ti_*: Add missing fields in transform destination indices (1)

[kcreddy]

Proposed commit message

Add missing fields for detection rules.

Some fields such as event.module were missing from the 
destination index. In few packages, the field mappings are getting 
overwritten when same prefix exists in multiple files. To prevent this, 
all fields with same prefix are moved into single file, ecs.yml. 
This is only a temporary fix until kibana.version is updated to 
>= 8.14.0, in which the root issue is fixed.

  - Add comments inside ecs.yml describing the issue.

  - Add `threat.feed.name` field only if its not added inside 
    ingest pipelines.

  - Some packages have missing fields `event.module` and `event.dataset` 
    which are added to both source and destination.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• Manually verify destination mappings using system tests.

Following mappings validates that missing fields such as event.module are now mapped correctly in destination indices:
cif3-feed-source-8.13-1.13.1.json
cif3-feed-dest-8.13-1.13.1.json
crowdstrike-intel-dest-8.13-1.0.1.json
crowdstrike-intel-source-8.13-1.0.1.json
crowdstrike-ioc-dest-8.13-1.0.1.json
crowdstrike-ioc-source-8.13-1.0.1.json
cybersixgill-threat-dest-8.13-1.28.1.json
cybersixgill-threat-source-8.13-1.28.1.json
eclecticiq-threat-dest-8.13-1.0.1.json
eclecticiq-threat-source-8.13-1.0.1.json
maltiverse-indicator-dest-8.13-1.1.1.json
maltiverse-indicator-source-8.13-1.1.1.json
eset-apt-dest-8.13-1.1.1.json
eset-apt-source-8.13-1.1.1.json
eset-botnet-dest-8.13-1.1.1.json
eset-botnet-source-8.13-1.1.1.json
eset-cc-dest-8.13-1.1.1.json
eset-cc-source-8.13-1.1.1.json
eset-domains-dest-8.13-1.1.1.json
eset-domains-source-8.13-1.1.1.json
eset-files-dest-8.13-1.1.1.json
eset-files-source-8.13-1.1.1.json
eset-ip-dest-8.13-1.1.1.json
eset-ip-source-8.13-1.1.1.json
eset-url-dest-8.13-1.1.1.json
eset-url-source-8.13-1.1.1.json

Related issues

• Relates [threat intelligence] logs-ti_abusech_latest.dest_threatfox-1 missing event.module field -> Threat Intel IP Match rule not working #10032
• Relates [Fleet] Transform mappings lost in shallow merge kibana#175331

Screenshots

Before:

After:

[elasticmachine]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 5d5dbee

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[chrisberkhout]

Good fix!

When I found elastic/kibana#175331 I unfortunately didn't think to check for other integrations with affected transforms.

[elasticmachine]

Package ti_cif3 - 1.13.1 containing this change is available at https://epr.elastic.co/search?package=ti_cif3

[elasticmachine]

Package ti_crowdstrike - 1.0.1 containing this change is available at https://epr.elastic.co/search?package=ti_crowdstrike

[elasticmachine]

Package ti_cybersixgill - 1.28.1 containing this change is available at https://epr.elastic.co/search?package=ti_cybersixgill

[elasticmachine]

Package ti_eclecticiq - 1.0.1 containing this change is available at https://epr.elastic.co/search?package=ti_eclecticiq

[elasticmachine]

Package ti_eset - 1.1.1 containing this change is available at https://epr.elastic.co/search?package=ti_eset

[elasticmachine]

Package ti_maltiverse - 1.1.1 containing this change is available at https://epr.elastic.co/search?package=ti_maltiverse