symantec_endpoint: use valid ECS values for fields (#3330)

This cleans up items missed in the previous pass.

packages/symantec_endpoint/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.0.4"
+  changes:
+    - description: Make field values conform to ECS
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3330
 - version: "0.0.3"
   changes:
     - description: Make field values conform to ECS

packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-agent-traffic.log-expected.json

@@ -22,7 +22,8 @@
                 "action": "blocked",
                 "category": [
                     "intrusion_detection",
-                    "network"
+                    "network",
+                    "process"
                 ],
                 "count": 1,
                 "end": "2020-01-30T07:48:18.000Z",
@@ -32,7 +33,6 @@
                 "start": "2020-01-30T07:48:18.000Z",
                 "type": [
                     "connection",
-                    "process",
                     "denied"
                 ]
             },
@@ -127,7 +127,8 @@
                 "action": "blocked",
                 "category": [
                     "intrusion_detection",
-                    "network"
+                    "network",
+                    "process"
                 ],
                 "count": 1,
                 "end": "2020-12-09T00:46:50.000Z",
@@ -137,7 +138,6 @@
                 "start": "2020-12-09T00:46:50.000Z",
                 "type": [
                     "connection",
-                    "process",
                     "denied"
                 ]
             },
@@ -207,7 +207,8 @@
                 "action": "blocked",
                 "category": [
                     "intrusion_detection",
-                    "network"
+                    "network",
+                    "process"
                 ],
                 "count": 4,
                 "end": "2020-11-11T19:25:28.000Z",
@@ -217,7 +218,6 @@
                 "start": "2020-11-11T19:25:21.000Z",
                 "type": [
                     "connection",
-                    "process",
                     "denied"
                 ]
             },

packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-remove-mapped-fields.log-expected.json

@@ -22,7 +22,8 @@
                 "action": "blocked",
                 "category": [
                     "intrusion_detection",
-                    "network"
+                    "network",
+                    "process"
                 ],
                 "count": 1,
                 "end": "2020-01-30T07:48:18.000Z",
@@ -32,7 +33,6 @@
                 "start": "2020-01-30T07:48:18.000Z",
                 "type": [
                     "connection",
-                    "process",
                     "denied"
                 ]
             },

packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc3164.log-expected.json

@@ -21,7 +21,8 @@
                 "action": "blocked",
                 "category": [
                     "intrusion_detection",
-                    "network"
+                    "network",
+                    "process"
                 ],
                 "count": 4,
                 "end": "2020-11-11T19:25:28.000Z",
@@ -31,7 +32,6 @@
                 "start": "2020-11-11T19:25:21.000Z",
                 "type": [
                     "connection",
-                    "process",
                     "denied"
                 ]
             },

packages/symantec_endpoint/data_stream/log/_dev/test/pipeline/test-rfc5424.log-expected.json

@@ -18,7 +18,8 @@
                 "action": "blocked",
                 "category": [
                     "intrusion_detection",
-                    "network"
+                    "network",
+                    "process"
                 ],
                 "count": 4,
                 "end": "2020-11-11T19:25:28.000Z",
@@ -28,7 +29,6 @@
                 "start": "2020-11-11T19:25:21.000Z",
                 "type": [
                     "connection",
-                    "process",
                     "denied"
                 ]
             },

packages/symantec_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -227,8 +227,8 @@ processors:
       # https://knowledge.broadcom.com/external/article?legacyId=TECH171741#Agent_Traffic
       - name: 'Agent Traffic Log'
         fingerprint: NONE|local_host_ip|local_port|local_host_mac|remote_host_ip|remote_host_name|remote_port|remote_host_mac|NONE|NONE|begin|end|occurrences|application|rule|location|user_name|domain_name|action|sha-256|md-5
-        event_category: [intrusion_detection, network]
-        event_type: [connection, process]
+        event_category: [intrusion_detection, network, process]
+        event_type: [connection]
         columns:
           - index: 9
             name: traffic_direction

packages/symantec_endpoint/data_stream/log/sample_event.json

@@ -102,11 +102,11 @@
         "end": "2020-11-11T19:25:28.000Z",
         "category": [
             "intrusion_detection",
-            "network"
+            "network",
+            "process"
         ],
         "type": [
             "connection",
-            "process",
             "denied"
         ]
     },

packages/symantec_endpoint/docs/README.md

@@ -456,11 +456,11 @@ An example event for `log` looks as following:
         "end": "2020-11-11T19:25:28.000Z",
         "category": [
             "intrusion_detection",
-            "network"
+            "network",
+            "process"
         ],
         "type": [
             "connection",
-            "process",
             "denied"
         ]
     },

packages/symantec_endpoint/manifest.yml

@@ -1,6 +1,6 @@
 name: symantec_endpoint
 title: Symantec Endpoint Protection
-version: 0.0.3
+version: 0.0.4
 release: beta
 description: Collect logs from Symantec Endpoint Protection with Elastic Agent.
 type: integration