
[proofpoint_on_demand] Initial release of the Proofpoint On Demand #10472

Merged
merged 5 commits into from
Jul 25, 2024

Conversation

brijesh-elastic
Contributor

Proposed commit message

Create new integration package proofpoint_on_demand.

  • Added audit, mail and message data streams.
  • Added data collection logic for all the data streams.
  • Added the ingest pipeline for all the data streams.
  • Mapped fields according to the ECS schema and added field metadata in the appropriate yml files.
  • Added dashboards and visualizations.
  • Added pipeline tests for all the data streams.
  • Added system test cases for all the data streams.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

  • Clone the integrations repo.
  • Install elastic-package locally.
  • Start the Elastic stack using elastic-package.
  • Move to the integrations/packages/proofpoint_on_demand directory.
  • Run the following command to run the tests.

elastic-package test

--- Test results for package: proofpoint_on_demand - START ---
╭──────────────────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE              │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├──────────────────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ proofpoint_on_demand │ audit       │ static    │ Verify sample_event.json │ PASS   │  123.94021ms │
│ proofpoint_on_demand │ mail        │ static    │ Verify sample_event.json │ PASS   │ 128.099553ms │
│ proofpoint_on_demand │ message     │ static    │ Verify sample_event.json │ PASS   │   145.2949ms │
╰──────────────────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: proofpoint_on_demand - END   ---
Done
--- Test results for package: proofpoint_on_demand - START ---
╭──────────────────────┬─────────────┬───────────┬─────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE              │ DATA STREAM │ TEST TYPE │ TEST NAME                                   │ RESULT │ TIME ELAPSED │
├──────────────────────┼─────────────┼───────────┼─────────────────────────────────────────────┼────────┼──────────────┤
│ proofpoint_on_demand │ audit       │ pipeline  │ (ingest pipeline warnings test-audit.log)   │ PASS   │ 334.507862ms │
│ proofpoint_on_demand │ audit       │ pipeline  │ test-audit.log                              │ PASS   │ 415.951639ms │
│ proofpoint_on_demand │ mail        │ pipeline  │ (ingest pipeline warnings test-mail.log)    │ PASS   │ 316.577142ms │
│ proofpoint_on_demand │ mail        │ pipeline  │ test-mail.log                               │ PASS   │ 351.665205ms │
│ proofpoint_on_demand │ message     │ pipeline  │ (ingest pipeline warnings test-message.log) │ PASS   │ 282.115325ms │
│ proofpoint_on_demand │ message     │ pipeline  │ test-message.log                            │ PASS   │ 871.319284ms │
╰──────────────────────┴─────────────┴───────────┴─────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: proofpoint_on_demand - END   ---
Done
--- Test results for package: proofpoint_on_demand - START ---
╭──────────────────────┬─────────────┬───────────┬───────────────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE              │ DATA STREAM │ TEST TYPE │ TEST NAME                                                                     │ RESULT │ TIME ELAPSED │
├──────────────────────┼─────────────┼───────────┼───────────────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ proofpoint_on_demand │             │ asset     │ dashboard proofpoint_on_demand-77feed4b-c40f-45f4-b9dd-7094a6877609 is loaded │ PASS   │      4.997µs │
│ proofpoint_on_demand │             │ asset     │ dashboard proofpoint_on_demand-ae89dee7-9dc7-4121-ba6a-93c408307ee4 is loaded │ PASS   │      1.152µs │
│ proofpoint_on_demand │             │ asset     │ dashboard proofpoint_on_demand-e84a69fa-843b-4697-8b9c-cd9b005581ef is loaded │ PASS   │      1.233µs │
│ proofpoint_on_demand │             │ asset     │ search proofpoint_on_demand-47445983-1383-4de7-9a0a-3f39f46e5b5c is loaded    │ PASS   │      1.323µs │
│ proofpoint_on_demand │             │ asset     │ search proofpoint_on_demand-7748df39-1f80-4506-8e47-afac86766d3d is loaded    │ PASS   │      1.047µs │
│ proofpoint_on_demand │             │ asset     │ search proofpoint_on_demand-f73aa7a7-3a1d-41aa-b462-308dd0fb347b is loaded    │ PASS   │      1.084µs │
│ proofpoint_on_demand │ audit       │ asset     │ index_template logs-proofpoint_on_demand.audit is loaded                      │ PASS   │        988ns │
│ proofpoint_on_demand │ audit       │ asset     │ ingest_pipeline logs-proofpoint_on_demand.audit-0.1.0 is loaded               │ PASS   │        931ns │
│ proofpoint_on_demand │ mail        │ asset     │ index_template logs-proofpoint_on_demand.mail is loaded                       │ PASS   │        986ns │
│ proofpoint_on_demand │ mail        │ asset     │ ingest_pipeline logs-proofpoint_on_demand.mail-0.1.0 is loaded                │ PASS   │        973ns │
│ proofpoint_on_demand │ message     │ asset     │ index_template logs-proofpoint_on_demand.message is loaded                    │ PASS   │      1.008µs │
│ proofpoint_on_demand │ message     │ asset     │ ingest_pipeline logs-proofpoint_on_demand.message-0.1.0 is loaded             │ PASS   │        843ns │
╰──────────────────────┴─────────────┴───────────┴───────────────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: proofpoint_on_demand - END   ---
Done
--- Test results for package: proofpoint_on_demand - START ---
╭──────────────────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE              │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├──────────────────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ proofpoint_on_demand │ audit       │ system    │ default   │ PASS   │ 53.695690723s │
│ proofpoint_on_demand │ mail        │ system    │ default   │ PASS   │ 38.289262876s │
│ proofpoint_on_demand │ message     │ system    │ default   │ PASS   │ 37.409306523s │
╰──────────────────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: proofpoint_on_demand - END   ---
Done

Related issues

Screenshots

Integration Page
Overview Page

@kcreddy kcreddy added Crest Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Jul 16, 2024
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@kcreddy
Contributor

kcreddy commented Jul 16, 2024

@brijesh-elastic Looks like CI is failing on system tests. Can you please check?

@ShourieG
Contributor

ShourieG commented Jul 17, 2024

Hi @brijesh-elastic, we need to add a health check to the mock service container in the docker compose and the respective /health uri path in the mock server code to resolve the system tests issue, similar to this PR.
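The health check the comment above asks for, as an added example that is not the PR's own mock server: a minimal Go mock service (standard library only, assumed to be in the style elastic-package system tests use) exposing the /health path that the docker compose `healthcheck:` stanza probes, so the system test waits for the container to be ready instead of failing early. The /v1/sample route and its payload are constructed for illustration; the real API paths are not shown on this page.

```go
// Added example, not the PR's mock server. Assumes the compose service uses
// something like: healthcheck: {test: ["CMD", "curl", "-f", "http://localhost:8080/health"]}
package main

import (
	"encoding/json"
	"log"
	"net/http"
)

// newMux wires the mock routes. /health answers 200 only once the listener is
// actually serving, which is what makes the compose healthcheck meaningful.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte("ok"))
	})
	// Constructed sample data endpoint: it refuses unauthenticated calls so the
	// system test also exercises the credential wiring of the integration.
	mux.HandleFunc("/v1/sample", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			http.Error(w, "missing credentials", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode([]map[string]string{{"id": "constructed-1"}})
	})
	return mux
}

func main() {
	log.Fatal(http.ListenAndServe(":8080", newMux()))
}
```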

@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

},
{
"name": "login.authorization",
"value": "true"
Contributor


event.outcome can be derived from here.

"email": {
"from": {
"address": [
"<mailive@example.com>"
Contributor


You might need to remove characters < and > from *address and message_id

],
"id": "ZeYABCDefghN0123456OyA",
"kind": "event",
"original": "{\"pps\":{\"agent\":\"example.proofpoint.com\",\"cid\":\"mmg_abcd001\"},\"ts\":\"2023-08-17T14:54:12.949180-07:00\",\"data\":\"2017-08-17T14:54:12.949180-07:00 example sendmail[30641]: ABcDqYbx123123: to=jack@example.com, ctladdr=<user1@example.com> (8/0), delay=00:00:00, xdelay=00:00:00, mailer=*file*, tls_verify=NONE, pri=35342, dsn=2.0.0, stat=Sent\",\"sm\":{\"tls\":{\"verify\":\"NONE\"},\"stat\":\"Sent\",\"qid\":\"ABcDqYbx123123\",\"dsn\":\"2.0.0\",\"mailer\":\"*file*\",\"to\":[\"jack@example.com\"],\"ctladdr\":\"<user1@example.com> (8/0)\",\"delay\":\"00:00:00\",\"xdelay\":\"00:00:00\",\"pri\":35342},\"id\":\"ZeYABCDefghN0123456OyA\"}",
Contributor


This event doesn't have a from= address, so the from could be derived from ctladdr
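The three review points above (stripping < and > from addresses and message_id, falling back to ctladdr when no from= address is present, and deriving event.outcome from login.authorization), written out as plain Go so the behaviour can be checked. This is an added example, not the PR's ingest pipeline; it assumes the sendmail-style ctladdr format shown in the sample event, "<user1@example.com> (8/0)".

```go
// Added example, not the PR's ingest pipeline. Mirrors what the reviewers ask
// the pipeline to do, in testable Go.
package main

import "strings"

// stripAngle removes the surrounding <...> that sendmail puts around
// addresses and message IDs: "<a@b>" becomes "a@b"; plain values are unchanged.
func stripAngle(s string) string {
	return strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(s), "<"), ">")
}

// fromAddress returns the sender: the from= value when present, otherwise the
// address inside ctladdr (assumed "<user1@example.com> (8/0)"; the uid/gid
// suffix is dropped). Returns "" rather than a bogus sender for odd values.
func fromAddress(from, ctladdr string) string {
	if strings.TrimSpace(from) != "" {
		return stripAngle(from)
	}
	if fields := strings.Fields(ctladdr); len(fields) > 0 && strings.Contains(fields[0], "@") {
		return stripAngle(fields[0])
	}
	return ""
}

// outcome maps the audit event's "login.authorization" string to an ECS
// event.outcome value; anything not explicitly true/false stays unknown.
func outcome(authorization string) string {
	switch strings.ToLower(strings.TrimSpace(authorization)) {
	case "true":
		return "success"
	case "false":
		return "failure"
	}
	return "unknown"
}
```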

@elasticmachine

💚 Build Succeeded

History

@kcreddy kcreddy merged commit 59b8247 into elastic:main Jul 25, 2024
5 checks passed
@elasticmachine

Package proofpoint_on_demand - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=proofpoint_on_demand

@andrewkroh andrewkroh added the Integration:proofpoint_on_demand Proofpoint On Demand label Aug 12, 2024
jvalente-salemstate pushed a commit to jvalente-salemstate/integrations that referenced this pull request Aug 21, 2024
…lastic#10472)
