Cyberark PAS: Fix handling of non-array CAProperty (elastic#31094)

The CAProperty field included in events from the Cyberark PAS can be an
object instead of an array in cases when a single property is defined.

CHANGELOG.next.asciidoc

@@ -58,6 +58,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
 - Recover CEF extensions from messages with invalid/incomplete headers. {issue}30757[30757] {pull}30938[30938]
 - Fix panic in filestream input when `copy_truncate` log rotation strategy is used {issue}29024[29024] {pull}31041[31041]
 - Fix Azure signinlogs authentication_requirement_policies field type and several missing fields. {pull}31062[31062]
+- Cyberark PAS: Fix error ingesting events with a single entry in the CAProperties field. {pull}31094[31094]
 
 *Heartbeat*
 

x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml

@@ -181,7 +181,19 @@ processors:
       ignore_empty_value: true
       override: true
 
-  # This script converts the nested object under cyberarkpas.audit.CAProperties.CAProperty
+  # This script ensures that CAProperties.CAProperty is an array.
+  # When there's a single property, it is serialised as an object instead
+  # of a single element array.
+  - script:
+      lang: painless
+      description: "Converts CAProperties into an array if necessary"
+      source: >
+        def props = ctx.cyberarkpas?.audit?.CAProperties?.CAProperty;
+        if (props != null && props instanceof Map) {
+          ctx.cyberarkpas.audit.CAProperties.CAProperty = [ props ];
+        }
+
+  # This processor converts the nested object under cyberarkpas.audit.CAProperties.CAProperty
   # into an object under cyberarkpas.audit.CAProperties:
   #
   # input:

x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log

@@ -1,2 +1,3 @@
 <5>1 2021-03-04T19:10:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:05","IsoTimestamp":"2021-03-04T19:10:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PasswordManagerShared","File":"Root\\Policies\\Policy-GenericWebApp.ini","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}}
 <5>1 2021-03-04T19:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:23","IsoTimestamp":"2021-03-04T19:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"AppProviderConf","File":"Root\\main_appprovider.conf.Win64.11.04","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}}
+<5>1 2022-03-30T05:51:59Z HOSTNAME {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 30 16:51:59","IsoTimestamp":"2022-03-30T05:51:59Z","Hostname":"HOSTNAME","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.1.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PSMApp_FOOBAR","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root[\\ConfigurationSchemas\\AuditFilters.xsd](file:///ConfigurationSchemas////AuditFilters.xsd/)","Station":"10.2.1.12","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":"","CAProperties":{"CAProperty":{"Name":"ConfigurationSchemaVersion","Value":"12121"}}}}}

x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json

@@ -80,5 +80,47 @@
             "cyberarkpas.audit",
             "forwarded"
         ]
+    },
+    {
+        "@timestamp": "2022-03-30T05:51:59.000Z",
+        "cyberarkpas.audit.action": "Retrieve File",
+        "cyberarkpas.audit.ca_properties.other.configuration_schema_version": "12121",
+        "cyberarkpas.audit.desc": "Retrieve File",
+        "cyberarkpas.audit.file": "Root[\\ConfigurationSchemas\\AuditFilters.xsd](file:///ConfigurationSchemas////AuditFilters.xsd/)",
+        "cyberarkpas.audit.iso_timestamp": "2022-03-30T05:51:59Z",
+        "cyberarkpas.audit.issuer": "PSMApp_FOOBAR",
+        "cyberarkpas.audit.message": "Retrieve File",
+        "cyberarkpas.audit.rfc5424": true,
+        "cyberarkpas.audit.safe": "PVWAConfig",
+        "cyberarkpas.audit.severity": "Info",
+        "cyberarkpas.audit.station": "10.2.1.12",
+        "cyberarkpas.audit.timestamp": "Mar 30 16:51:59",
+        "event.action": "retrieve file",
+        "event.code": "51",
+        "event.dataset": "cyberarkpas.audit",
+        "event.kind": "event",
+        "event.module": "cyberarkpas",
+        "event.severity": 2,
+        "event.timezone": "-02:00",
+        "file.path": "Root[\\ConfigurationSchemas\\AuditFilters.xsd](file:///ConfigurationSchemas////AuditFilters.xsd/)",
+        "fileset.name": "audit",
+        "host.name": "HOSTNAME",
+        "input.type": "log",
+        "log.offset": 1243,
+        "log.syslog.priority": "5",
+        "observer.hostname": "HOSTNAME",
+        "observer.product": "Vault",
+        "observer.vendor": "Cyber-Ark",
+        "observer.version": "12.1.0000",
+        "related.ip": [
+            "10.2.1.12"
+        ],
+        "service.type": "cyberarkpas",
+        "source.address": "10.2.1.12",
+        "source.ip": "10.2.1.12",
+        "tags": [
+            "cyberarkpas.audit",
+            "forwarded"
+        ]
     }
 ]