[ping_one] Initial Release for the PingOne

[vinit-chauhan]

What does this PR do?

• Generated the skeleton of the PingOne integration package.
• Added data stream.
• Added data collection logic for the data stream.
• Added the ingest pipeline for the data stream.
• Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files.
• Added dashboards and visualizations.
• Added test for pipeline for the data stream.
• Added system test cases for the data stream.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

• Change follows the contributing guidelines
• Supported versions of the monitoring target are documented
• Supported operating systems are documented (if applicable)
• Integration or System tests exist
• Documentation exists
• Fields follow ECS and naming conventions
• At least a manual test with ES / Kibana / Agent has been performed.
• Required Kibana version set to: ^7.17.0 || ^8.0.0

New Package

• Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

• Dashboards exists
• Screenshots added or updated
• Datastream filters added to visualizations

Log dataset changes

• Pipeline tests exist (if applicable)
• Generated output for at least 1 log file exists
• Sample event (sample_event.json) exists

How to test this PR locally

• Clone integrations repo.
• Install elastic package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/ping_one directory.
• Run the following command to run tests.

elastic-package test

Related issues

• Closes Ping Identity | PingONE #1087

Screenshots

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-10-03T12:28:04.417+0000

• Duration: 15 min 7 sec

Test stats 🧪

Test	Results
Failed	0
Passed	7
Skipped	0
Total	7

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (1/1)	💚 2.564
Classes	100.0% (1/1)	💚 2.564
Methods	100.0% (13/13)	💚 9.946
Lines	84.95% (254/299)	👎 -6.579
Conditionals	100.0% (0/0)	💚

[marc-gr]

Suggested change

	For example, you could use the data from this integration to know which action or activity is performed against a defined PingOne resource. And also tracks the actor or agent who initiated the action.
	For example, you could use the data from this integration to know which action or activity is performed against a defined PingOne resource, and also track the actor or agent who initiated the action.

[marc-gr]

Suggested change

	The PingOne integration collect logs for one type of event: Audit.
	The PingOne integration collects logs for one type of event: Audit.

[marc-gr]

Could this script be changed to several set processors?

[vinit-chauhan]

Hey, @marc-gr - Instead of using several set processors, we considered reducing the number of lines of code and combined all those processors in the script. However, let us know if using the script in such a way has any drawbacks.

[P1llus]

I would recommend converting it to set processors as well, they are much quicker than script in general @vinit-elastic

[marc-gr]

Do we need to keep duplicated fields under ECS and the custom object? I think the rename above could be just a rename to client.user.name and save one processor

[vinit-chauhan]

We have kept two mappings for each field ( custom and ECS ) as discussed in #3837 (comment). Moreover, we are following this practice in all the connectors.

[P1llus]

@vinit-elastic I think this could be a double edge sword in that case. Because we have on purpose removed custom fields from all our other integrations, if we would want to have something toggleable, we should have made it the same for all integrations, instead of having it on only a few.

From my point of view we should keep to the implementation we have done up until now, and simply rename the fields rather than having duplicates.

[marc-gr]

Similar to other fields, could we just iterate over json.tags to merge it with tags and save one rename processor?

[marc-gr]

Would be nice to add something explaining that this will open an endpoint to the internet, so they would need to setup proper network access and take into account any security concerns.

[elasticmachine]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport