[Menlo Security] Fix parsing of Menlo Web Api for proxy_events

packages/menlo/changelog.yml

@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "1.7.0"
+  changes:
+    - description: Add parsing for proxy events returned by the Menlo Web API.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15967
+    - description: Fix parsing of documents when the Menlo `event.categories` field is missing.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15967
 - version: "1.6.0"
   changes:
     - description: Standardize user fields processing across integrations.

packages/menlo/data_stream/web/_dev/test/pipeline/test-web-proxy.log

@@ -0,0 +1 @@
+{"event":{"connId":"DFErYj2RQvS","domain":"settings-win.data.microsoft.com","event_time":"2025-11-12T19:34:02","name":"proxy_event","pe_action":"proxy_event","pe_rulename":"proxy_event","product":"MSIP","proxyEventDetail":"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN@depth=2 (cert_error)","proxyEventType":"cert_error","region":"us-east5","reqId":"zmT3cDWEwMC","request_type":"CONNECT","response_code":"200","risk_score":"low","severity":"5","srcPort":"31189","url":"settings-win.data.microsoft.com:443","vendor":"Menlo Security","version":"2.0","x-client-ip":"81.2.69.142"}}

packages/menlo/data_stream/web/_dev/test/pipeline/test-web-proxy.log-expected.json

@@ -0,0 +1,66 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-11-12T19:34:02.000Z",
+            "client": {
+                "ip": "81.2.69.142"
+            },
+            "cloud": {
+                "region": "us-east5"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "proxy_event",
+                "category": [
+                    "web",
+                    "network",
+                    "threat"
+                ],
+                "kind": "alert",
+                "original": "{\"event\":{\"connId\":\"DFErYj2RQvS\",\"domain\":\"settings-win.data.microsoft.com\",\"event_time\":\"2025-11-12T19:34:02\",\"name\":\"proxy_event\",\"pe_action\":\"proxy_event\",\"pe_rulename\":\"proxy_event\",\"product\":\"MSIP\",\"proxyEventDetail\":\"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN@depth=2 (cert_error)\",\"proxyEventType\":\"cert_error\",\"region\":\"us-east5\",\"reqId\":\"zmT3cDWEwMC\",\"request_type\":\"CONNECT\",\"response_code\":\"200\",\"risk_score\":\"low\",\"severity\":\"5\",\"srcPort\":\"31189\",\"url\":\"settings-win.data.microsoft.com:443\",\"vendor\":\"Menlo Security\",\"version\":\"2.0\",\"x-client-ip\":\"81.2.69.142\"}}",
+                "outcome": "unknown",
+                "severity": 5
+            },
+            "http": {
+                "request": {
+                    "method": "CONNECT"
+                },
+                "response": {
+                    "status_code": 200
+                }
+            },
+            "menlo": {
+                "web": {
+                    "conn_id": "DFErYj2RQvS",
+                    "proxy_event_detail": "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN@depth=2 (cert_error)",
+                    "proxy_event_type": "cert_error",
+                    "req_id": "zmT3cDWEwMC",
+                    "request_type": "proxy_event",
+                    "risk_score": "low"
+                }
+            },
+            "observer": {
+                "product": "MSIP",
+                "vendor": "Menlo Security",
+                "version": "2.0"
+            },
+            "related": {
+                "ip": [
+                    "81.2.69.142"
+                ]
+            },
+            "source": {
+                "ip": "81.2.69.142"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "url": {
+                "original": "settings-win.data.microsoft.com:443",
+                "scheme": "settings-win.data.microsoft.com"
+            }
+        }
+    ]
+}

packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml

@@ -214,6 +214,7 @@ processors:
   - rename:
       field: json.event.categories
       target_field: menlo.web.categories
+      ignore_missing: true
   - rename:
       field: json.event.threats
       target_field: menlo.web.threats
@@ -270,6 +271,22 @@ processors:
       field: json.event.casb_risk_score
       target_field: menlo.web.casb_risk_score
       ignore_missing: true
+  - rename:
+      field: json.event.connId
+      target_field: menlo.web.conn_id
+      ignore_missing: true
+  - rename:
+      field: json.event.reqId
+      target_field: menlo.web.req_id
+      ignore_missing: true
+  - rename:
+      field: json.event.proxyEventType
+      target_field: menlo.web.proxy_event_type
+      ignore_missing: true
+  - rename:
+      field: json.event.proxyEventDetail
+      target_field: menlo.web.proxy_event_detail
+      ignore_missing: true
   - rename:
       field: json.event.sbox
       target_field: menlo.web.sbox

packages/menlo/data_stream/web/fields/fields.yml

@@ -79,3 +79,15 @@
         - name: risk_score
           type: keyword
           description: "Risk calculated for URL"
+        - name: proxy_event_type
+          type: keyword
+          description: "Menlo Proxy Event Type"
+        - name: proxy_event_detail
+          type: keyword
+          description: "Menlo Proxy Event Detail"
+        - name: req_id
+          type: keyword
+          description: "Menlo Request ID"
+        - name: conn_id
+          type: keyword
+          description: "Menlo Connection ID"

packages/menlo/docs/README.md

@@ -213,9 +213,13 @@ An example event for `web` looks as following:
 | menlo.web.casb_profile_type | Menlo CASB profile type (sanctioned/unsanctioned/unclassified) | keyword |
 | menlo.web.casb_risk_score | Menlo risk score for application (0-10) | keyword |
 | menlo.web.categories | Category Rules Category type classification | keyword |
+| menlo.web.conn_id | Menlo Connection ID | keyword |
 | menlo.web.content_type | Page type | keyword |
 | menlo.web.has_password | Presence of password in form POST request | boolean |
 | menlo.web.is_iframe | Is inline frame (iframe) element | boolean |
+| menlo.web.proxy_event_detail | Menlo Proxy Event Detail | keyword |
+| menlo.web.proxy_event_type | Menlo Proxy Event Type | keyword |
+| menlo.web.req_id | Menlo Request ID | keyword |
 | menlo.web.request_type | Request type | keyword |
 | menlo.web.risk_score | Risk calculated for URL | keyword |
 | menlo.web.sbox | Sandbox Inspection Result | keyword |

packages/menlo/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: menlo
 title: "Menlo Security"
-version: "1.6.0"
+version: "1.7.0"
 source:
   license: "Elastic-2.0"
 description: "Collect logs from Menlo Security products with Elastic Agent"