[Amazon Security Lake] Improve the handling of ocsf.resource for serverless environment

packages/amazon_security_lake/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.8.1"
+  changes:
+    - description: Improve the handling of `ocsf.resource` for serverless environment in the event data stream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1
 - version: "2.8.0"
   changes:
     - description: Improve documentation to align with new guidelines.

packages/amazon_security_lake/data_stream/event/elasticsearch/ingest_pipeline/default.yml

@@ -83,16 +83,19 @@ processors:
           return null;
         }
         processFields(ctx.ocsf);
-  - rename:
-      field: ocsf.resource
-      target_field: ocsf.resources
-      tag: rename_resource_to_resources
-      ignore_missing: true
-      if: ctx.ocsf?.resources == null
-  - append:
-      field: ocsf.resources
-      value: []
-      if: ctx.ocsf?.resources != null
+  - script:
+      description: Append resource to resources.
+      tag: script_ocsf_resources
+      lang: painless
+      if: ctx.ocsf?.resources == null && ctx.ocsf?.resource != null
+      source: >-
+        ctx.ocsf.resources = [];
+        ctx.ocsf.resources.add(ctx.ocsf.resource);
+        ctx.ocsf.remove('resource')
+      on_failure:
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
   - foreach:
       field: ocsf.resources
       ignore_missing: true

packages/amazon_security_lake/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: amazon_security_lake
 title: Amazon Security Lake
-version: "2.8.0"
+version: "2.8.1"
 description: Collect logs from Amazon Security Lake with Elastic Agent.
 type: integration
 categories: