radware,slack,sophos,squid,suricata,symantec,ti_*,tomcat: remove duplicate fields (#4642)

efd6 · web-flow · commit c731f971dc2e · 2022-11-30T17:52:28.000+10:30
diff --git a/packages/radware/changelog.yml b/packages/radware/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.10.1"
+  changes:
+    - description: Remove duplicate fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4642
 - version: "0.10.0"
   changes:
     - description: Update package to ECS 8.5.0.
diff --git a/packages/radware/data_stream/defensepro/fields/base-fields.yml b/packages/radware/data_stream/defensepro/fields/base-fields.yml
@@ -15,9 +15,6 @@
   type: constant_keyword
   description: Event dataset
   value: radware.defensepro
-- name: '@timestamp'
-  type: date
-  description: Event timestamp.
 - name: container.id
   description: Unique container id.
   ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset
   description: Offset of the entry in the log file.
   type: long
-- name: tags
-  description: List of keywords used to tag each event.
-  example: '["production", "env2"]'
-  ignore_above: 1024
-  type: keyword
diff --git a/packages/radware/manifest.yml b/packages/radware/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: radware
 title: Radware DefensePro Logs
-version: "0.10.0"
+version: "0.10.1"
 description: Collect defensePro logs from Radware devices with Elastic Agent.
 categories: ["security"]
 release: experimental
diff --git a/packages/slack/changelog.yml b/packages/slack/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.1"
+  changes:
+    - description: Remove duplicate fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4642
 - version: "0.2.0"
   changes:
     - description: Update package to ECS 8.5.0.
diff --git a/packages/slack/data_stream/audit/fields/ecs.yml b/packages/slack/data_stream/audit/fields/ecs.yml
@@ -6,8 +6,6 @@
   external: ecs
 - name: event.id
   external: ecs
-- name: event.category
-  external: ecs
 - name: event.type
   external: ecs
 - name: event.category
@@ -56,22 +54,14 @@
   external: ecs
 - external: ecs
   name: user_agent.device.name
-- external: ecs
-  name: user_agent.device.name
-- external: ecs
-  name: user_agent.name
 - external: ecs
   name: user_agent.name
 - external: ecs
   name: user_agent.original
-- external: ecs
-  name: user_agent.original
 - external: ecs
   name: user_agent.os.full
 - external: ecs
   name: user_agent.os.name
-- external: ecs
-  name: user_agent.os.name
 - external: ecs
   name: user_agent.os.version
 - external: ecs
diff --git a/packages/slack/data_stream/audit/fields/fields.yml b/packages/slack/data_stream/audit/fields/fields.yml
@@ -130,11 +130,6 @@
           description: >
             The timestamp of the entity when entity_type is message
 
-        - name: timestamp
-          type: date
-          description: >
-            The timestamp of the entity when entity_type is message
-
         - name: type
           type: keyword
           description: >-
diff --git a/packages/slack/docs/README.md b/packages/slack/docs/README.md
@@ -112,7 +112,7 @@ Audit logs summarize the history of changes made within the Slack Enterprise.
 | slack.audit.entity.scopes | The OAuth scopes when entity_type is app | keyword |
 | slack.audit.entity.team | Team that the entity exists within when entity_type is user or message | keyword |
 | slack.audit.entity.teams_shared_with | List of orgs channel is shared with when entity_type is channel | keyword |
-| slack.audit.entity.timestamp | The timestamp of the entity when entity_type is message | date |
+| slack.audit.entity.timestamp | The timestamp of the entity when entity_type is message | keyword |
 | slack.audit.entity.title | Title of the entity when entity_type is file | keyword |
 | slack.audit.entity.type | The type of the entity when entity_type is role | keyword |
 | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
diff --git a/packages/slack/manifest.yml b/packages/slack/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: slack
 title: "Slack Logs"
-version: "0.2.0"
+version: "0.2.1"
 license: basic
 description: "Slack Logs Integration"
 type: integration
diff --git a/packages/sophos/changelog.yml b/packages/sophos/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.5.1"
+  changes:
+    - description: Remove duplicate fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4642
 - version: "2.5.0"
   changes:
     - description: Update package to ECS 8.5.0.
diff --git a/packages/sophos/data_stream/utm/fields/base-fields.yml b/packages/sophos/data_stream/utm/fields/base-fields.yml
@@ -36,8 +36,3 @@
 - name: log.offset
   description: Offset of the entry in the log file.
   type: long
-- name: tags
-  description: List of keywords used to tag each event.
-  example: '["production", "env2"]'
-  ignore_above: 1024
-  type: keyword
diff --git a/packages/sophos/data_stream/xg/fields/fields.yml b/packages/sophos/data_stream/xg/fields/fields.yml
@@ -680,10 +680,6 @@
           type: keyword
           description: |
             Email subject
-        - name: syslog_server_name
-          type: keyword
-          description: |
-            Syslog server name
         - name: syslog_server_name
           type: keyword
           description: |
diff --git a/packages/sophos/docs/README.md b/packages/sophos/docs/README.md
@@ -1236,7 +1236,7 @@ An example event for `xg` looks as following:
 | sophos.xg.status | Ultimate status of traffic – Allowed or Denied | keyword |
 | sophos.xg.status_code | Status code | keyword |
 | sophos.xg.subject | Email subject | keyword |
-| sophos.xg.syslog_server_name | Syslog server name | keyword |
+| sophos.xg.syslog_server_name | Syslog server name. | keyword |
 | sophos.xg.system_cpu | system | float |
 | sophos.xg.target | Platform of the traffic. | keyword |
 | sophos.xg.temp | Temp | float |
diff --git a/packages/sophos/manifest.yml b/packages/sophos/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: sophos
 title: Sophos
-version: "2.5.0"
+version: "2.5.1"
 description: Collect logs from Sophos with Elastic Agent.
 categories: ["security"]
 release: ga
diff --git a/packages/squid/changelog.yml b/packages/squid/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.11.1"
+  changes:
+    - description: Remove duplicate fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4642
 - version: "0.11.0"
   changes:
     - description: Update package to ECS 8.5.0.
diff --git a/packages/squid/data_stream/log/fields/base-fields.yml b/packages/squid/data_stream/log/fields/base-fields.yml
@@ -15,9 +15,6 @@
   type: constant_keyword
   description: Event dataset
   value: squid.log
-- name: '@timestamp'
-  type: date
-  description: Event timestamp.
 - name: container.id
   description: Unique container id.
   ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset
   description: Offset of the entry in the log file.
   type: long
-- name: tags
-  description: List of keywords used to tag each event.
-  example: '["production", "env2"]'
-  ignore_above: 1024
-  type: keyword
diff --git a/packages/squid/data_stream/log/fields/ecs.yml b/packages/squid/data_stream/log/fields/ecs.yml
@@ -240,8 +240,6 @@
   name: user_agent.name
 - external: ecs
   name: user_agent.original
-- external: ecs
-  name: user_agent.original
 - external: ecs
   name: user_agent.os.family
 - external: ecs
diff --git a/packages/squid/manifest.yml b/packages/squid/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: squid
 title: Squid Logs
-version: "0.11.0"
+version: "0.11.1"
 description: Collect and parse logs from Squid devices with Elastic Agent.
 categories: ["security"]
 release: experimental
diff --git a/packages/suricata/changelog.yml b/packages/suricata/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.5.2"
+  changes:
+    - description: Remove duplicate fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4642
 - version: "2.5.1"
   changes:
     - description: Defensive copy of parameter lists
diff --git a/packages/suricata/data_stream/eve/fields/agent.yml b/packages/suricata/data_stream/eve/fields/agent.yml
@@ -108,9 +108,7 @@
       ignore_above: 1024
       description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
     - name: ip
-      level: core
-      type: ip
-      description: Host ip addresses.
+      external: ecs
     - name: mac
       level: core
       type: keyword
diff --git a/packages/suricata/data_stream/eve/fields/base-fields.yml b/packages/suricata/data_stream/eve/fields/base-fields.yml
@@ -15,6 +15,3 @@
   type: constant_keyword
   description: Event dataset
   value: suricata.eve
-- name: '@timestamp'
-  type: date
-  description: Event timestamp.
diff --git a/packages/suricata/data_stream/eve/fields/ecs.yml b/packages/suricata/data_stream/eve/fields/ecs.yml
@@ -50,8 +50,6 @@
   name: file.path
 - external: ecs
   name: file.size
-- external: ecs
-  name: host.ip
 - external: ecs
   name: http.request.method
 - external: ecs
diff --git a/packages/suricata/manifest.yml b/packages/suricata/manifest.yml
@@ -1,6 +1,6 @@
 name: suricata
 title: Suricata
-version: "2.5.1"
+version: "2.5.2"
 release: ga
 description: Collect logs from Suricata with Elastic Agent.
 type: integration
diff --git a/packages/symantec_endpoint/changelog.yml b/packages/symantec_endpoint/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.1.1"
+  changes:
+    - description: Remove duplicate fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4642
 - version: "2.1.0"
   changes:
     - description: Update package to ECS 8.5.0.
diff --git a/packages/symantec_endpoint/data_stream/log/fields/agent.yml b/packages/symantec_endpoint/data_stream/log/fields/agent.yml
@@ -63,10 +63,7 @@
   type: group
   fields:
     - name: id
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Unique container id.
