Rename overridden ECS fields files to ecs-overridden.yml across CDR transforms

maxcold · claude · maxcold · commit 9b843db10c3a · 2026-02-27T13:47:39.000+01:00
Rename ecs.yml to ecs-overridden.yml for transforms that only contain
constant_keyword type overrides in aws (awsconfig, awsinspector),
aws_securityhub, google_scc, and microsoft_defender_endpoint.
Also strip external: ecs from all ecs-overridden.yml files for consistency.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
@@ -1,7 +1,7 @@
 # newer versions go on top
 - version: "6.3.0"
   changes:
-    - description: Removed ECS field definitions from CDR misconfiguration transform, now covered by ecs@mappings component template on transform destination index templates.
+    - description: Removed ECS field definitions from CDR transform destinations, now covered by ecs@mappings component template. Renamed overridden ECS fields files to ecs-overridden.yml for awsconfig and awsinspector transforms.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/17552
 - version: "6.2.0"
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/ecs-overridden.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/ecs-overridden.yml
@@ -1,6 +1,5 @@
+# Define ECS constant fields as constant_keyword
 - name: cloud.provider
   type: constant_keyword
-  external: ecs
 - name: observer.vendor
   type: constant_keyword
-  external: ecs
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/ecs-overridden.yml b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/ecs-overridden.yml
@@ -1,7 +1,5 @@
 # Define ECS constant fields as constant_keyword
 - name: observer.vendor
   type: constant_keyword
-  external: ecs
 - name: vulnerability.scanner.vendor
   type: constant_keyword
-  external: ecs
diff --git a/packages/aws_securityhub/changelog.yml b/packages/aws_securityhub/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+  changes:
+    - description: Removed ECS field definitions from CDR transform destinations, now covered by ecs@mappings component template. Renamed overridden ECS fields files to ecs-overridden.yml.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/17552
 - version: "0.1.0"
   changes:
     - description: Initial release.
diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml b/packages/aws_securityhub/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml
@@ -1,7 +1,5 @@
 # Define ECS constant fields as constant_keyword
 - name: observer.vendor
   type: constant_keyword
-  external: ecs
 - name: vulnerability.scanner.vendor
   type: constant_keyword
-  external: ecs
diff --git a/packages/aws_securityhub/elasticsearch/transform/latest_findings/fields/ecs-overridden.yml b/packages/aws_securityhub/elasticsearch/transform/latest_findings/fields/ecs-overridden.yml
@@ -1,7 +1,5 @@
 # Define ECS constant fields as constant_keyword
 - name: observer.vendor
   type: constant_keyword
-  external: ecs
 - name: vulnerability.scanner.vendor
   type: constant_keyword
-  external: ecs
diff --git a/packages/aws_securityhub/manifest.yml b/packages/aws_securityhub/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_securityhub
 title: "AWS Security Hub"
-version: 0.1.0
+version: 0.2.0
 source:
   license: "Elastic-2.0"
 description: Collect logs from AWS Security Hub with Elastic Agent.
diff --git a/packages/google_scc/changelog.yml b/packages/google_scc/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.3.0"
+  changes:
+    - description: Removed ECS field definitions from CDR transform destinations, now covered by ecs@mappings component template. Renamed overridden ECS fields files to ecs-overridden.yml.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/17552
 - version: "2.2.2"
   changes:
     - description: Remove duplicate security-solution-default tag references
diff --git a/packages/google_scc/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs-overridden.yml b/packages/google_scc/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs-overridden.yml
@@ -1,4 +1,3 @@
 # Define ECS constant fields as constant_keyword
 - name: observer.vendor
   type: constant_keyword
-  external: ecs
diff --git a/packages/google_scc/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml b/packages/google_scc/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml
@@ -1,7 +1,5 @@
 # Define ECS constant fields as constant_keyword
 - name: observer.vendor
   type: constant_keyword
-  external: ecs
 - name: vulnerability.scanner.vendor
   type: constant_keyword
-  external: ecs
diff --git a/packages/google_scc/manifest.yml b/packages/google_scc/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.2.3"
 name: google_scc
 title: Google Security Command Center
-version: "2.2.2"
+version: "2.3.0"
 description: Collect logs from Google Security Command Center with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/microsoft_defender_endpoint/changelog.yml b/packages/microsoft_defender_endpoint/changelog.yml
@@ -1,7 +1,7 @@
 # newer versions go on top
 - version: "4.4.0"
   changes:
-    - description: Removed ECS field definitions from latest_action transform, now covered by ecs@mappings component template on transform destination index templates.
