[SIEMINT-40] [Release] DDS: Sophos Central Cloud: Crawler Integration…

… v1.0.0 (#17956) * Add Sophos Central Cloud integration with assets. * Adding facets lists and minor fixes. * Fixed pipeline suggestions * Fixed pipeline suggestion for logs * Added new sample logs for log pipeline * Fixed logs pipeline suggestions * Added service tag in logs * Fixed logs pipeline suggestions * Updated ReadMe for endpoint enrichment details * Made changes in pipeline * Made minor change * Added classifier tag in manifest file * Made changes in pipeline and dashboards * Made changes in log pipeline * Jason suggested dashboard restyling * Added colours to cloud siem group * Minor colour fixed for info in events dashboard * Update sophos_central_cloud/README.md Co-authored-by: Alicia Scott <[email protected]> * Update sophos_central_cloud/README.md Co-authored-by: Alicia Scott <[email protected]> * Update sophos_central_cloud/README.md Co-authored-by: Alicia Scott <[email protected]> * Update sophos_central_cloud/README.md Co-authored-by: Alicia Scott <[email protected]> * Update sophos_central_cloud/README.md Co-authored-by: Alicia Scott <[email protected]> * Update sophos_central_cloud/README.md Co-authored-by: Alicia Scott <[email protected]> * Updating dashboard images * Readme suggested minor changes * Readme suggested minor changes * Adding filters to cloud SIEM panel widgets * Dashboard image updated with latest chagnes * Dashboard image resizing * Added brief description for both logs type --------- Co-authored-by: surabhipatel_crest <[email protected]> Co-authored-by: surabhipatel-crest <[email protected]> Co-authored-by: savan.dalasaniya <[email protected]> Co-authored-by: Alicia Scott <[email protected]>
DataDog · Sep 6, 2024 · a70a125 · a70a125
1 parent 9e62af4
commit a70a125
Show file tree

Hide file tree

Showing 10 changed files with 4,705 additions and 25 deletions.
diff --git a/sophos_central_cloud/CHANGELOG.md b/sophos_central_cloud/CHANGELOG.md
@@ -1,6 +1,6 @@
-# CHANGELOG - sophos_central_cloud
+# CHANGELOG - sophos-central-cloud
 
-## 1.0.0 / 2024-06-17
+## 1.0.0 / 2024-06-30
 
 ***Added***:
 

diff --git a/sophos_central_cloud/README.md b/sophos_central_cloud/README.md
@@ -1,42 +1,62 @@
-# Agent Check: Sophos Central Cloud
+# Sophos Central Cloud Integration for Datadog
 
 ## Overview
 
-This check monitors [Sophos Central Cloud][1].
+[Sophos Central][1] is a unified, cloud-based management platform to monitor and secure your organization from threats. It's used by businesses of all sizes to consolidate the Sophos suite of solutions into a single management solution.
 
-## Setup
+This integration ingests the following logs:
+
+* Alerts
+  * Sophos Alert refers to a notification or warning generated by Sophos Central Cloud in response to a security event or potential threat. Alerts are triggered based on predefined security policies, detection rules, or anomalous activities identified by the Sophos Central Cloud.
+* Events
+  * Sophos Event refers to a specific occurrence that is detected and recorded by Sophos Central Cloud. Events can include various security-related activities such as malware detection, unauthorized access attempts, system vulnerabilities, and other security events.
 
-### Installation
+The Sophos Central Cloud integration seamlessly collects all the above listed logs, channeling them into Datadog for analysis. Leveraging the built-in logs pipeline, these logs are parsed and enriched, enabling effortless search and analysis. The integration provides insight into alerts and events through the out-of-the-box dashboards. Additionally, the integration enriches corresponding endpoint details along with alert and event logs through the **get_endpoint_details** flag.
 
-The Sophos Central Cloud check is included in the [Datadog Agent][2] package.
-No additional installation is needed on your server.
+## Setup
 
 ### Configuration
 
-1. <List of steps to configure this integration>
+#### Sophos Central Cloud Configuration
+
+1. Login to [**Sophos Central Platform**][2] with your credentials.
+2. From Sophos Central Admin, go to **My Products** > **General Settings** > **API Credentials Management**.
+3. Click **Add Credential**.
+4. Provide a credential name, select the appropriate role, add an optional description, and click the **Add** button. The **API credential Summary** for this credential is displayed.
+5. Click **Show Client Secret** to display the **Client Secret**.
+6. Copy the **Client ID** and **Client Secret**.
+
+#### Sophos Central Cloud DataDog Integration Configuration
 
-### Validation
+Configure the Datadog endpoint to forward Sophos Central Cloud events as logs to Datadog.
 
-<Steps to validate integration is functioning as expected>
+1. Navigate to `Sophos Central Cloud`.
+2. Add your Sophos Central Cloud credentials.
+
+| Sophos Central Cloud Parameters | Description                                                                |
+| ------------------------------- | -------------------------------------------------------------------------- |
+| Client ID                       | The Client ID from Sophos Central Cloud.                                         |
+| Client Secret                   | The Client Secret from Sophos Central Cloud.                                     |
+| Get Endpoint Details            | Set to "true" to collect endpoint details for Sophos Central Cloud Alert and Event Logs, otherwise set to "false". Default is "true".                 |
 
 ## Data Collected
 
-### Metrics
+### Logs
 
-The Sophos Central Cloud integration does not include any metrics.
+The integration collects and forwards Sophos Central Cloud Alert and Event logs to Datadog.
 
-### Service Checks
+### Metrics
 
-The Sophos Central Cloud integration does not include any service checks.
+The Sophos Central Cloud integration does not include any metrics.
 
 ### Events
 
 The Sophos Central Cloud integration does not include any events.
 
-## Troubleshooting
+## Support
 
-Need help? Contact [Datadog support][3].
+For further assistance, contact [Datadog Support][3].
 
-[1]: **LINK_TO_INTEGRATION_SITE**
-[2]: https://app.datadoghq.com/account/settings#agent
-[3]: https://docs.datadoghq.com/help/
+[1]: https://www.sophos.com/en-us/products/sophos-central
+[2]: https://cloud.sophos.com/manage/login
+[3]: https://docs.datadoghq.com/help/
diff --git a/sophos_central_cloud/assets/dashboards/sophos_central_cloud_alerts.json b/sophos_central_cloud/assets/dashboards/sophos_central_cloud_alerts.json
diff --git a/sophos_central_cloud/assets/dashboards/sophos_central_cloud_events.json b/sophos_central_cloud/assets/dashboards/sophos_central_cloud_events.json
diff --git a/sophos_central_cloud/assets/logs/sophos-central-cloud.yaml b/sophos_central_cloud/assets/logs/sophos-central-cloud.yaml
@@ -0,0 +1,173 @@
+id: sophos-central-cloud
+metric_id: sophos-central-cloud
+backend_only: false
+facets:
+  - groups:
+      - Event
+    name: Event Outcome
+    path: evt.outcome
+    source: log
+  - groups:
+      - Geoip
+    name: City Name
+    path: network.client.geoip.city.name
+    source: log
+  - groups:
+      - Geoip
+    name: Continent Code
+    path: network.client.geoip.continent.code
+    source: log
+  - groups:
+      - Geoip
+    name: Continent Name
+    path: network.client.geoip.continent.name
+    source: log
+  - groups:
+      - Geoip
+    name: Country ISO Code
+    path: network.client.geoip.country.iso_code
+    source: log
+  - groups:
+      - Geoip
+    name: Country Name
+    path: network.client.geoip.country.name
+    source: log
+  - groups:
+      - Geoip
+    name: Subdivision ISO Code
+    path: network.client.geoip.subdivision.iso_code
+    source: log
+  - groups:
+      - Geoip
+    name: Subdivision Name
+    path: network.client.geoip.subdivision.name
+    source: log
+  - groups:
+      - Web Access
+    name: Client IP
+    path: network.client.ip
+    source: log
+  - groups:
+      - User
+    name: User ID
+    path: usr.id
+    source: log
+pipeline:
+  type: pipeline
+  name: Sophos Central Cloud
+  enabled: true
+  filter:
+    query: "source:sophos-central-cloud"
+  processors:
+    - type: date-remapper
+      name: Define `log_message.created_at` as the official date of the log
+      enabled: true
+      sources:
+        - log_message.created_at
+    - type: pipeline
+      name: Alert
+      enabled: true
+      filter:
+        query: "service:alert"
+      processors:
+        - name: Lookup on `log_message.severity` to `log_message.status`
+          enabled: true
+          source: log_message.severity
+          target: log_message.status
+          lookupTable: |-
+            low, info
+            medium, warning
+            high, critical
+          type: lookup-processor
+        - type: status-remapper
+          name: Define `log_message.status` as the official status of the log
+          enabled: true
+          sources:
+            - log_message.status
+        - type: attribute-remapper
+          name: Map `log_message.customer_id` to `usr.id`
+          enabled: true
+          sources:
+            - log_message.customer_id
+          sourceType: attribute
+          target: usr.id
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `log_message.data.source_info.ip` to `network.client.ip`
+          enabled: true
+          sources:
+            - log_message.data.source_info.ip
+          sourceType: attribute
+          target: network.client.ip
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+    - type: pipeline
+      name: Event
+      enabled: true
+      filter:
+        query: "service:event"
+      processors:
+        - name: Lookup on `log_message.severity` to `log_message.status`
+          enabled: true
+          source: log_message.severity
+          target: log_message.status
+          lookupTable: |-
+            low, info
+            medium, warning
+            high, critical
+            critical, critical
+          type: lookup-processor
+        - name: Lookup on `log_message.ips_threat_data.detectionType` to
+            `log_message.ips_threat_data.detectionTypeName`
+          enabled: true
+          source: log_message.ips_threat_data.detectionType
+          target: log_message.ips_threat_data.detectionTypeName
+          lookupTable: |-
+            0 , Inbound
+            1, Outbound
+          type: lookup-processor
+        - type: status-remapper
+          name: Define `log_message.status` as the official status of the log
+          enabled: true
+          sources:
+            - log_message.status
+        - type: attribute-remapper
+          name: Map `log_message.user_id` to `usr.id`
+          enabled: true
+          sources:
+            - log_message.user_id
+          sourceType: attribute
+          target: usr.id
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `log_message.name` to `evt.outcome`
+          enabled: true
+          sources:
+            - log_message.name
+          sourceType: attribute
+          target: evt.outcome
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `log_message.source_info.ip` to `network.client.ip`
+          enabled: true
+          sources:
+            - log_message.source_info.ip
+          sourceType: attribute
+          target: network.client.ip
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+    - type: geo-ip-parser
+      name: GeoIp Parser for `network.client.ip`
+      enabled: true
+      sources:
+        - network.client.ip
+      target: network.client.geoip
+      ip_processing_behavior: do-nothing