[proofpoint_on_demand] Initial release of the Proofpoint On Demand #10472

Merged
merged 5 commits into from
Jul 25, 2024
1 change: 1 addition & 0 deletions .github/CODEOWNERS
@@ -291,6 +291,7 @@
/packages/prometheus/data_stream/collector @elastic/obs-infraobs-integrations
/packages/prometheus/data_stream/query @elastic/obs-infraobs-integrations
/packages/prometheus_input @elastic/obs-infraobs-integrations
/packages/proofpoint_on_demand @elastic/security-service-integrations
/packages/proofpoint_tap @elastic/security-service-integrations
/packages/pulse_connect_secure @elastic/security-service-integrations
/packages/qualys_vmdr @elastic/security-service-integrations
3 changes: 3 additions & 0 deletions packages/proofpoint_on_demand/_dev/build/build.yml
@@ -0,0 +1,3 @@
dependencies:
ecs:
reference: [email protected]
86 changes: 86 additions & 0 deletions packages/proofpoint_on_demand/_dev/build/docs/README.md
@@ -0,0 +1,86 @@
# Proofpoint On Demand

Proofpoint on Demand is a cloud-based cybersecurity platform that offers a wide range of services to protect businesses against cyber threats. This includes email security, threat intelligence, information protection, and compliance solutions. The Proofpoint on Demand integration for Elastic provides insight into the functioning and effectiveness of your email security policies, allowing you to make informed decisions to improve security posture.

The Proofpoint On Demand integration collects data for Audit, Mail, and Message logs utilizing the Secure WebSocket (WSS) protocol for log streaming.

## Data streams

The Proofpoint On Demand integration collects data for the following three events:

| Event Type |
|-------------------------------|
| Audit |
| Mail |
| Message |

## Requirements

Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).

### Installing and managing an Elastic Agent:

You have a few options for installing and managing an Elastic Agent:

### Install a Fleet-managed Elastic Agent (recommended):

With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.

### Install Elastic Agent in standalone mode (advanced users):

With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.

### Install Elastic Agent in a containerized environment:

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html#_minimum_requirements).

## Setup

### To collect data from the Proofpoint On Demand Log Service:

The **Cluster ID** is displayed in the upper-right corner of the management interface, next to the release number. Proofpoint will provide the token for each cluster.

**NOTE**: Proofpoint On Demand Log service requires a Remote Syslog Forwarding license. Please refer the [documentation](https://proofpointcommunities.force.com/community/s/article/Proofpoint-on-Demand-Pod-Log-API) on how to enable it.

### Enabling the integration in Elastic:

1. In Kibana go to Management > Integrations.
2. In "Search for integrations" search bar, type Proofpoint On Demand.
3. Click on the "Proofpoint On Demand" integration from the search results.
4. Click on the "Add Proofpoint On Demand" button to add the integration.
5. Add all the required integration configuration parameters, including Cluster ID and Access Token, to enable data collection.
6. Click on "Save and continue" to save the integration.

## Logs Reference

### Audit

This is the `Audit` dataset.

#### Example

{{event "audit"}}

{{fields "audit"}}

### Mail

This is the `Mail` dataset.

#### Example

{{event "mail"}}

{{fields "mail"}}

### Message

This is the `Message` dataset.

#### Example

{{event "message"}}

{{fields "message"}}
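Review bot: the NOTE in the Setup section reads "Please refer the [documentation]"; it should be "Please refer to the [documentation]". Also, the "Installing and managing an Elastic Agent" heading and its three installation options all use `###`, so the options render as siblings of the introductory heading rather than as its children; demote the three option headings to `####` (or turn them into a list) so the structure matches the sentence "You have a few options". Finally, the data streams table has a single column with no description, so a plain bullet list of the three datasets, each with the one-line description used later under Logs Reference, would read better than a table.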
@@ -0,0 +1,15 @@
version: "2.3"
services:
proofpoint_on_demand-websocket:
image: golang:1.21-alpine
hostname: proofpoint_on_demand
working_dir: /app
volumes:
- ./websocket-mock-service:/app
ports:
- "8443:8443"
healthcheck:
test: "wget --no-verbose --tries=1 --spider http://localhost:8443/health || exit 1"
interval: 10s
timeout: 5s
command: ["go", "run", "main.go"]
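Review bot: `command: ["go", "run", "main.go"]` on a stock `golang:1.21-alpine` image has to download `github.com/gorilla/websocket` and compile the service on every container start, while the healthcheck begins probing `http://localhost:8443/health` immediately with a 10s interval, 5s timeout and no `start_period`; on a slow or offline CI runner the default retry budget can be exhausted before the listener is up and the service is marked unhealthy. Add a `start_period` (for example `start_period: 30s`) to the healthcheck, or build the binary in an image layer so start-up is deterministic and does not depend on network access.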
@@ -0,0 +1,7 @@
module websocket-mock-service

go 1.21.3

require github.com/gorilla/websocket v1.5.1

require golang.org/x/net v0.17.0 // indirect
@@ -0,0 +1,4 @@
github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
@@ -0,0 +1,61 @@
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.

package main

import (
"log"
"net/http"

"github.com/gorilla/websocket"
)

func main() {
http.HandleFunc("/", handleWebSocket)
log.Fatal(http.ListenAndServe(":8443", nil))
}

func handleWebSocket(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/health" {
return
}

authHeader := r.Header.Get("Authorization")
if authHeader != "Bearer xxxx" {
// If the header is incorrect, return an authentication error message
w.WriteHeader(http.StatusUnauthorized)
w.Write([]byte("Error: Authentication failed."))
return
}

upgrader := websocket.Upgrader{
CheckOrigin: func(r *http.Request) bool { return true },
}
conn, err := upgrader.Upgrade(w, r, nil)
if err != nil {
log.Println(err)
return
}
defer conn.Close()

var responseMessage string

// Get the query parameter "type" to determine the type of message to send
typeParam := r.URL.Query().Get("type")

if typeParam == "audit" {
responseMessage = `{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"1.128.0.0"}},"guid":"792f514f-15cb-480d-825e-e3565d32f928","metadata":{"customerId":"c8215678-6e78-42dd-a327-abcde13f9cff","origin":{"data":{"agent":"89.160.20.128","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-30T06:13:37.162521+0000"}`
} else if typeParam == "maillog" {
responseMessage = `{"data":"2024-06-19T05:28:32.533564-07:00 m0000123 sendmail[17416]: 45ABSW12341234: to=<[email protected]>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, tls_verify=OK, tls_version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM, pri=121557, relay=test4.example.net. [216.160.83.56], dsn=2.0.0, stat=Sent (Ok: queued)","id":"NABCDefGH0/I1234slqccQ","metadata":{"customerId":"c82abcde-5678-42dd-1234-1234563f9cff","origin":{"data":{"agent":"m0000123.ppops.net","cid":"pphosted_prodmgt_hosted"},"schemaVersion":"20200420"}},"pps":{"agent":"m0000123.ppops.net","cid":"pphosted_prodmgt_hosted"},"sm":{"delay":"00:00:00","dsn":"2.0.0","mailer":"esmtp","pri":"121557","qid":"45ABSW12341234","relay":"test4.example.net. [216.160.83.56]","stat":"Sent (Ok: queued)","to":["<[email protected]>"],"xdelay":"00:00:00"},"tls":{"cipher":"ECDHE-RSA-AES256-GCM","verify":"OK","version":"TLSv1.2"},"ts":"2024-06-19T05:28:32.533564-0700"}`
} else {
responseMessage = `{"connection":{"country":"**","helo":"m0000123.ppops.net","host":"localhost","ip":"127.0.0.1","protocol":"smtp:smtp","resolveStatus":"ok","sid":"3y8abcd123","tls":{"inbound":{"cipher":"ECDHE-RSA-AES256-GCM-SHA384","cipherBits":256,"version":"TLSv1.2"}}},"envelope":{"from":"[email protected]","rcpts":["[email protected]"]},"filter":{"actions":[{"action":"accept","isFinal":true,"module":"access","rule":"system"}],"delivered":{"rcpts":["[email protected]"]},"disposition":"accept","durationSecs":0.11872,"msgSizeBytes":1127,"qid":"44ABCDm0000123","routeDirection":"outbound","routes":["allow_relay","firewallsafe"],"suborgs":{"rcpts":["0"],"sender":"0"},"verified":{"rcpts":["[email protected]"]}},"guid":"vRq4ZIFWHXbuABCDEFghij0U4VvIc71x","metadata":{"origin":{"data":{"agent":"m0000123.ppops.net","cid":"pphosted_prodmgt_hosted","version":"8.21.0.1358"}}},"msg":{"header":{"from":["\"(Cron Daemon)\" <[email protected]>"],"message-id":["<[email protected]>"],"subject":["Cron <pps@m0000123> /opt/proofpoint/resttimer.pl"],"to":["[email protected]"]},"lang":"","normalizedHeader":{"from":["\"(Cron Daemon)\" <[email protected]>"],"message-id":["[email protected]"],"subject":["Cron <pps@m0000123> /opt/proofpoint/resttimer.pl"],"to":["[email protected]"]},"parsedAddresses":{},"sizeBytes":1151},"msgParts":[],"ts":"2024-05-22T12:10:03.058340-0700"}`
}

// Send a json log message to the client
err = conn.WriteMessage(websocket.TextMessage, []byte(responseMessage))
if err != nil {
log.Println("write:", err)
return
}
}
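Review bot: `handleWebSocket` writes one text frame and then returns, so the deferred `conn.Close()` drops the TCP connection without a WebSocket close handshake and the client observes an abnormal closure (1006) instead of a clean end of stream; send a close frame before returning, e.g. `conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))`, so the input under test sees the same shutdown a real server would produce. Two smaller points: `CheckOrigin: func(r *http.Request) bool { return true }` disables the same-origin check, which is fine for a test fixture but deserves a comment saying it is mock-only so the file is not copied into production code as-is; and the `/health` branch relies on the implicit 200 from net/http, so an explicit `w.WriteHeader(http.StatusOK)` would document that the healthcheck path is intentionally unauthenticated.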
6 changes: 6 additions & 0 deletions packages/proofpoint_on_demand/changelog.yml
@@ -0,0 +1,6 @@
# newer versions go on top
- version: "0.1.0"
changes:
- description: Initial release.
type: enhancement
link: https://github.com/elastic/integrations/pull/10472
@@ -0,0 +1,14 @@
{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-4621-1234-abcdefc3b3e6","ipAddress":"89.160.20.128"}},"guid":"7061cc5e-72f4-4f4b-984e-8338a585c011","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.144","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-25T21:49:38.968838+0000"}
{"audit":{"action":"create","level":"INFO","resourceName":"new_test_key","resourceType":"config","tags":[{"name":"eventSubCategory","value":"threatProtectionApiKeys"},{"name":"eventDetails","value":"Create New Threat Protection API Key with name new_test_key"},{"name":"create.threatProtectionApiKeys","value":"true"}],"user":{"email":"[email protected]","id":"abcdefg4-1234-4621-1234-bcbf45123456","ipAddress":"1.128.0.0"}},"guid":"762e1234-1234-4690-abcd-c1954e5364d4","metadata":{"customerId":"c821c1de-6e78-1234-5678-abcdefgf9cff","origin":{"data":{"agent":"81.2.69.144","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-25T21:49:55.605152+0000"}
{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-4621-5678-abcdefc3b3e6","ipAddress":"1.128.0.0"}},"guid":"7991abcd-1234-480c-1234-abcdef1cf43e","metadata":{"customerId":"c8211234-6e78-42dd-a327-abcde13f9cff","origin":{"data":{"agent":"175.16.199.1","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-25T21:50:32.575108+0000"}
{"audit":{"action":"delete","level":"INFO","resourceName":"new_test_key","resourceType":"config","tags":[{"name":"eventSubCategory","value":"threatProtectionApiKeys"},{"name":"eventDetails","value":"Revoke Threat Protection API Key with name new_test_key"},{"name":"delete.threatProtectionApiKeys","value":"true"}],"user":{"email":"[email protected]","id":"abcdefg4-1234-1234-b6a4-bcbf45123456","ipAddress":"175.16.199.1"}},"guid":"3b8abcdef-1234-42e1-5678-abcde8192536","metadata":{"customerId":"c821c1de-6e78-1234-5678-abcdefgf9cff","origin":{"data":{"agent":"175.16.199.1","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-25T21:50:48.115372+0000"}
{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"1.128.0.0"}},"guid":"792f514f-15cb-480d-825e-e3565d32f928","metadata":{"customerId":"c8215678-6e78-42dd-a327-abcde13f9cff","origin":{"data":{"agent":"89.160.20.128","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-30T06:13:37.162521+0000"}
{"audit":{"action":"logout","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"logout.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"67.43.156.0"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"175.16.199.1","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-06-21T21:28:42.143478+0000"}
{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"81.2.69.142"}},"guid":"abcdefd5c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.192","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-16T08:36:51.768822+0000"}
{"audit":{"action":"create","level":"INFO","resourceName":"test_route","resourceType":"policy_routes","tags":[{"name":"eventSubCategory","value":"policyRoutes"},{"name":"eventDetails","value":"Policy Route: test_route and Description: ."},{"name":"create.policyRoutes","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"216.160.83.56"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.192","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-16T10:25:02.417831+0000"}
{"audit":{"action":"delete","level":"INFO","resourceName":"test_route","resourceType":"policy_routes","tags":[{"name":"eventSubCategory","value":"policyRoutes"},{"name":"eventDetails","value":"Policy Route: test_route"},{"name":"delete.policyRoutes","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"81.2.69.142"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.192","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-16T10:28:57.048728+0000"}
{"audit":{"action":"execute","level":"INFO","resourceType":"smart_search","tags":[{"name":"eventSubCategory","value":"search"},{"name":"eventDetails","value":"Search Query: {\"uiDateRange\":\"last.24.hours\",\"cid\":\"pphosted_prodmgt_hosted\",\"from\":\"2024-04-15T10:29:53.376Z\",\"to\":\"2024-04-16T10:29:53.376Z\"} and result count is [2000]"},{"name":"execute.search","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"89.160.20.112"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"89.160.20.112","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-16T10:29:54.489540+0000"}
{"audit":{"action":"execute","level":"INFO","resourceType":"smart_search","tags":[{"name":"eventSubCategory","value":"search"},{"name":"eventDetails","value":"Search Query: {\"uiDateRange\":\"last.24.hours\",\"cid\":\"pphosted_prodmgt_hosted\",\"from\":\"2024-04-15T10:30:36.531Z\",\"to\":\"2024-04-16T10:30:36.531Z\",\"action\":\"reject\"} and result count is [0]"},{"name":"execute.search","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"89.160.20.112"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"89.160.20.112","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-16T10:30:37.114184+0000"}
{"audit":{"action":"edit","level":"INFO","resourceName":"test_4","resourceType":"spam_module","tags":[{"name":"eventSubCategory","value":"spamDetection.policies"},{"name":"eventDetails","value":"Policy name: test_4 and Description: "},{"name":"edit.spamDetection.policies","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"216.160.83.56"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.192","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-22T17:59:35.420853+0000"}
{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"175.16.199.1"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.192","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-23T17:27:29.412463+0000"}
{"audit":{"action":"read","level":"INFO","resourceName":"40AbcD123456789","resourceType":"smart_search","tags":[{"name":"eventSubCategory","value":"sendMailSearch"},{"name":"eventDetails","value":"Sendmail search request : \u0026qid=40AbcD123456789\u0026cid=pphosted_prodmgt_hosted\u0026from=2024-01-16T04:55:02.291514-0800 and the result count is [2]"},{"name":"read.sendMailSearch","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"81.2.69.192"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"89.160.20.112","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-01-16T12:56:27.145800+0000"}
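Review bot: the logout event and the seven events after the second login all carry the same `guid` (`abcdefb9c-1234-5678-9123-1234567eb3e4`) although they describe distinct actions (policy route create and delete, two smart searches, a spam policy edit, a login and a sendmail search); if the ingest pipeline maps `guid` to `event.id` or uses it as the document `_id`, these samples would collapse into one document and the expected-output test would not exercise per-event identity. Give each sample its own `guid`, matching the per-event values the first six lines already use.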