[integration automatic-import] Adding ECS 'reserved' fields list and adding check in the invalid ecs check (#189006)

This PR updates the invalid ecs check to include a check for 'reserved'
ECS fields. Reserved ECS fields are valid ecs fields, but ones we do not
want to add mappings for as they are reserved for agent operations or
utilized in categorization.

ECS reserved:
- ecs.version
- error.message
- event.category
- event.created
- event.dataset
- event.ingested
- event.original
- event.type

x-pack/plugins/integration_assistant/server/graphs/ecs/constants.ts

@@ -2248,3 +2248,14 @@ export const ECS_EXAMPLE_ANSWER = {
     },
   },
 };
+
+export const ECS_RESERVED = [
+  'ecs.version',
+  'error.message',
+  'event.category',
+  'event.created',
+  'event.dataset',
+  'event.ingested',
+  'event.original',
+  'event.type',
+];

x-pack/plugins/integration_assistant/server/graphs/ecs/validate.test.ts

@@ -5,7 +5,7 @@
  * 2.0.
  */
 
-import { processMapping } from './validate';
+import { findInvalidEcsFields, processMapping } from './validate';
 
 describe('Testing ecs handler', () => {
   it('processMapping()', async () => {
@@ -50,3 +50,43 @@ describe('Testing ecs handler', () => {
     });
   });
 });
+
+describe('findInvalidEcsFields', () => {
+  it('invalid: invalid ecs mapping', async () => {
+    const ecsMappingInvalid = {
+      mysql_enterprise: {
+        audit: {
+          test_array: null,
+          bytes: {
+            target: 'myField.bytes',
+            confidence: 0.99,
+            type: 'number',
+            date_formats: [],
+          },
+        },
+      },
+    };
+
+    const invalid = findInvalidEcsFields(ecsMappingInvalid);
+    expect(invalid.length).toBe(1);
+  });
+
+  it('invalid: reserved ecs field', async () => {
+    const ecsMappingReserved = {
+      mysql_enterprise: {
+        audit: {
+          test_array: null,
+          type: {
+            target: 'event.type',
+            confidence: 'error',
+            type: 'string',
+            date_formats: [],
+          },
+        },
+      },
+    };
+
+    const invalid = findInvalidEcsFields(ecsMappingReserved);
+    expect(invalid.length).toBe(1);
+  });
+});

x-pack/plugins/integration_assistant/server/graphs/ecs/validate.ts

@@ -7,6 +7,7 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import { ECS_FULL } from '../../../common/ecs';
 import type { EcsMappingState } from '../../types';
+import { ECS_RESERVED } from './constants';
 
 const valueFieldKeys = new Set(['target', 'confidence', 'date_formats', 'type']);
 type AnyObject = Record<string, any>;
@@ -127,10 +128,11 @@ function findDuplicateFields(samples: string[], ecsMapping: AnyObject): string[]
 }
 
 // Function to find invalid ECS fields
-function findInvalidEcsFields(ecsMapping: AnyObject): string[] {
+export function findInvalidEcsFields(ecsMapping: AnyObject): string[] {
   const results: string[] = [];
   const output: Record<string, string[][]> = {};
   const ecsDict = ECS_FULL;
+  const ecsReserved = ECS_RESERVED;
 
   processMapping([], ecsMapping, output);
   const filteredOutput = Object.fromEntries(
@@ -142,6 +144,11 @@ function findInvalidEcsFields(ecsMapping: AnyObject): string[] {
       const field = paths.map((p) => p.join('.'));
       results.push(`Invalid ECS field mapping identified for ${ecsValue} : ${field.join(', ')}`);
     }
+
+    if (ecsReserved.includes(ecsValue)) {
+      const field = paths.map((p) => p.join('.'));
+      results.push(`Reserved ECS field mapping identified for ${ecsValue} : ${field.join(', ')}`);
+    }
   }
 
   return results;