diff --git a/packages/netskope/changelog.yml b/packages/netskope/changelog.yml
index f875505b422..d9ab4e38b05 100644
--- a/packages/netskope/changelog.yml
+++ b/packages/netskope/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.0.0"
+ changes:
+ - description: Change mapping of field `netskope.alerts.breach.date` from `double` to `date`.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/14008
 - version: "1.25.0"
 changes:
 - description: Set `event.kind` to `alert` for netskope alerts.
diff --git a/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json b/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json
index 5b1533f61ae..41da94851b6 100644
--- a/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json
+++ b/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json
@@ -1235,7 +1235,7 @@
 "type": "breach"
 },
 "breach": {
- "date": 1.6019424E9,
+ "date": "2020-10-06T00:00:00.000Z",
 "description": "In September 2020, a threat actor began sharing the millions of stolen credentials that were associated with a prominent Dark Web credentials service shut down by US federal authorites in August 2020. The stolen credentials represent hundreds of websites and hundreds of millions of users and their associated passwords affected by the illegal antics of the threat actor who managed the now defunct Dark Web forum. Users and companies from all over the world were affected by these various breaches. This file contains the download1.mios.com accounts dump.",
 "id": "bc6952df4c61b469cf4a47f17d0ea384",
 "score": 40
@@ -3498,7 +3498,7 @@
 "type": "breach"
 },
 "breach": {
- "date": 1.6019424E9,
+ "date": "2020-10-06T00:00:00.000Z",
 "description": "In September 2020, a threat actor began sharing the millions of stolen credentials that were associated with a prominent Dark Web credentials service shut down by US federal authorites in August 2020. The stolen credentials represent hundreds of websites and hundreds of millions of users and their associated passwords affected by the illegal antics of the threat actor who managed the now defunct Dark Web forum. Users and companies from all over the world were affected by these various breaches. This file contains the download1.mios.com accounts dump.",
 "id": "bc6952df4c61b469cf4a47f17d0ea384",
 "score": 40
@@ -4156,7 +4156,7 @@
 "category": "app"
 },
 "breach": {
- "date": 1.5054848E9,
+ "date": "2017-09-15T14:13:20.000Z",
 "description": "Test alert description",
 "id": "abcdefghd857e3cfbdb6d5704b48484",
 "score": 40,
diff --git a/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
index 4c7f2b40847..832603b7daa 100644
--- a/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
@@ -1563,11 +1563,14 @@ processors:
 Processor '{{{ _ingest.on_failure_processor_type }}}'
 {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
 {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
- - convert:
- tag: convert_netskope_alerts_breach_date
+ - date:
+ tag: date_netskope_alerts_breach_date
 field: netskope.alerts.breach.date
- type: double
- ignore_missing: true
+ if: ctx.netskope?.alerts?.breach?.date != null && ctx.netskope.alerts.breach.date != ''
+ formats:
+ - UNIX
+ target_field: netskope.alerts.breach.date
+ ignore_failure: true
 on_failure:
 - remove:
 field: netskope.alerts.breach.date
diff --git a/packages/netskope/data_stream/alerts/fields/fields.yml b/packages/netskope/data_stream/alerts/fields/fields.yml
index a8a2ff920dc..7cac24cbf37 100644
--- a/packages/netskope/data_stream/alerts/fields/fields.yml
+++ b/packages/netskope/data_stream/alerts/fields/fields.yml
@@ -225,7 +225,7 @@
 description: |
 Breach description for compromised credentials.
 - name: date
- type: double
+ type: date
 description: |
 Breach date for compromised credentials.
 - name: id
diff --git a/packages/netskope/docs/README.md b/packages/netskope/docs/README.md
index f611a4f52fd..ac09a820a69 100644
--- a/packages/netskope/docs/README.md
+++ b/packages/netskope/docs/README.md
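Review bot: `ignore_failure: true` on the new date processor makes the `on_failure` handler directly beneath it unreachable — Elasticsearch does not run a processor's `on_failure` list when `ignore_failure` is set — so a `netskope.alerts.breach.date` value that the `UNIX` format cannot parse is now left in the document unchanged and will be rejected at index time against the new `date` mapping (fields.yml hunk) instead of being removed as the handler intends. Dropping the `ignore_failure: true` line restores the intended path where the `remove` runs on a parse failure; the `if` guard already covers the null/empty case that `ignore_missing` handled before. The `on_failure` block continues past the end of the hunk, so any `error.message` append that follows the `remove` is affected the same way.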
@@ -114,7 +114,7 @@ Default port: _9021_
 | netskope.alerts.audit.category | The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. | keyword |
 | netskope.alerts.audit.type | The sub category in audit according to SaaS / IaaS apps. | keyword |
 | netskope.alerts.bin.timestamp | Applicable to only: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/Download/Delete) and Failed Login Anomaly type. Bin TimeStamp (is a window used that is used for certain types of anomalies - for breaking into several windows per day/hour). | long |
-| netskope.alerts.breach.date | Breach date for compromised credentials. | double |
+| netskope.alerts.breach.date | Breach date for compromised credentials. | date |
 | netskope.alerts.breach.description | Breach description for compromised credentials. | keyword |
 | netskope.alerts.breach.description.text | Multi-field of `netskope.alerts.breach.description`. | match_only_text |
 | netskope.alerts.breach.id | Breach ID for compromised credentials. | keyword |
diff --git a/packages/netskope/manifest.yml b/packages/netskope/manifest.yml
index becdde7e386..82d82856523 100644
--- a/packages/netskope/manifest.yml
+++ b/packages/netskope/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: netskope
 title: "Netskope"
-version: "1.25.0"
+version: "2.0.0"
 description: Collect logs from Netskope with Elastic Agent.
 type: integration
 categories: