
[SIEMINT-40] [Release] DDS: Sophos Central Cloud: Crawler Integration v1.0.0

Open ravindrasojitra-crest opened this issue 1 year ago • 5 comments

What does this PR do?

This is an initial release PR of the Sophos Central Cloud integration, including all the required assets.

Additional Notes

  • Crawler code for this integration has been committed in its respective repo
  • Pipeline and Facet group created for this integration are available in our sandbox and would be shared separately with the required teams.
  • Samples for the pipeline review would also be shared separately with the required teams.
  • OOTB detection rules JSON would be shared separately with the required teams as a part of separate repository.
  • Since, during the standard attribute remapping, we are not preserving the source attributes (as per the suggested best practices), filters using these standard attributes would also populate the values of other integrations, as per current Datadog behaviour.

Review checklist (to be filled by reviewers)

  • [ ] Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • [ ] Changelog entries must be created for modifications to shipped code
  • [ ] Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
  • [ ] If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

ravindrasojitra-crest, Jul 01 '24 09:07

Hi @ravindrasojitra-crest, is this ready for review? I see the title says "[DRAFT]".

jhgilbert, Jul 01 '24 16:07

> Hi @ravindrasojitra-crest, is this ready for review? I see the title says "[DRAFT]".

Yes, now it is ready for review. We kept it in DRAFT as we were resolving a pipeline failure.

ravindrasojitra-crest, Jul 02 '24 10:07

@ravindrasojitra-crest, please rebase this to resolve the conflicts.

nathanmadams, Jul 26 '24 21:07

@nathanmadams @audesikorav, we got one suggestion on the Sophos Crawler PR. Because of that, we have changed the response structure.

Instead of mutating the original log record, we should put the endpoint data next to the original log message like this:

{
    "log_message": <original log json here>,
    "endpoint_details": <endpoint data here>,
}

Hence, we have changed the dashboard and pipelines accordingly. Please re-review and let us know if anything else is required.

ravindrasojitra-crest, Aug 01 '24 18:08
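The comment above describes the structural change without showing why wrapping is preferable to mutating. The following Python is an added example, not code from the integrations-core repository or from the Sophos crawler; the event and endpoint records are constructed samples, not real Sophos Central data, and the function names are hypothetical. It contrasts the in-place merge (where any key present in both records is silently overwritten and the source log is altered) with the `log_message` / `endpoint_details` wrapper from the thread, which keeps the original record byte-for-byte intact and leaves no ambiguity about which fields came from the log and which from the lookup.

```python
import copy
import json

# Constructed sample input (not real Sophos data): one event as a crawler might
# fetch it, and the endpoint record it looks up to enrich that event.
# Note the deliberate key collision on "id" and "type".
SAMPLE_EVENT = {
    "id": "evt-0001",
    "type": "Event::Endpoint::Threat::Detected",
    "severity": "high",
    "endpoint_id": "ep-42",
}
SAMPLE_ENDPOINT = {
    "id": "ep-42",
    "type": "server",
    "hostname": "web-01",
    "os": {"platform": "linux"},
}


def colliding_keys(event, endpoint):
    """Keys present in both records; these are the ones an in-place merge clobbers."""
    return sorted(set(event) & set(endpoint))


def enrich_by_mutation(event, endpoint):
    """The pattern the thread moved away from: merge endpoint fields into the
    event record itself. Shared keys are overwritten without any error, and the
    caller's event object is modified, so downstream consumers can no longer
    tell which values were in the source log."""
    event.update(endpoint)
    return event


def enrich_by_wrapping(event, endpoint):
    """The structure suggested in the thread: the untouched event sits under
    "log_message" and the lookup result under "endpoint_details". Deep copies
    guarantee that later processing cannot alter the caller's originals."""
    return {
        "log_message": copy.deepcopy(event),
        "endpoint_details": copy.deepcopy(endpoint),
    }


def to_log_line(record):
    """Serialize one enriched record as a single compact JSON line for intake."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    print("colliding keys:", colliding_keys(SAMPLE_EVENT, SAMPLE_ENDPOINT))
    mutated = enrich_by_mutation(copy.deepcopy(SAMPLE_EVENT), SAMPLE_ENDPOINT)
    print("mutated:", to_log_line(mutated))  # event id "evt-0001" is gone
    wrapped = enrich_by_wrapping(SAMPLE_EVENT, SAMPLE_ENDPOINT)
    print("wrapped:", to_log_line(wrapped))  # both ids survive
```

With the wrapped shape, pipeline processors and dashboard facets address `log_message.id` and `endpoint_details.id` separately, which is what lets the pipeline and dashboard changes mentioned above be made without guessing at field provenance.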

We made changes as per Jason's suggestion on dashboard restyling.

savandalasaniya-crest, Aug 07 '24 13:08