Guide

It is recommended to split the changes into smaller PRs to limit the number of changed files. Generally speaking, 10 integrations per PR is a good number to target.

Automated method

Use the ecs-update tool which can be found here.

cd packages/
ecs-update -pr 999999 -ecs-git-ref v8.17.0 -ecs-version 8.17.0 -owner elastic/owner-name-here package_1 [package_2 ...]

Once PR is filed, the changelogs will need to be updated with the correct PR number.

Manual method

Update ECS references in integrations to version 8.17.

• Update reference in _dev/build/build.yml to v8.17.0
• Update package changelog/manifest and regenerate README.

dependencies:
  ecs:
-    reference: "[email protected]"
+    reference: "[email protected]"

ECS 8.17 Changes

https://github.com/elastic/ecs/releases/tag/v8.17.0

Schema Changes

Bugfixes

• Fix link rendering issues and usage of http in links. [microsoft_dhcp] Upgrade ECS to 8.0.0 #2423

Improvements

• Increase ignore_above value for url.query. [netflow] Upgrade ECS to 8.0.0 #2424
• Set synthetic_source_keep = none on fields that represent sets. [microsoft_defender_endpoint] Upgrade ECS to 8.0.0 #2422

Integrations

@elastic/cloud-security-posture:

• cloud_security_posture

@elastic/ecosystem:

• elastic_package_registry

@elastic/elastic-agent:

• elastic_agent

@elastic/elastic-agent-data-plane:

• filestream
• journald
• linux
• log
• windows

@elastic/fleet:

• fleet_server

@elastic/obs-cloudnative-monitoring:

• containerd
• docker
• istio
• kubernetes
• kubernetes_otel
• nginx_ingress_controller

@elastic/obs-ds-hosted-services:

• aws
• aws_logs
• awsfirehose
• azure
• azure_metrics
• gcp
• gcp_metrics

@elastic/obs-ds-intake-services:

• apm
• profiler_collector
• profiler_symbolizer

@elastic/obs-infraobs-integrations:

• activemq
• airflow [DRAFT] [airflow] Make Airflow package GA #15287
• apache
• apache_spark
• apache_tomcat
• awsfargate
• azure_app_service
• azure_application_insights
• azure_billing
• azure_functions
• azure_logs
• azure_openai
• cassandra
• ceph
• cisco_meraki_metrics
• citrix_adc
• cockroachdb
• coredns
• couchbase
• couchdb
• etcd
• gcp_vertexai
• golang
• hadoop
• haproxy
• ibmmq
• iis
• influxdb
• jolokia
• kafka
• kafka_log
• memcached
• microsoft_sqlserver
• mongodb
• mongodb_atlas
• mysql
• nagios_xi
• nats
• nginx
• nginx_ingress_controller_otel
• oracle
• oracle_weblogic
• panw_metrics
• php_fpm
• postgresql
• prometheus
• prometheus_input
• rabbitmq
• redis
• redisenterprise
• salesforce
• spring_boot
• sql
• stan
• statsd_input [statsd_input] Make StatsD input package GA #15125
• system
• tomcat
• traefik
• vsphere
• websphere_application_server
• zookeeper

@elastic/sec-deployment-and-devices:

• Update Deployment and Devices integrations to ECS 8.17.0 (part 1) #12569

  • arista_ngfw
  • cef
  • checkpoint
  • cisco_aironet
  • cisco_asa
  • cisco_ftd
  • cisco_ios
  • cisco_ise
  • cisco_nexus
  • cisco_secure_email_gateway
  • citrix_waf

• Update Deployment and Devices integrations to ECS 8.17.0 (part 2) #12571

  • fortinet_forticlient
  • fortinet_fortiedr
  • fortinet_fortigate
  • fortinet_fortimail
  • fortinet_fortimanager
  • fortinet_fortiproxy
  • goflow2
  • hashicorp_vault
  • imperva
  • iptables

• Update Deployment and Devices integrations to ECS 8.17.0 (part 3) #12572

  • juniper_srx
  • modsecurity
  • netflow
  • osquery
  • panw
  • pfsense
  • proxysg

