diff --git a/packages/proofpoint_on_demand/_dev/deploy/docker/docker-compose.yml b/packages/proofpoint_on_demand/_dev/deploy/docker/docker-compose.yml
index 1f324406be7..cffab4b93ed 100644
--- a/packages/proofpoint_on_demand/_dev/deploy/docker/docker-compose.yml
+++ b/packages/proofpoint_on_demand/_dev/deploy/docker/docker-compose.yml
@@ -8,4 +8,8 @@ services:
       - ./websocket-mock-service:/app
     ports:
       - "8443:8443"
+    healthcheck:
+      test: "wget --no-verbose --tries=1 --spider http://localhost:8443/health || exit 1"
+      interval: 10s
+      timeout: 5s
     command: ["go", "run", "main.go"]
diff --git a/packages/proofpoint_on_demand/_dev/deploy/docker/websocket-mock-service/main.go b/packages/proofpoint_on_demand/_dev/deploy/docker/websocket-mock-service/main.go
index f4ad6ab7397..35face0793f 100644
--- a/packages/proofpoint_on_demand/_dev/deploy/docker/websocket-mock-service/main.go
+++ b/packages/proofpoint_on_demand/_dev/deploy/docker/websocket-mock-service/main.go
@@ -17,6 +17,10 @@ func main() {
 }
 
 func handleWebSocket(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Path == "/health" {
+		return
+	}
+
 	authHeader := r.Header.Get("Authorization")
 	if authHeader != "Bearer xxxx" {
 		// If the header is incorrect, return an authentication error message
diff --git a/packages/proofpoint_on_demand/data_stream/audit/sample_event.json b/packages/proofpoint_on_demand/data_stream/audit/sample_event.json
index 0f32e1375be..0693f4cbd11 100644
--- a/packages/proofpoint_on_demand/data_stream/audit/sample_event.json
+++ b/packages/proofpoint_on_demand/data_stream/audit/sample_event.json
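Review bot: The added `healthcheck` has no `start_period` and relies on the default retry count, yet the service starts with `command: ["go", "run", "main.go"]`, which compiles the mock before it listens, so a slow first build can push the container to unhealthy before the probe ever succeeds; add `start_period: 30s` and `retries: 3` under the new keys so compile time is not counted against it. The probe also targets `http://localhost:8443`; if the mock binds that port with TLS (the listener setup is not visible in this hunk) wget's spider request would fail the handshake, so confirm the scheme matches what `main.go` serves. Note that `wget --spider` only checks for a 2xx on `/health`, which therefore has to remain exempt from the Bearer check in the handler for this check to pass.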
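Review bot: The `/health` branch added at the top of `handleWebSocket` returns without writing anything, so the 200 the compose healthcheck depends on is only the implicit status net/http emits for an empty handler; make it explicit and document the exemption: `// Unauthenticated liveness probe for the compose healthcheck.` followed by `w.WriteHeader(http.StatusOK)` before the `return`. Because the branch sits before the `Authorization` comparison, any caller can reach `/health` without the Bearer token — acceptable for a test mock, but worth the comment so the pattern is not copied into a real handler. Matching on `r.URL.Path` alone also accepts any method and query string, so adding `&& r.Method == http.MethodGet` to the condition keeps the probe contract tight. handleWebSocket's body continues outside the hunk.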
@@ -1,22 +1,22 @@ { "@timestamp": "2023-10-30T06:13:37.162Z", "agent": { - "ephemeral_id": "b4bf2c48-a903-47a7-8249-a33f0c04416e", - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "ephemeral_id": "b91bfe40-a0b1-4d8d-a6b3-31349274c490", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "proofpoint_on_demand.audit", - "namespace": "56274", + "namespace": "24289", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "snapshot": false, "version": "8.13.0" }, @@ -28,7 +28,7 @@ ], "dataset": "proofpoint_on_demand.audit", "id": "792f514f-15cb-480d-825e-e3565d32f928", - "ingested": "2024-07-10T10:32:14Z", + "ingested": "2024-07-17T16:30:44Z", "kind": "event", "original": "{\"audit\":{\"action\":\"login\",\"level\":\"INFO\",\"resourceType\":\"authorization\",\"tags\":[{\"name\":\"eventSubCategory\",\"value\":\"authorization\"},{\"name\":\"eventDetails\",\"value\":\"\"},{\"name\":\"login.authorization\",\"value\":\"true\"}],\"user\":{\"email\":\"bob@example.org\",\"id\":\"a7e6abcd-1234-7901-1234-abcdefc31236\",\"ipAddress\":\"1.128.0.0\"}},\"guid\":\"792f514f-15cb-480d-825e-e3565d32f928\",\"metadata\":{\"customerId\":\"c8215678-6e78-42dd-a327-abcde13f9cff\",\"origin\":{\"data\":{\"agent\":\"89.160.20.128\",\"cid\":\"pphosted_prodmgt_hosted\",\"version\":\"1.0\"},\"schemaVersion\":\"1.0\",\"type\":\"cadmin-api-gateway\"}},\"ts\":\"2023-10-30T06:13:37.162521+0000\"}", "type": [ diff --git a/packages/proofpoint_on_demand/data_stream/mail/sample_event.json b/packages/proofpoint_on_demand/data_stream/mail/sample_event.json index eb315caafd1..2957d01cf4d 100644 --- a/packages/proofpoint_on_demand/data_stream/mail/sample_event.json +++ b/packages/proofpoint_on_demand/data_stream/mail/sample_event.json 
@@ -1,22 +1,22 @@ { "@timestamp": "2024-06-19T12:28:32.533Z", "agent": { - "ephemeral_id": "63816686-915a-4d02-93cf-517339ce263d", - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "ephemeral_id": "2c2f1486-7b59-46be-8993-e51b90e0bd00", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "proofpoint_on_demand.mail", - "namespace": "68554", + "namespace": "14309", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "snapshot": false, "version": "8.13.0" }, @@ -35,7 +35,7 @@ ], "dataset": "proofpoint_on_demand.mail", "id": "NABCDefGH0/I1234slqccQ", - "ingested": "2024-07-10T10:33:12Z", + "ingested": "2024-07-17T16:31:44Z", "kind": "event", "original": "{\"data\":\"2024-06-19T05:28:32.533564-07:00 m0000123 sendmail[17416]: 45ABSW12341234: to=\\u003cmailive@example.com\\u003e, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, tls_verify=OK, tls_version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM, pri=121557, relay=test4.example.net. [216.160.83.56], dsn=2.0.0, stat=Sent (Ok: queued)\",\"id\":\"NABCDefGH0/I1234slqccQ\",\"metadata\":{\"customerId\":\"c82abcde-5678-42dd-1234-1234563f9cff\",\"origin\":{\"data\":{\"agent\":\"m0000123.ppops.net\",\"cid\":\"pphosted_prodmgt_hosted\"},\"schemaVersion\":\"20200420\"}},\"pps\":{\"agent\":\"m0000123.ppops.net\",\"cid\":\"pphosted_prodmgt_hosted\"},\"sm\":{\"delay\":\"00:00:00\",\"dsn\":\"2.0.0\",\"mailer\":\"esmtp\",\"pri\":\"121557\",\"qid\":\"45ABSW12341234\",\"relay\":\"test4.example.net. [216.160.83.56]\",\"stat\":\"Sent (Ok: queued)\",\"to\":[\"\\u003cmailive@example.com\\u003e\"],\"xdelay\":\"00:00:00\"},\"tls\":{\"cipher\":\"ECDHE-RSA-AES256-GCM\",\"verify\":\"OK\",\"version\":\"TLSv1.2\"},\"ts\":\"2024-06-19T05:28:32.533564-0700\"}", "type": [ 
diff --git a/packages/proofpoint_on_demand/data_stream/message/sample_event.json b/packages/proofpoint_on_demand/data_stream/message/sample_event.json index d275bcf06d4..ba6d3a51371 100644 --- a/packages/proofpoint_on_demand/data_stream/message/sample_event.json +++ b/packages/proofpoint_on_demand/data_stream/message/sample_event.json @@ -1,22 +1,22 @@ { "@timestamp": "2024-05-22T19:10:03.058Z", "agent": { - "ephemeral_id": "1a9e5652-213e-41c8-bf6a-60b731a7920f", - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "ephemeral_id": "c7399ce4-1dc3-4ecd-8600-6b2eefabf8c4", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "proofpoint_on_demand.message", - "namespace": "50569", + "namespace": "50314", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "snapshot": false, "version": "8.13.0" }, 
@@ -49,7 +49,7 @@ "dataset": "proofpoint_on_demand.message", "duration": 118720000, "id": "vRq4ZIFWHXbuABCDEFghij0U4VvIc71x", - "ingested": "2024-07-10T10:34:10Z", + "ingested": "2024-07-17T16:33:05Z", "kind": "event", "original": "{\"connection\":{\"country\":\"**\",\"helo\":\"m0000123.ppops.net\",\"host\":\"localhost\",\"ip\":\"127.0.0.1\",\"protocol\":\"smtp:smtp\",\"resolveStatus\":\"ok\",\"sid\":\"3y8abcd123\",\"tls\":{\"inbound\":{\"cipher\":\"ECDHE-RSA-AES256-GCM-SHA384\",\"cipherBits\":256,\"version\":\"TLSv1.2\"}}},\"envelope\":{\"from\":\"pps@m0000123.ppops.net\",\"rcpts\":[\"pps@m0000123.ppops.net\"]},\"filter\":{\"actions\":[{\"action\":\"accept\",\"isFinal\":true,\"module\":\"access\",\"rule\":\"system\"}],\"delivered\":{\"rcpts\":[\"pps@m0000123.ppops.net\"]},\"disposition\":\"accept\",\"durationSecs\":0.11872,\"msgSizeBytes\":1127,\"qid\":\"44ABCDm0000123\",\"routeDirection\":\"outbound\",\"routes\":[\"allow_relay\",\"firewallsafe\"],\"suborgs\":{\"rcpts\":[\"0\"],\"sender\":\"0\"},\"verified\":{\"rcpts\":[\"pps@m0000123.ppops.net\"]}},\"guid\":\"vRq4ZIFWHXbuABCDEFghij0U4VvIc71x\",\"metadata\":{\"origin\":{\"data\":{\"agent\":\"m0000123.ppops.net\",\"cid\":\"pphosted_prodmgt_hosted\",\"version\":\"8.21.0.1358\"}}},\"msg\":{\"header\":{\"from\":[\"\\\"(Cron Daemon)\\\" \\u003cpps@m0000123.ppops.net\\u003e\"],\"message-id\":[\"\\u003c212345678910.44ABCDE1231370@m0000123.ppops.net\\u003e\"],\"subject\":[\"Cron \\u003cpps@m0000123\\u003e /opt/proofpoint/resttimer.pl\"],\"to\":[\"pps@m0000123.ppops.net\"]},\"lang\":\"\",\"normalizedHeader\":{\"from\":[\"\\\"(Cron Daemon)\\\" \\u003cpps@m0000123.ppops.net\\u003e\"],\"message-id\":[\"212345678910.44ABCDE1231370@m0000123.ppops.net\"],\"subject\":[\"Cron \\u003cpps@m0000123\\u003e /opt/proofpoint/resttimer.pl\"],\"to\":[\"pps@m0000123.ppops.net\"]},\"parsedAddresses\":{},\"sizeBytes\":1151},\"msgParts\":[],\"ts\":\"2024-05-22T12:10:03.058340-0700\"}", "type": [ 
diff --git a/packages/proofpoint_on_demand/docs/README.md b/packages/proofpoint_on_demand/docs/README.md index f863bc74e06..0858c287242 100644 --- a/packages/proofpoint_on_demand/docs/README.md +++ b/packages/proofpoint_on_demand/docs/README.md @@ -67,22 +67,22 @@ An example event for `audit` looks as following: { "@timestamp": "2023-10-30T06:13:37.162Z", "agent": { - "ephemeral_id": "b4bf2c48-a903-47a7-8249-a33f0c04416e", - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "ephemeral_id": "b91bfe40-a0b1-4d8d-a6b3-31349274c490", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "proofpoint_on_demand.audit", - "namespace": "56274", + "namespace": "24289", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "snapshot": false, "version": "8.13.0" }, @@ -94,7 +94,7 @@ An example event for `audit` looks as following: ], "dataset": "proofpoint_on_demand.audit", "id": "792f514f-15cb-480d-825e-e3565d32f928", - "ingested": "2024-07-10T10:32:14Z", + "ingested": "2024-07-17T16:30:44Z", "kind": "event", "original": "{\"audit\":{\"action\":\"login\",\"level\":\"INFO\",\"resourceType\":\"authorization\",\"tags\":[{\"name\":\"eventSubCategory\",\"value\":\"authorization\"},{\"name\":\"eventDetails\",\"value\":\"\"},{\"name\":\"login.authorization\",\"value\":\"true\"}],\"user\":{\"email\":\"bob@example.org\",\"id\":\"a7e6abcd-1234-7901-1234-abcdefc31236\",\"ipAddress\":\"1.128.0.0\"}},\"guid\":\"792f514f-15cb-480d-825e-e3565d32f928\",\"metadata\":{\"customerId\":\"c8215678-6e78-42dd-a327-abcde13f9cff\",\"origin\":{\"data\":{\"agent\":\"89.160.20.128\",\"cid\":\"pphosted_prodmgt_hosted\",\"version\":\"1.0\"},\"schemaVersion\":\"1.0\",\"type\":\"cadmin-api-gateway\"}},\"ts\":\"2023-10-30T06:13:37.162521+0000\"}", "type": [ 
@@ -227,22 +227,22 @@ An example event for `mail` looks as following: { "@timestamp": "2024-06-19T12:28:32.533Z", "agent": { - "ephemeral_id": "63816686-915a-4d02-93cf-517339ce263d", - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "ephemeral_id": "2c2f1486-7b59-46be-8993-e51b90e0bd00", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "proofpoint_on_demand.mail", - "namespace": "68554", + "namespace": "14309", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "snapshot": false, "version": "8.13.0" }, 
@@ -261,7 +261,7 @@ An example event for `mail` looks as following: ], "dataset": "proofpoint_on_demand.mail", "id": "NABCDefGH0/I1234slqccQ", - "ingested": "2024-07-10T10:33:12Z", + "ingested": "2024-07-17T16:31:44Z", "kind": "event", "original": "{\"data\":\"2024-06-19T05:28:32.533564-07:00 m0000123 sendmail[17416]: 45ABSW12341234: to=\\u003cmailive@example.com\\u003e, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, tls_verify=OK, tls_version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM, pri=121557, relay=test4.example.net. [216.160.83.56], dsn=2.0.0, stat=Sent (Ok: queued)\",\"id\":\"NABCDefGH0/I1234slqccQ\",\"metadata\":{\"customerId\":\"c82abcde-5678-42dd-1234-1234563f9cff\",\"origin\":{\"data\":{\"agent\":\"m0000123.ppops.net\",\"cid\":\"pphosted_prodmgt_hosted\"},\"schemaVersion\":\"20200420\"}},\"pps\":{\"agent\":\"m0000123.ppops.net\",\"cid\":\"pphosted_prodmgt_hosted\"},\"sm\":{\"delay\":\"00:00:00\",\"dsn\":\"2.0.0\",\"mailer\":\"esmtp\",\"pri\":\"121557\",\"qid\":\"45ABSW12341234\",\"relay\":\"test4.example.net. [216.160.83.56]\",\"stat\":\"Sent (Ok: queued)\",\"to\":[\"\\u003cmailive@example.com\\u003e\"],\"xdelay\":\"00:00:00\"},\"tls\":{\"cipher\":\"ECDHE-RSA-AES256-GCM\",\"verify\":\"OK\",\"version\":\"TLSv1.2\"},\"ts\":\"2024-06-19T05:28:32.533564-0700\"}", "type": [ 
@@ -395,22 +395,22 @@ An example event for `message` looks as following: { "@timestamp": "2024-05-22T19:10:03.058Z", "agent": { - "ephemeral_id": "1a9e5652-213e-41c8-bf6a-60b731a7920f", - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "ephemeral_id": "c7399ce4-1dc3-4ecd-8600-6b2eefabf8c4", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "proofpoint_on_demand.message", - "namespace": "50569", + "namespace": "50314", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "0a23b9c0-d1c4-47ce-b003-9b5041aff6e9", + "id": "edea5fcb-b045-4791-8aee-17f9771265b4", "snapshot": false, "version": "8.13.0" }, 
@@ -443,7 +443,7 @@ An example event for `message` looks as following: "dataset": "proofpoint_on_demand.message", "duration": 118720000, "id": "vRq4ZIFWHXbuABCDEFghij0U4VvIc71x", - "ingested": "2024-07-10T10:34:10Z", + "ingested": "2024-07-17T16:33:05Z", "kind": "event", "original": "{\"connection\":{\"country\":\"**\",\"helo\":\"m0000123.ppops.net\",\"host\":\"localhost\",\"ip\":\"127.0.0.1\",\"protocol\":\"smtp:smtp\",\"resolveStatus\":\"ok\",\"sid\":\"3y8abcd123\",\"tls\":{\"inbound\":{\"cipher\":\"ECDHE-RSA-AES256-GCM-SHA384\",\"cipherBits\":256,\"version\":\"TLSv1.2\"}}},\"envelope\":{\"from\":\"pps@m0000123.ppops.net\",\"rcpts\":[\"pps@m0000123.ppops.net\"]},\"filter\":{\"actions\":[{\"action\":\"accept\",\"isFinal\":true,\"module\":\"access\",\"rule\":\"system\"}],\"delivered\":{\"rcpts\":[\"pps@m0000123.ppops.net\"]},\"disposition\":\"accept\",\"durationSecs\":0.11872,\"msgSizeBytes\":1127,\"qid\":\"44ABCDm0000123\",\"routeDirection\":\"outbound\",\"routes\":[\"allow_relay\",\"firewallsafe\"],\"suborgs\":{\"rcpts\":[\"0\"],\"sender\":\"0\"},\"verified\":{\"rcpts\":[\"pps@m0000123.ppops.net\"]}},\"guid\":\"vRq4ZIFWHXbuABCDEFghij0U4VvIc71x\",\"metadata\":{\"origin\":{\"data\":{\"agent\":\"m0000123.ppops.net\",\"cid\":\"pphosted_prodmgt_hosted\",\"version\":\"8.21.0.1358\"}}},\"msg\":{\"header\":{\"from\":[\"\\\"(Cron Daemon)\\\" \\u003cpps@m0000123.ppops.net\\u003e\"],\"message-id\":[\"\\u003c212345678910.44ABCDE1231370@m0000123.ppops.net\\u003e\"],\"subject\":[\"Cron \\u003cpps@m0000123\\u003e /opt/proofpoint/resttimer.pl\"],\"to\":[\"pps@m0000123.ppops.net\"]},\"lang\":\"\",\"normalizedHeader\":{\"from\":[\"\\\"(Cron Daemon)\\\" \\u003cpps@m0000123.ppops.net\\u003e\"],\"message-id\":[\"212345678910.44ABCDE1231370@m0000123.ppops.net\"],\"subject\":[\"Cron \\u003cpps@m0000123\\u003e /opt/proofpoint/resttimer.pl\"],\"to\":[\"pps@m0000123.ppops.net\"]},\"parsedAddresses\":{},\"sizeBytes\":1151},\"msgParts\":[],\"ts\":\"2024-05-22T12:10:03.058340-0700\"}", 
"type": [