[proofpoint_on_demand] Adapt definitions of nested subfields (#11031)

Adapt definitions of subfields of nested objects so they are actually installed by Fleet. New mappings are otherwise equivalent. These mappings were correctly defined as expected by the spec, but Fleet was only installing empty nested objects. To workaround that, subfields can be moved to have their own definitions. Issue in Fleet is fixed in elastic/kibana#191730, but we can apply this workaround for older versions of the stack.
elastic · Sep 9, 2024 · 92f726e · 92f726e
1 parent 01b8c6d
commit 92f726e
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 8 deletions.
diff --git a/packages/proofpoint_on_demand/changelog.yml b/packages/proofpoint_on_demand/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.1.1"
+  changes:
+    - description: Fix definition of subfields of nested objects
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11031
 - version: "0.1.0"
   changes:
     - description: Initial release.

diff --git a/packages/proofpoint_on_demand/data_stream/audit/fields/fields.yml b/packages/proofpoint_on_demand/data_stream/audit/fields/fields.yml
@@ -74,13 +74,12 @@
               description: The IP address of the service.
         - name: tags
           type: nested
-          fields:
-            - name: name
-              type: keyword
-              description: Tag name for the particular instance of event.
-            - name: value
-              type: keyword
-              description: The value associated with the tag name.
+        - name: tags.name
+          type: keyword
+          description: Tag name for the particular instance of event.
+        - name: tags.value
+          type: keyword
+          description: The value associated with the tag name.
         - name: ts
           type: date
           description: Timestamp of when the event to be audited occurred.

diff --git a/packages/proofpoint_on_demand/docs/README.md b/packages/proofpoint_on_demand/docs/README.md
@@ -226,6 +226,7 @@ An example event for `audit` looks as following:
 | proofpoint_on_demand.audit.service.customer_id | The customer id of the service. | keyword |
 | proofpoint_on_demand.audit.service.id | The IDM service id. | keyword |
 | proofpoint_on_demand.audit.service.ip_address | The IP address of the service. | ip |
+| proofpoint_on_demand.audit.tags |  | nested |
 | proofpoint_on_demand.audit.tags.name | Tag name for the particular instance of event. | keyword |
 | proofpoint_on_demand.audit.tags.value | The value associated with the tag name. | keyword |
 | proofpoint_on_demand.audit.ts | Timestamp of when the event to be audited occurred. | date |

diff --git a/packages/proofpoint_on_demand/manifest.yml b/packages/proofpoint_on_demand/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.4
 name: proofpoint_on_demand
 title: Proofpoint On Demand
-version: 0.1.0
+version: 0.1.1
 description: Collect logs from Proofpoint On Demand with Elastic Agent.
 type: integration
 categories: