[windows] Upgrade package-spec

[taylor-swanson]

There are two configuration values flagged in #8610 that need to be marked as secret:

• httpjson.password
• httpjson.token

In order to support secrets variables and validation, the package-spec version of the integration will need to be raised to 3.0.2 or higher. As a note, migrating to package-spec 3.0 or higher will more than likely trigger validation errors for fields. One of the main reasons why windows is being held back at pkg-spec 1.0.0 is due to the presence of dynamic metrics fields in the perfmon data stream. This is no longer allowed in newer versions of pkg-spec.

Things to do as part of the package-spec bump:

• [ ] Mark httpjson.password and httpjson.token as secret: true
• [ ] Fix manifest.yml options
• [ ] Consider using TSDB for perfmon data stream
• [ ] Fix field definitions
  • [ ] Fix array type fields ie: invocation_details
  • [ ] Fix dynamic metric fields (check subobjects
• [ ] Rework dashboards to use Lens

Some of the changes will probably be breaking changes :

• [ ] Update major version
• [ ] Test upgrade process and document any issues given windows is a highly used integration

[elasticmachine]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[jlind23]

@cmacknz @pierrehilbert any reason why the data plane team is mentioned as the codeowner here https://github.com/elastic/integrations/blob/ca7078d194b387d0d390e996a09dcddedc84b491/.github/CODEOWNERS#L352C1-L353C1 ?

[pierrehilbert]

We discussed with @nfritts a month ago and his team should be the owner.

[jlind23]

@pierrehilbert let's make sure we have a pr for this then. @nfritts what's the right github team we should use then?

[nimarezainia]

Should we remove the data plane team from that ownership file. I think majority of the inputs are security owned.

[pierrehilbert]

Yes we should, we are waiting to have a confirmation from @nfritts about the team we should add instead of the Data Plane team to open a PR.

[marc-gr]

Even though the upgrade to a most recent package-spec is something we should do, I wonder if we want to keep the httpjson based Splunk input. @jamiehynds what do you think? Would be something we could remove, also from the other couple integrations that have it?

[nfritts]

The data plane team seems to own this too: https://github.com/elastic/integrations/blob/ca7078d194b387d0d390e996a09dcddedc84b491/.github/CODEOWNERS#L361C1-L361C72

I don't know if they should or not? If they should, then maybe it makes sense for them to remain on the root windows folder like they currently are? If it doesn't make sense then they could just be removed as sec-windows-platform is already on it.