Fix affected _ignored fields due to new check in system tests

[narph]

Following this PR which adds a check whether any indexed docs have an _ignored field - this would indicate a mapping problem:

Example output:

Error: error running package system tests: could not complete test run: found _ignored fields in data stream logs-cel.cel-ep

Also relevant elastic/elastic-package#1276

The following integration tests are failing with affected fields:

• ti_threatconnect: threat_connect.indicator.tags.data.description (cc @elastic/security-service-integrations )
• tenable_io: tenable_io.vulnerability.plugin.description vulnerability.description (cc @elastic/security-service-integrations )
• tanium: tanium.threat_response.other_parameters.log_details.payload, tanium.threat_response.other_parameters.original (cc @elastic/security-service-integrations )
• panw: panw.panos.after_change_detail (cc @elastic/sec-deployment-and-devices )
• m365_defender: m365_defender.incident.alert.recommended_actions (cc @elastic/security-service-integrations )
• fortinet_fortimanager: fortimanager.log.changes (cc @elastic/sec-deployment-and-devices)
• crowdstrike: crowdstrike.ConfigStateData, crowdstrike.FeatureVector, crowdstrike.OSVersionFileData, process.command_line (cc @elastic/security-service-integrations )

Steps:

• run the system tests to analyze the _ignored data and why is failing to index
• fix potential issues with the fields affected or ignore these usecases

[andrewkroh]

https://buildkite.com/elastic/integrations/builds/10578 contains the failing test output with raw events. This makes it easier to see what went wrong with with each field.

[ShourieG]

@narph, @andrewkroh, As all the failures here are tied to length of fields with type 'keyword', we need to wait for the following PR: elastic/package-spec#743 to get merged before we make changes. The PR will enable adding certain skip/ignore attributes to fields that will stop tests from failing with throwing out ignored fields.

[flash1293]

@ShourieG what about setting all of these fields to index: false? I'm not sure I'm seeing the value of indexing these fields if they are often ignored. This isn't tied to the PR of muting these errors.

[ShourieG]

@ShourieG what about setting all of these fields to index: false? I'm not sure I'm seeing the value of indexing these fields if they are often ignored. This isn't tied to the PR of muting these errors.

Will have to discuss this with the team and take the call accordingly, any thoughts @andrewkroh ?

[andrewkroh]

If the fields are chronically unindexable due to length then we should consider changing them to different more usable data type. Or if there is no search use-case for making the data indexed then turn off index entirely. Wildcard or match_only_text would likely be best types to consider based on use-case.