Skip to content

proofpoint_on_demand: fix ingest failure issues #11359

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 8, 2024
Merged

proofpoint_on_demand: fix ingest failure issues #11359

merged 1 commit into from
Oct 8, 2024

Conversation

@efd6
Copy link
Contributor

@efd6 efd6 commented Oct 8, 2024

Proposed commit message

Apparently sometimes Proofpoint will send zero-length-keyed JSON, so handle this more gracefully. Also fix an incorrect type check that was causing a string array to be put into a nested field.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots
@efd6 efd6 added bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:proofpoint_on_demand Proofpoint On Demand labels Oct 8, 2024
@efd6 efd6 self-assigned this Oct 8, 2024
@efd6
proofpoint_on_demand: fix ingest failure issues
738938a 
Apparently sometimes Proofpoint will send zero-length-keyed JSON, so handle this more gracefully. Also fix an incorrect type check that was causing a string array to be put into a nested field.
@efd6 efd6 force-pushed the s5180-proofpoint_on_demand branch from caf40d5 to 738938a Compare October 8, 2024 00:46
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Oct 8, 2024

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport
@elasticmachine
Copy link

elasticmachine commented Oct 8, 2024

💚 Build Succeeded

cc @efd6
@elastic-sonarqube
Copy link

elastic-sonarqube bot commented Oct 8, 2024

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
90.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube
@efd6 efd6 marked this pull request as ready for review October 8, 2024 01:30
@efd6 efd6 requested a review from a team as a code owner October 8, 2024 01:30
@elasticmachine
Copy link

