[ping_one] Initial Release for the PingOne

.github/CODEOWNERS

@@ -130,6 +130,7 @@
 /packages/panw_cortex_xdr @elastic/security-external-integrations
 /packages/panw @elastic/security-external-integrations
 /packages/pfsense @elastic/security-external-integrations
+/packages/ping_one @elastic/security-external-integrations
 /packages/postgresql @elastic/obs-service-integrations
 /packages/problemchild @elastic/ml-ui
 /packages/prometheus @elastic/obs-cloudnative-monitoring

packages/ping_one/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@v8.4.0-rc1

packages/ping_one/_dev/build/docs/README.md

@@ -0,0 +1,67 @@
+# PingOne
+
+## Overview
+
+The [PingOne](https://www.pingidentity.com/en.html) integration allows you to monitor audit activity. PingOne is a cloud-based framework for secure identity access management.
+
+Use the PingOne integration to collect and parse data from the REST APIs or HTTP Endpoint input. Then visualize that data in Kibana.
+
+For example, you could use the data from this integration to know which action or activity is performed against a defined PingOne resource. And also tracks the actor or agent who initiated the action.
+
+## Data streams
+
+The PingOne integration collect logs for one type of event: Audit.
+
+**Audit** reporting stores incoming audit messages in a cache and provides endpoints for requesting audit events for a specific time period.
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
+
+This module has been tested against `PingOne API version 1.0`.
+
+## Setup
+
+### To collect data from PingOne REST APIs, follow below steps:
+
+1. Go to the [PingOne console](https://www.pingidentity.com/en/account/sign-on.html), select PingOne as an Account and add username and password.
+2. Select Environment.
+3. Go to **Connections -> Applications**.
+4. Click **+** to create an application.
+5. Enter an Application Name.
+6. Select **Worker** as an application type.
+7. Click Save.
+8. Click the toggle switch to enable the application, if it is not already enabled.
+9. Go to **Configuration**.
+10. Copy **Token Endpoint**.
+11. Copy **Environment ID**, **Client ID** and **Client Secret** from General Section.
+
+For more details, see [Documentation](https://docs.pingidentity.com/bundle/pingone/page/vpz1564020488577.html).
+
+**Note** : Value of initial interval must be less than 2 years.
+
+### To collect data from PingOne via HTTP Endpoint, follow below steps:
+
+1. Reference link for configuring [HTTP Endpoint Remote logging](https://docs.pingidentity.com/bundle/pingone/page/sxi1589922927893.html) for PingOne.
+2. In Destination, enter the full URL, including the port.  
+`Example Format: http[s]://{AGENT_ADDRESS}:{AGENT_PORT}/{URL}`.
+
+**Note** : Select Ping Activity Format (JSON) in the format drop down.
+
+### Enabling the integration in Elastic
+
+1. In Kibana go to **Management > Integrations**.
+2. In the "Search for integrations" search bar, type **PingOne**.
+3. Click on **PingOne** integration from the search results.
+4. Click on **Add PingOne** button to add PingOne integration.
+5. Enable the Integration with either via API or HTTP Endpoint input and provide required parameters.
+
+## Logs Reference
+
+#### audit
+
+This is the `audit` dataset.
+
+{{event "audit"}}
+
+{{fields "audit"}}

packages/ping_one/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,23 @@
+version: '2.3'
+services:
+  ping-one-audit-http-endpoint:
+    image: docker.elastic.co/observability/stream:v0.7.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    environment:
+      - STREAM_PROTOCOL=webhook
+      - STREAM_ADDR=http://elastic-agent:9577/
+    command: log --start-signal=SIGHUP --delay=5s /sample_logs/audit.log
+  ping_one:
+    image: docker.elastic.co/observability/stream:v0.7.0
+    hostname: ping_one
+    ports:
+      - 8080
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: "8080"
+    command:
+      - http-server
+      - --addr=:8080
+      - --config=/files/config.yml

