Merge branch 'main' into main

Author: trisch-me

.buildkite/pipeline.schedule-daily.yml

@@ -34,7 +34,7 @@ steps:
       env:
         SERVERLESS: "false"
         FORCE_CHECK_ALL: "true"
-        STACK_VERSION: 8.19.1-SNAPSHOT
+        STACK_VERSION: 8.19.3-SNAPSHOT
         PUBLISH_COVERAGE_REPORTS: "true"
     depends_on:
       - step: "check"
@@ -48,7 +48,7 @@ steps:
       env:
         SERVERLESS: "false"
         FORCE_CHECK_ALL: "true"
-        STACK_VERSION: 8.19.1-SNAPSHOT
+        STACK_VERSION: 8.19.3-SNAPSHOT
         STACK_LOGSDB_ENABLED: "true"
         PUBLISH_COVERAGE_REPORTS: "false"
     depends_on:

.buildkite/pipeline.schedule-weekly.yml

@@ -21,7 +21,7 @@ steps:
       env:
         SERVERLESS: "false"
         FORCE_CHECK_ALL: "true"
-        STACK_VERSION: 8.19.1-SNAPSHOT
+        STACK_VERSION: 8.19.3-SNAPSHOT
         PUBLISH_COVERAGE_REPORTS: "false"
         ELASTIC_PACKAGE_DISABLE_ELASTIC_AGENT_WOLFI: "true"
     depends_on:

.buildkite/scripts/common.sh

@@ -768,7 +768,7 @@ is_pr_affected() {
     # Example:
     # https://buildkite.com/elastic/integrations/builds/25606
     # https://github.com/elastic/integrations/pull/13810
-    if git diff --name-only "${commit_merge}" "${to}" | grep -E -v '^(packages/|\.github/(CODEOWNERS|ISSUE_TEMPLATE|PULL_REQUEST_TEMPLATE|workflows/)|README\.md|docs/|catalog-info\.yaml|\.buildkite/(pull-requests\.json|pipeline\.schedule-daily\.yml|pipeline\.schedule-weekly\.yml|pipeline\.backport\.yml))' > /dev/null; then
+    if git diff --name-only "${commit_merge}" "${to}" | grep -E -v '^(packages/|\.github/(CODEOWNERS|ISSUE_TEMPLATE|PULL_REQUEST_TEMPLATE|workflows/)|CODE_OF_CONDUCT\.md|README\.md|docs/|catalog-info\.yaml|\.buildkite/(pull-requests\.json|pipeline\.schedule-daily\.yml|pipeline\.schedule-weekly\.yml|pipeline\.backport\.yml))' > /dev/null; then
         echo "[${package}] PR is affected: found non-package files"
         return 0
     fi

.github/CODEOWNERS

@@ -212,6 +212,7 @@
 /packages/eset_protect @elastic/security-service-integrations
 /packages/ess_billing @elastic/customer-architects
 /packages/etcd @elastic/obs-infraobs-integrations
+/packages/extrahop @elastic/security-service-integrations
 /packages/f5_bigip @elastic/security-service-integrations
 /packages/falco @elastic/security-service-integrations
 /packages/filestream @elastic/elastic-agent-data-plane
@@ -268,6 +269,7 @@
 /packages/httpjson @elastic/security-service-integrations
 /packages/ibmmq @elastic/obs-infraobs-integrations
 /packages/iis @elastic/obs-infraobs-integrations
+/packages/iis_otel @elastic/obs-infraobs-integrations
 /packages/imperva @elastic/integration-experience
 /packages/imperva_cloud_waf @elastic/security-service-integrations
 /packages/influxdb @elastic/obs-infraobs-integrations
@@ -494,6 +496,7 @@
 /packages/windows_etw @elastic/sec-windows-platform
 /packages/winlog @elastic/sec-windows-platform
 /packages/wiz @elastic/security-service-integrations
+/packages/wmi @elastic/obs-infraobs-integrations
 /packages/zeek @elastic/integration-experience
 /packages/zerofox @elastic/security-service-integrations
 /packages/zeronetworks @elastic/security-service-integrations

.github/ISSUE_TEMPLATE/integration_bug.yml

@@ -28,6 +28,7 @@ body:
         - Amazon Security Lake [amazon_security_lake]
         - Anomali [ti_anomali]
         - Apache HTTP Server [apache]
+        - Apache OpenTelemetry Assets [apache_otel]
         - Apache Spark [apache_spark]
         - Apache Tomcat [apache_tomcat]
         - Arbor Peakflow SP Logs (Deprecated) [netscout]
@@ -125,6 +126,7 @@ body:
         - Custom Websocket logs [websocket]
         - Custom Windows ETW logs [windows_etw]
         - Custom Windows Event Logs [winlog]
+        - Custom WMI Input Package [wmi]
         - CyberArk EPM [cyberark_epm]
         - CyberArk Privileged Access Security [cyberarkpas]
         - Cyberark Privileged Threat Analytics [cyberark_pta]
@@ -139,7 +141,7 @@ body:
         - Docker OpenTelemetry Assets [docker_otel]
         - Docker [docker]
         - Domain Generation Algorithm Detection [dga]
-        - DomainTools Real Time Unified Feeds [ti_domaintools]
+        - DomainTools Feeds [ti_domaintools]
         - EclecticIQ [ti_eclecticiq]
         - Elastic Agent [elastic_agent]
         - Elastic APM [apm]
@@ -157,6 +159,7 @@ body:
         - ESET PROTECT [eset_protect]
         - ESET Threat Intelligence [ti_eset]
         - etcd [etcd]
+        - ExtraHop [extrahop]
         - F5 BIG-IP [f5_bigip]
         - Falco [falco]
         - File Integrity Monitoring [fim]
@@ -191,6 +194,7 @@ body:
         - Host Traffic Anomalies [hta]
         - HPE Aruba CX [hpe_aruba_cx]
         - IBM MQ [ibmmq]
+        - IIS OpenTelemetry assets [iis_otel]
         - IIS [iis]
         - Imperva Cloud WAF [imperva_cloud_waf]
         - Imperva [imperva]

.github/ISSUE_TEMPLATE/integration_feature_request.yml

@@ -28,6 +28,7 @@ body:
         - Amazon Security Lake [amazon_security_lake]
         - Anomali [ti_anomali]
         - Apache HTTP Server [apache]
+        - Apache OpenTelemetry Assets [apache_otel]
         - Apache Spark [apache_spark]
         - Apache Tomcat [apache_tomcat]
         - Arbor Peakflow SP Logs (Deprecated) [netscout]
@@ -125,6 +126,7 @@ body:
         - Custom Websocket logs [websocket]
         - Custom Windows ETW logs [windows_etw]
         - Custom Windows Event Logs [winlog]
+        - Custom WMI Input Package [wmi]
         - CyberArk EPM [cyberark_epm]
         - CyberArk Privileged Access Security [cyberarkpas]
         - Cyberark Privileged Threat Analytics [cyberark_pta]
@@ -139,7 +141,7 @@ body:
         - Docker OpenTelemetry Assets [docker_otel]
         - Docker [docker]
         - Domain Generation Algorithm Detection [dga]
-        - DomainTools Real Time Unified Feeds [ti_domaintools]
+        - DomainTools Feeds [ti_domaintools]
         - EclecticIQ [ti_eclecticiq]
         - Elastic Agent [elastic_agent]
         - Elastic APM [apm]
@@ -157,6 +159,7 @@ body:
         - ESET PROTECT [eset_protect]
         - ESET Threat Intelligence [ti_eset]
         - etcd [etcd]
+        - ExtraHop [extrahop]
         - F5 BIG-IP [f5_bigip]
         - Falco [falco]
         - File Integrity Monitoring [fim]
@@ -191,6 +194,7 @@ body:
         - Host Traffic Anomalies [hta]
         - HPE Aruba CX [hpe_aruba_cx]
         - IBM MQ [ibmmq]
+        - IIS OpenTelemetry assets [iis_otel]
         - IIS [iis]
         - Imperva Cloud WAF [imperva_cloud_waf]
         - Imperva [imperva]

.github/workflows/bump-elastic-stack-version.yml

@@ -25,7 +25,7 @@ jobs:
       - uses: actions/checkout@v5
 
       - name: Install Updatecli in the runner
-        uses: updatecli/updatecli-action@419b75cb4d4bd6b50b03da7b33e1e0065d383eaf #v2.89.0
+        uses: updatecli/updatecli-action@2289ae9c945707079a248f5e4f5743a6592429ef #v2.90.0
 
       - name: Select diff action
         if: ${{ github.event_name == 'pull_request' }}

CODE_OF_CONDUCT.md

@@ -0,0 +1,14 @@
+# Community Code of Conduct
+
+Elastic is dedicated to providing a positive experience for everyone in
+Elastic's Open Source Community, regardless of age, caste, citizenship,
+disability, education, ethnicity, gender identity or expression, immigration
+status, level of experience, neurodiversity, physical appearance or body size,
+nationality, socio-economic status, sexual orientation, race, or religion
+(or lack thereof). Our products are distributed by design, and with many
+languages, perspectives, and cultures, it's easy to lose something in
+translation. Respect cultural differences, and don't assume malice. We do not
+tolerate harassment or discrimination in any form.
+
+Please see Elastic's [Open Source Community Code of Conduct](https://www.elastic.co/community/codeofconduct)
+for the full text of the code.

docs/extend/_publish_an_integration.md

@@ -3,32 +3,39 @@ mapped_pages:
   - https://www.elastic.co/guide/en/integrations-developer/current/_publish_an_integration.html
 ---
 
-# Publish an integration [_publish_an_integration]
+# Publish an integration via Pull Request[_publish_an_integration]
 
-When your integration is done, it’s time to open a PR to include it in the integrations repository. Before opening your PR, run:
+When your integration is done, it’s time to open a PR to include it in the integrations repository. 
+Before opening your PR, make sure you have:
 
+1. Pass all checks
+Run:
 ```bash
 elastic-package check
 ```
 
-The `check` command ensures the package is built correctly, formatted properly, and aligned with the spec. Passing the `check` command is required before adding your integration to the repository.
+This command validates that your package is built correctly, formatted properly, and aligned with the specification. Passing this `check` is required before submitting your integration.
 
-When CI is happy, merge your PR into the integrations repository.
+2. Added a new entry into `changelog.yml`
+Update the package’s `changelog.yml` with a clear description of your changes for the new version.
 
-CI will kick off a build job for the main branch, which can release your integration to the package-storage. It means that it will open a PR to the Package Storage/snapshot with the built integration if only the package version doesn’t already exist in the storage (hasn’t been released yet).
+3. Bumped the package version
+If you are releasing new changes, increment the version in your manifest.yml file. This is required for the package to be published.
 
+4. Wrote clear PR title and description
+- Use a concise, descriptive title (e.g., `[New Integration] Add Acme Logs integration`).
+- In the PR description, summarize what your integration or change does, list key features or fixes, reference related issues, and provide testing instructions.
+- Ensure your documentation, sample events, and tests are included and up to date.
 
-## Promote [_promote]
+::::{tip}
+A well-written PR with clear documentation, versioning, and testing instructions will speed up the review and publishing process!
+::::
 
-Now that you’ve tested your integration with {{kib}}, it’s time to promote it to staging or production. Run:
 
-```bash
-elastic-package promote
-```
+When CI is happy, merge your PR into the integrations repository.
 
-The tool will open 2 pull requests (promote and delete) to the package-storage: target and source branches.
+Once the PR with the new version of the package is merged, the required CI pipelines are triggered to release that new version into Package Storage V2 and make them available in https://epr.elastic.co.
 
-Please review both pull requests on your own, check if CI is happy and merge - first target, then source. Once any PR is merged, the CI will kick off a job to bake a new Docker image of package-storage (tracking). Ideally the "delete" PR should be merged once the CI job for "promote" is done, as the Docker image of previous stage depends on the later one.
 
 ::::{tip}
 When you are ready for your changes in the integration to be released, remember to bump up the package version. It is up to you, as the package developer, to decide how many changes you want to release in a single version. For example, you could implement a change in a PR and bump up the package version in the same PR. Or you could implement several changes across multiple pull requests and then bump up the package version in the last of these pull requests or in a separate follow up PR.

docs/extend/add-data-stream.md

@@ -20,24 +20,39 @@ apache
 
 A data stream defines multiple {{es}} assets, like index templates, ingest pipelines, and field definitions. These assets are loaded into {{es}} when a user installs an integration using the {{fleet}} UI in {{kib}}.
 
-A data stream also defines a policy template. Policy templates include variables that allow users to configure the data stream using the {{fleet}} UI in {{kib}}. Then, the {{agent}} interprets the resulting policy to collect relevant information from the product or service being observed. Policy templates can also define an integration’s supported [`deployment_modes`](/extend/define-deployment-modes.md#deployment_modes).
+A data stream also defines a policy template. Policy templates include variables that allow users to configure the data stream using the {{fleet}} UI in {{kib}}. Then, the {{agent}} interprets the resulting policy to collect relevant information from the product or service being observed. Policy templates can also define an integration’s supported [`deployment_modes`](/extend/define-deployment-modes.md#set-deployment-modes).
 
 See [data streams](docs-content://reference/fleet/data-streams.md) for more information.
 
 ::::
 
+## How to add a data stream [how-to]
 
-Bootstrap a new data stream using the TUI wizard. In the directory of your package, run:
+1. Boostrap a new data stream
+
+In your package directory, run:
 
 ```bash
 elastic-package create data-stream
 ```
 
-Follow the prompts to name, title, and select your data stream type. Then, run this command each time you add a new data stream to your integration.
+Follow the prompts to set the name, title, and type (logs, metrics, etc.) for the data stream. Repeat this command for each new data stream you want to add.
+
+2. Configure the data stream
+
+After bootstrapping, manually adjust the generated files to suit your use case:
+
+* Define required variables:
+In the policy template, specify variables that users can configure (e.g., paths, ports, log levels).
+* Define used fields:
+Edit the fields/ files to describe the structure and types of data your stream will ingest.
+* Define ingest pipeline definitions:
+If needed, create or update ingest pipelines to parse, enrich, or transform incoming data before it’s indexed.
+* Update the {{agent}} stream configuration:
+Ensure the {{agent}}’s stream configuration matches your data collection requirements and references the correct variables and pipelines.
 
-Next, manually adjust the data stream:
+3. How data streams are used
 
-* define required variables
-* define used fields
-* define ingest pipeline definitions (if necessary)
-* update the {{agent}}'s stream configuration
+* When the integration is installed, each data stream is registered in {{es}} as a managed, time-based resource.
+* Data sent to the data stream is automatically routed to the correct backing indices, with lifecycle management (rollover, retention) handled by Elasticsearch.
+* Users can query, visualize, and analyze data from each stream in {{kib}}, using the single data stream name (e.g., `logs-apache.access`).