elasticmachine commented Oct 8, 2024

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
efd6
efd6 commented Oct 8, 2024
View reviewed changes
packages/proofpoint_on_demand/data_stream/message/_dev/test/pipeline/test-message.log
{"connection":{"country":"us","ip":"89.160.20.112","protocol":"smtp:smtp","sid":"2y1234560gm","helo":"mail-123456.google.com","tls":{"inbound":{"cipherBits":128,"version":"TLSv1.2","cipher":"ECDHE-RSA-AES128-GCM-SHA256"}},"host":"mail-123456.google.com","resolveStatus":"ok"},"metadata":{"origin":{"data":{"agent":"m0000123.ppops.net","cid":"pphosted_prodmgt_hosted","version":"8.14.0.396"}}},"pps":{"agent":"m0000123.ppops.net","cid":"pphosted_prodmgt_hosted","version":"8.14.0.396"},"final_module":"spam","action_dmarc":[{"rule":"pass","action":"continue","module":"dmarc"}],"ts":"2024-04-18T18:24:49.929101-0800","action_spf":[{"rule":"test_5_pass","action":"continue","module":"spf"},{"rule":"pass","action":"continue","module":"spf"}],"final_rule":"bulk","msg":{"header":{"toHashed":["87fad3bbab2sdvdsvsdvfdbfd5f116c3986@example.com"],"to":["abcdefg@example.com"],"from":["G Suite Alerts <gsuite-alerts-noreply@google.com>"],"message-id":["<VtuqyZOABCDFrgjbrs2rEqg.0@notifications.google.com>"],"fromHashed":["dc8352b494f0b14f0baefd8eb51e47ec@google.com>"],"subject":["G Suite Alert: test123"]},"sizeBytes":6651,"lang":"en"},"filter":{"routeDirection":"inbound","durationSecs":0.286712,"startTime":"2020-02-07T08:34:49.929101-0800","isMsgEncrypted":false,"disposition":"continue","qid":"017ABCDEFGH5228","routes":["default_inbound"],"quarantine":{"rule":"audit","folder":"Audit"},"msgSizeBytes":9635,"isMsgReinjected":false,"suborgs":{"sender":"0","rcpts":["0"]},"modules":{"spf":{"domain":"chime-notifications.bounces.google.com","result":"pass"},"dkimv":[{"domain":"google.com","selector":"20161025","result":"pass"}],"pdr":{"v2":{"response":"pass"}},"urldefense":{"version":{"engine":"15"},"counts":{"rewritten":4,"unique":3,"total":4}}}},"action_dkimv":[{"rule":"dkim_policy_partner_temperror","action":"continue","module":"dkimv"}],"guid":"81Of8J5YghkL1r--abcdefghijk-OBCFg7u","envelope":{"from":"khbsdkjvbsdjkbvkjsdv-zkdqsr-ahbckdsbcjbsdkjvsd.bnl@chime-notifications.bounces.google.com","fromHashed":"2a1a927f37b8esvsvsdvsdvsdvsdvsdvsdv7f@chime-notifications.bounces.google.com","rcptsHashed":["87fadvhjhsdvsdvbksdbvidseddad5f116c3986@example.com"],"rcpts":["abcdef@example.com"]},"final_action":"continue"}
{"final_rule":"clean","connection":{"country":"us","sid":"2abcdefgs98n3","protocol":"smtp:smtp","ip":"89.160.20.112","tls":{"inbound":{"cipherBits":128,"version":"TLSv1.2","cipher":"ECDHE-RSA-AES128-GCM-SHA256"}},"helo":"mail-abcd-1234.google.com","host":"mail-abcd-1234.google.com","resolveStatus":"ok"},"pps":{"agent":"m0000001.ppops.net","cid":"pphosted_prodmgt_hosted","version":"8.14.0.396"},"final_module":"av","action_dmarc":[{"rule":"pass","action":"continue","module":"dmarc"}],"ts":"2024-05-10T08:14:49.410504-0800","final_action":"continue","action_spf":[{"rule":"test_5_pass","action":"continue","module":"spf"},{"rule":"pass","action":"continue","module":"spf"}],"msg":{"header":{"toHashed":["a7e7e2f59b128bdb0aa60f56f5211efe@example.net"],"to":["temple@example.net"],"from":["G Suite Alerts <gsuite-alerts-noreply@google.com>"],"message-id":["<Rohkdsbvbkousdvbdsvpf8ITrw.0@notifications.google.com>"],"subject":["G Suite Alert: test123"],"fromHashed":["dc8352b494f0b14f0baefd8eb51e47ec@google.com>"]},"sizeBytes":6637,"lang":"en"},"filter":{"routeDirection":"inbound","durationSecs":0.656005,"startTime":"2020-02-07T08:34:49.410504-0800","isMsgEncrypted":false,"disposition":"continue","isMsgReinjected":false,"quarantine":{"rule":"audit","folder":"Audit"},"qid":"017ABCDEFGH28006","routes":["default_inbound"],"msgSizeBytes":9625,"suborgs":{"sender":"0","rcpts":["0"]},"modules":{"spf":{"domain":"chime-notifications.bounces.google.com","result":"pass"},"dkimv":[{"domain":"google.com","selector":"20161025","result":"pass"}],"pdr":{"v2":{"response":"pass"}},"urldefense":{"version":{"engine":"15"},"counts":{"unique":3,"rewritten":4,"total":4}}}},"action_dkimv":[{"rule":"dkim_policy_partner_temperror","action":"continue","module":"dkimv"}],"metadata":{"origin":{"data":{"agent":"m0000001.ppops.net","cid":"pphosted_prodmgt_hosted","version":"8.14.0.396"}}},"envelope":{"from":"3qje9xhukfdsdsdhsd-123456-msdvsdvdsvfkd.bnl@chime-notifications.bounces.google.com","fromHashed":"2a1a927f37b8e66067d0d97aea42f67f@chime-notifications.bounces.google.com","rcptsHashed":["a7e7edfviushdjhbsdjbvjhsd6f5211efe@example.net"],"rcpts":["temple@example.net"]},"guid":"3uE0HBMzAocroyCG_8ABCDEFGHIJECQu"}
{"connection":{"country":"us","ip":"89.160.20.112","protocol":"smtp:smtp","sid":"2y1234560gm","helo":"mail-123456.google.com","tls":{"inbound":{"cipherBits":128,"version":"TLSv1.2","cipher":"ECDHE-RSA-AES128-GCM-SHA256"}},"host":"mail-123456.google.com","resolveStatus":"ok"},"metadata":{"origin":{"data":{"agent":"m0000123.ppops.net","cid":"pphosted_prodmgt_hosted","version":"8.14.0.396"}}},"pps":{"agent":"m0000123.ppops.net","cid":"pphosted_prodmgt_hosted","version":"8.14.0.396"},"final_module":"spam","action_dmarc":[{"rule":"pass","action":"continue","module":"dmarc"}],"ts":"2024-06-17T09:38:49.929101-0800","action_spf":[{"rule":"test_5_pass","action":"continue","module":"spf"},{"rule":"pass","action":"continue","module":"spf"}],"final_rule":"bulk","msg":{"header":{"toHashed":["87fad3bbab2sdvdsvsdvfdbfd5f116c3986@example.com"],"to":["abcdefg@example.com"],"from":["G Suite Alerts <gsuite-alerts-noreply@google.com>"],"message-id":["<VtuqyZOABCDFrgjbrrEqg.0@notifications.google.com>"],"fromHashed":["dc8352b494f0b14f0baefd8eb51e47ec@google.com>"],"subject":["G Suite Alert: test123"]},"sizeBytes":6651,"lang":"en"},"filter":{"routeDirection":"inbound","durationSecs":0.286712,"startTime":"2020-02-07T08:34:49.929101-0800","isMsgEncrypted":false,"disposition":"continue","qid":"017ABCDEFGH5228","routes":["default_inbound"],"quarantine":{"rule":"audit","folder":"Bulk"},"msgSizeBytes":9635,"isMsgReinjected":false,"suborgs":{"sender":"0","rcpts":["0"]},"modules":{"spf":{"domain":"chime-notifications.bounces.google.com","result":"pass"},"dkimv":[{"domain":"google.com","selector":"20161025","result":"pass"}],"pdr":{"v2":{"response":"pass"}},"urldefense":{"version":{"engine":"15"},"counts":{"rewritten":4,"unique":3,"total":4}}}},"action_dkimv":[{"rule":"dkim_policy_partner_temperror","action":"continue","module":"dkimv"}],"guid":"81Of8J5YghkL1r--abcdefghijk-OBCFg7u","envelope":{"from":"khbsdkjvbsdjkbvkjsdv-zkdqsr-ahbckdsbcjbsdkjvsd.bnl@chime-notifications.bounces.google.com","fromHashed":"2a1a927f37b8esvsvsdvsdvsdvsdvsdvsdv7f@chime-notifications.bounces.google.com","rcptsHashed":["87fadvhjhsdvsdvbksdbvidseddad5f116c3986@example.com"],"rcpts":["abcdef@example.com"]},"final_action":"continue"}
