zscaler_zpa: fix IPProtocol mapping (elastic#13999)

The ingest pipeline was previously incorrectly mapping the values of
IPProtocol to network.type when it should be mapped to network.transport.

Author: efd6

packages/zscaler_zpa/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.22.3"
+  changes:
+    - description: Fix handling of `IPProtocol` field mapping.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/13999
 - version: "1.22.2"
   changes:
     - description: Fix handling of remote IP lists in audit data stream.

packages/zscaler_zpa/data_stream/user_activity/_dev/test/pipeline/test-user-activity.log-expected.json

@@ -32,7 +32,7 @@
                 ]
             },
             "network": {
-                "type": "ipv6"
+                "transport": "tcp"
             },
             "organization": {
                 "name": "Customer XYZ"

packages/zscaler_zpa/data_stream/user_activity/elasticsearch/ingest_pipeline/default.yml

@@ -102,15 +102,27 @@ processors:
       if: ctx.host?.domain != null
       allow_duplicates: false
       ignore_failure: true
-  - set:
-      field: network.type
-      value: 'ipv4'
-      if: ctx.json?.IPProtocol == 4
-      ignore_failure: true
-  - set:
-      field: network.type
-      value: 'ipv6'
-      if: ctx.json?.IPProtocol == 6
+  - script:
+      if: ctx.json?.IPProtocol != null
+      params:
+        iana_numbers:
+          "0": unknown_ip_ipprotocol
+          "1": icmp
+          "2": igmp
+          "6": tcp
+          "17": udp
+          "41": ip6in4
+          "47": gre
+          "50": esp
+          "58": icmp6
+          "88": eigrp
+          "97": etherip
+          "103": pim
+          "112": vrrp
+          "132": sctp
+      source: |-
+        ctx.network = ctx.network ?: [:];
+        ctx.network.transport = params.iana_numbers[ctx.json.IPProtocol.toString()];
       ignore_failure: true
   - rename:
       field: json.Customer

packages/zscaler_zpa/data_stream/user_activity/sample_event.json

@@ -1,12 +1,11 @@
 {
     "@timestamp": "2019-05-31T17:35:42.000Z",
     "agent": {
-        "ephemeral_id": "47a2e053-f9d2-4244-b6bd-9acf12361804",
-        "hostname": "docker-fleet-agent",
-        "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "dc5b8414-8d42-4bd7-820f-f19b6f07188b",
+        "id": "43113495-332c-42b0-a84a-dfd7a28a3adc",
+        "name": "elastic-agent-20487",
         "type": "filebeat",
-        "version": "7.16.2"
+        "version": "8.13.0"
     },
     "client": {
         "geo": {
@@ -20,24 +19,24 @@
     },
     "data_stream": {
         "dataset": "zscaler_zpa.user_activity",
-        "namespace": "ep",
+        "namespace": "11041",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf",
+        "id": "43113495-332c-42b0-a84a-dfd7a28a3adc",
         "snapshot": false,
-        "version": "7.16.2"
+        "version": "8.13.0"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
             "iam"
         ],
         "dataset": "zscaler_zpa.user_activity",
-        "ingested": "2023-02-22T12:10:47Z",
+        "ingested": "2025-05-25T22:58:32Z",
         "kind": "event",
         "original": "{\"LogTimestamp\": \"Fri May 31 17:35:42 2019\",\"Customer\": \"Customer XYZ\",\"SessionID\": \"LHJdkjmNDf12nclBsvwA\",\"ConnectionID\": \"SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm\",\"InternalReason\": \"\",\"ConnectionStatus\": \"active\",\"IPProtocol\": 6,\"DoubleEncryption\": 0,\"Username\": \"ZPA LSS Client\",\"ServicePort\": 10011,\"ClientPublicIP\": \"81.2.69.193\",\"ClientLatitude\": 45.000000,\"ClientLongitude\": -119.000000,\"ClientCountryCode\": \"US\",\"ClientZEN\": \"broker2b.pdx\",\"Policy\": \"ABC Lab Apps\",\"Connector\": \"ZDEMO ABC\",\"ConnectorZEN\": \"broker2b.pdx\",\"ConnectorIP\": \"67.43.156.12\",\"ConnectorPort\": 60266,\"Host\": \"175.16.199.1\",\"Application\": \"ABC Lab Apps\",\"AppGroup\": \"ABC Lab Apps\",\"Server\": \"0\",\"ServerIP\": \"175.16.199.1\",\"ServerPort\": 10011,\"PolicyProcessingTime\": 28,\"CAProcessingTime\": 1330,\"ConnectorZENSetupTime\": 191017,\"ConnectionSetupTime\": 192397,\"ServerSetupTime\": 465,\"AppLearnTime\": 0,\"TimestampConnectionStart\": \"2019-05-30T08:20:42.230Z\",\"TimestampConnectionEnd\": \"\",\"TimestampCATx\": \"2019-05-30T08:20:42.230Z\",\"TimestampCARx\": \"2019-05-30T08:20:42.231Z\",\"TimestampAppLearnStart\": \"\",\"TimestampZENFirstRxClient\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENFirstTxClient\": \"\",\"TimestampZENLastRxClient\": \"2019-05-31T17:34:27.348Z\",\"TimestampZENLastTxClient\": \"\",\"TimestampConnectorZENSetupComplete\": \"2019-05-30T08:20:42.422Z\",\"TimestampZENFirstRxConnector\": \"\",\"TimestampZENFirstTxConnector\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENLastRxConnector\": \"\",\"TimestampZENLastTxConnector\": \"2019-05-31T17:34:27.348Z\",\"ZENTotalBytesRxClient\": 2406926,\"ZENBytesRxClient\": 7115,\"ZENTotalBytesTxClient\": 0,\"ZENBytesTxClient\": 0,\"ZENTotalBytesRxConnector\": 0,\"ZENBytesRxConnector\": 0,\"ZENTotalBytesTxConnector\": 2406926,\"ZENBytesTxConnector\": 7115,\"Idp\": \"Example IDP Config\",\"ClientToClient\": \"0\"}",
         "type": [
@@ -55,11 +54,11 @@
     },
     "log": {
         "source": {
-            "address": "192.168.64.5:60604"
+            "address": "172.19.0.3:52362"
         }
     },
     "network": {
-        "type": "ipv6"
+        "transport": "tcp"
     },
     "organization": {
         "name": "Customer XYZ"
@@ -165,4 +164,4 @@
             }
         }
     }
-}
+}

packages/zscaler_zpa/docs/README.md

@@ -699,12 +699,11 @@ An example event for `user_activity` looks as following:
 {
     "@timestamp": "2019-05-31T17:35:42.000Z",
     "agent": {
-        "ephemeral_id": "47a2e053-f9d2-4244-b6bd-9acf12361804",
-        "hostname": "docker-fleet-agent",
-        "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "dc5b8414-8d42-4bd7-820f-f19b6f07188b",
+        "id": "43113495-332c-42b0-a84a-dfd7a28a3adc",
+        "name": "elastic-agent-20487",
         "type": "filebeat",
-        "version": "7.16.2"
+        "version": "8.13.0"
     },
     "client": {
         "geo": {
@@ -718,24 +717,24 @@ An example event for `user_activity` looks as following:
     },
     "data_stream": {
         "dataset": "zscaler_zpa.user_activity",
-        "namespace": "ep",
+        "namespace": "11041",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf",
+        "id": "43113495-332c-42b0-a84a-dfd7a28a3adc",
         "snapshot": false,
-        "version": "7.16.2"
+        "version": "8.13.0"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
             "iam"
         ],
         "dataset": "zscaler_zpa.user_activity",
-        "ingested": "2023-02-22T12:10:47Z",
+        "ingested": "2025-05-25T22:58:32Z",
         "kind": "event",
         "original": "{\"LogTimestamp\": \"Fri May 31 17:35:42 2019\",\"Customer\": \"Customer XYZ\",\"SessionID\": \"LHJdkjmNDf12nclBsvwA\",\"ConnectionID\": \"SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm\",\"InternalReason\": \"\",\"ConnectionStatus\": \"active\",\"IPProtocol\": 6,\"DoubleEncryption\": 0,\"Username\": \"ZPA LSS Client\",\"ServicePort\": 10011,\"ClientPublicIP\": \"81.2.69.193\",\"ClientLatitude\": 45.000000,\"ClientLongitude\": -119.000000,\"ClientCountryCode\": \"US\",\"ClientZEN\": \"broker2b.pdx\",\"Policy\": \"ABC Lab Apps\",\"Connector\": \"ZDEMO ABC\",\"ConnectorZEN\": \"broker2b.pdx\",\"ConnectorIP\": \"67.43.156.12\",\"ConnectorPort\": 60266,\"Host\": \"175.16.199.1\",\"Application\": \"ABC Lab Apps\",\"AppGroup\": \"ABC Lab Apps\",\"Server\": \"0\",\"ServerIP\": \"175.16.199.1\",\"ServerPort\": 10011,\"PolicyProcessingTime\": 28,\"CAProcessingTime\": 1330,\"ConnectorZENSetupTime\": 191017,\"ConnectionSetupTime\": 192397,\"ServerSetupTime\": 465,\"AppLearnTime\": 0,\"TimestampConnectionStart\": \"2019-05-30T08:20:42.230Z\",\"TimestampConnectionEnd\": \"\",\"TimestampCATx\": \"2019-05-30T08:20:42.230Z\",\"TimestampCARx\": \"2019-05-30T08:20:42.231Z\",\"TimestampAppLearnStart\": \"\",\"TimestampZENFirstRxClient\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENFirstTxClient\": \"\",\"TimestampZENLastRxClient\": \"2019-05-31T17:34:27.348Z\",\"TimestampZENLastTxClient\": \"\",\"TimestampConnectorZENSetupComplete\": \"2019-05-30T08:20:42.422Z\",\"TimestampZENFirstRxConnector\": \"\",\"TimestampZENFirstTxConnector\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENLastRxConnector\": \"\",\"TimestampZENLastTxConnector\": \"2019-05-31T17:34:27.348Z\",\"ZENTotalBytesRxClient\": 2406926,\"ZENBytesRxClient\": 7115,\"ZENTotalBytesTxClient\": 0,\"ZENBytesTxClient\": 0,\"ZENTotalBytesRxConnector\": 0,\"ZENBytesRxConnector\": 0,\"ZENTotalBytesTxConnector\": 2406926,\"ZENBytesTxConnector\": 7115,\"Idp\": \"Example IDP Config\",\"ClientToClient\": \"0\"}",
         "type": [
@@ -753,11 +752,11 @@ An example event for `user_activity` looks as following:
     },
     "log": {
         "source": {
-            "address": "192.168.64.5:60604"
+            "address": "172.19.0.3:52362"
         }
     },
     "network": {
-        "type": "ipv6"
+        "transport": "tcp"
     },
     "organization": {
         "name": "Customer XYZ"

packages/zscaler_zpa/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: zscaler_zpa
 title: Zscaler Private Access
-version: "1.22.2"
+version: "1.22.3"
 source:
   license: Elastic-2.0
 description: Collect logs from Zscaler Private Access (ZPA) with Elastic Agent.