tenable_sc.vulnerability: Update mapping of tenable_sc.vulnerability.plugin.text field to match_only_text (elastic#16508)

kcreddy · web-flow · commit 2f19a2d5a49c · 2025-12-12T16:00:58.000+05:30
The "tenable_sc.vulnerability.plugin.text" field stores several details of vulnerable packages found on the host. It is currently mapped to "keyword". It can grow larger than maximum "ignore_above" limit of keywordfields, making it unusable in searches. This PR updates the data type of "tenable_sc.vulnerability.plugin.text" field to "match_only_text" to allow searches on this field. This is a breaking-change because the data types "keyword" and "match_only_text" are from different family [1] and could break users' custom Kibana dashboards or queries. [1] https://www.elastic.co/docs/reference/elasticsearch/mapping-reference/field-data-types
diff --git a/packages/tenable_sc/changelog.yml b/packages/tenable_sc/changelog.yml
@@ -1,4 +1,11 @@
 # newer versions go on top
+- version: "2.0.0"
+  changes:
+    - description: >-
+        Update mapping of `tenable_sc.vulnerability.plugin.text` field from `keyword`to `match_only_text`.
+        This could break custom Kibana dashboards or queries that rely on the `tenable_sc.vulnerability.plugin.text` field.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/16508
 - version: "1.32.1"
   changes:
     - description: Fix handling of vulnerablity documents that do not contain a seeAlso field.
diff --git a/packages/tenable_sc/data_stream/vulnerability/fields/fields.yml b/packages/tenable_sc/data_stream/vulnerability/fields/fields.yml
@@ -160,7 +160,7 @@
           description: |
             The date on which the vulnerability was published.
         - name: text
-          type: keyword
+          type: match_only_text
           description: |
             Text provided by plugin. (Usually plugin output text).
     - name: port
diff --git a/packages/tenable_sc/docs/README.md b/packages/tenable_sc/docs/README.md
@@ -696,7 +696,7 @@ An example event for `vulnerability` looks as following:
 | tenable_sc.vulnerability.plugin.mod_date | The date on which the vulnerability was modified. | date |
 | tenable_sc.vulnerability.plugin.name | The name of the plugin. | keyword |
 | tenable_sc.vulnerability.plugin.pub_date | The date on which the vulnerability was published. | date |
-| tenable_sc.vulnerability.plugin.text | Text provided by plugin. (Usually plugin output text). | keyword |
+| tenable_sc.vulnerability.plugin.text | Text provided by plugin. (Usually plugin output text). | match_only_text |
 | tenable_sc.vulnerability.port | The port the scanner used to communicate with the asset. | keyword |
 | tenable_sc.vulnerability.protocol | The protocol the scanner used to communicate with the asset. | keyword |
 | tenable_sc.vulnerability.recast_risk | Modified the severity risk measure of vulnerabilities using recast rules. | keyword |
diff --git a/packages/tenable_sc/manifest.yml b/packages/tenable_sc/manifest.yml
@@ -2,7 +2,7 @@ format_version: "3.3.2"
 name: tenable_sc
 title: Tenable Security Center
 # The version must be updated in the input configuration templates as well, in order to set the correct User-Agent header. Until elastic/kibana#121310 is implemented we will have to manually sync these.
-version: "1.32.1"
+version: "2.0.0"
 description: |
   Collect data from Tenable Security Center with Elastic Agent.
 type: integration
