[proofpoint_itm] Initial release of Proofpoint ITM (#13153)

Add report data stream including collection and ingest logic with mapping to
the ECS, and dashboard visualisations.

Pipeline and system test data have been extracted from Splunk and sanitized to
ensure data integrity.

Author: muskan-agarwal26

.github/CODEOWNERS

@@ -335,6 +335,7 @@
 /packages/prometheus/data_stream/collector @elastic/obs-infraobs-integrations
 /packages/prometheus/data_stream/query @elastic/obs-infraobs-integrations
 /packages/prometheus_input @elastic/obs-infraobs-integrations
+/packages/proofpoint_itm @elastic/security-service-integrations
 /packages/proofpoint_on_demand @elastic/security-service-integrations
 /packages/proofpoint_tap @elastic/security-service-integrations
 /packages/proxysg @elastic/sec-deployment-and-devices

packages/proofpoint_itm/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: "git@v8.17.0"

packages/proofpoint_itm/_dev/build/docs/README.md

@@ -0,0 +1,78 @@
+# Proofpoint Insider Threat Management (ITM)
+
+[Proofpoint Insider Threat Management (ITM)](https://www.proofpoint.com/us/products/insider-threat-management) is a people-centric SaaS solution that helps you protect sensitive data from insider threats and data loss at the endpoint. It combines context across content, behavior and threats to provide you with deep visibility into user activities. Proofpoint ITM helps security teams tackle the challenges of detecting and preventing insider threats. It can streamline their responses to insider-led incidents and provide insights that help prevent further damage.
+
+Use this integration to collect and parse data from your Proofpoint ITM instance.
+
+## Compatibility
+
+This module has been tested against the Proofpoint ITM API version **v2**.
+
+## Data streams
+
+This integration collects the following logs:
+
+- **Reports** - This data stream enables users to retrieve reports from Proofpoint ITM, encompassing the below log types:
+    1. User activity
+    2. DBA activity
+    3. System events
+    4. Alerts activity
+    5. Audit activity
+    6. In-App elements
+
+## Requirements
+
+### Agentless Enabled Integration
+
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments.  This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
+### Agent Based Installation
+
+- Elastic Agent must be installed
+- You can install only one Elastic Agent per host.
+- Elastic Agent is required to stream data from the GCP Pub/Sub or REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+#### Installing and managing an Elastic Agent:
+
+You have a few options for installing and managing an Elastic Agent:
+
+#### Install a Fleet-managed Elastic Agent (recommended):
+
+With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.
+
+#### Install Elastic Agent in standalone mode (advanced users):
+
+With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
+
+#### Install Elastic Agent in a containerized environment:
+
+You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry and we provide deployment manifests for running on Kubernetes.
+
+There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+
+## Setup
+
+Follow the [ITM On-Prem (ObserveIT) API Portal](https://prod.docs.oit.proofpoint.com/configuration_guide/observeit_api_portal.htm) guide to setup the Proofpoint ITM On-Prem API Portal.
+
+### Enabling the integration in Elastic:
+
+1. In Kibana navigate to Management > Integrations.
+2. In "Search for integrations" top bar, search for `Proofpoint ITM`.
+3. Select the "Proofpoint ITM" integration from the search results.
+4. Select "Add Proofpoint ITM" to add the integration.
+5. Add all the required integration configuration parameters, including the URL, Token URL, Client ID, and Client type, to enable data collection.
+6. Select "Save and continue" to save the integration.
+
+## Logs reference
+
+### Report
+
+This is the `report` dataset.
+
+#### Example
+
+{{event "report"}}
+
+{{fields "report"}}

packages/proofpoint_itm/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '3.0'
+services:
+  proofpoint_itm:
+    image: docker.elastic.co/observability/stream:v0.17.1
+    hostname: proofpoint_itm
+    ports:
+      - 8090
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8090'
+    command:
+      - http-server
+      - --addr=:8090
+      - --config=/files/config.yml

