You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Fix conflicting event.kind mappings where pipelines set pipeline_error (or state) while the field
was defined as constant_keyword, which Elasticsearch treats as a single immutable value per index.
The securityhub_findings_full_posture data stream now references ECS for event.kind, matching the
sibling Security Hub stream.
For blacklens alerts, GitHub issues/code_scanning/dependabot/secret_scanning,
and Microsoft Sentinel alert/event/incident streams, event.kind is mapped as keyword and the
ingest pipelines set the normal ECS value (alert or event) so successful documents stay unchanged
while failure handlers can still set pipeline_error.
Copy file name to clipboardExpand all lines: packages/aws/docs/securityhub.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1383,7 +1383,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
1383
1383
| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-`\* No longer than 100 characters | constant_keyword |
1384
1384
| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
1385
1385
| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
1386
-
| event.kind || constant_keyword|
1386
+
| event.kind |This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword|
1387
1387
| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
1388
1388
| host.containerized | If the host is a container. | boolean |
1389
1389
| host.os.build | OS build information. | keyword |
Copy file name to clipboardExpand all lines: packages/blacklens/changelog.yml
+5Lines changed: 5 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -1,4 +1,9 @@
1
1
# newer versions go on top
2
+
- version: "1.0.1"
3
+
changes:
4
+
- description: Change `event.kind` to `keyword` and set `alert` in the ingest pipeline so `pipeline_error` on failure does not conflict with constant_keyword mapping.
Copy file name to clipboardExpand all lines: packages/blacklens/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json
+1Lines changed: 1 addition & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -31,6 +31,7 @@
31
31
"threat"
32
32
],
33
33
"id": "7ea10c5d-559a-4c55-8608-2e060956de68",
34
+
"kind": "alert",
34
35
"original": "{\"updated_date\":\"2025-12-31T16:10:56.155874Z\",\"created_date\":\"2025-12-30T16:11:57.194393Z\",\"id\":\"7ea10c5d-559a-4c55-8608-2e060956de68\",\"name\":\"External Vulnerability Detected\",\"type\":\"ExternalVulnerabilityDiscovered\",\"severity\":\"high\",\"status\":\"new\",\"analysis\":\"completed\",\"category\":\"vulnerability\",\"activities\":[{\"updated_date\":null,\"created_date\":\"2025-12-30T16:11:40.195989Z\",\"id\":\"73dcaa88-09e1-4c58-9fa5-5495f8dac2a4\",\"type\":\"ExternalVulnerabilityCreated\",\"description\":\"A Critical severity external vulnerability 'Blind SQL Injection via HTTP Header' has been detected on asset 'demo.example.com'\",\"category\":\"threat\",\"trace_id\":\"40eda190-83fd-4a1b-8155-3a1c7434b319\",\"data\":{}}]}",
| event.kind |This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword|
0 commit comments