Move Security integrations to GA

[jamiehynds]

The majority of our security integrations are currently experimental and our goal is to move these integrations towards GA in 7.14 to ensure full support as users adopt them in production environments.

Priority Order (based on Fleet telemetry)

• Windows (PowerShell/Security/Sysmon)
  • HTTP system tests
    • Windows package [windows] Add system tests for httpjson input #1044
    • System security [system] Add system tests for security data_stream #1069
  • All edge processing in ingest pipelines
  • event.original is optional
    • Windows package [windows] Make event.original optional and update to ECS 1.10 #1122
    • System security [system] Make event.original optional for application, security, and system ata streams #990
  • Bump version [windows] Make windows package GA with v1.0.0 #1214
• auditd
  • All edge processing in ingest pipelines [auditd] Move edge to ingest pipeline and make event.original optional #989
  • event.original is optional [auditd] Move edge to ingest pipeline and make event.original optional #989
  • Bump version [auditd] Make auditd package GA with v1.0.0 #1215
• Suricata
  • All edge processing in ingest pipelines
  • event.original is optional [suricata] Make event.original optional #991
  • Bump version [suricata] Make suricata package GA with v1.0.0 #1216
• Zeek
  • HTTP system tests [zeek] Add system tests for Splunk inputs #1108
  • All edge processing in ingest pipelines
  • event.original is optional [zeek] Make event.original optional #992
  • Bump version [zeek] Make zeek package GA with v1.0.0 #1217
• Netflow
  • All edge processing in ingest pipelines [netflow] Add pipeline tests and move ecs.version to ingest pipeline #1006
    - [ ] event.original is optional not apply
  • Bump version [netflow] Make netflow package GA with v1.0.0 #1218
• O365
  • HTTP system tests [o365] Add system tests #1119
  • All edge processing in ingest pipelines [O365]Moving edge processing to ingest pipelines #983
  • event.original is optional [O365] updating o365 ECS version and adding event.original options #1117
  • Bump version [o365] Make o365 package GA with v1.0.0 #1219

- [ ] Cisco
- [x] All edge processing in ingest pipelines (missing RSA) #1073
- [x] event.original is optional #1073
- [ ] Bump version #1220

• Palo Alto
  • All edge processing in ingest pipelines
  • event.original is optional [panw] Make event.original optional #1007
  • Bump version [panw] Make panw package GA with v1.0.0 #1221
• Okta
  • HTTP system tests [okta] Add system tests #1034
  • All edge processing in ingest pipelines
  • event.original is optional [okta] Make event.original optional #1009
  • Bump version [okta] Make okta package GA with v1.0.0 #1222
• Fortinet
  • All edge processing in ingest pipelines (missing RSA) [fortinet] Make event.original optional in fortinet #1075
  • event.original is optional [fortinet] Make event.original optional in fortinet #1075
  • Bump version [fortinet] Make fortinet package GA with v1.0.0 #1223

Other packages (non RSA) that meet all requirements to GA

Partially (not all data streams) RSA packages

• Juniper
• Sophos

Non RSA packages

• CEF
• Checkpoint
• Crowdstrike
• Cyberarkpas
• GCP
• Iptables
• Santa
• Google Workspace
• Osquery

---

Requirements for moving a package to GA:

• Any package with httpjson input requires:
  • Closed beats/integrations gap on httpjson system tests
  • Persistent storage for registry data in Hosted Elastic Agent https://github.com/elastic/ingest-dev/issues/1032
• All packages require:
  • Edge processing moved to ingest node pipeline https://github.com/elastic/security-team/issues/791
  • event.original is optional event.original optionality across all packages #777
  • Bump version to >=1.x.x

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[epixa]

I updated the description to add the additional must-have requirements we identified recently