packages/proofpoint_itm/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,186 @@
+rules:
+  - path: /v2/apis/auth/oauth/token
+    methods: ['POST']
+    request_headers:
+      Content-Type:
+        - 'application/x-www-form-urlencoded'
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |
+          {"access_token":"xxxx","expires_in":3600,"token_type":"Bearer"}
+  - path: /v2/apis/report;realm=observeit/reports
+    methods: ['GET']
+    query_params:
+      since: "{since:20.*}"
+    request_headers:
+      Authorization:
+        - 'Bearer xxxx'
+    responses:
+      - status_code: 200
+        body: |-
+          {{ minify_json `
+          {
+            "data": [
+              {
+                "_time": "2025-02-25T16:08:11Z",
+                "accessedSiteName": "c-awfi.top",
+                "accessedUrl": "http://c-awfi.top/",
+                "applicationName": "Windows Shell Experience Host",
+                "collectorId": "C2C1C429-C002-4FB8-99F4-7F1005ED9889",
+                "collectorUrl": "https://code1.preview.observeit.net/",
+                "command": "example_command",
+                "commandParams": "--example --params",
+                "createdAt": "2025-02-25T16:08:11Z",
+                "domainName": "code1.observeit.net",
+                "endpointId": "E035BBC2-1D72-4F25-9408-2BD807FB7B13",
+                "endpointName": "Example Endpoint",
+                "host": "host.example.com",
+                "id": "7340EB6D-A8BB-4F25-9408-2BD807FB7B13",
+                "loginName": "Administrator",
+                "observedAt": "2025-02-25T16:08:11Z",
+                "os": "Windows",
+                "playbackUrl": "https://code1.preview.observeit.net/ObserveIT/SlideViewer.aspx?SessionID=1A8B5249-EDAC-A8BB-4F25-9408-2BD807FB7B13",
+                "processExecutable": "shellexexperiencehost",
+                "remoteAddress": "175.16.199.0",
+                "remoteHostName": "Dake-WinX",
+                "risingValue": "2025-03-01T12:00:00Z",
+                "secondaryDomainName": "n/a",
+                "secondaryLoginName": "n/a",
+                "sessionUrl": "https://session.example.com/abc123",
+                "timezoneOffset": "0",
+                "windowTitle": "Start",
+                "sessionId": "1A8B52A9-EDAC-448E-9871-79DB21D53C28",
+                "databaseName": "example_database",
+                "details": "Detailed description of the event.",
+                "detailsUrl": "https://details.example.com/event/abcde",
+                "eventPlaybackUrl": "https://playback.example.com/event/abcde",
+                "ruleCategoryName": "Security",
+                "ruleDesc": "Description of the security rule.",
+                "ruleName": "Invalid User Asstempt",
+                "severity": "High",
+                "sqlCommand": "SELECT * FROM users;",
+                "sqlUserName": "db_user",
+                "userActivityEventId": 9876543210,
+                "userActivityObservedAt": "2025-02-25T16:08:11Z",
+                "operationKind": "Read",
+                "originFileName": "confidential.docx",
+                "originSiteName": "Internal SharePoint",
+                "targetFileName": "confidential_copy.docx",
+                "targetSiteName": "External Drive"
+              },
+              {
+                "_time": "2125-02-25T16:09:11Z",
+                "accessedSiteName": "c-awfi.top",
+                "accessedUrl": "http://c-awfi.top/",
+                "applicationName": "Windows Shell Experience Host",
+                "collectorId": "C2C1C429-C002-4FB8-99F4-7F1005ED9889",
+                "collectorUrl": "https://code1.preview.observeit.net/",
+                "command": "example_command",
+                "commandParams": "--example --params",
+                "createdAt": "2125-02-25T16:08:11Z",
+                "domainName": "code1.observeit.net",
+                "endpointId": "E035BBC2-1D72-4F25-9408-2BD807FB7B13",
+                "endpointName": "Example Endpoint",
+                "host": "host.example.com",
+                "id": "7340EB6D-A8BB-4F25-9408-2BD807FB7B13",
+                "loginName": "Administrator",
+                "observedAt": "2125-02-25T16:08:11Z",
+                "os": "Windows",
+                "playbackUrl": "https://code1.preview.observeit.net/ObserveIT/SlideViewer.aspx?SessionID=1A8B5249-EDAC-A8BB-4F25-9408-2BD807FB7B13",
+                "processExecutable": "shellexexperiencehost",
+                "remoteAddress": "175.16.199.0",
+                "remoteHostName": "Dake-WinX",
+                "risingValue": "2125-03-01T12:00:00Z",
+                "secondaryDomainName": "n/a",
+                "secondaryLoginName": "n/a",
+                "sessionUrl": "https://session.example.com/abc123",
+                "timezoneOffset": "0",
+                "windowTitle": "Start",
+                "sessionId": "1A8B52A9-EDAC-448E-9871-79DB21D53C28",
+                "databaseName": "example_database",
+                "details": "Detailed description of the event.",
+                "detailsUrl": "https://details.example.com/event/abcde",
+                "eventPlaybackUrl": "https://playback.example.com/event/abcde",
+                "ruleCategoryName": "Security",
+                "ruleDesc": "Description of the security rule.",
+                "ruleName": "Invalid User Asstempt",
+                "severity": "High",
+                "sqlCommand": "SELECT * FROM users;",
+                "sqlUserName": "db_user",
+                "userActivityEventId": 9876543210,
+                "userActivityObservedAt": "2125-02-25T16:08:11Z",
+                "operationKind": "Read",
+                "originFileName": "confidential.docx",
+                "originSiteName": "Internal SharePoint",
+                "targetFileName": "confidential_copy.docx",
+                "targetSiteName": "External Drive"
+              }
+            ]
+          }
+          `}}
+  - path: /v2/apis/report;realm=observeit/reports
+    methods: ['GET']
+    query_params:
+      since: "{since:21.*}"
+    request_headers:
+      Authorization:
+        - 'Bearer xxxx'
+    responses:
+      - status_code: 200
+        body: |-
+          {{ minify_json `
+          {
+            "data": [
+              {
+                "_time": "2125-02-25T16:08:11Z",
+                "accessedSiteName": "c-awfi.top",
+                "accessedUrl": "http://c-awfi.top/",
+                "applicationName": "Windows Shell Experience Host",
+                "collectorId": "C2C1C429-C002-4FB8-99F4-7F1005ED9889",
+                "collectorUrl": "https://code1.preview.observeit.net/",
+                "command": "example_command",
+                "commandParams": "--example --params",
+                "createdAt": "2125-02-25T16:08:11Z",
+                "domainName": "code1.observeit.net",
+                "endpointId": "E035BBC2-1D72-4F25-9408-2BD807FB7B13",
+                "endpointName": "Example Endpoint",
+                "host": "host.example.com",
+                "id": "7340EB6D-A8BB-4F25-9408-2BD807FB7B13",
+                "loginName": "Administrator",
+                "observedAt": "2125-02-25T16:08:11Z",
+                "os": "Windows",
+                "playbackUrl": "https://code1.preview.observeit.net/ObserveIT/SlideViewer.aspx?SessionID=1A8B5249-EDAC-A8BB-4F25-9408-2BD807FB7B13",
+                "processExecutable": "shellexexperiencehost",
+                "remoteAddress": "175.16.199.0",
+                "remoteHostName": "Dake-WinX",
+                "risingValue": "2225-03-01T12:00:00Z",
+                "secondaryDomainName": "n/a",
+                "secondaryLoginName": "n/a",
+                "sessionUrl": "https://session.example.com/abc123",
+                "timezoneOffset": "0",
+                "windowTitle": "Start",
+                "sessionId": "1A8B52A9-EDAC-448E-9871-79DB21D53C28",
+                "databaseName": "example_database",
+                "details": "Detailed description of the event.",
+                "detailsUrl": "https://details.example.com/event/abcde",
+                "eventPlaybackUrl": "https://playback.example.com/event/abcde",
+                "ruleCategoryName": "Security",
+                "ruleDesc": "Description of the security rule.",
+                "ruleName": "Invalid User Asstempt",
+                "severity": "High",
+                "sqlCommand": "SELECT * FROM users;",
+                "sqlUserName": "db_user",
+                "userActivityEventId": 9876543210,
+                "userActivityObservedAt": "2125-02-25T16:08:11Z",
+                "operationKind": "Read",
+                "originFileName": "confidential.docx",
+                "originSiteName": "Internal SharePoint",
+                "targetFileName": "confidential_copy.docx",
+                "targetSiteName": "External Drive"
+              }
+            ]
+          }
+          `}}

