network_traffic: fix invalid terms in tls and thrift data sets

packages/network_traffic/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.2"
+  changes:
+    - description: Remove invalid value from `event.category` for TLS and Thrift
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3409
 - version: "1.0.1"
   changes:
     - description: Remove invalid value from `event.category`.

packages/network_traffic/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml

@@ -21,6 +21,20 @@ processors:
 - uppercase:
     field: host.mac
     ignore_missing: true
+- script:
+    description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
+    # This string-based comparison is valid while versions are below v10.x.
+    if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
+    lang: painless
+    source: >
+        if (ctx.event?.category != null) {
+            for (int i=ctx.event.category.length-1; i>=0; i--) {
+                if (ctx.event.category[i] == "network_traffic") {
+                    ctx.event.category.remove(i);
+                }
+            }
+        }
+
 on_failure:
 - set:
     field: error.message

packages/network_traffic/data_stream/thrift/sample_event.json

@@ -1,11 +1,11 @@
 {
-    "@timestamp": "2022-03-09T08:33:31.022Z",
+    "@timestamp": "2022-05-23T10:59:35.668Z",
     "agent": {
-        "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c",
-        "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+        "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff",
+        "id": "0488c467-eaa0-4733-a81a-326734926bc2",
         "name": "docker-fleet-agent",
         "type": "packetbeat",
-        "version": "8.0.0"
+        "version": "8.2.0"
     },
     "client": {
         "bytes": 25,
@@ -26,45 +26,45 @@
         "version": "8.2.0"
     },
     "elastic_agent": {
-        "id": "f789afb0-558d-48bd-b448-0fc838efd730",
+        "id": "0488c467-eaa0-4733-a81a-326734926bc2",
         "snapshot": false,
-        "version": "8.0.0"
+        "version": "8.2.0"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
             "network"
         ],
         "dataset": "network_traffic.thrift",
-        "duration": 1394000,
-        "end": "2022-03-09T08:33:31.023Z",
-        "ingested": "2022-03-09T08:33:32Z",
+        "duration": 1275700,
+        "end": "2022-05-23T10:59:35.669Z",
+        "ingested": "2022-05-23T10:59:36Z",
         "kind": "event",
-        "start": "2022-03-09T08:33:31.022Z",
+        "start": "2022-05-23T10:59:35.668Z",
         "type": [
             "connection",
             "protocol"
         ]
     },
     "host": {
         "architecture": "x86_64",
-        "containerized": true,
+        "containerized": false,
         "hostname": "docker-fleet-agent",
         "ip": [
-            "192.168.176.7"
+            "192.168.224.7"
         ],
         "mac": [
-            "02-42-C0-A8-B0-07"
+            "02-42-C0-A8-E0-07"
         ],
         "name": "docker-fleet-agent",
         "os": {
             "codename": "focal",
             "family": "debian",
-            "kernel": "5.10.47-linuxkit",
+            "kernel": "5.10.104-linuxkit",
             "name": "Ubuntu",
             "platform": "ubuntu",
             "type": "linux",
-            "version": "20.04.3 LTS (Focal Fossa)"
+            "version": "20.04.4 LTS (Focal Fossa)"
         }
     },
     "method": "testByte",

packages/network_traffic/data_stream/tls/elasticsearch/ingest_pipeline/default.yml

@@ -49,6 +49,21 @@ processors:
       - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province.
       - tls.server.x509.version          # Duplicated as tls.server.x509.version_number.
     ignore_missing: true
+
+- script:
+    description: Remove invalid "network_traffic" term added by packetbeat prior to v8.
+    # This string-based comparison is valid while versions are below v10.x.
+    if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0'
+    lang: painless
+    source: >
+        if (ctx.event?.category != null) {
+            for (int i=ctx.event.category.length-1; i>=0; i--) {
+                if (ctx.event.category[i] == "network_traffic") {
+                    ctx.event.category.remove(i);
+                }
+            }
+        }
+
 on_failure:
 - set:
     field: error.message