Skip to content

[proofpoint_tap] Set timestamp to max of {click,message}Time and threatTime #9982

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
May 27, 2024
Merged

[proofpoint_tap] Set timestamp to max of {click,message}Time and threatTime #9982

merged 5 commits into from
May 27, 2024

Conversation

andrewkroh
Copy link
Member

Proposed commit message

Prevent new events from appearing in the past by using the time the event was triggered as the @timestamp. An event can be triggered when a click occurs, a message is delivered/blocked, or new threat is discovered. When a new threat is discovered the previous behavior made the event appear to have happened in the past because we used the clickTime or messageTime as the timestamp which might have occurred weeks ago.

The API docs state, "the time an event is created is always after either of these two times:

  • the time that the message was sent or the time click occurred (messageTime or clickTime)
  • the time that the threat referenced by the message or click was recognized and condemned by Proofpoint (threatsInfoMap/threatTime)"

I suspect this does not occur for clicks_blocked because click was already condemned, but in case they send an update if a new threat matches the previous click I'll include the same change there.

Fixes #9967

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

@andrewkroh andrewkroh added enhancement New feature or request Integration:proofpoint_tap Proofpoint TAP Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels May 24, 2024
@elasticmachine
Copy link

elasticmachine commented May 24, 2024
edited
Loading

🚀 Benchmarks report

Package proofpoint_tap 👍(3) 💚(0) 💔(1)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
message_blocked 3521.13 2638.52 -882.61 (-25.07%) 💔

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh marked this pull request as ready for review May 24, 2024 17:54
@andrewkroh andrewkroh requested a review from a team as a code owner May 24, 2024 17:54
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh enabled auto-merge (squash) May 27, 2024 00:53
@andrewkroh andrewkroh merged commit 4a3964b into elastic:main May 27, 2024
3 checks passed
@elasticmachine
Copy link

💚 Build Succeeded

History

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@elasticmachine
Copy link

Package proofpoint_tap - 1.19.0 containing this change is available at https://epr.elastic.co/search?package=proofpoint_tap

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request Integration:proofpoint_tap Proofpoint TAP Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Proofpoint TAP] Document surprising timestamp behavior
3 participants
@andrewkroh @elasticmachine @efd6