[proofpoint_tap] Add Proofpoint TAP package

.github/CODEOWNERS

@@ -116,6 +116,7 @@
 /packages/problemchild @elastic/ml-ui
 /packages/prometheus @elastic/obs-cloudnative-monitoring
 /packages/proofpoint @elastic/security-external-integrations
+/packages/proofpoint_tap @elastic/security-external-integrations
 /packages/pulse_connect_secure @elastic/security-external-integrations
 /packages/qnap_nas @elastic/security-external-integrations
 /packages/rabbitmq @elastic/integrations

packages/proofpoint_tap/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@8.2

packages/proofpoint_tap/_dev/build/docs/README.md

@@ -0,0 +1,52 @@
+# Proofpoint TAP
+
+The Proofpoint TAP integration collects and parses data from the Proofpoint TAP REST APIs.
+
+## Compatibility
+
+This module has been tested against `SIEM API v2`.
+
+## Configurations
+
+The service principal and secret are used to authenticate to the SIEM API. To generate TAP Service Credentials please follow the following steps.  
+1. Log in to the [_TAP dashboard_](https://threatinsight.proofpoint.com).  
+2. Navigate to **Settings > Connected Applications**.  
+3. Click **Create New Credential**.  
+4. Name the new credential set and click **Generate**.  
+5. Copy the **Service Principal** and **Secret** and save them for later use.  
+For the more information on generating TAP credentials please follow the steps mentioned in the link [_Generate TAP Service Credentials_](https://ptr-docs.proofpoint.com/ptr-guides/integrations-files/ptr-tap/#generate-tap-service-credentials).
+
+
+## Logs
+
+### Clicks Blocked
+
+This is the `clicks_blocked` dataset.
+
+{{event "clicks_blocked"}}
+
+{{fields "clicks_blocked"}}
+
+### Clicks Permitted
+
+This is the `clicks_permitted` dataset.
+
+{{event "clicks_permitted"}}
+
+{{fields "clicks_permitted"}}
+
+### Message Blocked 
+
+This is the `message_blocked` dataset.
+
+{{event "message_blocked"}}
+
+{{fields "message_blocked"}}
+
+### Message Delivered 
+
+This is the `message_delivered` dataset.
+
+{{event "message_delivered"}}
+
+{{fields "message_delivered"}}

packages/proofpoint_tap/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2.3'
+services:
+  proofpoint_tap:
+    image: docker.elastic.co/observability/stream:v0.7.0
+    hostname: proofpoint_tap
+    ports:
+      - 8080
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: "8080"
+    command:
+      - http-server
+      - --addr=:8080
+      - --config=/files/config.yml

packages/proofpoint_tap/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,25 @@
+rules:
+  - path: /v2/siem/messages/blocked
+    methods: ["GET"]
+    responses:
+      - status_code: 200
+        body: |
+          {"queryEndTime":"2022-03-30T13:00:00Z","messagesBlocked":[{"GUID":"x11xxxx1-12f9-111x-x12x-1x1x123456xx","QID":"x2XXxXXX111111","ccAddresses":["abc@example.com"],"clusterId":"pharmtech_hosted","completelyRewritten":"true","fromAddress":"abc@example.com","headerCC":"\"Example Abc\" <abc@example.com>","headerFrom":"\"A. Bc\" <abc@example.com>","headerReplyTo":null,"headerTo":"\"Aa Bb\" <aa.bb@example.com>; \"Hey Hello\" <hey.hello@example.com>","impostorScore":0,"malwareScore":100,"messageID":"12345678912345.12345.mail@example.com","messageParts":[{"contentType":"text/plain","disposition":"inline","filename":"text.txt","md5":"b10a8db164e0754105b7a99be72e3fe5","oContentType":"text/plain","sandboxStatus":"unsupported","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"},{"contentType":"application/pdf","disposition":"attached","filename":"text.pdf","md5":"b10a8db164e0754105b7a99be72e3fe5","oContentType":"application/pdf","sandboxStatus":"threat","sha256":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e"}],"messageTime":"2021-11-25T09:10:00.050Z","modulesRun":["pdr","sandbox","spam","urldefense"],"phishScore":46,"policyRoutes":["default_inbound","executives"],"quarantineFolder":"Attachment Defense","quarantineRule":"module.sandbox.threat","recipient":["example.abc@example.com","hey.hello@example.com"],"replyToAddress":null,"sender":"x99x7x5580193x6x51x597xx2x0210@example.com","senderIP":"175.16.199.1","spamScore":4,"subject":"Please find a totally safe invoice attached.","threatsInfoMap":[{"campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","classification":"MALWARE","threat":"a591a6d40bf420404a011733cfb7b190d62c65bf0bcda32b57b277d9ad9f146e","threatId":"2xxx740f143fc1aa4c1cd0146d334x5593b1428x6x062b2c406e5efe8xxx95xx","threatStatus":"active","threatTime":"2021-11-25T09:10:00.050Z","threatType":"ATTACHMENT","threatUrl":"https://www.example.com/?name=john"},{"campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","classification":"MALWARE","threat":"example.com","threatId":"3xx97xx852c66a7xx761450xxxxxx9f4ffab74715b591294f78b5e37a76481xx","threatTime":"2021-07-20T05:00:00.050Z","threatType":"URL","threatUrl":"https://www.example.com/?name=john"}],"toAddresses":["example.abc@example.com","hey.hello@example.com"],"xmailer":"Spambot v2.5"}]}
+  - path: /v2/siem/messages/delivered
+    methods: ["GET"]
+    responses:
+      - status_code: 200
+        body: |
+          {"queryEndTime":"2022-03-29T20:00:00Z","messagesDelivered":[{"spamScore":0,"phishScore":0,"threatsInfoMap":[{"threatID":"b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb","threatStatus":"active","classification":"spam","threatUrl":"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb","threatTime":"2021-11-25T13:02:58.640Z","threat":"http://zbcd123456x0.example.com","campaignID":null,"threatType":"url"},{"threatID":"aaabcdefg123456f009971a9c193abcdefg123456bf5abcdefg1234566","threatStatus":"active","classification":"phish","threatUrl":"https://threatinsight.proofpoint.com/aaabcdef-1234-b1abcdefghe/threat/email/b7exxxxxxxx0d10xxxxxxe2xxxxxxxxxxxx81cxxxxxx034ac9cxxxxxxxxxxxxb","threatTime":"2021-07-19T10:28:15.100Z","threat":"http://zbcd123456x0.example.com","campaignID":null,"threatType":"url"}],"messageTime":"2022-01-01T00:00:00.000Z","impostorScore":0,"malwareScore":0,"cluster":"pharmtech_hosted","subject":null,"quarantineFolder":null,"quarantineRule":null,"policyRoutes":null,"modulesRun":null,"messageSize":0,"headerFrom":null,"headerReplyTo":null,"fromAddress":null,"ccAddresses":null,"replyToAddress":null,"toAddresses":null,"xmailer":null,"messageParts":null,"completelyRewritten":true,"id":"2hsvbU-i8abc123-12345-xxxxx12","QID":null,"GUID":"NxxxsxvxbxUxixcx2xxxxx5x6xWxBxOxxxxxjxx","sender":"","recipient":["fxxxxhxsxxvxbcx2xx5xxx6x3xx26@example.com"],"senderIP":"89.160.20.112","messageID":""}]}
+  - path: /v2/siem/clicks/permitted
+    methods: ["GET"]
+    responses:
+      - status_code: 200
+        body: |
+          {"queryEndTime":"2022-03-30T13:00:00Z","clicksPermitted":[{"url":"https://example.com/collab/?id=x4x3x6xsx1xxxx8xEdxexnxxxaxX","classification":"phish","clickTime":"2022-03-21T20:39:37.000Z","threatTime":"2022-03-30T10:05:57.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Edg/99.0.1150.46","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"de7eef56-1234-1234-1234-5xxfx7xxxdxxxx","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"abc@example.com","senderIP":"81.2.69.143","GUID":"cTxxxxxxzx7xxxxxxxxxx8x4xwxx","threatID":"92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/92c17aaxxxxxxxxxx07xx7xxxx9xexcx3x3xxxxxx8xx3xxxx","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"}]}
+  - path: /v2/siem/clicks/blocked
+    methods: ["GET"]
+    responses:
+      - status_code: 200
+        body: |
+          {"queryEndTime":"2022-03-30T13:00:00Z","clicksBlocked":[{"url":"https://www.example.com/abcdabcd123?query=0","classification":"malware","clickTime":"2022-03-30T10:11:12.000Z","threatTime":"2022-03-21T14:40:31.000Z","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"a5c9f8bb-1234-1234-1234-dx9xxx2xx9xxx","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"9c52aa64228824247c48df69b066e5a7@example.com","senderIP":"81.2.69.143","GUID":"ZcxxxxVxyxFxyxLxxxDxVxx4xxxxx","threatID":"502b7xxxx0x5x1x3xb6xcxexbxxxxxxxcxxexc6xbxxxxxxdx7fxcx6x9xxxx9xdxxxxxxxx5f","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"}]}

packages/proofpoint_tap/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: 0.1.0
+  changes:
+    - description: Initial draft of the package.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3201

packages/proofpoint_tap/data_stream/clicks_blocked/_dev/test/pipeline/test-clicks-blocked.log

@@ -0,0 +1,5 @@
+{"url":"https://www.example.com/?name=john","classification":"phish","clickTime":"2022-03-21T07:52:11.000Z","threatTime":"2022-03-18T14:54:20.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"8760d0fc-1234-1234-1234-2exxfxxxxx1xd","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"123abc@example.com","senderIP":"81.2.69.143","GUID":"x11xxxx1-12f9-111x-x12x-1x1x123456xx","threatID":"3xx97xx852c66a7xx761450xxxxxx9f4ffaxxxxxxxxxxxxxxx7a76481xx","threatURL":"https://www.example.com/?name=john","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"}
+{"url":"http://www.example.com/public/download-shares/wwwxxxyyyzzz12345","classification":"phish","clickTime":"2022-03-30T07:22:52.000Z","threatTime":"2022-03-07T01:21:41.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"b80af74a-1234-1234-1234-43xdxxbxxxxx6","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"bd5da771530b11830e6dfd25838b0240@example.com","senderIP":"81.2.69.143","GUID":"bXkXXUrXAXVXWXGXxXrXAXXX-XXXH","threatID":"fdxxxxxxxxxxxcc34aff1aefxbx3xx7xb7xfxcxx1xxxxxxxx98780b5xxxexbx5xc32c","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/fdxxxxxxxxa080xxxxxxxxc6bcxxxxxxxxxxxx5aefb37xxxxb5ebxx1234","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"}
+{"url":"https://www.example.com/url?q=httpabc12345","classification":"spam","clickTime":"2022-03-30T07:10:19.000Z","threatTime":"2022-03-29T09:27:21.000Z","userAgent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"85219a90-1234-1234-1234-axx5xx4xxxfxxxx","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"b81458bb9f757994e79a9287b8447622@example.com","senderIP":"81.2.69.143","GUID":"JXXXXaXehXHXzX-XxXhXyXXXXX7","threatID":"eaxxxxxxxxxxxx6376xxxxxxxxxxx1cba65xxx9x7xxxxxxxxxxfbbxx4x0","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/eaxxxxxa6597fd3xxxxxxxxx92e4xxxxxxxxxx27c98052fxxxxxxxxxx1234","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"}
+{"url":"https://www.example.org/abcdabcd123?query=0","classification":"malware","clickTime":"2022-03-30T10:11:12.000Z","threatTime":"2022-03-21T14:40:31.000Z","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) GSA/199.0.427504638 Mobile/15E148 Safari/604.1","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"a5c9f8bb-1234-1234-1234-dxx9xcxxxx8xxxc","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"9c52aa64228824247c48df69b066e5a7@example.com","senderIP":"81.2.69.143","GUID":"XXcXXxXDXVXXXXXXXXXXXX4XXXXX","threatID":"502bxxxxxxxxxxx70513b6cxxxxxxxxxxxxebc7fc699xxxxxxxxxxxxxxxxd5f","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/502xxxxxxxxxcebxxxxxxxxxxa04277xxxxx5dxc6xxxxxxxxx5f","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"}
+{"url":"https://www.example.org","classification":"spam","clickTime":"2022-03-30T10:01:01.000Z","threatTime":"2022-03-14T05:59:12.000Z","userAgent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36","campaignId":"46x01x8x-x899-404x-xxx9-111xx393d1x7","id":"d35cc5fc-1234-1234-1234-2xxx0xaxbxcxx","clickIP":"89.160.20.112","sender":"abc123@example.com","recipient":"xyz@example.com","senderIP":"81.2.69.143","GUID":"uHXXXJXTXlXDXmXgXTX3XOXLNXVXNX3XXXHX","threatID":"47580xdx0x2x5x2xfx8x3x3x7x7xxxxcx6x7x4x4x1xexcx5cx9x3xfxfxxx1","threatURL":"https://threatinsight.proofpoint.com/a2abc123-1234-1234-1234-babcded1234/threat/email/4xxxxd02xxxxxxxxxxxxcacf9da3xxxxxxxxxxx9a947xxxxxxxxxx1","threatStatus":"active","messageID":"12345678912345.12345.mail@example.com"}