[meta] ECS 8.5 Updates (Security External Integrations) #4338

@efd6

This is a meta issue to track ECS 8.5 updates to Fleet integrations maintained by the elastic/security-external-integrations team.

ECS 8.5 Changes

This is a summary of the changes in ECS 8.5. You can view the official changelog here.

Added

No features added to ECS in 8.5 required changes in SEI packages.

  • Adding risk.* fields as experimental.
  • Adding process.io.* as beta fields.
  • Adding process.tty.rows and process.tty.columns as beta fields.
  • Changed process.env_vars field type to be an array of keywords.
  • process.attested_user and process.attested_groups as beta fields.
  • Added risk.* fieldset to beta.

SEI owned Integrations

All SEI integrations are updated in #4285 (currently updating to v8.5.0-rc1).

Prior to this PR a number of preparatory PRs were required to bring packages up to date:

Integrations SEI contributes to

I reviewed these to see if they were affected by any changes to ECS; as above, no changes in the ECS have any impact on these packages and they will not be touched.

  • aws.cloudtrail
  • aws.vpcflow
  • system.application
  • system.auth
  • system.security
  • system.system
  • windows.forwarded
  • windows.powershell
  • windows.powershell_operational
  • windows.sysmon_operational
