[proofpoint_essentials] Initial Release of Proofpoint Essentials

[brijesh-elastic]

Proposed commit message

proofpoint_essentials: Initial Release of Proofpoint Essentials

The Proofpoint Essentials integration with Elastic enables the
collection of threats for monitoring and analysis. This valuable data
can be leveraged within Elastic to analyze potential threat signals,
including spam, phishing, business email compromise (BEC), imposter
emails, ransomware, and malware.

The integration collects threats using the (Essentials Threat API)
[1], after which they are rerouted to different data streams based on
their types.
- clicks_blocked
- clicks_permitted
- message_blocked
- message_delivered

Sanitized test case inputs were obtained from live Proofpoint Essentials
instance using the Essentials Threat API.

[1] https://help.proofpoint.com/Essentials/Additional_Resources/API_Documentation/Essentials_Threat_API

Note

• The integration uses routing rules to route events to a different data streams from a central threat data stream. System test were not feasible due to this. The elastic-package issue is tracked at Allow data stream overrides in system tests for specific integration packages elastic-package#1917

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

• Clone integrations repo.
• Install elastic package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/proofpoint_essentials directory.
• Run the following command to run tests.

elastic-package test

Related issues

• Closes [New Integration] Proofpoint Essentials #14603
• Relates https://github.com/elastic/enhancements/issues/25240

Screenshots

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 1f52a15

cc @brijesh-elastic

[efd6]

Suggested change

	description: The customers entity ID.
	description: The customer's entity ID.

(throughout)

[efd6]

Suggested change

	description: The true, detected Content-Type of the messagePart. This may differ from the oContentType value.
	description: The true, detected Content-Type of the messagePart. This may differ from the `o_content_type` value.

(throughout)

I think probably that generally the camelCase names in the descriptions should be converted to snake_case to avoid confusion since all the fields have been converted to snake_case.

[efd6]

Currently the filters are acting at the dashboard level. Can they be moved to the visualisation level so that users are not able to accidentally remove them?

[efd6]

Suggested change

	ctx['@timestamp'] = item.threat_time;
	ts = item.threat_time;

[efd6]

Suggested change

	ctx['@timestamp'] = ctx.proofpoint_essentials.threat.threat_time;
	ts = ctx.proofpoint_essentials.threat.threat_time;

[efd6]

Suggested change

	}
	}
	ctx['@timestamp'] = ts;