[New Integration] Add Greenhouse ATS audit logs integration

Add a new integration to collect audit logs from Greenhouse Applicant
Tracking System (ATS) via the Greenhouse Audit Log API.

Features:
- CEL input with two-step JWT authentication flow
- Cursor-based pagination with Pit-Id and Search-After headers
- Time-based filtering for incremental data collection
- Full ECS mapping including user, event, and source fields
- GeoIP enrichment for source IP addresses
- Pipeline and system tests with mock service

Dashboards:
- Audit Logs Overview: Event counts, timeline, user activity, geographic
  distribution, event types, request types, target types, performer types
- Data Changes: Focused view on create/update/delete operations with
  field-level change tracking and user activity breakdown

Co-authored-by: Cursor <[email protected]>

Author: narph

packages/greenhouse/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: "[email protected]"

packages/greenhouse/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,15 @@
+version: "2.3"
+services:
+  greenhouse:
+    image: docker.elastic.co/observability/stream:v0.15.0
+    hostname: greenhouse
+    ports:
+      - 8080
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: "8080"
+    command:
+      - http-server
+      - --addr=:8080
+      - --config=/files/config.yml

packages/greenhouse/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,80 @@
+rules:
+  - path: /auth/jwt_access_token
+    methods: ["POST"]
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+        body: |
+          {
+            "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlRlc3QgVXNlciIsImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
+            "expires": "2099-12-31T23:59:59.999Z"
+          }
+  - path: /events
+    methods: ["GET"]
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+        body: |
+          {
+            "paging": {
+              "pit_id": "cmFuZG9tX3ZhbHVl",
+              "search_after": null,
+              "size": "500",
+              "next_search_after": null
+            },
+            "hits": 2,
+            "results": [
+              {
+                "request": {
+                  "id": "1234zID",
+                  "type": "email_settings#create_organization_email"
+                },
+                "performer": {
+                  "meta": {
+                    "name": "Allison Jamie",
+                    "username": "[email protected]"
+                  },
+                  "id": 12345,
+                  "ip_address": "192.168.0.1",
+                  "type": "user"
+                },
+                "organization_id": 123,
+                "event": {
+                  "meta": null,
+                  "target_type": "Global Email Added",
+                  "type": "action"
+                },
+                "event_time": "2023-06-02T16:06:19.217Z"
+              },
+              {
+                "request": {
+                  "id": "1234zID",
+                  "type": "email_settings#create_organization_email"
+                },
+                "performer": {
+                  "meta": {
+                    "name": "Allison Jamie",
+                    "username": "[email protected]"
+                  },
+                  "id": 12345,
+                  "ip_address": "192.168.0.1",
+                  "type": "user"
+                },
+                "organization_id": 123,
+                "event": {
+                  "meta": {
+                    "id": [null, 1234],
+                    "value": [null, "[email protected]"]
+                  },
+                  "target_type": "OrganizationEmail",
+                  "target_id": 1234,
+                  "type": "data_change_create"
+                },
+                "event_time": "2023-06-02T16:06:19.137Z"
+              }
+            ]
+          }

packages/greenhouse/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+  changes:
+    - description: Initial release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1

packages/greenhouse/data_stream/audit/_dev/test/pipeline/test-audit-events.json

@@ -0,0 +1,19 @@
+{
+    "events": [
+        {
+            "message": "{\"request\":{\"id\":\"1234zID\",\"type\":\"email_settings#create_organization_email\"},\"performer\":{\"meta\":{\"name\":\"Allison Jamie\",\"username\":\"[email protected]\"},\"id\":12345,\"ip_address\":\"192.168.0.1\",\"type\":\"user\"},\"organization_id\":123,\"event\":{\"meta\":null,\"target_type\":\"Global Email Added\",\"type\":\"action\"},\"event_time\":\"2023-06-02T16:06:19.217Z\"}"
+        },
+        {
+            "message": "{\"request\":{\"id\":\"1234zID\",\"type\":\"email_settings#create_organization_email\"},\"performer\":{\"meta\":{\"name\":\"Allison Jamie\",\"username\":\"[email protected]\"},\"id\":12345,\"ip_address\":\"192.168.0.1\",\"type\":\"user\"},\"organization_id\":123,\"event\":{\"meta\":{\"id\":[null,1234],\"value\":[null,\"[email protected]\"]},\"target_type\":\"OrganizationEmail\",\"target_id\":1234,\"type\":\"data_change_create\"},\"event_time\":\"2023-06-02T16:06:19.137Z\"}"
+        },
+        {
+            "message": "{\"request\":{\"id\":\"5678aID\",\"type\":\"users#update\"},\"performer\":{\"meta\":{\"name\":\"Admin User\",\"username\":\"[email protected]\"},\"id\":99999,\"ip_address\":\"10.0.0.50\",\"type\":\"user\"},\"organization_id\":123,\"event\":{\"meta\":{\"role\":[\"Basic\",\"Site Admin\"]},\"target_type\":\"User\",\"target_id\":12345,\"type\":\"data_change_update\"},\"event_time\":\"2023-06-03T10:30:00.000Z\"}"
+        },
+        {
+            "message": "{\"request\":{\"id\":\"9012bID\",\"type\":\"/v1/candidates/123456\"},\"performer\":{\"meta\":{\"api_key_type\":\"harvest\"},\"id\":1001,\"ip_address\":\"203.0.113.42\",\"type\":\"api_key\"},\"organization_id\":123,\"event\":{\"meta\":null,\"target_type\":\"Candidate\",\"target_id\":123456,\"type\":\"harvest_access\"},\"event_time\":\"2023-06-03T12:00:00.000Z\"}"
+        },
+        {
+            "message": "{\"request\":{\"id\":\"3456cID\",\"type\":\"jobs#destroy\"},\"performer\":{\"meta\":{\"name\":\"HR Manager\",\"username\":\"[email protected]\"},\"id\":55555,\"ip_address\":\"172.16.0.100\",\"type\":\"user\"},\"organization_id\":456,\"event\":{\"meta\":{\"name\":[\"Software Engineer\",null]},\"target_type\":\"Job\",\"target_id\":789,\"type\":\"data_change_destroy\"},\"event_time\":\"2023-06-04T08:15:30.500Z\"}"
+        }
+    ]
+}