Vulnerability is not being allowed in event.category

I am seeing this failure while testing the pipeline of an integration:
[0] parsing field value failed: field "event.category"'s value "vulnerability" is not one of the allowed values (authentication, configuration, database, driver, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, threat, web)

When ECS states the following:
event.category/keyword
Description: This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory.
This field is an array. This will allow proper categorization of some events that fall in multiple categories.
type: keyword
Note: this field should contain an array of values.
Important: The field value must be one of the following:
api, authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, library, malware, network, package, process, registry, session, threat, vulnerability, web
To learn more about when to use which value, visit the page allowed values for event.category

What version of ECS is the integration package specifying? For example, the zeek package is targeting v8.8.0 here: integrations/packages/zeek/_dev/build/build.yml at main · elastic/integrations · GitHub

The vulnerability category was added in ECS 8.6, and the version of ECS currently used by the package may be pre-8.6.

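A pre-flight check for the version mismatch described in the reply above, as an added example that is not from the thread or from Elastic's own tooling: it reads the ECS pin from a package's `_dev/build/build.yml` and flags `event.category` values that the pinned version predates. The `dependencies.ecs.reference` layout, the function names and the sample events are assumptions constructed for illustration; the category list and the 8.6 threshold for `vulnerability` are the ones quoted in this thread.

```python
import re

# Allowed event.category values, copied from the ECS text quoted in the question.
ALLOWED_CURRENT = set((
    "api authentication configuration database driver email file host iam "
    "intrusion_detection library malware network package process registry "
    "session threat vulnerability web").split())

# Minimum ECS version per category. Only this one threshold is stated in the thread.
MIN_ECS = {"vulnerability": (8, 6)}


def pinned_ecs_version(build_yml):
    """Return (major, minor, patch) from a 'reference: git@v8.5.1' style line."""
    m = re.search(r"^\s*reference:\s*[\"']?git@v?(\d+)\.(\d+)(?:\.(\d+))?",
                  build_yml, re.M)
    if not m:
        return None  # e.g. git@main, or no pin: nothing to compare against
    return tuple(int(g or 0) for g in m.groups())


def check_categories(build_yml, events):
    """List (event index, category, reason) for values the pin would reject."""
    version = pinned_ecs_version(build_yml)
    findings = []
    for i, event in enumerate(events):
        cats = event.get("event", {}).get("category", [])
        if isinstance(cats, str):  # ECS expects an array; tolerate a scalar
            cats = [cats]
        for cat in cats:
            need = MIN_ECS.get(cat)
            if cat not in ALLOWED_CURRENT:
                findings.append((i, cat, "not in the ECS allowed-values list"))
            elif need and version and version[:2] < need:
                pinned = ".".join(map(str, version))
                findings.append(
                    (i, cat, f"needs ECS >= {need[0]}.{need[1]}, package pins {pinned}"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a build.yml pinned below 8.6 and two expected events.
    build = "dependencies:\n  ecs:\n    reference: git@v8.5.1\n"
    sample = [{"event": {"category": ["vulnerability"]}},
              {"event": {"category": ["host", "process"]}}]
    for finding in check_categories(build, sample):
        print(finding)
```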

Eric,
I believe we are using ECS version 8.5.1, which would explain this issue. I will check with the content team and, if so, upgrade our version to 8.6 minimum.
Thank you for the quick response,
Bruce