+    - description: Removed ECS field definitions from CDR transform destinations, now covered by ecs@mappings component template. Renamed overridden ECS fields files to ecs-overridden.yml.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/17552
 - version: "4.3.1"
diff --git a/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/fields/ecs-overridden.yml b/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/fields/ecs-overridden.yml
@@ -0,0 +1,5 @@
+# Define ECS constant fields as constant_keyword
+- name: observer.vendor
+  type: constant_keyword
+- name: vulnerability.scanner.vendor
+  type: constant_keyword
diff --git a/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/fields/ecs.yml b/packages/microsoft_defender_endpoint/elasticsearch/transform/latest_cdr_vuln/fields/ecs.yml
diff --git a/packages/qualys_vmdr/changelog.yml b/packages/qualys_vmdr/changelog.yml
@@ -1,7 +1,7 @@
 # newer versions go on top
 - version: "6.16.0"
   changes:
-    - description: Removed ECS field definitions from vulnerability transform, now covered by ecs@mappings component template on transform destination index templates.
+    - description: Removed ECS field definitions from CDR transform destinations, now covered by ecs@mappings component template. Renamed overridden ECS fields files to ecs-overridden.yml.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/17552
 - version: "6.15.0"
diff --git a/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml b/packages/qualys_vmdr/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml
@@ -1,7 +1,5 @@
 # Define ECS constant fields as constant_keyword
 - name: observer.vendor
   type: constant_keyword
-  external: ecs
 - name: vulnerability.scanner.vendor
   type: constant_keyword
-  external: ecs
diff --git a/packages/rapid7_insightvm/changelog.yml b/packages/rapid7_insightvm/changelog.yml
@@ -1,7 +1,7 @@
 # newer versions go on top
 - version: "2.6.0"
   changes:
-    - description: Removed ECS field definitions from vulnerability transform, now covered by ecs@mappings component template on transform destination index templates.
+    - description: Removed ECS field definitions from CDR transform destinations, now covered by ecs@mappings component template. Renamed overridden ECS fields files to ecs-overridden.yml.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/17552
 - version: "2.5.1"
diff --git a/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml b/packages/rapid7_insightvm/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml
@@ -1,7 +1,5 @@
 # Define ECS constant fields as constant_keyword
 - name: observer.vendor
   type: constant_keyword
-  external: ecs
 - name: vulnerability.scanner.vendor
   type: constant_keyword
-  external: ecs
diff --git a/packages/tenable_io/changelog.yml b/packages/tenable_io/changelog.yml
@@ -1,7 +1,7 @@
 # newer versions go on top
 - version: "4.9.0"
   changes:
-    - description: Removed ECS field definitions from vulnerability transform, now covered by ecs@mappings component template on transform destination index templates.
+    - description: Removed ECS field definitions from CDR transform destinations, now covered by ecs@mappings component template. Renamed overridden ECS fields files to ecs-overridden.yml.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/17552
 - version: "4.8.0"
diff --git a/packages/tenable_io/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml b/packages/tenable_io/elasticsearch/transform/latest_cdr_vulnerabilities/fields/ecs-overridden.yml
@@ -1,7 +1,5 @@
 # Define ECS constant fields as constant_keyword
 - name: observer.vendor
   type: constant_keyword
-  external: ecs
 - name: vulnerability.scanner.vendor
   type: constant_keyword
-  external: ecs
