[Enhancement] Update winlog.event_data.AttributeValue mappings (#9515)

* [Enhancement] Update winlog.event_data.AttributeValue * Update manifest.yml * Update README.md

Author: w0rk3r

packages/system/changelog.yml

@@ -1,5 +1,9 @@
 # newer versions go on top
-
+- version: "1.57.0"
+ changes:
+ - description: Adjust `winlog.event_data.AttributeValue` ignore_above parameter and add wildcard multi-field.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9515
 - version: "1.56.0"
  changes:
  - description: Add `custom` configuration option to windows system inputs.

packages/system/data_stream/security/fields/winlog.yml

@@ -69,6 +69,12 @@
  type: keyword
  - name: AllowedToDelegateTo
  type: keyword
+ - name: AttributeValue
+ type: keyword
+ ignore_above: 5120
+ multi_fields:
+ - name: wildcard
+ type: wildcard
  - name: AuditPolicyChanges
  type: keyword
  - name: AuditPolicyChangesDescription

packages/system/docs/README.md

@@ -710,6 +710,8 @@ An example event for `security` looks as following:
 | winlog.event_data.AccountName | | keyword |
 | winlog.event_data.AllowedToDelegateTo | | keyword |
 | winlog.event_data.Application | | keyword |
+| winlog.event_data.AttributeValue | | keyword |
+| winlog.event_data.AttributeValue.wildcard | Multi-field of `winlog.event_data.AttributeValue`. | wildcard |
 | winlog.event_data.AuditPolicyChanges | | keyword |
 | winlog.event_data.AuditPolicyChangesDescription | | keyword |
 | winlog.event_data.AuditSourceName | | keyword |

packages/system/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: system
 title: System
-version: 1.56.0
+version: 1.57.0
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
 categories: