[proofpoint_on_demand] Initial release of the Proofpoint On Demand (e…

…lastic#10472)

Create New integration package proofpoint_on_demand.

Added audit, mail and message data stream.
Added data collection logic for all the data stream.
Added the ingest pipeline for all the data stream.
Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files.
Added dashboards and visualizations.
Added test for pipeline for all the data stream.
Added system test cases for all the data stream.

.github/CODEOWNERS

@@ -291,6 +291,7 @@
 /packages/prometheus/data_stream/collector @elastic/obs-infraobs-integrations
 /packages/prometheus/data_stream/query @elastic/obs-infraobs-integrations
 /packages/prometheus_input @elastic/obs-infraobs-integrations
+/packages/proofpoint_on_demand @elastic/security-service-integrations
 /packages/proofpoint_tap @elastic/security-service-integrations
 /packages/pulse_connect_secure @elastic/security-service-integrations
 /packages/qualys_vmdr @elastic/security-service-integrations

packages/proofpoint_on_demand/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: [email protected]

packages/proofpoint_on_demand/_dev/build/docs/README.md

@@ -0,0 +1,86 @@
+# Proofpoint On Demand
+
+Proofpoint on Demand is a cloud-based cybersecurity platform that offers a wide range of services to protect businesses against cyber threats. This includes email security, threat intelligence, information protection, and compliance solutions. The Proofpoint on Demand integration for Elastic provides insight into the functioning and effectiveness of your email security policies, allowing you to make informed decisions to improve security posture.
+
+The Proofpoint On Demand integration collects data for Audit, Mail, and Message logs utilizing the Secure WebSocket (WSS) protocol for log streaming.
+
+## Data streams
+
+The Proofpoint On Demand integration collects data for the following three events:
+
+| Event Type                    |
+|-------------------------------|
+| Audit                         |
+| Mail                          |
+| Message                       |
+
+## Requirements
+
+Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+### Installing and managing an Elastic Agent:
+
+You have a few options for installing and managing an Elastic Agent:
+
+### Install a Fleet-managed Elastic Agent (recommended):
+
+With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.
+
+### Install Elastic Agent in standalone mode (advanced users):
+
+With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
+
+### Install Elastic Agent in a containerized environment:
+
+You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.
+
+There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html#_minimum_requirements).
+
+## Setup
+
+### To collect data from the Proofpoint On Demand Log Service:
+
+The **Cluster ID** is displayed in the upper-right corner of the management interface, next to the release number. Proofpoint will provide the token for each cluster.
+
+**NOTE**: Proofpoint On Demand Log service requires a Remote Syslog Forwarding license. Please refer the [documentation](https://proofpointcommunities.force.com/community/s/article/Proofpoint-on-Demand-Pod-Log-API) on how to enable it.
+
+### Enabling the integration in Elastic:
+
+1. In Kibana go to Management > Integrations.
+2. In "Search for integrations" search bar, type Proofpoint On Demand.
+3. Click on the "Proofpoint On Demand" integration from the search results.
+4. Click on the "Add Proofpoint On Demand" button to add the integration.
+5. Add all the required integration configuration parameters, including Cluster ID and Access Token, to enable data collection.
+6. Click on "Save and continue" to save the integration.
+
+## Logs Reference
+
+### Audit
+
+This is the `Audit` dataset.
+
+#### Example
+
+{{event "audit"}}
+
+{{fields "audit"}}
+
+### Mail
+
+This is the `Mail` dataset.
+
+#### Example
+
+{{event "mail"}}
+
+{{fields "mail"}}
+
+### Message
+
+This is the `Message` dataset.
+
+#### Example
+
+{{event "message"}}
+
+{{fields "message"}}

packages/proofpoint_on_demand/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,15 @@
+version: "2.3"
+services:
+  proofpoint_on_demand-websocket:
+    image: golang:1.21-alpine
+    hostname: proofpoint_on_demand
+    working_dir: /app
+    volumes:
+      - ./websocket-mock-service:/app
+    ports:
+      - "8443:8443"
+    healthcheck:
+      test: "wget --no-verbose --tries=1 --spider http://localhost:8443/health || exit 1"
+      interval: 10s
+      timeout: 5s
+    command: ["go", "run", "main.go"]

packages/proofpoint_on_demand/_dev/deploy/docker/websocket-mock-service/go.mod

@@ -0,0 +1,7 @@
+module websocket-mock-service
+
+go 1.21.3
+
+require github.com/gorilla/websocket v1.5.1
+
+require golang.org/x/net v0.17.0 // indirect

packages/proofpoint_on_demand/_dev/deploy/docker/websocket-mock-service/go.sum

@@ -0,0 +1,4 @@
+github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
+github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=

packages/proofpoint_on_demand/_dev/deploy/docker/websocket-mock-service/main.go

@@ -0,0 +1,61 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package main
+
+import (
+	"log"
+	"net/http"
+
+	"github.com/gorilla/websocket"
+)
+
+func main() {
+	http.HandleFunc("/", handleWebSocket)
+	log.Fatal(http.ListenAndServe(":8443", nil))
+}
+
+func handleWebSocket(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Path == "/health" {
+		return
+	}
+
+	authHeader := r.Header.Get("Authorization")
+	if authHeader != "Bearer xxxx" {
+		// If the header is incorrect, return an authentication error message
+		w.WriteHeader(http.StatusUnauthorized)
+		w.Write([]byte("Error: Authentication failed."))
+		return
+	}
+
+	upgrader := websocket.Upgrader{
+		CheckOrigin: func(r *http.Request) bool { return true },
+	}
+	conn, err := upgrader.Upgrade(w, r, nil)
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	defer conn.Close()
+
+	var responseMessage string
+
+	// Get the query parameter "type" to determine the type of message to send
+	typeParam := r.URL.Query().Get("type")
+
+	if typeParam == "audit" {
+		responseMessage = `{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"1.128.0.0"}},"guid":"792f514f-15cb-480d-825e-e3565d32f928","metadata":{"customerId":"c8215678-6e78-42dd-a327-abcde13f9cff","origin":{"data":{"agent":"89.160.20.128","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-30T06:13:37.162521+0000"}`
+	} else if typeParam == "maillog" {
+		responseMessage = `{"data":"2024-06-19T05:28:32.533564-07:00 m0000123 sendmail[17416]: 45ABSW12341234: to=<[email protected]>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, tls_verify=OK, tls_version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM, pri=121557, relay=test4.example.net. [216.160.83.56], dsn=2.0.0, stat=Sent (Ok: queued)","id":"NABCDefGH0/I1234slqccQ","metadata":{"customerId":"c82abcde-5678-42dd-1234-1234563f9cff","origin":{"data":{"agent":"m0000123.ppops.net","cid":"pphosted_prodmgt_hosted"},"schemaVersion":"20200420"}},"pps":{"agent":"m0000123.ppops.net","cid":"pphosted_prodmgt_hosted"},"sm":{"delay":"00:00:00","dsn":"2.0.0","mailer":"esmtp","pri":"121557","qid":"45ABSW12341234","relay":"test4.example.net. [216.160.83.56]","stat":"Sent (Ok: queued)","to":["<[email protected]>"],"xdelay":"00:00:00"},"tls":{"cipher":"ECDHE-RSA-AES256-GCM","verify":"OK","version":"TLSv1.2"},"ts":"2024-06-19T05:28:32.533564-0700"}`
+	} else {
+		responseMessage = `{"connection":{"country":"**","helo":"m0000123.ppops.net","host":"localhost","ip":"127.0.0.1","protocol":"smtp:smtp","resolveStatus":"ok","sid":"3y8abcd123","tls":{"inbound":{"cipher":"ECDHE-RSA-AES256-GCM-SHA384","cipherBits":256,"version":"TLSv1.2"}}},"envelope":{"from":"[email protected]","rcpts":["[email protected]"]},"filter":{"actions":[{"action":"accept","isFinal":true,"module":"access","rule":"system"}],"delivered":{"rcpts":["[email protected]"]},"disposition":"accept","durationSecs":0.11872,"msgSizeBytes":1127,"qid":"44ABCDm0000123","routeDirection":"outbound","routes":["allow_relay","firewallsafe"],"suborgs":{"rcpts":["0"],"sender":"0"},"verified":{"rcpts":["[email protected]"]}},"guid":"vRq4ZIFWHXbuABCDEFghij0U4VvIc71x","metadata":{"origin":{"data":{"agent":"m0000123.ppops.net","cid":"pphosted_prodmgt_hosted","version":"8.21.0.1358"}}},"msg":{"header":{"from":["\"(Cron Daemon)\" <[email protected]>"],"message-id":["<[email protected]>"],"subject":["Cron <pps@m0000123> /opt/proofpoint/resttimer.pl"],"to":["[email protected]"]},"lang":"","normalizedHeader":{"from":["\"(Cron Daemon)\" <[email protected]>"],"message-id":["[email protected]"],"subject":["Cron <pps@m0000123> /opt/proofpoint/resttimer.pl"],"to":["[email protected]"]},"parsedAddresses":{},"sizeBytes":1151},"msgParts":[],"ts":"2024-05-22T12:10:03.058340-0700"}`
+	}
+
+	// Send a json log message to the client
+	err = conn.WriteMessage(websocket.TextMessage, []byte(responseMessage))
+	if err != nil {
+		log.Println("write:", err)
+		return
+	}
+}

packages/proofpoint_on_demand/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+  changes:
+    - description: Initial release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10472

packages/proofpoint_on_demand/data_stream/audit/_dev/test/pipeline/test-audit.log

@@ -0,0 +1,14 @@
+{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-4621-1234-abcdefc3b3e6","ipAddress":"89.160.20.128"}},"guid":"7061cc5e-72f4-4f4b-984e-8338a585c011","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.144","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-25T21:49:38.968838+0000"}
+{"audit":{"action":"create","level":"INFO","resourceName":"new_test_key","resourceType":"config","tags":[{"name":"eventSubCategory","value":"threatProtectionApiKeys"},{"name":"eventDetails","value":"Create New Threat Protection API Key with name new_test_key"},{"name":"create.threatProtectionApiKeys","value":"true"}],"user":{"email":"[email protected]","id":"abcdefg4-1234-4621-1234-bcbf45123456","ipAddress":"1.128.0.0"}},"guid":"762e1234-1234-4690-abcd-c1954e5364d4","metadata":{"customerId":"c821c1de-6e78-1234-5678-abcdefgf9cff","origin":{"data":{"agent":"81.2.69.144","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-25T21:49:55.605152+0000"}
+{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-4621-5678-abcdefc3b3e6","ipAddress":"1.128.0.0"}},"guid":"7991abcd-1234-480c-1234-abcdef1cf43e","metadata":{"customerId":"c8211234-6e78-42dd-a327-abcde13f9cff","origin":{"data":{"agent":"175.16.199.1","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-25T21:50:32.575108+0000"}
+{"audit":{"action":"delete","level":"INFO","resourceName":"new_test_key","resourceType":"config","tags":[{"name":"eventSubCategory","value":"threatProtectionApiKeys"},{"name":"eventDetails","value":"Revoke Threat Protection API Key with name new_test_key"},{"name":"delete.threatProtectionApiKeys","value":"true"}],"user":{"email":"[email protected]","id":"abcdefg4-1234-1234-b6a4-bcbf45123456","ipAddress":"175.16.199.1"}},"guid":"3b8abcdef-1234-42e1-5678-abcde8192536","metadata":{"customerId":"c821c1de-6e78-1234-5678-abcdefgf9cff","origin":{"data":{"agent":"175.16.199.1","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-25T21:50:48.115372+0000"}
+{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"1.128.0.0"}},"guid":"792f514f-15cb-480d-825e-e3565d32f928","metadata":{"customerId":"c8215678-6e78-42dd-a327-abcde13f9cff","origin":{"data":{"agent":"89.160.20.128","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2023-10-30T06:13:37.162521+0000"}
+{"audit":{"action":"logout","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"logout.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"67.43.156.0"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"175.16.199.1","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-06-21T21:28:42.143478+0000"}
+{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"81.2.69.142"}},"guid":"abcdefd5c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.192","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-16T08:36:51.768822+0000"}
+{"audit":{"action":"create","level":"INFO","resourceName":"test_route","resourceType":"policy_routes","tags":[{"name":"eventSubCategory","value":"policyRoutes"},{"name":"eventDetails","value":"Policy Route: test_route and Description: ."},{"name":"create.policyRoutes","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"216.160.83.56"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.192","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-16T10:25:02.417831+0000"}
+{"audit":{"action":"delete","level":"INFO","resourceName":"test_route","resourceType":"policy_routes","tags":[{"name":"eventSubCategory","value":"policyRoutes"},{"name":"eventDetails","value":"Policy Route: test_route"},{"name":"delete.policyRoutes","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"81.2.69.142"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.192","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-16T10:28:57.048728+0000"}
+{"audit":{"action":"execute","level":"INFO","resourceType":"smart_search","tags":[{"name":"eventSubCategory","value":"search"},{"name":"eventDetails","value":"Search Query: {\"uiDateRange\":\"last.24.hours\",\"cid\":\"pphosted_prodmgt_hosted\",\"from\":\"2024-04-15T10:29:53.376Z\",\"to\":\"2024-04-16T10:29:53.376Z\"} and result count is [2000]"},{"name":"execute.search","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"89.160.20.112"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"89.160.20.112","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-16T10:29:54.489540+0000"}
+{"audit":{"action":"execute","level":"INFO","resourceType":"smart_search","tags":[{"name":"eventSubCategory","value":"search"},{"name":"eventDetails","value":"Search Query: {\"uiDateRange\":\"last.24.hours\",\"cid\":\"pphosted_prodmgt_hosted\",\"from\":\"2024-04-15T10:30:36.531Z\",\"to\":\"2024-04-16T10:30:36.531Z\",\"action\":\"reject\"} and result count is [0]"},{"name":"execute.search","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"89.160.20.112"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"89.160.20.112","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-16T10:30:37.114184+0000"}
+{"audit":{"action":"edit","level":"INFO","resourceName":"test_4","resourceType":"spam_module","tags":[{"name":"eventSubCategory","value":"spamDetection.policies"},{"name":"eventDetails","value":"Policy name: test_4 and Description: "},{"name":"edit.spamDetection.policies","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"216.160.83.56"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.192","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-22T17:59:35.420853+0000"}
+{"audit":{"action":"login","level":"INFO","resourceType":"authorization","tags":[{"name":"eventSubCategory","value":"authorization"},{"name":"eventDetails","value":""},{"name":"login.authorization","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"175.16.199.1"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"81.2.69.192","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-04-23T17:27:29.412463+0000"}
+{"audit":{"action":"read","level":"INFO","resourceName":"40AbcD123456789","resourceType":"smart_search","tags":[{"name":"eventSubCategory","value":"sendMailSearch"},{"name":"eventDetails","value":"Sendmail search request : \u0026qid=40AbcD123456789\u0026cid=pphosted_prodmgt_hosted\u0026from=2024-01-16T04:55:02.291514-0800 and the result count is [2]"},{"name":"read.sendMailSearch","value":"true"}],"user":{"email":"[email protected]","id":"a7e6abcd-1234-7901-1234-abcdefc31236","ipAddress":"81.2.69.192"}},"guid":"abcdefb9c-1234-5678-9123-1234567eb3e4","metadata":{"customerId":"c8211234-1234-5678-a327-abcde13f9cff","origin":{"data":{"agent":"89.160.20.112","cid":"pphosted_prodmgt_hosted","version":"1.0"},"schemaVersion":"1.0","type":"cadmin-api-gateway"}},"ts":"2024-01-16T12:56:27.145800+0000"}