osquery_manager: update ECS mapping

[mmahacek]

A number of ECS fields are not defined within the integration field mapping, which is causing them to map as object instead of the expected nested type. These fields are:

dll.pe.sections
file.macho.sections
file.pe.sections
process.parent.macho.sections
process.parent.pe.sections
threat.enrichments.indicator.file.pe.sections
threat.indicator.file.pe.sections

Additionally, the integration defines an error field as text, however this conflicts with the ECS error field that is expected to be an object.

Proposed commit message

osquery_manager: update ECS mapping and rename error to error.message

Please explain:

• WHAT: patterns used, algorithms implemented, design architecture, message processing, etc.
• WHY: the rationale/motivation for the changes

This text will be pasted into the squash dialog when the change is committed and will be
a long term historical record of the change to help future contributors understand the
change, please help them by making it clear and comprehensive, they may be you.

If the commit title is adequate to describe both of these things, The text here may be omitted
or replaced with "See title". The title of the PR will be used as the commit message title when
the merge is made and the "See title" marker will be removed if present.

The text here and the PR title will be subject to the PR review process.
-->
Update ECS mapping for the osquery_manager.results datastream.
Update osquery_manager.action_responses ingest pipeline to rename error to error.message

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

There are no special tests to run outside of elastic-package test

Related issues

• Closes [osquery_manager]: Update *.sections field mappings to match ECS #16643

Screenshots

[mmahacek]

Marking as ready for review. Buildkite fails, however it passes tests locally.

[mmahacek]

@elastic/security-defend-workflows Can I get a review on this and check why buildkite fails when tests pass locally? The plan is to also backport these changes to 8.19, though I don't know the process for that. Thanks in advance!

[tomsonpl]

Hey, thanks for taking care of these, really appreciated ❤️
I am not sure what the process of backporting is either, sorry can't help.
But I left a comment regarding the compilation error, please see if that makes any sense.

[mmahacek]

@tomsonpl I fixed the buildkite error with your suggestion. Can you check and re-review this PR? Thanks!

[mmahacek]

@marc-gr would you be able to review this PR? This is related to an issue found during SDH.

[mmahacek]

@elastic/security-defend-workflows Is someone available to review this PR? This is a fix for an issue raised via SDH. Thanks in advance!

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: b63be66

History

• 💚 Build #40651 succeeded 36a9136
• 💚 Build #39978 succeeded aa4d254
• 💚 Build #38587 succeeded d58acb0
• 💔 Build #37364 failed 747fae2
• 💔 Build #37363 failed 601fc82
• 💔 Build #37361 failed a8abd0c

cc @mmahacek

[tomsonpl]

lgtm 👍

[elastic-vault-github-plugin-prod]

Package osquery_manager - 1.28.1 containing this change is available at https://epr.elastic.co/package/osquery_manager/1.28.1/