packages/proofpoint_itm/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+  changes:
+    - description: Initial release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13153

packages/proofpoint_itm/data_stream/report/_dev/test/pipeline/test-alert.log

@@ -0,0 +1 @@
+{"_time":"2025-02-25T16:08:11Z","accessedSiteName":"Example Site","accessedUrl":"https://www.example.com","applicationName":"Windows Shell Experience Host","collectorId":"C2C1C429-C002-4FB8-99F4-7F1005ED9889","collectorUrl":"https://code1.preview.observeit.net/","command":"example_command","commandParams":"--example --params","createdAt":"2025-02-25T16:08:11Z","domainName":"code1.observeit.net","endpointId":"E035BBC2-1D72-4F25-9408-2BD807FB7B13","endpointName":"Example Endpoint","host":"host.example.com","id":"7330EB6D-A8BB-4F25-9408-2BD807FB7B13","loginName":"Administrator","observedAt":"2025-02-25T16:08:11Z","os":"Windows","playbackUrl":"https://code1.preview.observeit.net/ObserveIT/SlideViewer.aspx?SessionID=1A8B5249-EDAC-A8BB-4F25-9408-2BD807FB7B13","processExecutable":"shellexexperiencehost","remoteAddress":"192.168.1.1","remoteHostName":"Michaels-MacBoo","risingValue":"2018-06-06T17:43:18.446Z","secondaryDomainName":"n/a","secondaryLoginName":"n/a","sessionUrl":"https://session.example.com/abc123","timezoneOffset":"0","windowTitle":"Start","sessionId":"1A8B52A9-EDAC-448E-9871-79DB21D53C28","databaseName":"example_database","details":"Detailed description of the event.","detailsUrl":"https://details.example.com/event/abcde","eventPlaybackUrl":"https://playback.example.com/event/abcde","ruleCategoryName":"Security","ruleDesc":"Description of the security rule.","ruleName":"Unauthorized Access Attempt","severity":"High","sqlCommand":"SELECT * FROM users;","sqlUserName":"db_user","userActivityEventId":9876543210,"userActivityObservedAt":"2025-02-25T16:08:11Z","operationKind":"Read","originFileName":"confidential.docx","originSiteName":"Internal SharePoint","targetFileName":"confidential_copy.docx","targetSiteName":"External Drive"}