From 4143453a4a60e9075c36caf68df89aa51b19c246 Mon Sep 17 00:00:00 2001
From: moxarth-rathod
Date: Thu, 4 Dec 2025 14:51:24 +0530
Subject: [PATCH 1/2] [Amazon Security Lake] Fix flaky tests
---
 packages/amazon_security_lake/changelog.yml | 5 ++++
 .../elasticsearch/ingest_pipeline/default.yml | 23 +++++++++++--------
 packages/amazon_security_lake/manifest.yml | 2 +-
 3 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml
index a33d1eb4d2d..b6075c2aa7e 100644
--- a/packages/amazon_security_lake/changelog.yml
+++ b/packages/amazon_security_lake/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.8.1"
+ changes:
+ - description: Improve the handling of `ocsf.resource` for serverless environment in the event data stream.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1
 - version: "2.8.0"
 changes:
 - description: Improve documentation to align with new guidelines.
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index 04571e011d9..07b32be1dfa 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -83,16 +83,19 @@ processors:
 return null;
 }
 processFields(ctx.ocsf);
- - rename:
- field: ocsf.resource
- target_field: ocsf.resources
- tag: rename_resource_to_resources
- ignore_missing: true
- if: ctx.ocsf?.resources == null
- - append:
- field: ocsf.resources
- value: []
- if: ctx.ocsf?.resources != null
+ - script:
+ description: Append resource to resources.
+ tag: script_ocsf_resources
+ lang: painless
+ if: ctx.ocsf?.resources == null && ctx.ocsf?.resource != null
+ source: >-
+ ctx.ocsf.resources = [];
+ ctx.ocsf.resources.add(ctx.ocsf.resource);
+ ctx.ocsf.remove('resource')
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 - foreach:
 field: ocsf.resources
 ignore_missing: true
diff --git a/packages/amazon_security_lake/manifest.yml b/packages/amazon_security_lake/manifest.yml
index eada76cbb32..462d0094b45 100644
--- a/packages/amazon_security_lake/manifest.yml
+++ b/packages/amazon_security_lake/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: amazon_security_lake
 title: Amazon Security Lake
-version: "2.8.0"
+version: "2.8.1"
 description: Collect logs from Amazon Security Lake with Elastic Agent.
 type: integration
 categories:
From deb954c4c4fa7c26978d0d9b73e33086faef473f Mon Sep 17 00:00:00 2001
From: moxarth-rathod <96762084+moxarth-rathod@users.noreply.github.com>
Date: Fri, 5 Dec 2025 10:51:32 +0530
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Dan Kortschak
---
 packages/amazon_security_lake/changelog.yml | 2 +-
 .../event/elasticsearch/ingest_pipeline/default.yml | 7 +++----
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/packages/amazon_security_lake/changelog.yml b/packages/amazon_security_lake/changelog.yml
index b6075c2aa7e..783d2530604 100644
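Review bot: The new `script` processor in the `default.yml` hunk only runs when `ocsf.resources` is null, whereas the removed `append` (guarded by `ctx.ocsf?.resources != null`) also ran for events that already carried `ocsf.resources` and, as far as I can tell, wrapped a non-array value into a list. If the source can deliver `resources` as a single object, that value now reaches the `foreach` over `ocsf.resources` unwrapped and resource fields may be mapped differently than in 2.8.0, which matters for detections and searches keyed on them. Either state the assumption in a comment above the processor, e.g. `# ocsf.resources is always an array when present; only the singular ocsf.resource needs wrapping`, or add a guard such as `if (!(ctx.ocsf.resources instanceof List)) { ctx.ocsf.resources = [ctx.ocsf.resources]; }` under a widened condition. The same `if` is kept unchanged in the second patch's hunk for this file, and the `foreach` body continues outside the hunk.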
--- a/packages/amazon_security_lake/changelog.yml
+++ b/packages/amazon_security_lake/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Improve the handling of `ocsf.resource` for serverless environment in the event data stream.
 type: bugfix
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/16304
 - version: "2.8.0"
 changes:
 - description: Improve documentation to align with new guidelines.
diff --git a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index 07b32be1dfa..4eb13f8a3ee 100644
--- a/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -88,10 +88,9 @@ processors:
 tag: script_ocsf_resources
 lang: painless
 if: ctx.ocsf?.resources == null && ctx.ocsf?.resource != null
- source: >-
- ctx.ocsf.resources = [];
- ctx.ocsf.resources.add(ctx.ocsf.resource);
- ctx.ocsf.remove('resource')
+ source: |-
+ ctx.ocsf.resources = [ctx.ocsf.resource];
+ ctx.ocsf.remove('resource');
 on_failure:
 - append:
 field: error.message
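Review bot: With the `if` shown as context in the `default.yml` hunk, an event that carries both `ocsf.resource` and `ocsf.resources` skips the script, so the singular `ocsf.resource` stays on the document next to the array, and nothing in the hunk says whether that is intended. If later processors (outside this hunk) do not map or remove it, the field is carried through as-is and the resource it describes is absent from `ocsf.resources`. Consider a short comment on the processor documenting the intended outcome, for example `# when both fields are present, ocsf.resources wins and ocsf.resource is left untouched`, or fold the singular value into the existing list. The processor starts above the hunk and its `on_failure` handler continues below it.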