[Netskope] Change mapping of netskope.alerts.breach.date

packages/netskope/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.0.0"
+  changes:
+    - description: Change mapping of field `netskope.alerts.breach.date` from `double` to `date`.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/14008
 - version: "1.25.0"
   changes:
     - description: Set `event.kind` to `alert` for netskope alerts.

packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json

@@ -1235,7 +1235,7 @@
                         "type": "breach"
                     },
                     "breach": {
-                        "date": 1.6019424E9,
+                        "date": "2020-10-06T00:00:00.000Z",
                         "description": "In September 2020, a threat actor began sharing the millions of stolen credentials that were associated with a prominent Dark Web credentials service shut down by US federal authorites in August 2020. The stolen credentials represent hundreds of websites and hundreds of  millions of users and their associated passwords affected by the illegal antics of the threat actor who managed the now defunct Dark Web forum. Users and companies from all over the world were affected by these various breaches. This file contains the download1.mios.com accounts dump.",
                         "id": "bc6952df4c61b469cf4a47f17d0ea384",
                         "score": 40
@@ -3498,7 +3498,7 @@
                         "type": "breach"
                     },
                     "breach": {
-                        "date": 1.6019424E9,
+                        "date": "2020-10-06T00:00:00.000Z",
                         "description": "In September 2020, a threat actor began sharing the millions of stolen credentials that were associated with a prominent Dark Web credentials service shut down by US federal authorites in August 2020. The stolen credentials represent hundreds of websites and hundreds of  millions of users and their associated passwords affected by the illegal antics of the threat actor who managed the now defunct Dark Web forum. Users and companies from all over the world were affected by these various breaches. This file contains the download1.mios.com accounts dump.",
                         "id": "bc6952df4c61b469cf4a47f17d0ea384",
                         "score": 40
@@ -4156,7 +4156,7 @@
                         "category": "app"
                     },
                     "breach": {
-                        "date": 1.5054848E9,
+                        "date": "2017-09-15T14:13:20.000Z",
                         "description": "Test alert description",
                         "id": "abcdefghd857e3cfbdb6d5704b48484",
                         "score": 40,

packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml

@@ -1563,11 +1563,14 @@ processors:
               Processor '{{{ _ingest.on_failure_processor_type }}}'
               {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
               {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
-  - convert:
-      tag: convert_netskope_alerts_breach_date
+  - date:
+      tag: date_netskope_alerts_breach_date
       field: netskope.alerts.breach.date
-      type: double
-      ignore_missing: true
+      if: ctx.netskope?.alerts?.breach?.date != null && ctx.netskope.alerts.breach.date != ''
+      formats:
+        - UNIX
+      target_field: netskope.alerts.breach.date
+      ignore_failure: true
       on_failure:
         - remove:
             field: netskope.alerts.breach.date

packages/netskope/data_stream/alerts/fields/fields.yml

@@ -225,7 +225,7 @@
           description: |
             Breach description for compromised credentials.
         - name: date
-          type: double
+          type: date
           description: |
             Breach date for compromised credentials.
         - name: id

packages/netskope/docs/README.md

@@ -114,7 +114,7 @@ Default port: _9021_
 | netskope.alerts.audit.category | The subcategories in an application such as IAM, EC in AWS, login, token, file, etc., in case of Google. | keyword |
 | netskope.alerts.audit.type | The sub category in audit according to SaaS / IaaS apps. | keyword |
 | netskope.alerts.bin.timestamp | Applicable to only: Shared Credentials, Data Exfiltration, Bulk Anomaly types( Bulk Upload/Download/Delete) and Failed Login Anomaly type. Bin TimeStamp (is a window used that is used for certain types of anomalies - for breaking into several windows per day/hour). | long |
-| netskope.alerts.breach.date | Breach date for compromised credentials. | double |
+| netskope.alerts.breach.date | Breach date for compromised credentials. | date |
 | netskope.alerts.breach.description | Breach description for compromised credentials. | keyword |
 | netskope.alerts.breach.description.text | Multi-field of `netskope.alerts.breach.description`. | match_only_text |
 | netskope.alerts.breach.id | Breach ID for compromised credentials. | keyword |

packages/netskope/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: netskope
 title: "Netskope"
-version: "1.25.0"
+version: "2.0.0"
 description: Collect logs from Netskope with Elastic Agent.
 type: integration
 categories: