wiz: add troubleshooting note in README on event.ingested requirement for standalone Elastic Agent.

mohitjha-elastic · web-flow · commit 0e76cceae87c · 2025-07-21T13:07:31.000+05:30
Updated the README to include a troubleshooting note explaining that the `event.ingested` ECS field is
required for transforms in the Wiz integration. This clarification helps prevent transform-related
issues in standalone setups.
diff --git a/packages/wiz/_dev/build/docs/README.md b/packages/wiz/_dev/build/docs/README.md
@@ -98,6 +98,17 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud
   - Vulnerability data is fetched for the previous day.
   - Custom headers are not supported in this integration. Only the standard Authorization header (for example, Bearer token) is used for API requests.
 
+### Troubleshooting
+
+The transforms used in the Wiz integration depend on the presence of the `event.ingested` field to function correctly.
+
+When using Fleet-managed Elastic Agents, the `.fleet_final_pipeline-1` is automatically executed and ensures that the `event.ingested` field is added to all events.
+
+However, when using standalone Elastic Agents, this pipeline is not applied, and the `event.ingested` field is not automatically added.
+
+📌 Action Required (for standalone agents):
+You must manually add the `event.ingested` field, preferably via a custom ingest pipeline (e.g., using the @custom pipeline).
+
 ## Logs reference
 
 ### Audit
diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.6.0"
+  changes:
+    - description: Add troubleshooting note in README on `event.ingested` requirement for standalone Elastic Agent.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14546
 - version: "3.5.1"
   changes:
     - description: Update texts for the input fields helpers.
diff --git a/packages/wiz/docs/README.md b/packages/wiz/docs/README.md
@@ -98,6 +98,17 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud
   - Vulnerability data is fetched for the previous day.
   - Custom headers are not supported in this integration. Only the standard Authorization header (for example, Bearer token) is used for API requests.
 
+### Troubleshooting
+
+The transforms used in the Wiz integration depend on the presence of the `event.ingested` field to function correctly.
+
+When using Fleet-managed Elastic Agents, the `.fleet_final_pipeline-1` is automatically executed and ensures that the `event.ingested` field is added to all events.
+
+However, when using standalone Elastic Agents, this pipeline is not applied, and the `event.ingested` field is not automatically added.
+
+📌 Action Required (for standalone agents):
+You must manually add the `event.ingested` field, preferably via a custom ingest pipeline (e.g., using the @custom pipeline).
+
 ## Logs reference
 
 ### Audit
diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.4.0
 name: wiz
 title: Wiz
-version: "3.5.1"
+version: "3.6.0"
 description: Collect logs from Wiz with Elastic Agent.
 type: integration
 categories:
