Merge branch 'feature/use-google-secrets' into test/use-google-secrets

* feature/use-google-secrets: (43 commits)
  use -ci account
  [jamf_pro] Fix `flattened` field types for non-object values (#13985)
  [Netskope Alerts] Add text multi-field to netskope.alerts.breach.description field (#13977)
  zscaler_zia: add strict field template mode for tcp and http_endpoint input data streams (#13904)
  apm: Add config for tail-based sampling discard on write (#13950)
  [CI] Add dev/coverage into backport script (#13987)
  Update configuration updatecli for 8.x snapshot (#13981)
  [Prometheus] Add username, password, and SSL related fields for query dataset (#13969)
  o365: Ignore failures in rename processors for organization fields (#13983)
  aws.firewall: Document ingested log types of AWS Network Firewall (#13978)
  mimecast: resolve field data type conflicts between data streams (#13825)
  [Infoblox NIOS] Handle the parsing of IPv6 address (#13947)
  [Cribl] Fix handling of metric event type (#13930)
  zscaler_zpa: fix handling of multiple remote IPs, and event categorisation (#13755)
  Adding agentless deployment to the sublime security integration (#13963)
  [integration/system] add use_performance_counters in system integration (#13150)
  crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentinel_one: normalise severity handling (#13955)
  [forgerock] Map `forgerock.response.elapsedTime` as a long not a date (#13959)
  github: squelch errors from pagination ends (#13965)
  cisco_secure_endpoint: squelch errors from pagination ends (#13964)
  ...

Author: v1v

.buildkite/pipeline.serverless.yml

@@ -6,7 +6,7 @@ env:
   DOCKER_COMPOSE_VERSION: "v2.24.1"
   DOCKER_VERSION: "false" # not required to set since system tests are not running yet
   KIND_VERSION: 'v0.27.0'
-  K8S_VERSION: 'v1.32.0'
+  K8S_VERSION: 'v1.33.0'
   YQ_VERSION: 'v4.35.2'
   IMAGE_UBUNTU_X86_64: "family/core-ubuntu-2204"
   GH_CLI_VERSION: "2.29.0"
@@ -78,14 +78,11 @@ steps:
           lifetime: 10800 # seconds
           project-id: "elastic-observability-ci"
           project-number: "911195782929"
-      - elastic/oblt-google-secrets#feature/add-initial-commit:
-          project-id: "elastic-observability"
-          secret: elastic-cloud-observability-team-qa-api-key
-          env-var: "EC_API_KEY"
-      - elastic/oblt-google-secrets#feature/add-initial-commit:
-          project-id: "elastic-observability"
-          secret: elastic-cloud-observability-team-qa-endpoint
-          env-var: "EC_HOST"
+          lifetime: 10800 # seconds
+      - avaly/gcp-secret-manager#v1.2.0:
+          env:
+            EC_API_KEY: elastic-cloud-observability-team-qa-api-key
+            EC_HOST: elastic-cloud-observability-team-qa-endpoint
     artifact_paths:
       - "build/test-results/*.xml"
       - "build/elastic-stack-dump/*/logs/*.log"

.buildkite/pipeline.yml

@@ -4,7 +4,7 @@ env:
   DOCKER_COMPOSE_VERSION: "v2.24.1"
   DOCKER_VERSION: "26.1.2"
   KIND_VERSION: 'v0.27.0'
-  K8S_VERSION: 'v1.32.0'
+  K8S_VERSION: 'v1.33.0'
   YQ_VERSION: 'v4.35.2'
   JQ_VERSION: '1.7'
   GH_CLI_VERSION: "2.29.0"

.buildkite/scripts/backport_branch.sh

@@ -133,10 +133,15 @@ updateBackportBranchContents() {
   # Update scripts used by mage
   local MAGEFILE_SCRIPTS_FOLDER="dev/citools"
   local TESTSREPORTER_SCRIPTS_FOLDER="dev/testsreporter"
+  local COVERAGE_SCRIPTS_FOLDER="dev/coverage"
   if git ls-tree -d --name-only main:${MAGEFILE_SCRIPTS_FOLDER} > /dev/null 2>&1 ; then
     echo "Copying $MAGEFILE_SCRIPTS_FOLDER from $SOURCE_BRANCH..."
     git checkout "$SOURCE_BRANCH" -- "${MAGEFILE_SCRIPTS_FOLDER}"
+    echo "Copying $TESTSREPORTER_SCRIPTS_FOLDER from $SOURCE_BRANCH..."
     git checkout "$SOURCE_BRANCH" -- "${TESTSREPORTER_SCRIPTS_FOLDER}"
+    echo "Copying $COVERAGE_SCRIPTS_FOLDER from $SOURCE_BRANCH..."
+    git checkout "$SOURCE_BRANCH" -- "${COVERAGE_SCRIPTS_FOLDER}"
+    echo "Copying magefile.go from $SOURCE_BRANCH..."
     git checkout "$SOURCE_BRANCH" -- "magefile.go"
     # Run go mod tidy to update just the dependencies related to magefile and dev scripts
     go mod tidy
@@ -173,7 +178,8 @@ updateBackportBranchContents() {
 
   if [ "$DRY_RUN" == "true" ];then
     echo "DRY_RUN mode, nothing will be pushed."
-    git --no-pager diff $SOURCE_BRANCH...$BACKPORT_BRANCH_NAME
+    # Show just the relevant files diff (go.mod, go.sum, .buildkite, dev and package to be backported)
+    git --no-pager diff $SOURCE_BRANCH...$BACKPORT_BRANCH_NAME go.mod go.sum .buildkite/ dev/ "packages/${PACKAGE_NAME}"
   else
     echo "Pushing..."
     git push origin $BACKPORT_BRANCH_NAME

.github/workflows/bump-elastic-stack-version.yml

@@ -25,7 +25,7 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Install Updatecli in the runner
-        uses: updatecli/updatecli-action@cf942226b953240efac9ff60bf42df2b908c2fa0 #v2.83.0
+        uses: updatecli/updatecli-action@307ce72e224b82157cc31c78828f168b8e55d47d #v2.84.0
 
       - name: Select diff action
         if: ${{ github.event_name == 'pull_request' }}

.github/workflows/updatecli/updatecli.d/bump-latest-8x-snapshot-version.yml

@@ -29,13 +29,13 @@ sources:
     name: Get latest snapshot
     kind: json
     spec:
-      file: https://storage.googleapis.com/artifacts-api/snapshots/8.x.json
+      file: https://storage.googleapis.com/artifacts-api/snapshots/8.19.json
       key: .version
   latestSnapshotMajorMinor:
     name: Get latest snapshort major and minor
     kind: json
     spec:
-      file: https://storage.googleapis.com/artifacts-api/snapshots/8.x.json
+      file: https://storage.googleapis.com/artifacts-api/snapshots/8.19.json
       key: .version
     transformers:
       - findsubmatch:

.mergify.yml

@@ -4,6 +4,15 @@ queue_rules:
     conditions:
       - check-success=integrations/pr-merge
 
+defaults:
+  actions:
+    backport:
+      title: "[{{ destination_branch }}] (backport #{{ number }}) {{ title }}"
+      assignees:
+        - "{{ author }}"
+      labels:
+        - "backport"
+
 pull_request_rules:
   - name: automatic merge of bot 🤖
     conditions:
@@ -14,3 +23,15 @@ pull_request_rules:
     actions:
       queue:
         name: default
+
+  - name: notify the backport has not been merged yet
+    conditions:
+      - -merged
+      - -closed
+      - author=mergify[bot]
+      - "#check-success>0"
+      - schedule=Mon-Mon 06:00-10:00[Europe/Paris]
+    actions:
+      comment:
+        message: |
+          This pull request has not been merged yet. Could you please review and merge it @{{ assignee | join(', @') }}? 🙏

docs/docset.yml

@@ -1,4 +1,6 @@
 project: 'Integration developer guide'
+products:
+  - id: integrations
 exclude:
   - ci_pipelines.md
   - dashboard_guidelines.md

packages/abnormal_security/_dev/build/docs/README.md

@@ -48,6 +48,10 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst
 
 **Note**: By default, the URL is set to `https://api.abnormalplatform.com`. We have observed that Abnormal Security Base URL changes based on location so find your own base URL.
 
+### Enabling enrichment for Threat events
+
+Introduced in version 1.8.0, the Abnormal Security integration includes a new option called `Enable Attachments and Links enrichment` for the Threat data stream. When enabled, this feature enriches incoming threat events with additional details about any attachments and links included in the original message.
+
 ## Logs reference
 
