[rapid7_insightvm] Add nested fields to asset and asset_vulnerability data streams #17833

Open
brijesh-elastic wants to merge 2 commits into elastic:main from brijesh-elastic:rapid7_insightvm-2.7.0
@brijesh-elastic
Collaborator

Proposed commit message

rapid7_insightvm: Add nested fields to asset and asset_vulnerability data streams

The `credential_assessments`, `tags`, and `unique_identifiers` fields were originally defined as arrays.
To improve searchability and allow each object to be queried independently of one another, this PR
introduced new nested field variations for each.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/rapid7_insightvm directory.
  • Run the following command to run tests.

elastic-package test -v

Related issues

@brijesh-elastic brijesh-elastic self-assigned this Mar 16, 2026
@brijesh-elastic brijesh-elastic requested a review from a team as a code owner March 16, 2026 12:23
@brijesh-elastic brijesh-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:rapid7_insightvm Rapid7 InsightVM Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Mar 16, 2026
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@github-actions
Contributor

Vale Linting Results

Summary: 4 warnings found

⚠️ Warnings (4)
| File | Line | Rule | Message |
| --- | --- | --- | --- |
| packages/rapid7_insightvm/docs/README.md | 263 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/rapid7_insightvm/docs/README.md | 265 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/rapid7_insightvm/docs/README.md | 548 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/rapid7_insightvm/docs/README.md | 550 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @brijesh-elastic

Contributor

@efd6 efd6 left a comment

This is the implementation that the user asked for. An alternative would be to construct a map of name to type, but I think it risks clobbering data if the same name appears twice, and if a user wants that behaviour it is easy to implement in a @custom pipeline.

@@ -252,10 +261,14 @@ An example event for `asset` looks as following:
| rapid7.insightvm.asset.severe_vulnerabilities | The count of severe vulnerability findings. | long |
| rapid7.insightvm.asset.tags.name | The stored value. | keyword |
| rapid7.insightvm.asset.tags.type | The type of information stored and displayed. For sites, the value is "SITE". | keyword |
| rapid7.insightvm.asset.tags_nested.name | The stored value. | keyword |
| rapid7.insightvm.asset.tags_nested.type | The type of information stored and displayed. For sites, the value is "SITE". | keyword |
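
Review bot: The `tags_nested.name` and `tags_nested.type` rows repeat the descriptions of `tags.name` and `tags.type` word for word, so the table gives a reader no way to tell the nested variant from the original array field or to know which one to query. Suggest stating in the `tags_nested.*` descriptions that these are the nested copy of `tags`, intended for queries that must match name and type within the same tag object. The visible leaf rows show only `keyword`, so a parent row for `rapid7.insightvm.asset.tags_nested` with its own type would also help if the generated table can carry one.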

I disagree with the Vale linter here; in normal English punctuation rules, what it says is correct, but in the context of quoting a value that is a string literal it is heading for confused users.
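
The trade-off discussed in this PR, as an added example that is not part of the pull request or the integration's code: a simplified Python model of how a plain array of objects is matched once its leaves are flattened into multi-valued fields, how a nested field matches per object, and how a name-to-type map overwrites duplicate names. The tag values and all function names are constructed for illustration.

```python
# Constructed sample: one asset's tags as an array of objects (illustrative values).
ASSET_TAGS = [
    {"name": "dmz", "type": "SITE"},
    {"name": "pci", "type": "CUSTOM"},
    {"name": "dmz", "type": "CUSTOM"},
]


def flatten(objs):
    """Model a plain object array: each leaf becomes one multi-valued field,
    so the pairing between name and type inside an object is lost."""
    flat = {}
    for obj in objs:
        for key, value in obj.items():
            flat.setdefault(key, set()).add(value)
    return flat


def match_flattened(objs, **terms):
    """AND of term filters against the flattened leaves (cross-object match)."""
    flat = flatten(objs)
    return all(value in flat.get(key, set()) for key, value in terms.items())


def match_nested(objs, **terms):
    """Model a nested query: all terms must hold within a single object."""
    return any(all(obj.get(k) == v for k, v in terms.items()) for obj in objs)


def name_to_type_map(objs):
    """The alternative layout: a map keyed by tag name. Returns the map and
    the names whose earlier value was overwritten by a later duplicate."""
    mapping, clobbered = {}, []
    for obj in objs:
        if obj["name"] in mapping and mapping[obj["name"]] != obj["type"]:
            clobbered.append(obj["name"])
        mapping[obj["name"]] = obj["type"]
    return mapping, clobbered
```

A filter for the tag `pci` of type `SITE` matches the flattened form even though no such tag exists on the asset, which is the false positive the nested variant removes from asset-scoping queries.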

Development

Successfully merging this pull request may close these issues.

Rapid7 InsightVM [rapid7_insightvm]: Unknown (array) fields

3 participants