+      external: ecs
     - name: image.name
       level: extended
       type: keyword
diff --git a/packages/symantec_endpoint/data_stream/log/fields/ecs.yml b/packages/symantec_endpoint/data_stream/log/fields/ecs.yml
@@ -1,5 +1,3 @@
-- name: container.id
-  external: ecs
 - name: destination.address
   external: ecs
 - name: destination.as.number
diff --git a/packages/symantec_endpoint/manifest.yml b/packages/symantec_endpoint/manifest.yml
@@ -1,6 +1,6 @@
 name: symantec_endpoint
 title: Symantec Endpoint Protection
-version: "2.1.0"
+version: "2.1.1"
 release: ga
 description: Collect logs from Symantec Endpoint Protection with Elastic Agent.
 type: integration
diff --git a/packages/ti_cybersixgill/changelog.yml b/packages/ti_cybersixgill/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.8.1"
+  changes:
+    - description: Remove duplicate fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4642
 - version: "1.8.0"
   changes:
     - description: Update package to ECS 8.5.0.
diff --git a/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml b/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml
@@ -16,8 +16,6 @@
   name: event.severity
 - external: ecs
   name: event.created
-- external: ecs
-  name: message
 - external: ecs
   name: tags
 - external: ecs
diff --git a/packages/ti_cybersixgill/manifest.yml b/packages/ti_cybersixgill/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_cybersixgill
 title: Cybersixgill
-version: "1.8.0"
+version: "1.8.1"
 release: ga
 description: Ingest threat intelligence indicators from Cybersixgill with Elastic Agent.
 type: integration
diff --git a/packages/ti_threatq/changelog.yml b/packages/ti_threatq/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.7.1"
+  changes:
+    - description: Remove duplicate fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4642
 - version: "1.7.0"
   changes:
     - description: Update package to ECS 8.5.0.
diff --git a/packages/ti_threatq/data_stream/threat/fields/base-fields.yml b/packages/ti_threatq/data_stream/threat/fields/base-fields.yml
@@ -11,10 +11,6 @@
   type: constant_keyword
   description: Event module
   value: ti_threatq
-- name: threat.feed.name
-  type: constant_keyword
-  description: Display friendly feed name
-  value: ThreatQuotient
 - name: threat.feed.dashboard_id
   type: constant_keyword
   description: Dashboard ID used for Kibana CTI UI
diff --git a/packages/ti_threatq/manifest.yml b/packages/ti_threatq/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_threatq
 title: ThreatQuotient
-version: "1.7.0"
+version: "1.7.1"
 release: ga
 description: Ingest threat intelligence indicators from ThreatQuotient with Elastic Agent.
 type: integration
diff --git a/packages/tomcat/changelog.yml b/packages/tomcat/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.7.1"
+  changes:
+    - description: Remove duplicate fields.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/4642
 - version: "1.7.0"
   changes:
     - description: Update package to ECS 8.5.0.
diff --git a/packages/tomcat/data_stream/log/fields/base-fields.yml b/packages/tomcat/data_stream/log/fields/base-fields.yml
@@ -7,9 +7,6 @@
 - name: data_stream.namespace
   type: constant_keyword
   description: Data stream namespace.
-- name: '@timestamp'
-  type: date
-  description: Event timestamp.
 - name: event.module
   type: constant_keyword
   description: Event module
diff --git a/packages/tomcat/data_stream/log/fields/ecs.yml b/packages/tomcat/data_stream/log/fields/ecs.yml
@@ -208,8 +208,6 @@
   name: source.top_level_domain
 - external: ecs
   name: tags
-- external: ecs
-  name: tags
 - external: ecs
   name: url.domain
 - external: ecs
diff --git a/packages/tomcat/docs/README.md b/packages/tomcat/docs/README.md
@@ -13,7 +13,7 @@ The `log` dataset collects Apache Tomcat logs.
 
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain.  In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
diff --git a/packages/tomcat/manifest.yml b/packages/tomcat/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: tomcat
 title: Apache Tomcat
-version: "1.7.0"
+version: "1.7.1"
 description: Collect and parse logs from Apache Tomcat servers with Elastic Agent.
 categories: ["web", "security"]
 release: ga