 ### AI Security Mailbox

packages/abnormal_security/_dev/deploy/docker/files/config.yml

@@ -403,6 +403,7 @@ rules:
               "messages": [
                 {
                   "abxMessageId": -1875077659085366331,
+                  "abxMessageIdStr": "-1875077659085366331",
                   "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/12345",
                   "attachmentCount": 0,
                   "attachmentNames": [],
@@ -448,6 +449,44 @@ rules:
               ]
           }
           `}}
+  - path: /v1/threats/184712ab-6d8b-47b3-89d3-a314efef79e2/attachments
+    methods: ['GET']
+    request_headers:
+      Authorization:
+        - "Bearer xxxx"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |-
+          {{ minify_json `
+          {
+              "attachments": [
+                  {
+                      "abxMessageIdStr": "-1875077659085366331",
+                      "abxMessageId": -1875077659085366331,
+                      "attachmentName": "attachment1.txt"
+                  }
+              ]
+          }
+          `}}
+  - path: /v1/threats/184712ab-6d8b-47b3-89d3-a314efef79e2/links
+    methods: ['GET']
+    request_headers:
+      Authorization:
+        - "Bearer xxxx"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |-
+          {{ minify_json `
+          {
+            "links": []
+          }
+          `}}
   - path: /v1/threats/284712ab-6d8b-47b3-89d3-a314efef79e2
     methods: ['GET']
     query_params:
@@ -468,6 +507,7 @@ rules:
               "messages": [
                 {
                     "abxMessageId": 2260288475997441028,
+                    "abxMessageIdStr": "2260288475997441028",
                     "abxPortalUrl": "https://portal.abnormalsecurity.com/home/threat-center/remediation-history/3456765434567654",
                     "attachmentCount": 0,
                     "attachmentNames": [],
@@ -512,6 +552,68 @@ rules:
               ]
           }
           `}}
+  - path: /v1/threats/284712ab-6d8b-47b3-89d3-a314efef79e2/attachments
+    methods: ['GET']
+    request_headers:
+      Authorization:
+        - "Bearer xxxx"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |-
+          {{ minify_json `
+          {
+              "attachments": [
+                  {
+                      "abxMessageIdStr": "2260288475997441028",
+                      "abxMessageId": 2260288475997441028,
+                      "attachmentName": "attachment1.txt"
+                  },
+                  {
+                      "abxMessageIdStr": "2260288475997441028",
+                      "abxMessageId": 2260288475997441028,
+                      "attachmentName": "attachment2.txt"
+                  }
+              ]
+          }
+          `}}
+  - path: /v1/threats/284712ab-6d8b-47b3-89d3-a314efef79e2/links
+    methods: ['GET']
+    request_headers:
+      Authorization:
+        - "Bearer xxxx"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |-
+          {{ minify_json `
+          {
+            "links": [
+              {
+                "abxMessageIdStr": "2260288475997441028",
+                "abxMessageId": 2260288475997441028,
+                "domainLink": "lamronba.com",
+                "linkType": "html href",
+                "source": "body",
+                "displayText": "This is not a spoof!",
+                "linkUrl": "http://spoof.lamronba.com"
+              },
+              {
+                "abxMessageIdStr": "2260288475997441028",
+                "abxMessageId": 2260288475997441028,
+                "domainLink": "lamronba2.com",
+                "linkType": "html href",
+                "source": "body",
+                "displayText": "This is not a spoof!",
+                "linkUrl": "http://spoof.lamronba2.com"
+              }
+            ]
+          }
+          `}}
   - path: /v1/vendor-cases
     methods: ['GET']
     query_params:

packages/abnormal_security/changelog.yml

@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "1.8.0"
+  changes:
+    - description: Enrich threat events with attachment and link details.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13933
+    - description: Use abxMessageIdStr instead of the deprecated abxMessageId as message identifier.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/13933
 - version: "1.7.0"
   changes:
     - description: Remove redundant installation instructions.

packages/abnormal_security/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json

@@ -64,7 +64,6 @@
                 "preserve_duplicate_custom_fields"
             ],
             "url": {
-                "extension": "0/search_v2/666/purge_messages/",
                 "original": "/v1.0/search_v2/666/purge_messages/",
                 "path": "/v1.0/search_v2/666/purge_messages/"
             },
@@ -139,7 +138,6 @@
                 "preserve_duplicate_custom_fields"
             ],
             "url": {
-                "extension": "0/messages/-3597017621819474673/email_content/",
                 "original": "/v2.0/messages/-3597017621819474673/email_content/",
                 "path": "/v2.0/messages/-3597017621819474673/email_content/"
             },
@@ -207,7 +205,6 @@
                 "preserve_duplicate_custom_fields"
             ],
             "url": {
-                "extension": "0/search_v2/",
                 "original": "/v1.0/search_v2/",
                 "path": "/v1.0/search_v2/"
             },
@@ -345,7 +342,6 @@
                 "preserve_duplicate_custom_fields"
             ],
             "url": {
-                "extension": "0/cases",
                 "original": "/v2.0/cases",
                 "path": "/v2.0/cases"
             },