elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[meta] Upgrade integrations to ECS 8.7 #5763

Closed ShourieG closed 1 year ago

ShourieG commented 1 year ago

This is a meta issue to track ECS 8.7 updates to Fleet integrations maintained by the elastic/security-external-integrations team.

ECS 8.7 Changes:

This is a summary of the changes in ECS 8.7. You can view the official changelog here.

Added:

No features added to ECS in 8.7 required changes in SEI packages.

Integrations SEI contributes to

Currently the following integrations are being reviewed to check if the `api` option for `event.category` has any impact on the following packages (any inputs appreciated):

SEI Integrations Checklist:

elastic/security-external-integrations:

  - 1password
  - akamai
  - atlassian_bitbucket
  - atlassian_confluence
  - atlassian_jira
  - auditd
  - auditd_manager
  - auth0
  - azure_blob_storage
  - azure_frontdoor
  - barracuda
  - barracuda_cloudgen_firewall
  - bluecoat
  - box_events
  - carbon_black_cloud
  - carbonblack_edr
  - cef
  - checkpoint
  - cisco_aironet
  - cisco_asa
  - cisco_duo
  - cisco_ftd
  - cisco_ios
  - cisco_ise
  - cisco_meraki
  - cisco_nexus
  - cisco_secure_email_gateway
  - cisco_secure_endpoint
  - cisco_umbrella
  - citrix_waf
  - cloudflare
  - cloudflare_logpush
  - crowdstrike
  - cyberark_pta
  - cyberarkpas
  - cylance
  - darktrace
  - f5
  - f5_bigip
  - fim
  - fireeye
  - forcepoint_web
  - forgerock
  - fortinet_forticlient
  - fortinet_fortiedr
  - fortinet_fortigate
  - fortinet_fortimail
  - fortinet_fortimanager
  - gcp
  - gcp_pubsub
  - github
  - google_cloud_storage
  - google_workspace
  - hashicorp_vault
  - hid_bravura_monitor
  - http_endpoint
  - httpjson
  - imperva
  - infoblox_bloxone_ddi
  - infoblox_nios
  - iptables
  - jamf_compliance_reporter
  - jumpcloud
  - juniper_junos
  - juniper_netscreen
  - juniper_srx
  - keycloak
  - lastpass
  - lyve_cloud
  - m365_defender
  - mattermost
  - microsoft_defender_endpoint
  - microsoft_dhcp
  - microsoft_exchange_online_message_trace
  - mimecast
  - modsecurity
  - mysql_enterprise
  - netflow
  - netscout
  - netskope
  - network_traffic
  - o365
  - okta
  - osquery
  - panw
  - panw_cortex_xdr
  - pfsense
  - ping_one
  - proofpoint_tap
  - pulse_connect_secure
  - qnap_nas
  - radware
  - santa
  - sentinel_one
  - slack
  - snort
  - snyk
  - sonicwall_firewall
  - sophos
  - sophos_central
  - squid
  - suricata
  - symantec_endpoint
  - sysmon_linux
  - system_audit
  - tanium
  - tcp
  - tenable_io
  - tenable_sc
  - thycotic_ss
  - ti_abusech
  - ti_anomali
  - ti_cif3
  - ti_cybersixgill
  - ti_misp
  - ti_otx
  - ti_rapid7_threat_command
  - ti_recordedfuture
  - ti_threatq
  - ti_util
  - tines
  - trend_micro_vision_one
  - trendmicro
  - udp
  - winlog
  - zeek
  - zerofox
  - zoom
  - zscaler_zia
  - zscaler_zpa

Relates to: https://github.com/elastic/security-team/issues/5720

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

ShourieG commented 1 year ago

@marc-gr, @andrewkroh Do you think that the new `api` option in `event.category` will have any effect on the SEI shared integrations?

  - aws.cloudtrail
  - aws.vpcflow
  - system.application
  - system.auth
  - system.security
  - system.system
  - windows.forwarded
  - windows.powershell
  - windows.powershell_operational
  - windows.sysmon_operational

andrewkroh commented 1 year ago

I looked over the Windows Microsoft-Windows-Security-Auditing provider and didn't see anything that directly mentions "API" calls.

I think some of the event IDs within Sysmon could potentially be classified as `event.category: api`. I think if an event directly mentions some Windows API call then the category should be added. For example, event ID 8 directly relates to a CreateRemoteThread API call.

For AWS CloudTrail I think every event is related to some REST API call. The ECS definition says "but can also include network protocols (such as SOAP, RPC, Websocket, REST, etc.)". That seems to qualify IMO.
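
As an added illustration of the classification described in the comment above (not code from the elastic/integrations repository or from the commenter), here is a minimal Elasticsearch ingest pipeline fragment in the YAML form the integrations use. It assumes the Windows integration's `winlog.provider_name` and `winlog.event_id` fields (keyword, so the ID is compared as a string) and that CloudTrail documents carry `event.dataset: aws.cloudtrail`; the `append` processor with `allow_duplicates: false` keeps `event.category` an array and does not repeat `api` if an earlier processor already set it.

```yaml
# Added example, not from elastic/integrations. Shows how the ECS 8.7 "api"
# value could be appended to event.category for the two cases discussed in
# the thread. Assumed fields: winlog.provider_name, winlog.event_id (keyword,
# compared as a string) and event.dataset.
description: Tag API-related events with event.category "api" (ECS 8.7)
processors:
  # Sysmon event ID 8 (CreateRemoteThread) directly names a Windows API call,
  # so only that event ID from the Sysmon provider gets the category here.
  - append:
      field: event.category
      value: api
      allow_duplicates: false
      if: >-
        ctx.winlog?.provider_name == 'Microsoft-Windows-Sysmon' &&
        ctx.winlog?.event_id == '8'
  # Every CloudTrail record represents an AWS REST API call, so the whole
  # data stream qualifies and no per-event condition is needed beyond the
  # dataset check.
  - append:
      field: event.category
      value: api
      allow_duplicates: false
      if: ctx.event?.dataset == 'aws.cloudtrail'
```

The null-safe `?.` operator in the Painless conditions keeps the processor from failing on documents that lack the `winlog` or `event` object, which matters because the same pipeline may see events from other providers.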

ShourieG commented 1 year ago

@andrewkroh understood, so it looks like this will be an enhancement for those packages. So can we get an approval for this PR and then add those separately as enhancements in another PR, since the 8.7 update is time sensitive? We will keep track of the successive PRs in this meta issue.

ShourieG commented 1 year ago

SEI packages have been updated to 8.7 & merged. cc: @narph