diff --git a/packages/wiz/_dev/build/docs/README.md b/packages/wiz/_dev/build/docs/README.md index fc2a6e9841b..f5e292f3180 100644 --- a/packages/wiz/_dev/build/docs/README.md +++ b/packages/wiz/_dev/build/docs/README.md @@ -98,6 +98,17 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud - Vulnerability data is fetched for the previous day. - Custom headers are not supported in this integration. Only the standard Authorization header (for example, Bearer token) is used for API requests. +### Troubleshooting + +The transforms used in the Wiz integration depend on the presence of the `event.ingested` field to function correctly. + +When using Fleet-managed Elastic Agents, the `.fleet_final_pipeline-1` is automatically executed and ensures that the `event.ingested` field is added to all events. + +However, when using standalone Elastic Agents, this pipeline is not applied, and the `event.ingested` field is not automatically added. + +📌 Action Required (for standalone agents): +You must manually add the `event.ingested` field, preferably via a custom ingest pipeline (e.g., using the @custom pipeline). + ## Logs reference ### Audit diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml index 4a61c4dba6c..e70f5c3a5bd 100644 --- a/packages/wiz/changelog.yml +++ b/packages/wiz/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.6.0" + changes: + - description: Add troubleshooting note in README on `event.ingested` requirement for standalone Elastic Agent. + type: enhancement + link: https://github.com/elastic/integrations/pull/14546 - version: "3.5.1" changes: - description: Update texts for the input fields helpers. diff --git a/packages/wiz/docs/README.md b/packages/wiz/docs/README.md index 06851771aac..0b855a376bb 100644 --- a/packages/wiz/docs/README.md +++ b/packages/wiz/docs/README.md @@ -98,6 +98,17 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud - Vulnerability data is fetched for the previous day. - Custom headers are not supported in this integration. Only the standard Authorization header (for example, Bearer token) is used for API requests. +### Troubleshooting + +The transforms used in the Wiz integration depend on the presence of the `event.ingested` field to function correctly. + +When using Fleet-managed Elastic Agents, the `.fleet_final_pipeline-1` is automatically executed and ensures that the `event.ingested` field is added to all events. + +However, when using standalone Elastic Agents, this pipeline is not applied, and the `event.ingested` field is not automatically added. + +📌 Action Required (for standalone agents): +You must manually add the `event.ingested` field, preferably via a custom ingest pipeline (e.g., using the @custom pipeline). + ## Logs reference ### Audit diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml index 52c1389f4b3..4c1478e5883 100644 --- a/packages/wiz/manifest.yml +++ b/packages/wiz/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.4.0 name: wiz title: Wiz -version: "3.5.1" +version: "3.6.0" description: Collect logs from Wiz with Elastic Agent. type: integration categories: