[jamf_pro] Fix flattened field types for non-object values (elastic#13985)

Some fields have arrays of integers or strings as values and we were
attempting to index them as `flattened`. Although such values can be
valid JSON values or JSON documents, `flattened` fields can only index
objects.

The Jamf documentation of field values is:
- https://developer.jamf.com/jamf-pro/reference/get_v1-computers-inventory
- https://developer.jamf.com/developer-guide/docs/webhooks

Author: chrisberkhout

packages/jamf_pro/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.5.2"
+  changes:
+    - description: Fix `flattened` field types for non-object values.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/13985
 - version: "0.5.1"
   changes:
     - description: Fix empty string issue for date query param in filter for Jamf Pro inventory data stream.

packages/jamf_pro/data_stream/events/fields/fields.yml

@@ -60,7 +60,7 @@
               type: group
               fields:
                 - name: action
-                  type: flattened
+                  type: keyword
             - name: patch_policy_id
               type: integer
             - name: patch_policy_name
@@ -120,7 +120,7 @@
             - name: name
               type: keyword
             - name: report_urls
-              type: flattened
+              type: keyword
             - name: bluetooth_mac_address
               type: keyword
             - name: icci_id
@@ -148,9 +148,9 @@
             - name: rest_api_operation_type
               type: keyword
             - name: group_added_user_ids
-              type: flattened
+              type: keyword
             - name: group_removed_user_ids
-              type: flattened
+              type: keyword
             - name: jssid
               type: integer
             - name: smart_group
@@ -220,7 +220,7 @@
             - name: payload_identifier
               type: keyword
             - name: payload_types
-              type: flattened
+              type: keyword
             - name: trigger
               type: keyword
             - name: host_address
@@ -238,11 +238,11 @@
             - name: group_added_devices
               type: flattened
             - name: group_added_devices_ids
-              type: flattened
+              type: keyword
             - name: group_removed_devices
               type: flattened
             - name: group_removed_devices_ids
-              type: flattened
+              type: keyword
             - name: asset_tag
               type: keyword
             - name: description

packages/jamf_pro/data_stream/inventory/fields/fields-disk-encryption.yml

@@ -25,4 +25,4 @@
             - name: file_vault2eligibility_message
               type: text
             - name: file_vault2enabled_user_names
-              type: flattened
+              type: keyword

packages/jamf_pro/data_stream/inventory/fields/fields.yml

@@ -85,11 +85,11 @@
           type: group
           fields:
             - name: cached
-              type: flattened
+              type: keyword
             - name: installed_by_installer_swu
-              type: flattened
+              type: keyword
             - name: installed_by_jamf_pro
-              type: flattened
+              type: keyword
         - name: attachments
           type: nested
         - name: certificates

packages/jamf_pro/docs/README.md

@@ -227,7 +227,7 @@ The following non-ECS fields are used in inventory documents:
 | jamf_pro.inventory.disk_encryption.boot_partition_encryption_details.partition_name |  | keyword |
 | jamf_pro.inventory.disk_encryption.disk_encryption_configuration_name |  | keyword |
 | jamf_pro.inventory.disk_encryption.file_vault2eligibility_message |  | text |
-| jamf_pro.inventory.disk_encryption.file_vault2enabled_user_names |  | flattened |
+| jamf_pro.inventory.disk_encryption.file_vault2enabled_user_names |  | keyword |
 | jamf_pro.inventory.disk_encryption.individual_recovery_key_validity_status |  | keyword |
 | jamf_pro.inventory.disk_encryption.institutional_recovery_key_present |  | boolean |
 | jamf_pro.inventory.error.message |  | text |
@@ -327,9 +327,9 @@ The following non-ECS fields are used in inventory documents:
 | jamf_pro.inventory.operating_system.software_update_device_id |  | keyword |
 | jamf_pro.inventory.operating_system.supplemental_build_version |  | keyword |
 | jamf_pro.inventory.operating_system.version |  | keyword |
-| jamf_pro.inventory.package_receipts.cached |  | flattened |
-| jamf_pro.inventory.package_receipts.installed_by_installer_swu |  | flattened |
-| jamf_pro.inventory.package_receipts.installed_by_jamf_pro |  | flattened |
+| jamf_pro.inventory.package_receipts.cached |  | keyword |
+| jamf_pro.inventory.package_receipts.installed_by_installer_swu |  | keyword |
+| jamf_pro.inventory.package_receipts.installed_by_jamf_pro |  | keyword |
 | jamf_pro.inventory.plugins |  | nested |
 | jamf_pro.inventory.printers |  | nested |
 | jamf_pro.inventory.purchasing.apple_care_id |  | keyword |
@@ -538,13 +538,13 @@ The following non-ECS fields are used in real-time event documents:
 | jamf_pro.events.event.device_enrollment_program_instance_id |  | integer |
 | jamf_pro.events.event.device_name |  | keyword |
 | jamf_pro.events.event.email_address |  | keyword |
-| jamf_pro.events.event.event_actions.action |  | flattened |
+| jamf_pro.events.event.event_actions.action |  | keyword |
 | jamf_pro.events.event.group_added_devices |  | flattened |
-| jamf_pro.events.event.group_added_devices_ids |  | flattened |
-| jamf_pro.events.event.group_added_user_ids |  | flattened |
+| jamf_pro.events.event.group_added_devices_ids |  | keyword |
+| jamf_pro.events.event.group_added_user_ids |  | keyword |
 | jamf_pro.events.event.group_removed_devices |  | flattened |
-| jamf_pro.events.event.group_removed_devices_ids |  | flattened |
-| jamf_pro.events.event.group_removed_user_ids |  | flattened |
+| jamf_pro.events.event.group_removed_devices_ids |  | keyword |
+| jamf_pro.events.event.group_removed_user_ids |  | keyword |
 | jamf_pro.events.event.host_address |  | keyword |
 | jamf_pro.events.event.icci_id |  | keyword |
 | jamf_pro.events.event.imei |  | keyword |
@@ -571,13 +571,13 @@ The following non-ECS fields are used in real-time event documents:
 | jamf_pro.events.event.patch_policy_id |  | integer |
 | jamf_pro.events.event.patch_policy_name |  | keyword |
 | jamf_pro.events.event.payload_identifier |  | keyword |
-| jamf_pro.events.event.payload_types |  | flattened |
+| jamf_pro.events.event.payload_types |  | keyword |
 | jamf_pro.events.event.phone |  | keyword |
 | jamf_pro.events.event.policy_id |  | integer |
 | jamf_pro.events.event.position |  | keyword |
 | jamf_pro.events.event.product |  | keyword |
 | jamf_pro.events.event.real_name |  | keyword |
-| jamf_pro.events.event.report_urls |  | flattened |
+| jamf_pro.events.event.report_urls |  | keyword |
 | jamf_pro.events.event.reported_ip_address |  | ip |
 | jamf_pro.events.event.rest_api_operation_type |  | keyword |
 | jamf_pro.events.event.room |  | keyword |

packages/jamf_pro/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.1.5
 name: jamf_pro
 title: "Jamf Pro"
-version: "0.5.1"
+version: "0.5.2"
 source:
   license: "Elastic-2.0"
 description: "Collect logs and inventory data from Jamf Pro with Elastic Agent"