/2.22.1/

elastic-vault-github-plugin-prod commented:

Package microsoft_sentinel - 1.3.1 containing this change is available at https://epr.elastic.co/package/microsoft_sentinel/1.3.1/


Labels

  • bugfix: Pull request that fixes a bug issue
  • documentation: Improvements or additions to documentation. Applied to PRs that modify *.md files.
  • Integration:aws: AWS
  • Integration:blacklens: blacklens.io (Community supported)
  • Integration:github: GitHub
  • Integration:microsoft_sentinel: Microsoft Sentinel
  • Team:SDE-Crest: Crest developers on the Security Integrations team [elastic/sit-crest-contractors]
  • Team:Security-Service Integrations: Security Service Integrations team [elastic/security-service-integrations]

Development

Successfully merging this pull request may close these issues:

[aws, blacklens, github, microsoft_sentinel] Conflicting event.kind values in constant_keyword fields