• Update Deployment and Devices integrations to ECS 8.17.0 (part 4) #12574

  • qnap_nas
  • snort
  • sonicwall_firewall
  • sophos
  • squid
  • stormshield
  • suricata
  • tcp
  • udp
  • watchguard_firebox
  • zeek

@elastic/sec-linux-platform:

• auditd
• auditd_manager
• cloud_defend
• fim
• network_traffic
• sysmon_linux
• system_audit

@elastic/sec-windows-platform: #12636

• hid_bravura_monitor
• microsoft_dhcp
• microsoft_dnsserver
• microsoft_exchange_server
• mysql_enterprise
• windows_etw
• winlog

@elastic/security-asset-management:

• osquery_manager

@elastic/security-service-integrations:

• Update Security Service integrations to ECS 8.17.0 (part 1) #14158

  • claroty_ctd
  • entityanalytics_ad
  • sysdig
  • tychon

• 1password

• abnormal_security

• akamai

• amazon_security_lake

• atlassian_bitbucket

• atlassian_confluence

• atlassian_jira

• auth0

• authentik

• aws_bedrock

• azure_blob_storage

• azure_frontdoor

• azure_network_watcher_nsg

• azure_network_watcher_vnet

• barracuda

• barracuda_cloudgen_firewall

• bbot

• bitdefender

• bitwarden

• blacklens

• box_events

• canva

• carbon_black_cloud

• carbonblack_edr

• cel

• checkpoint_harmony_endpoint

• cisa_kevs

• cisco_duo

• cisco_meraki

• cisco_secure_endpoint

• cisco_umbrella

• cloudflare

• cloudflare_logpush

• corelight

• cribl

• crowdstrike

• cyberark_pta

• cyberarkpas

• cybereason

• cylance

• darktrace

• digital_guardian

• entityanalytics_entra_id

• entityanalytics_okta

• eset_protect

• f5

• f5_bigip

• falco

• fireeye

• first_epss

• forcepoint_web

• forgerock

• gcp_pubsub

• gigamon

• github

• gitlab

• google_cloud_storage

• google_scc

• google_workspace

• http_endpoint

• httpjson

• imperva_cloud_waf

• infoblox_bloxone_ddi

• infoblox_nios

• jamf_compliance_reporter

• jamf_pro

• jamf_protect

• jumpcloud

• keycloak

• lastpass

• lumos

• lyve_cloud

• m365_defender

• mattermost

• menlo

• microsoft_defender_cloud

• microsoft_defender_endpoint

• microsoft_exchange_online_message_trace

• microsoft_sentinel

• mimecast

• netskope

• o365

• okta

• opencanary

• panw_cortex_xdr

• ping_one

• pps

• prisma_access

• prisma_cloud

• proofpoint_on_demand

• proofpoint_tap

• pulse_connect_secure

• qualys_vmdr

• rapid7_insightvm

• santa

• sentinel_one

• sentinel_one_cloud_funnel

• servicenow

• slack

• snyk

• sophos_central

• spycloud

• sublime_security

• symantec_edr_cloud

• symantec_endpoint

• symantec_endpoint_security

• tanium

• teleport

• tenable_io

• tenable_sc

• threat_map

• thycotic_ss

• ti_abusech

• ti_anomali

• ti_cif3

• ti_crowdstrike

• ti_custom

• ti_cybersixgill

• ti_eclecticiq

• ti_eset

• ti_maltiverse

• ti_mandiant_advantage

• ti_misp

• ti_opencti

• ti_otx

• ti_rapid7_threat_command

• ti_recordedfuture

• ti_threatconnect

• ti_threatq

• ti_util

• tines

• trellix_edr_cloud

• trellix_epo_cloud

• trend_micro_vision_one

• trendmicro

• vectra_detect

• websocket

• wiz

• zerofox

• zeronetworks

• zoom

• zscaler_zia

• zscaler_zpa

@elastic/stack-monitoring:

• beat
• elasticsearch
• enterprisesearch
• kibana
• logstash
• platform_observability