m365_defender: set network.transport to ssl for ssl type actions (#10730

)

Co-authored-by: Peter Rydzynski <[email protected]>

packages/m365_defender/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.14.3"
+  changes:
+    - description: Fix sslconnectioninspected event `network.protocol` getting set to `dns`. 
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10730
 - version: "2.14.2"
   changes:
     - description: Fix `network.transport` and `network.protocol` processing.

packages/m365_defender/data_stream/event/_dev/test/pipeline/test-device.log-expected.json

@@ -3128,7 +3128,7 @@
             },
             "network": {
                 "direction": "outbound",
-                "protocol": "dns",
+                "protocol": "ssl",
                 "transport": "tcp"
             },
             "process": {

packages/m365_defender/data_stream/event/elasticsearch/ingest_pipeline/pipeline_device.yml

@@ -2389,7 +2389,7 @@ processors:
       override: true
   - set:
       field: network.protocol
-      value: dns
+      value: ssl
       tag: set_network_protocol_ssl
       if: ctx.m365_defender?.event?.action?.type != null && ctx.m365_defender.event.action.type.toLowerCase().contains('ssl')
       override: true

packages/m365_defender/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: m365_defender
 title: Microsoft M365 Defender
-version: "2.14.2"
+version: "2.14.3"
 description: Collect logs from Microsoft M365 Defender with Elastic Agent.
 categories:
   - "security"