{"final_rule":"notspam","connection":{"country":"us","sid":"2abcdefgs98n3","protocol":"smtp:smtp","ip":"67.43.156.0","tls":{"inbound":{"cipherBits":128,"version":"TLSv1.2","cipher":"ECDHE-RSA-AES128-GCM-SHA256"}},"helo":"mail-abcd-1234.google.com","host":"mail-abcd-1234.google.com","resolveStatus":"ok"},"msgParts":[{"labeledCharset":"UTF-8","md5":"5d41402abc4b2a76b9719d911017c592","sha256":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","disposition":"inline","isArchive":false,"isCorrupted":false,"isTimedOut":false,"isProtected":false,"sizeDecodedBytes":388,"isVirtual":false,"detectedSizeBytes":388,"dataBase64":"U0NBTEFSKDB4N2ZhYjY3ZTlhOGI4KQ==\n","detectedMime":"text/plain","detectedName":"text.txt","urls":[{"isRewritten":true,"url":"https://www.googleapis.com/auth/admin.reports.audit.readonly","src":["urldefense"]}],"detectedExt":"TXT","metadata":{"":"missing header label"},"labeledExt":"txt","detectedCharset":"utf-8","isDeleted":false,"labeledMime":"text/plain","labeledName":"text.txt","textExtracted":"U0NBTEFSKDB4N2ZhYjY3ZjI0NjQ4KQ==\n","structureId":"0"},{"labeledCharset":"UTF-8","md5":"dbcc9cc02056791cb01fa952370ced27","sha256":"f276ba3212372f31f52b22a4f18cb2b2b8e29ea8641032fcb5fc6f18e571019b","disposition":"inline","isArchive":false,"isCorrupted":false,"isTimedOut":false,"dataBase64":"U0NBTEFACBJDBDSJVJDY3Yjc1NDY4KQ==\n","isVirtual":false,"labeledMime":"text/html","detectedMime":"text/html","detectedName":"text.html","detectedSizeBytes":3056,"urls":[{"isRewritten":true,"url":"https://support.google.com/a/answer/3230421?hl=en","src":["urldefense"]},{"isRewritten":true,"url":"https://admin.google.com/AdminHome#Reports:subtab=manage-alerts","src":["urldefense"]}],"metadata":{},"isDeleted":false,"detectedCharset":"UTF-8","labeledExt":"html","isProtected":false,"sizeDecodedBytes":3056,"labeledName":"text.html","textExtracted":"U0NBTEFSKABCDEFHGJIKzZjQ4KQ==\n","structureId":"0","detectedExt":"HTML"}],"pps":{"agent":"m0000001.ppops.net","cid":"pphosted_prodmgt_hosted","version":"8.14.0.396"},"final_module":"spam","action_dmarc":[{"rule":"pass","action":"continue","module":"dmarc"}],"ts":"2024-05-27T08:34:49.410504-0800","final_action":"continue","action_spf":[{"rule":"test_5_pass","action":"continue","module":"spf"},{"rule":"pass","action":"continue","module":"spf"}],"msg":{"normalizedHeader":{"toHashed":["a7e7e2f59bvhbfvjksdbvkjsdbvkjbvn5211efe@example.net"],"to":["temple@example.net"],"from":["G Suite Alerts <gsuite-alerts-noreply@google.com>"],"message-id":["Ro1ylYaq9Xmy7ZIpf8ITrw.0@notifications.google.com"],"fromHashed":["dc8352b494f0b14f0baefd8eb51e47ec@google.com>"],"subject":["G Suite Alert: test123"]},"header":{"toHashed":["a7e7e2f59b128bdb0aa60f56f5211efe@example.net"],"to":["temple@example.net"],"from":["G Suite Alerts <gsuite-alerts-noreply@google.com>"],"message-id":["<Rohkdsbvbkousbdsvpf8ITrw.0@notifications.google.com>"],"subject":["G Suite Alert: test123"],"fromHashed":["dc8352b494f0b14f0baefd8eb51e47ec@google.com>"]},"sizeBytes":6637,"parsedAddresses":{"toHashed":["a7e7e2f59b128bdb0aa60f56f5211efe@example.net"],"to":["temple@example.net"],"from":["gsuite-alerts-noreply@google.com"],"fromHashed":["8e0a7ed672474ebcd2555e8484eadb61@google.com"]},"lang":"en"},"filter":{"routeDirection":"inbound","durationSecs":0.656005,"startTime":"2020-02-07T08:34:49.410504-0800","isMsgEncrypted":false,"disposition":"continue","isMsgReinjected":false,"quarantine":{"rule":"audit","folder":"Audit"},"qid":"017ABCDEFGH28006","routes":["default_inbound"],"msgSizeBytes":9625,"pe":{"branding":"4","module":"access","rcpts":["i_am@not_an_object.com"]},"actions":[{"rule":"pass","action":"continue","isFinal":true,"module":"pdr"},{"rule":"pp_external_tag","action":"audit","module":"access"},{"rule":"pp_external_tag","action":"reply-sender","module":"access"},{"rule":"pp_external_tag","action":"continue","module":"access"},{"rule":"test_5_pass","action":"continue","module":"spf"},{"rule":