packages/ping_one/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,19 @@
+rules:
+  - path: /xxxx/as/token
+    methods: [POST]
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |
+          {"access_token":"xxxx","expires_in":3600,"token_type":"Bearer"}
+  - path: /v1/environments/xxxx/activities
+    methods: [GET]
+    request_headers:
+      Authorization:
+        - 'Bearer xxxx'
+    responses:
+      - status_code: 200
+        body: |-
+          {"_links":{"self":{"href":"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/activities"}},"_embedded":{"activities":[{"_links":{"self":{"href":"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/activities/f931efc3-7696-4f4e-b82e-bf3563e99e8a"}},"id":"f931efc3-7696-4f4e-b82e-bf3563e99e8a","recordedAt":"2022-06-10T17:09:38.264Z","createdAt":"2022-06-10T17:09:38.281Z","correlationId":"78179748-3103-4f3e-adbc-5bbcd0d02319","actors":{"client":{"id":"830109c7-f8aa-491e-b2f2-8f7532ae85e9","name":"RichardPatchetWorker","environment":{"id":"bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa"},"href":"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/applications/830109c7-f8aa-491e-b2f2-8f7532ae85e9","type":"CLIENT"}},"action":{"type":"GROUP.CREATED","description":"Group Created"},"resources":[{"type":"GROUP","id":"e195531b-6bc0-435a-96b3-1a377ed7be69","name":"Training","environment":{"id":"bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa"},"href":"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/e195531b-6bc0-435a-96b3-1a377ed7be69"}],"result":{"status":"SUCCESS","description":"Created Group Training"}},{"_links":{"self":{"href":"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/activities/4ca96753-8837-419d-8e06-03fac0ec5ae8"}},"id":"4ca96753-8837-419d-8e06-03fac0ec5ae8","recordedAt":"2022-06-10T17:09:12.775Z","createdAt":"2022-06-10T17:09:12.791Z","correlationId":"45ab6e93-0252-4e46-a144-bda97337b24b","actors":{"client":{"id":"830109c7-f8aa-491e-b2f2-8f7532ae85e9","name":"RPWorker","environment":{"id":"bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa"},"href":"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/applications/830109c7-f8aa-491e-b2f2-8f7532ae85e9","type":"CLIENT"}},"action":{"type":"GROUP.CREATED","description":"Group Created"},"resources":[{"type":"GROUP","id":"158fcbd3-4d2b-49ed-8874-3a58da8559b3","name":"MyGroupName1","environment":{"id":"bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa"},"href":"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/158fcbd3-4d2b-49ed-8874-3a58da8559b3"}],"result":{"status":"SUCCESS","description":"Created Group MyGroupName1"}},{"_links":{"self":{"href":"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/activities/2076da4e-81ae-4cf4-803a-4ccc16419bc9"}},"id":"2076da4e-81ae-4cf4-803a-4ccc16419bc9","recordedAt":"2022-06-10T17:04:25.518Z","createdAt":"2022-06-10T17:04:25.534Z","correlationId":"28b1f3ca-2ab6-4cc0-b33f-50153c7c9c14","actors":{"client":{"id":"830109c7-f8aa-491e-b2f2-8f7532ae85e9","name":"RichardPatchetWorker","environment":{"id":"bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa"},"href":"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/applications/830109c7-f8aa-491e-b2f2-8f7532ae85e9","type":"CLIENT"}},"action":{"type":"GROUP.CREATED","description":"Group Created"},"resources":[{"type":"GROUP","id":"ac05e3ff-60e2-4e03-bbac-f9455e6a6d51","name":"Managers","environment":{"id":"bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa"},"href":"https://api.pingone.com/v1/environments/bf4cb8b8-33e9-4576-8d70-c0ab679fe0fa/groups/ac05e3ff-60e2-4e03-bbac-f9455e6a6d51"}],"result":{"status":"SUCCESS","description":"Created Group Managers"}}]}}

packages/ping_one/_dev/deploy/docker/sample_logs/audit.log

@@ -0,0 +1 @@
+{"_embedded":{},"action":{"type":"USER.ACCESS_ALLOWED"},"actors":{"client":{"environment":{"id":"123abc123-12ab-1234-1abc-abc123abc12"},"href":"https://api.pingone.asia/v1/environments/123abc123-12ab-1234-1abc-abc123abc12/applications/123abc123-12ab-1234-1abc-abc123abc12","id":"123abc123-12ab-1234-1abc-abc123abc12","name":"PingOne Admin Console","type":"CLIENT"},"user":{"environment":{"id":"123abc123-12ab-1234-1abc-abc123abc12"},"href":"https://api.pingone.asia/v1/environments/123abc123-12ab-1234-1abc-abc123abc12/users/123abc123-12ab-1234-1abc-abc123abc12","id":"123abc123-12ab-1234-1abc-abc123abc12","name":"example@gmail.com","population":{"id":"123abc123-12ab-1234-1abc-abc123abc12"},"type":"USER"}},"id":"123abc123-12ab-1234-1abc-abc123abc12","recordedAt":"2022-08-08T15:31:08.237Z","resources":[{"environment":{"id":"123abc123-12ab-1234-1abc-abc123abc12"},"href":"https://api.pingone.asia/v1/environments/123abc123-12ab-1234-1abc-abc123abc12/users/123abc123-12ab-1234-1abc-abc123abc12","id":"123abc123-12ab-1234-1abc-abc123abc12","name":"example@gmail.com","population":{"id":"123abc123-12ab-1234-1abc-abc123abc12"},"type":"USER"}],"result":{"description":"Passed role access control","status":"SUCCESS"}}

packages/ping_one/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: '0.1.0'
+  changes:
+    - description: Initial Release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/4014

packages/ping_one/data_stream/audit/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,4 @@
+fields:
+  tags:
+    - preserve_original_event
+    - preserve_duplicate_custom_fields