Description
Background
The Firehose integration [1] reuses several of the AWS data streams that ship with the AWS integration [2]. Most of those data streams do not currently define the event.dataset field (for example, see the CloudTrail fields [3]).
Problem
Other components rely on the event.dataset field being present. For example, consider the prebuilt security rule [4]. Such rules cannot match with the current integration configuration because the data lacks the required field.
Solution
Update the integrations to add event.dataset with the correct constant value wherever possible. For example, CloudTrail documents should carry event.dataset: aws.cloudtrail. This must be added through the relevant AWS integration assets, because Firehose internally reroutes events into those data streams (for example, see the logs [5] and metrics [6] routing rules).
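The following is an added example, not code from elastic/integrations: it lints a data stream's field definitions for an event.dataset constant_keyword entry and shows why that mapping-level value makes a rule filter such as event.dataset:aws.cloudtrail match a Firehose-delivered event that never carried the field. The field lists and the sample event are constructed stand-ins for the real package files.

```python
# Constructed stand-in for the field list a data stream's fields/*.yml yields after
# YAML loading (the real elastic/integrations files are not embedded here).
CLOUDTRAIL_FIELDS_BEFORE = [
    {"name": "data_stream.type", "type": "constant_keyword"},
    {"name": "data_stream.dataset", "type": "constant_keyword"},
    {"name": "data_stream.namespace", "type": "constant_keyword"},
    {"name": "@timestamp", "type": "date"},
]
# The same list with the proposed fix: event.module/event.dataset pinned per data stream.
CLOUDTRAIL_FIELDS_AFTER = CLOUDTRAIL_FIELDS_BEFORE + [
    {"name": "event.module", "type": "constant_keyword", "value": "aws"},
    {"name": "event.dataset", "type": "constant_keyword", "value": "aws.cloudtrail"},
]
# Constructed CloudTrail-style event as Firehose would deliver it: no event.dataset.
FIREHOSE_EVENT = {"@timestamp": "2024-01-01T00:00:00Z",
                  "aws.cloudtrail.event_name": "CreateLoginProfile"}

def check_event_dataset(fields, module, dataset):
    """Lint one data stream's field list; returns the problems found ([] means OK)."""
    expected = f"{module}.{dataset}"
    field = next((f for f in fields if f.get("name") == "event.dataset"), None)
    if field is None:
        return [f"event.dataset not defined; filters on event.dataset:{expected} never match"]
    problems = []
    if field.get("type") != "constant_keyword":
        problems.append(f"event.dataset should be constant_keyword, got {field.get('type')}")
    if field.get("value") != expected:
        problems.append(f"event.dataset value should be {expected!r}, got {field.get('value')!r}")
    return problems

def effective_doc(doc, fields):
    """Apply constant_keyword values the way Elasticsearch does at query time: a
    constant_keyword field matches its configured value for every document in the
    index, even when the ingested event (here a dotted-key dict) does not carry it."""
    out = dict(doc)
    for f in fields:
        if f.get("type") == "constant_keyword" and "value" in f and f["name"] not in out:
            out[f["name"]] = f["value"]
    return out

def rule_matches(doc, fields, dataset):
    """Mimic the prebuilt rule's event.dataset:<dataset> filter on one document."""
    return effective_doc(doc, fields).get("event.dataset") == dataset

if __name__ == "__main__":
    print(check_event_dataset(CLOUDTRAIL_FIELDS_BEFORE, "aws", "cloudtrail"))
    print(rule_matches(FIREHOSE_EVENT, CLOUDTRAIL_FIELDS_BEFORE, "aws.cloudtrail"))  # False
    print(rule_matches(FIREHOSE_EVENT, CLOUDTRAIL_FIELDS_AFTER, "aws.cloudtrail"))   # True
```

Running check_event_dataset over every data stream the Firehose routing rules target gives a quick inventory of which AWS assets still need the field.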
Footnotes
1. https://github.com/elastic/integrations/tree/main/packages/awsfirehose
2. https://github.com/elastic/integrations/tree/main/packages/aws
3. https://github.com/elastic/integrations/blob/main/packages/aws/data_stream/cloudtrail/fields/base-fields.yml
4. https://www.elastic.co/guide/en/security/current/aws-iam-login-profile-added-to-user.html
5. https://github.com/elastic/integrations/blob/main/packages/awsfirehose/data_stream/logs/routing_rules.yml
6. https://github.com/elastic/integrations/blob/main/packages/awsfirehose/data_stream/metrics/routing_rules.yml