"pass","action":"continue","module":"spf"},{"rule":"clean","action":"add-header","module":"av"},{"rule":"clean","action":"continue","module":"av"},{"rule":"dkim_policy_partner_temperror","action":"continue","module":"dkimv"},{"rule":"pass","action":"continue","module":"dmarc"},{"rule":"notspam","action":"audit","module":"spam"},{"rule":"notspam","action":"add-header","module":"spam"},{"rule":"notspam","action":"continue","module":"spam"}],"suborgs":{"sender":"0","rcpts":["0"]},"modules":{"dmarc":{"authResults":[{"method":"spf","reason":"","result":"pass","emailIdentities":{"smtp.mailfromHashed":"0984d6cbdghvcjhdsbjhcsdbj7ca9a87cb@chime-notifications.bounces.google.com","smtp.mailfrom":"3qJE9XhUKALkfrthsd-123456-dhvjhdschjsdbjchnfkd.bnl@chime-notifications.bounces.google.com"}},{"method":"dkim","reason":"","result":"pass","propspec":{"header.d":"google.com","header.s":"20161025"}},{"method":"dmarc","reason":"","result":"pass","emailIdentities":{"header.from":"google.com"}}],"filterdResult":"pass","alignment":[{"fromDomain":"google.com","results":[{"method":"spf","result":"relaxed","identity":"chime-notifications.bounces.google.com","identityOrg":"google.com"},{"method":"dkim","result":"strict","identity":"google.com","identityOrg":"google.com"}]}],"srvid":"000123456.pphosted.com"},"spf":{"domain":"chime-notifications.bounces.google.com","result":"pass"},"dkimv":[{"domain":"google.com","selector":"20161025","result":"pass"}],"pdr":{"v2":{"response":"pass"}},"urldefense":{"version":{"engine":"15"},"counts":{"unique":3,"rewritten":4,"total":4}}}},"action_dkimv":[{"rule":"dkim_policy_partner_temperror","action":"continue","module":"dkimv"}],"metadata":{"origin":{"data":{"agent":"m0000001.ppops.net","cid":"pphosted_prodmgt_hosted","version":"8.14.0.396"}}},"envelope":{"from":"3qje9xhukfdsdsdhsd-123456-msdvsdvdsvfkd.bnl@chime-notifications.bounces.google.com","fromHashed":"2a1a927f37b8e66067d0d97aea42f67f@chime-notifications.bounces.google.com","rcptsHashed":["a7e7edfviushdjhbsdjbvjhsd6f5211efe@example.net"],"rcpts":["temple@example.net"]},"guid":"3uE0HBMzAocroyCG_8ABCDEFGHIJECQu"}
Copy link
Contributor Author

@efd6 efd6 Oct 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copied from above with the addition of a filter.pe.recpt: ["i_am@not_an_object.com"] and msgParts.metadata."": ["missing header label"].
@efd6 efd6 merged commit 26029a5 into elastic:main Oct 8, 2024
5 checks passed
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Oct 8, 2024

Package proofpoint_on_demand - 1.0.1 containing this change is available at https://epr.elastic.co/search?package=proofpoint_on_demand
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
@efd6
proofpoint_on_demand: fix ingest failure issues (elastic#11359)
c624cdb 
Apparently sometimes Proofpoint will send zero-length-keyed JSON, so handle this more gracefully. Also fix an incorrect type check that was causing a string array to be put into a nested field.
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
@efd6
proofpoint_on_demand: fix ingest failure issues (elastic#11359)
79dd278 
Apparently sometimes Proofpoint will send zero-length-keyed JSON, so handle this more gracefully. Also fix an incorrect type check that was causing a string array to be put into a nested field.
@efd6 efd6 deleted the s5180-proofpoint_on_demand branch February 5, 2025 22:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bugfix Pull request that fixes a bug issue Integration:proofpoint_on_demand Proofpoint On Demand Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

3 participants

@efd6 @elasticmachine @kcreddy