google_workspace,jamf_protect,ti_mandiant: add "preserve_original_event" tag to documents with event.kind set to "pipeline_error" (#12108)

efd6 · web-flow · commit d51dd297a410 · 2024-12-18T06:22:04.000+10:30
This manually replays the changes in #12046.
diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.27.0"
+  changes:
+    - description: Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12108
 - version: "2.26.1"
   changes:
     - description: Fix string literals in painless scripts.
diff --git a/packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml
@@ -382,3 +382,7 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
diff --git a/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
@@ -823,6 +823,10 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
   - append:
       field: error.message
       value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/google_workspace/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/alert/elasticsearch/ingest_pipeline/default.yml
@@ -1056,6 +1056,10 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
   - append:
       field: error.message
       value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml
@@ -357,3 +357,7 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
diff --git a/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml
@@ -554,3 +554,7 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
diff --git a/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml
@@ -276,6 +276,10 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
   - append:
       field: error.message
       value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/google_workspace/data_stream/gcp/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/gcp/elasticsearch/ingest_pipeline/default.yml
@@ -337,3 +337,7 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
diff --git a/packages/google_workspace/data_stream/group_enterprise/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/group_enterprise/elasticsearch/ingest_pipeline/default.yml
@@ -377,3 +377,7 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
diff --git a/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml
@@ -307,6 +307,10 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
   - append:
       field: error.message
       value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml
@@ -265,6 +265,10 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
   - append:
       field: error.message
       value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/google_workspace/data_stream/rules/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/rules/elasticsearch/ingest_pipeline/default.yml
@@ -527,6 +527,10 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
   - append:
       field: error.message
       value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml
@@ -188,6 +188,10 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
   - append:
       field: error.message
       value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/google_workspace/data_stream/token/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/token/elasticsearch/ingest_pipeline/default.yml
@@ -371,3 +371,7 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
diff --git a/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml
@@ -183,6 +183,10 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
   - append:
       field: error.message
       value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml
@@ -1,6 +1,6 @@
 name: google_workspace
 title: Google Workspace
-version: "2.26.1"
+version: "2.27.0"
 source:
   license: Elastic-2.0
 description: Collect logs from Google Workspace with Elastic Agent.
diff --git a/packages/jamf_protect/changelog.yml b/packages/jamf_protect/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.8.0"
+  changes:
+    - description: Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12108
 - version: "2.7.0"
   changes:
     - description: Do not remove `event.original` in main ingest pipeline.
diff --git a/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
@@ -486,6 +486,10 @@ on_failure:
     - set:
         field: event.kind
         value: pipeline_error
+    - append:
+        field: tags
+        value: preserve_original_event
+        allow_duplicates: false
     - append:
         field: error.message
         value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/default.yml
@@ -353,6 +353,10 @@ on_failure:
   - set:
       field: event.kind
       value: pipeline_error
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
   - append:
       field: error.message
       value: >-
diff --git a/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml
@@ -241,6 +241,10 @@ on_failure:
     - set:
         field: event.kind
         value: pipeline_error
+    - append:
+        field: tags
+        value: preserve_original_event
+        allow_duplicates: false
     - append:
         field: error.message
         value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml
@@ -265,6 +265,10 @@ on_failure:
     - set:
         field: event.kind
         value: pipeline_error
+    - append:
+        field: tags
+        value: preserve_original_event
+        allow_duplicates: false
     - append:
         field: error.message
         value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/jamf_protect/manifest.yml b/packages/jamf_protect/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: jamf_protect
 title: Jamf Protect
-version: "2.7.0"
+version: "2.8.0"
 description: Receives events from Jamf Protect with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/ti_mandiant_advantage/changelog.yml b/packages/ti_mandiant_advantage/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.7.0"
+  changes:
+    - description: Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12108
 - version: "1.6.0"
   changes:
     - description: Add support for proxy configuration.
diff --git a/packages/ti_mandiant_advantage/data_stream/threat_intelligence/elasticsearch/ingest_pipeline/default.yml b/packages/ti_mandiant_advantage/data_stream/threat_intelligence/elasticsearch/ingest_pipeline/default.yml
@@ -415,3 +415,7 @@ on_failure:
         field: event.kind
         value: pipeline_error
         allow_duplicates: false
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
diff --git a/packages/ti_mandiant_advantage/manifest.yml b/packages/ti_mandiant_advantage/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: ti_mandiant_advantage
 title: "Mandiant Advantage"
-version: "1.6.0"
+version: "1.7.0"
 source:
   license: "Elastic-2.0"
 description: "Collect Threat Intelligence from products within the Mandiant Advantage platform."
