
proofpoint_on_demand: add sinceTime cursor to message stream#17508

Merged
efd6 merged 1 commit into elastic:main from efd6:14241-proofpoint_on_demand
Mar 10, 2026

Conversation

@efd6
Contributor

@efd6 efd6 commented Feb 23, 2026

Proposed commit message

proofpoint_on_demand: add sinceTime cursor to message stream

Track the ts timestamp from each message event and pass it as the
sinceTime query parameter on WebSocket reconnection. This allows the
agent to resume from its last position rather than relying on the
API's default replay behaviour, which only covers the most recent
hour of data [1].

The ts values have microsecond resolution while the API documentation
specifies millisecond resolution for sinceTime. We pass the
microsecond value through unchanged because at least one other
integration (logrhythm-proofpoint-on-demand [2]) does the same
successfully.

Only the message data stream is changed here. The mail and audit
streams use the same API endpoint and likely support sinceTime too,
but there is no direct evidence confirming that events are delivered
in ascending ts order for those stream types.

[1] https://docs.cyderes.cloud/files/proofpoint-on-demand-log-api-rev-c.pdf
[2] https://github.com/jpsutton/logrhythm-proofpoint-on-demand

Warning

Note caveats in commit message.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots
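A stand-alone illustration of the cursor scheme the commit message describes, added here as example code; it is not code from this PR or from the integration itself. Only the event field name `ts`, the `sinceTime` query parameter and the decision to pass the microsecond value through unchanged come from the description. The WebSocket base URL is a placeholder, the RFC 3339 layout of `ts` (with a microsecond fraction) and the sample events are constructed assumptions, and `cursor`, `advance`, `reconnectURL` and `resumeURL` are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// messageEvent carries the single field the cursor needs from a Proofpoint
// On Demand message event. The field name "ts" is from the PR description;
// its RFC 3339 layout with a microsecond fraction is an assumption.
type messageEvent struct {
	TS string `json:"ts"`
}

// cursor remembers the newest ts seen on the stream. An empty lastTS means
// no event has been seen yet, so the next connection sends no sinceTime and
// falls back to the API's default replay window (the most recent hour).
type cursor struct {
	lastTS string    // raw ts value, passed through unchanged as sinceTime
	lastT  time.Time // parsed form, used only for the ordering check
}

// advance updates the cursor from one raw event. It returns false and leaves
// the cursor unchanged when the event's ts is not newer than the cursor, so
// an out-of-order event can never move the resume point backwards. A
// malformed event is reported as an error and never advances the cursor.
func (c *cursor) advance(raw []byte) (bool, error) {
	var ev messageEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return false, fmt.Errorf("decode event: %w", err)
	}
	t, err := time.Parse(time.RFC3339Nano, ev.TS)
	if err != nil {
		return false, fmt.Errorf("parse ts %q: %w", ev.TS, err)
	}
	if !c.lastT.IsZero() && !t.After(c.lastT) {
		return false, nil
	}
	c.lastTS, c.lastT = ev.TS, t
	return true, nil
}

// reconnectURL returns the WebSocket URL for the next connection attempt.
// sinceTime is added only once a cursor exists, carrying the microsecond ts
// unchanged rather than truncating it to the millisecond resolution the API
// documentation states (the choice the PR makes).
func (c *cursor) reconnectURL(base string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	if c.lastTS != "" {
		q := u.Query()
		q.Set("sinceTime", c.lastTS)
		u.RawQuery = q.Encode()
	}
	return u.String(), nil
}

// resumeURL feeds a batch of raw events through a fresh cursor and returns
// the URL a reconnect after that batch would use.
func resumeURL(base string, events [][]byte) (string, error) {
	var c cursor
	for _, raw := range events {
		if _, err := c.advance(raw); err != nil {
			return "", err
		}
	}
	return c.reconnectURL(base)
}

func main() {
	// Constructed sample events; the third arrives out of order and must not
	// move the cursor back. The base URL is a placeholder, not a real endpoint.
	events := [][]byte{
		[]byte(`{"ts":"2026-02-23T01:13:00.123456Z"}`),
		[]byte(`{"ts":"2026-02-23T01:13:02.000001Z"}`),
		[]byte(`{"ts":"2026-02-23T01:13:01.500000Z"}`),
	}
	u, err := resumeURL("wss://example.invalid/v1/stream", events)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(u)
}
```

The cursor only ever moves forward, so a late or duplicated event cannot drag the resume point back and cause re-delivery of data the agent has already shipped. That forward-only rule is also why the commit's caveat about ascending `ts` order matters: an event carrying an older `ts` that arrives after the cursor has already passed it would not be replayed on the next reconnect, which is the risk the description avoids by leaving the mail and audit streams unchanged until ordering is confirmed.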

@efd6 efd6 self-assigned this Feb 23, 2026
@efd6 efd6 added enhancement New feature or request Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:proofpoint_on_demand Proofpoint On Demand labels Feb 23, 2026
@efd6 efd6 force-pushed the 14241-proofpoint_on_demand branch from 811ec4c to 1289a1d Compare February 23, 2026 01:13
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @efd6

@efd6 efd6 marked this pull request as ready for review February 23, 2026 01:43
@efd6 efd6 requested a review from a team as a code owner February 23, 2026 01:43
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 requested a review from btrieger February 23, 2026 01:43
@efd6 efd6 merged commit 8243a0b into elastic:main Mar 10, 2026
9 checks passed
@elastic-vault-github-plugin-prod

Package proofpoint_on_demand - 1.9.0 containing this change is available at https://epr.elastic.co/package/proofpoint_on_demand/1.9.0/


Development

Successfully merging this pull request may close these issues.

[Proofpoint On Demand]: Add support for since timestamp
