Cybersixgill Actionable Alerts

cybersixgill_actionable_alerts/CHANGELOG.md

@@ -0,0 +1,3 @@
+# CHANGELOG - cybersixgill_actionable_alerts
+
+## 1.0.0 / 2022-10-30

cybersixgill_actionable_alerts/README.md

@@ -0,0 +1,67 @@
+# Agent Check: cybersixgill_actionable_alerts
+
+## Overview
+By integrating Cybersixgill actionable alerts, Datadog customers gain a premium,
+automated threat intelligence solution based on the most comprehensive data sources from the deep, dark and surface web. 
+It is customizable, enabling users to define key assets relevant to their brand, industry, and geolocation. Users can covertly 
+monitor critical assets such as IP addresses, domains, vulnerabilities, and VIPs for activity on the underground and closed sources - and 
+prioritize, as well as respond to threats directly from the Siemplify dashboard.
+This check monitors [cybersixgill_actionable_alerts][1].
+
+## Setup
+
+### Installation
+
+To install the cybersixgill_actionable_alerts check on your host:
+
+
+1. Install the [developer toolkit][11] on any machine.
+
+2. To build the package, run the command: `ddev release build cybersixgill_actionable_alerts` 
+
+3. [Install the Datadog Agent][10] on your host.
+
+4. Once the Agent is installed, upload the build artifact by running the command: `datadog-agent integration install -w
+ path/to/cybersixgill_actionable_alerts/dist/datadog_cybersixgill_actionable_alerts-0.0.1-py3-none-any.whl`.
+
+### Configuration
+
+1. Provide Client Id and Client Secret in Configuration.yaml file which you will get it [email protected].
+2. Provide the min collection interval in seconds. `min_collection_interval: 3600`
+
+### Validation
+
+1. Verify that [events][12] are generated in your account 
+
+## Data Collected
+
+### Metrics
+
+cybersixgill_actionable_alerts does not include any metrics.
+
+### Service Checks
+
+See assets/service_checks.json for a list of service checks provided by this integration..
+
+### Events
+
+cybersixgill_actionable_alerts does include events.
+
+## Troubleshooting
+
+Need help? Contact [Datadog support][3] or [Cybersixgill support][13].
+
+[1]: https://www.cybersixgill.com/
+[2]: https://app.datadoghq.com/account/settings#agent
+[3]: https://docs.datadoghq.com/agent/kubernetes/integrations/
+[4]: https://github.com/DataDog/integrations-extras/blob/master/cybersixgill_actionable_alerts/datadog_checks/cybersixgill_actionable_alerts/data/conf.yaml.example
+[5]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent
+[6]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information
+[7]: https://github.com/DataDog/integrations-extras/blob/master/cybersixgill_actionable_alerts/metadata.csv
+[8]: https://github.com/DataDog/integrations-extras/blob/master/cybersixgill_actionable_alerts/assets/service_checks.json
+[9]: https://docs.datadoghq.com/help/
+[10]: https://docs.datadoghq.com/getting_started/agent/
+[11]: https://docs.datadoghq.com/developers/integrations/new_check_howto/#developer-toolkit
+[12]: https://app.datadoghq.com/event/explorer
+[13]: [email protected]
+

cybersixgill_actionable_alerts/assets/configuration/spec.yaml

@@ -0,0 +1,50 @@
+name: Cybersixgill Actionable Alerts
+files:
+- name: cybersixgill_actionable_alerts.yaml
+  options:
+  - template: init_config
+    options:
+    - template: init_config/default
+  - template: instances
+    options:
+      - name: cl_id
+        required: true
+        description: The Client Id given by Cybersixgill
+        enabled:  true
+        value:
+          type: string
+          example:  clientid
+          display_default:  null
+      - name: cl_secret
+        required: true
+        description:  The Client Secret given by Cybersixgill
+        enabled:  true
+        value:
+          type: string
+          example:  client00000secret
+          display_default:  null
+      - name: alerts_limit
+        required: false
+        description:  The number of alerts to fetch on a single request default is 50
+        enabled:  false
+        value:
+          type: string
+          example:  50
+          display_default:  null
+      - name: threat_type
+        required: false
+        description:  Predefined types of threats alerts you would like to see like fraud, malware
+        enabled:  false
+        value:
+          type: string
+          example:  compromised accounts, fraud
+          display_default:  null
+      - name: threat_level
+        required: false
+        description:  Type of alerts which are either imminent or emerging
+        enabled:  false
+        value:
+          type: string
+          example:  imminent
+          display_default:  null
+    - template: instances/default

