{
  "name": "proofpoint_on_demand",
  "title": "Proofpoint On Demand",
  "version": "1.10.2",
  "release": "ga",
  "description": "Collect logs from Proofpoint On Demand with Elastic Agent.",
  "type": "integration",
  "download": "/epr/proofpoint_on_demand/proofpoint_on_demand-1.10.2.zip",
  "path": "/package/proofpoint_on_demand/1.10.2",
  "icons": [
    {
      "src": "/img/proofpoint_on_demand-logo.svg",
      "path": "/package/proofpoint_on_demand/1.10.2/img/proofpoint_on_demand-logo.svg",
      "title": "Proofpoint On Demand Logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.16 || ~9.3.5 || ^9.4.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "security"
  ],
  "signature_path": "/epr/proofpoint_on_demand/proofpoint_on_demand-1.10.2.zip.sig",
  "format_version": "3.1.4",
  "readme": "/package/proofpoint_on_demand/1.10.2/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/proofpoint_on_demand-audit-dashboard.png",
      "path": "/package/proofpoint_on_demand/1.10.2/img/proofpoint_on_demand-audit-dashboard.png",
      "title": "Proofpoint On Demand Audit Dashboard Screenshot",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/proofpoint_on_demand-mail-dashboard.png",
      "path": "/package/proofpoint_on_demand/1.10.2/img/proofpoint_on_demand-mail-dashboard.png",
      "title": "Proofpoint On Demand Mail Dashboard Screenshot",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/proofpoint_on_demand-message-dashboard.png",
      "path": "/package/proofpoint_on_demand/1.10.2/img/proofpoint_on_demand-message-dashboard.png",
      "title": "Proofpoint On Demand Message Dashboard Screenshot",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/proofpoint_on_demand/1.10.2/LICENSE.txt",
    "/package/proofpoint_on_demand/1.10.2/changelog.yml",
    "/package/proofpoint_on_demand/1.10.2/manifest.yml",
    "/package/proofpoint_on_demand/1.10.2/validation.yml",
    "/package/proofpoint_on_demand/1.10.2/docs/README.md",
    "/package/proofpoint_on_demand/1.10.2/img/proofpoint_on_demand-audit-dashboard.png",
    "/package/proofpoint_on_demand/1.10.2/img/proofpoint_on_demand-logo.svg",
    "/package/proofpoint_on_demand/1.10.2/img/proofpoint_on_demand-mail-dashboard.png",
    "/package/proofpoint_on_demand/1.10.2/img/proofpoint_on_demand-message-dashboard.png",
    "/package/proofpoint_on_demand/1.10.2/kibana/tags.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/audit/manifest.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/audit/sample_event.json",
    "/package/proofpoint_on_demand/1.10.2/data_stream/mail/manifest.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/mail/sample_event.json",
    "/package/proofpoint_on_demand/1.10.2/data_stream/message/manifest.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/message/sample_event.json",
    "/package/proofpoint_on_demand/1.10.2/kibana/dashboard/proofpoint_on_demand-77feed4b-c40f-45f4-b9dd-7094a6877609.json",
    "/package/proofpoint_on_demand/1.10.2/kibana/dashboard/proofpoint_on_demand-ae89dee7-9dc7-4121-ba6a-93c408307ee4.json",
    "/package/proofpoint_on_demand/1.10.2/kibana/dashboard/proofpoint_on_demand-e84a69fa-843b-4697-8b9c-cd9b005581ef.json",
    "/package/proofpoint_on_demand/1.10.2/kibana/search/proofpoint_on_demand-47445983-1383-4de7-9a0a-3f39f46e5b5c.json",
    "/package/proofpoint_on_demand/1.10.2/kibana/search/proofpoint_on_demand-7748df39-1f80-4506-8e47-afac86766d3d.json",
    "/package/proofpoint_on_demand/1.10.2/kibana/search/proofpoint_on_demand-f73aa7a7-3a1d-41aa-b462-308dd0fb347b.json",
    "/package/proofpoint_on_demand/1.10.2/data_stream/audit/fields/base-fields.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/audit/fields/beats.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/audit/fields/fields.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/mail/fields/base-fields.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/mail/fields/beats.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/mail/fields/fields.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/message/fields/base-fields.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/message/fields/beats.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/message/fields/ecs.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/message/fields/fields.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/audit/agent/stream/websocket.yml.hbs",
    "/package/proofpoint_on_demand/1.10.2/data_stream/audit/elasticsearch/ingest_pipeline/default.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/mail/agent/stream/websocket.yml.hbs",
    "/package/proofpoint_on_demand/1.10.2/data_stream/mail/elasticsearch/ingest_pipeline/default.yml",
    "/package/proofpoint_on_demand/1.10.2/data_stream/message/agent/stream/websocket.yml.hbs",
    "/package/proofpoint_on_demand/1.10.2/data_stream/message/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "proofpoint_on_demand",
      "title": "Proofpoint On Demand logs",
      "description": "Collect Proofpoint On Demand logs.",
      "inputs": [
        {
          "type": "websocket",
          "vars": [
            {
              "name": "url",
              "type": "url",
              "title": "URL",
              "description": "The Proofpoint On Demand Logging Service production endpoint.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "wss://logstream.proofpoint.com"
            },
            {
              "name": "cluster_id",
              "type": "text",
              "title": "Cluster ID",
              "description": "The Cluster ID must be a legal user group string. This is required for server authentication purposes.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "access_token",
              "type": "password",
              "title": "Access Token",
              "description": "The token value is uniquely generated and provided by Proofpoint for a customer cluster to authenticate with the service.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "max_reconnect_attempts",
              "type": "integer",
              "title": "Maximum Reconnect Attempts",
              "description": "The maximum number of times the agent will attempt to reconnect to the websocket endpoint if the connection is lost before giving up.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": 10
            },
            {
              "name": "min_wait_time",
              "type": "text",
              "title": "Minimum Wait Time",
              "description": "The minimum amount of time the agent will wait before attempting to reconnect to the websocket endpoint if the connection is lost.\nThis is a time duration value. Examples: 1s, 1m, 1h.\n",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "1s"
            },
            {
              "name": "max_wait_time",
              "type": "text",
              "title": "Maximum Wait Time",
              "description": "The maximum amount of time the agent will wait before attempting to reconnect to the websocket endpoint if the connection is lost.\nThis is a time duration value. Examples: 1s, 1m, 1h.\n",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": "1h"
            },
            {
              "name": "blanket_retries",
              "type": "bool",
              "title": "Blanket Retries",
              "description": "If enabled, the agent will retry connection attempts regardless of the type of connection or network error.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "infinite_retries",
              "type": "bool",
              "title": "Infinite Retries",
              "description": "If enabled, the agent will retry connection attempts indefinitely, regardless of the \"Maximum Reconnect Attempts\" value.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            }
          ],
          "title": "Collect Proofpoint On Demand logs via websocket input",
          "description": "Collecting logs from Proofpoint On Demand via websocket input."
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "proofpoint_on_demand.audit",
      "title": "Proofpoint On Demand Audit logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "websocket",
          "vars": [
            {
              "name": "keep_alive",
              "type": "bool",
              "title": "Keep Alive",
              "description": "If enabled, the agent will send a keep alive message to the websocket endpoint at the interval set by the \"Keep Alive Interval\" value.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "keep_alive_interval",
              "type": "text",
              "title": "Keep Alive Interval",
              "description": "The interval at which the agent will send a keep alive message to the websocket endpoint. This is a time duration value. Examples: 30s, 1m, 1h.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve proofpoint_on_demand.audit fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "proofpoint_on_demand-audit"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "websocket.yml.hbs",
          "title": "Proofpoint On Demand Audit logs",
          "description": "Collecting Proofpoint On Demand Audit logs via Websocket.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "proofpoint_on_demand",
      "path": "audit"
    },
    {
      "type": "logs",
      "dataset": "proofpoint_on_demand.mail",
      "title": "Proofpoint On Demand Mail logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "websocket",
          "vars": [
            {
              "name": "initial_since_time",
              "type": "text",
              "title": "Initial Since Time",
              "description": "Optional ISO 8601 timestamp (e.g. 2026-04-28T14:00:00-0500) to backfill message and mail data after an extended outage. The agent includes this timestamp on the first connection, then tracks position via cursor. The Proofpoint API ignores sinceTime when it is less than one hour old, so normal operation automatically uses real-time streaming. Clear the agent's cursor state to trigger another backfill.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "keep_alive",
              "type": "bool",
              "title": "Keep Alive",
              "description": "If enabled, the agent will send a keep alive message to the websocket endpoint at the interval set by the \"Keep Alive Interval\" value.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "keep_alive_interval",
              "type": "text",
              "title": "Keep Alive Interval",
              "description": "The interval at which the agent will send a keep alive message to the websocket endpoint. This is a time duration value. Examples: 30s, 1m, 1h.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve proofpoint_on_demand.mail fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "proofpoint_on_demand-mail"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "websocket.yml.hbs",
          "title": "Proofpoint On Demand Mail logs",
          "description": "Collecting Proofpoint On Demand Mail logs via Websocket.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "proofpoint_on_demand",
      "path": "mail"
    },
    {
      "type": "logs",
      "dataset": "proofpoint_on_demand.message",
      "title": "Proofpoint On Demand Message logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "websocket",
          "vars": [
            {
              "name": "initial_since_time",
              "type": "text",
              "title": "Initial Since Time",
              "description": "Optional ISO 8601 timestamp (e.g. 2026-04-28T14:00:00-0500) to backfill message and mail data after an extended outage. The agent includes this timestamp on the first connection, then tracks position via cursor. The Proofpoint API ignores sinceTime when it is less than one hour old, so normal operation automatically uses real-time streaming. Clear the agent's cursor state to trigger another backfill.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "keep_alive",
              "type": "bool",
              "title": "Keep Alive",
              "description": "If enabled, the agent will send a keep alive message to the websocket endpoint at the interval set by the \"Keep Alive Interval\" value.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "keep_alive_interval",
              "type": "text",
              "title": "Keep Alive Interval",
              "description": "The interval at which the agent will send a keep alive message to the websocket endpoint. This is a time duration value. Examples: 30s, 1m, 1h.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve proofpoint_on_demand.message fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "proofpoint_on_demand-message"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "websocket.yml.hbs",
          "title": "Proofpoint On Demand Message logs",
          "description": "Collecting Proofpoint On Demand Message logs via Websocket.",
          "enabled": true,
          "ingestion_method": "API"
        }
      ],
      "package": "proofpoint_on_demand",
      "path": "message"
    }
  ]
}
