
[Netskope]: Fields netskope.alerts.breach.date and netskope.alerts.breach.description have the wrong mapping. #13857


Open
leandrojmp opened this issue May 8, 2025 · 0 comments

Comments

@leandrojmp (Contributor)

The fields netskope.alerts.breach.date and netskope.alerts.breach.description in the Alerts dataset of the Netskope integration have the wrong mapping.

The field netskope.alerts.breach.date is mapped as a double, but this is not a numeric field; it is a date, and the value in the logs is an epoch time. The field netskope.alerts.breach.description is mapped as just keyword, but its content is a lengthy description, so it needs to follow the other *.description fields and be mapped as a multi-field with a .text field of type match_only_text.

For example, considering the sample message in the test files:

{"event":{"id":"47eccb9569fe50460ad1200f"},"netskope":{"alerts":{"insertion_epoch_timestamp":1642755526,"acked":"false","is_alert":"yes","alert":{"name":"cit0day - download1.mios.com","type":"breach"},"type":"Compromised Credential","breach":{"date":1601942400,"description":"In September 2020, a threat actor began sharing the millions of stolen credentials that were associated with a prominent Dark Web credentials service shut down by US federal authorites in August 2020. The stolen credentials represent hundreds of websites and hundreds of  millions of users and their associated passwords affected by the illegal antics of the threat actor who managed the now defunct Dark Web forum. Users and companies from all over the world were affected by these various breaches. This file contains the download1.mios.com accounts dump.","id":"bc6952df4c61b469cf4a47f17d0ea384","media_references":"null","score":40,"target_references":"null"},"category":{"name":"null"},"cci":"0","ccl":"unknown","count":1,"email":{"source":"Active"},"external":{"email":1},"matched":{"username":"[email protected]"},"organization":{"unit":"null"},"other":{"categories":"null"},"user":{"group":"null"},"app":{"category":"null"}}},"@timestamp":"2022-01-19T21:39:15.000Z","user":{"email":{"1":"[email protected]","2":"[email protected]","3":"[email protected]"}}}

The value for the field breach.date is 1601942400

And this value is an epoch date:

$ date -d@1601942400
seg 05 out 2020 21:00:00 -03

And for the field breach.description, the value is text:

In September 2020, a threat actor began sharing the millions of stolen credentials that were associated with a prominent Dark Web credentials service shut down by US federal authorites in August 2020. The stolen credentials represent hundreds of websites and hundreds of millions of users and their associated passwords affected by the illegal antics of the threat actor who managed the now defunct Dark Web forum. Users and companies from all over the world were affected by these various breaches. This file contains the download1.mios.com accounts dump.

In summary, the current mappings are:

  • netskope.alerts.breach.date: double
  • netskope.alerts.breach.description: keyword

But the mapping needs to be changed to:

  • netskope.alerts.breach.date: date
  • netskope.alerts.breach.description: keyword (multi-field)
  • netskope.alerts.breach.description.text: match_only_text (multi-field)
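The following is an added example, not code from the issue author or from the Netskope integration itself. It spells out the requested mapping as an explicit Elasticsearch mapping object, audits an arbitrary mapping (for instance the `mappings` object returned by GET <index>/_mapping) against what the issue asks for, and shows one caveat a practitioner will want to know before flipping the type to `date`: Elasticsearch's default date format is `strict_date_optional_time||epoch_millis`, so a bare epoch-seconds value like 1601942400 would be interpreted as milliseconds and land in January 1970 unless the field declares `format: epoch_second` or an ingest pipeline converts the value first. The `format` and `ignore_above` settings are assumptions on my part; the issue itself only asks for the types. The sample document is the issue's test message trimmed to the two fields.

```python
"""Added example: corrected mapping for netskope.alerts.breach.* and an audit
helper. Not part of the Netskope integration or the issue; the `format` and
`ignore_above` values below are assumptions, not something the issue states.
"""
from datetime import datetime, timezone

# Constructed sample: the two fields from the issue's test message, trimmed.
SAMPLE_DOC = {
    "netskope": {"alerts": {"breach": {
        "date": 1601942400,
        "description": "In September 2020, a threat actor began sharing the "
                       "millions of stolen credentials ... This file contains "
                       "the download1.mios.com accounts dump.",
    }}}
}

def _nest(leaf: dict) -> dict:
    """Wrap the breach leaf properties in the netskope.alerts.breach path."""
    return {"properties": {"netskope": {"properties": {"alerts": {"properties": {
        "breach": {"properties": leaf}}}}}}}

def current_mapping() -> dict:
    """The mapping the issue reports as wrong: double + bare keyword."""
    return _nest({"date": {"type": "double"},
                  "description": {"type": "keyword"}})

def corrected_mapping() -> dict:
    """The mapping the issue asks for, as an explicit Elasticsearch mapping.
    `format: epoch_second` is assumed here because the raw value is epoch
    seconds; without it the default format would read it as epoch_millis.
    `ignore_above: 1024` is the usual Elastic convention for keyword fields
    and is also an assumption; the .text multi-field still indexes the
    description even when the keyword copy is skipped for being too long."""
    return _nest({
        "date": {"type": "date", "format": "epoch_second"},
        "description": {
            "type": "keyword",
            "ignore_above": 1024,
            "fields": {"text": {"type": "match_only_text"}},
        },
    })

def parse_as_elasticsearch_would(value: int, fmt: str) -> datetime:
    """Model how the `date` type interprets a numeric value under `fmt`.
    Only the two epoch formats are modelled; enough to show the pitfall."""
    if fmt == "epoch_second":
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if fmt == "epoch_millis":
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    raise ValueError(f"format {fmt!r} not modelled")

def _lookup(mapping: dict, dotted: str) -> dict:
    """Walk a mapping's nested `properties` to the field at `dotted`."""
    node = mapping
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part, {})
    return node

def mapping_problems(mapping: dict) -> list[str]:
    """Return every way `mapping` deviates from the mapping the issue asks
    for. Pass the `mappings` object of a live index to audit it. The
    epoch_second check assumes the raw epoch number is indexed as-is; if an
    ingest pipeline converts it to ISO 8601 first, that line can be dropped."""
    problems = []
    date = _lookup(mapping, "netskope.alerts.breach.date")
    if date.get("type") != "date":
        problems.append(f"breach.date is {date.get('type')!r}, expected 'date'")
    elif "epoch_second" not in date.get("format", ""):
        problems.append("breach.date has no epoch_second format; "
                        "1601942400 would be parsed as epoch_millis")
    desc = _lookup(mapping, "netskope.alerts.breach.description")
    if desc.get("type") != "keyword":
        problems.append(f"breach.description is {desc.get('type')!r}, "
                        "expected 'keyword'")
    text = desc.get("fields", {}).get("text", {})
    if text.get("type") != "match_only_text":
        problems.append("breach.description lacks a .text multi-field of "
                        "type match_only_text")
    return problems

if __name__ == "__main__":
    epoch = SAMPLE_DOC["netskope"]["alerts"]["breach"]["date"]
    for fmt in ("epoch_second", "epoch_millis"):
        print(fmt, "->", parse_as_elasticsearch_would(epoch, fmt).isoformat())
    print("current mapping:", mapping_problems(current_mapping()))
    print("corrected mapping:", mapping_problems(corrected_mapping()))
```

Running the script shows the sample value resolving to 2020-10-06T00:00:00+00:00 under `epoch_second` (the same instant as the `date -d@1601942400` output above, in UTC) and to a 1970 timestamp under `epoch_millis`, which is why the type change alone is not enough when the raw epoch number is what reaches the index.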