cybersixgill_actionable_alerts/assets/dashboards/alerts_count_overview.json

@@ -0,0 +1,33 @@
+{
+    "viz": "timeseries",
+    "requests": [
+        {
+            "style": {
+                "palette": "dog_classic"
+            },
+            "type": "bars",
+            "formulas": [
+                {
+                    "formula": "query1"
+                }
+            ],
+            "response_format": "timeseries",
+            "queries": [
+                {
+                    "search": {
+                        "query": "source:my_apps"
+                    },
+                    "data_source": "events",
+                    "compute": {
+                        "aggregation": "count"
+                    },
+                    "name": "query1",
+                    "indexes": [
+                        "*"
+                    ],
+                    "group_by": []
+                }
+            ]
+        }
+    ]
+}

cybersixgill_actionable_alerts/assets/dashboards/cybersixgill_actionable_alerts_overview.json

@@ -0,0 +1,27 @@
+{
+    "viz": "event_stream",
+    "requests": [
+        {
+            "query": {
+                "query_string": "source: my_apps",
+                "data_source": "event_stream",
+                "event_size": "s"
+            },
+            "columns": [
+                {
+                    "field": "source",
+                    "width": 50
+                },
+                {
+                    "field": "message",
+                    "width": "auto"
+                },
+                {
+                    "field": "date",
+                    "width": 90
+                }
+            ],
+            "response_format": "event_list"
+        }
+    ]
+}

cybersixgill_actionable_alerts/assets/dashboards/emerging_alerts_count.json

@@ -0,0 +1,35 @@
+{
+    "viz": "sunburst",
+    "requests": [
+        {
+            "formulas": [
+                {
+                    "formula": "query2",
+                    "limit": {
+                        "order": "desc"
+                    }
+                }
+            ],
+            "response_format": "scalar",
+            "queries": [
+                {
+                    "search": {
+                        "query": "source:my_apps message:\"Threat Level: emerging\""
+                    },
+                    "data_source": "events",
+                    "compute": {
+                        "aggregation": "count"
+                    },
+                    "name": "query2",
+                    "indexes": [
+                        "*"
+                    ],
+                    "group_by": []
+                }
+            ]
+        }
+    ],
+    "legend": {
+        "type": "automatic"
+    }
+}

cybersixgill_actionable_alerts/assets/dashboards/imminent_alerts_count.json

@@ -0,0 +1,35 @@
+{
+    "viz": "sunburst",
+    "requests": [
+        {
+            "formulas": [
+                {
+                    "formula": "query2",
+                    "limit": {
+                        "order": "desc"
+                    }
+                }
+            ],
+            "response_format": "scalar",
+            "queries": [
+                {
+                    "search": {
+                        "query": "source:my_apps message:\"Threat Level: imminent\""
+                    },
+                    "data_source": "events",
+                    "compute": {
+                        "aggregation": "count"
+                    },
+                    "name": "query2",
+                    "indexes": [
+                        "*"
+                    ],
+                    "group_by": []
+                }
+            ]
+        }
+    ],
+    "legend": {
+        "type": "automatic"
+    }
+}

cybersixgill_actionable_alerts/assets/service_checks.json

@@ -0,0 +1,26 @@
+[
+  {
+        "agent_version": "7.37.1",
+        "integration": "Cybersixgill Actionable Alerts",
+        "groups": [],
+        "check": "cybersixgill.can_connect",
+        "statuses": [
+            "ok",
+            "critical"
+        ],
+        "name": "Can Connect",
+        "description": "Returns `OK` If Client Id and Client Secre are present in Instance. Returns `CRITICAL` If Configuration Errors occurs."
+    },
+  {
+        "agent_version": "7.37.1",
+        "integration": "Cybersixgill Actionable Alerts",
+        "groups": [],
+        "check": "cybersixgill.health",
+        "statuses": [
+            "ok",
+            "critical"
+        ],
+        "name": "Health",
+        "description": "Returns `CRITICAL` If the agent is unable to connect to Cybersixgill API"
+    }
+]

cybersixgill_actionable_alerts/datadog_checks/__init__.py

@@ -0,0 +1 @@
+__path__ = __import__('pkgutil').extend_path(__path__, __name__)  # type: ignore

cybersixgill_actionable_alerts/datadog_checks/cybersixgill_actionable_alerts/__about__.py

@@ -0,0 +1 @@
+__version__ = '0.0.1'

cybersixgill_actionable_alerts/datadog_checks/cybersixgill_actionable_alerts/__init__.py

@@ -0,0 +1,4 @@
+from .__about__ import __version__
+from .check import CybersixgillActionableAlertsCheck
+
+__all__ = ['__version__', 'CybersixgillActionableAlertsCheck']