[INTPLAT-467] DDS: Bitdefender Integration v1.0.0. #19037
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
datadog-agent-integrations-bot
bot
added
documentation
changelog/no-changelog
dev/testing
dev/tooling
qa/skip-qa
…integrations-core into bitdefender-v1.0.0
janine-c
added
the
editorial review
janine-c
requested changes
Nov 29, 2024
|
|
||
| ***Added***: | ||
|
|
||
| * Initial Release |
There was a problem hiding this comment.
Suggested change
| * Initial Release | |
| * Initial release |
There was a problem hiding this comment.
This is an automatically generated file.
bitdefender/README.md
Outdated
| @@ -0,0 +1,97 @@ | |||
| # Bitdefender Integration For Datadog | |||
There was a problem hiding this comment.
Suggested change
| # Bitdefender Integration For Datadog | |
| # Bitdefender integration for Datadog |
There was a problem hiding this comment.
Updated as Suggested.
bitdefender/README.md
Outdated
|
|
||
| ## Overview | ||
|
|
||
| [Bitdefender][1] provides cybersecurity solutions with leading security efficacy, performance and ease of use to small and medium businesses, mid-market enterprises and consumers. Bitdefender EDR effectively stops ransomware and breaches with automated cross-endpoint correlation and seamlessly integrated prevention, protection, detection and response. |
There was a problem hiding this comment.
Suggested change
| [Bitdefender][1] provides cybersecurity solutions with leading security efficacy, performance and ease of use to small and medium businesses, mid-market enterprises and consumers. Bitdefender EDR effectively stops ransomware and breaches with automated cross-endpoint correlation and seamlessly integrated prevention, protection, detection and response. | |
| [Bitdefender][1] provides cybersecurity solutions with leading security efficacy, performance, and ease of use to small and medium businesses, mid-market enterprises, and consumers. Bitdefender EDR effectively stops ransomware and breaches with automated cross-endpoint correlation and seamlessly integrated prevention, protection, detection, and response. |
There was a problem hiding this comment.
Updated as Suggested.
bitdefender/README.md
Outdated
Comment on lines
7
to
22
| The Bitdefender integration utilizes a webhook to ingest Bitdefender EDR logs. Following are the event types for which integration provides OOTB dashboards and detection rules: | ||
|
|
||
| - **Antiphishing:** This event is generated each time the endpoint agent detects a known phishing attempt when accessing a web page. | ||
| - **Antimalware:** This event is generated each time Bitdefender detects malware on an endpoint in your network. | ||
| - **Advanced Threat Control (ATC):** This event is created whenever a potentially dangerous applications is detected and blocked on an endpoint. | ||
| - **Data Protection:** This event is generated each time the data traffic is blocked on an endpoint, according to data protection rules. | ||
| - **Exchange Malware Detection:** This event is created when Bitdefender detects malware on an Exchange server in your network. | ||
| - **Firewall:** This event is generated when the endpoint agent blocks a port scan or an application from accessing the network, according to the applied policy. | ||
| - **Hyper Detect event:** This event is generated when a malware is detected by the Hyper Detect module. | ||
| - **Sandbox Analyzer Detection:** This event is generated each time Sandbox Analyzer detects a new threat among the submitted files. | ||
| - **Antiexploit Event:** This event is generated when Advanced Anti-Exploit triggers a detection. | ||
| - **Network Attack Defense Event:** This event is generated when the Network Attack Defense module triggers a detection. | ||
| - **User Control/Content Control:** This event is generated when a user activity such as web browsing of software application is blocked on the endpoint according to the applied policy. | ||
| - **Storage Antimalware Event:** This event is generated each time SVA detects a new threat among the protected storage (NAS). | ||
| - **Ransomware activity detection:** This event occurs when the endpoint agent blocks ransomware attack. | ||
| - **New Incident:** This event is generated every time a new Root Cause Analysis (RCA) is displayed under the Incidents section of Control Center. The event contains a list of relevant items extracted from the RCA JSON. |
There was a problem hiding this comment.
Suggested change
| The Bitdefender integration utilizes a webhook to ingest Bitdefender EDR logs. Following are the event types for which integration provides OOTB dashboards and detection rules: | |
| - **Antiphishing:** This event is generated each time the endpoint agent detects a known phishing attempt when accessing a web page. | |
| - **Antimalware:** This event is generated each time Bitdefender detects malware on an endpoint in your network. | |
| - **Advanced Threat Control (ATC):** This event is created whenever a potentially dangerous applications is detected and blocked on an endpoint. | |
| - **Data Protection:** This event is generated each time the data traffic is blocked on an endpoint, according to data protection rules. | |
| - **Exchange Malware Detection:** This event is created when Bitdefender detects malware on an Exchange server in your network. | |
| - **Firewall:** This event is generated when the endpoint agent blocks a port scan or an application from accessing the network, according to the applied policy. | |
| - **Hyper Detect event:** This event is generated when a malware is detected by the Hyper Detect module. | |
| - **Sandbox Analyzer Detection:** This event is generated each time Sandbox Analyzer detects a new threat among the submitted files. | |
| - **Antiexploit Event:** This event is generated when Advanced Anti-Exploit triggers a detection. | |
| - **Network Attack Defense Event:** This event is generated when the Network Attack Defense module triggers a detection. | |
| - **User Control/Content Control:** This event is generated when a user activity such as web browsing of software application is blocked on the endpoint according to the applied policy. | |
| - **Storage Antimalware Event:** This event is generated each time SVA detects a new threat among the protected storage (NAS). | |
| - **Ransomware activity detection:** This event occurs when the endpoint agent blocks ransomware attack. | |
| - **New Incident:** This event is generated every time a new Root Cause Analysis (RCA) is displayed under the Incidents section of Control Center. The event contains a list of relevant items extracted from the RCA JSON. | |
| The Bitdefender integration uses a webhook to ingest Bitdefender EDR logs. The integration provides OOTB dashboards and detection rules for the following event types: | |
| | Event | Trigger | | |
| |-------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------| | |
| | Antiphishing | Endpoint agent detects a known phishing attempt when accessing a web page | | |
| | Antimalware | Bitdefender detects malware on an endpoint in your network | | |
| | Advanced Threat Control (ATC) | Potentially dangerous application is detected and blocked on an endpoint | | |
| | Data Protection | Data traffic is blocked on an endpoint, according to data protection rules | | |
| | Exchange Malware Detection | Bitdefender detects malware on an Exchange server in your network | | |
| | Firewall | Endpoint agent blocks a port scan or an application from accessing the network, according to the applied policy | | |
| | Hyper Detect event | Hyper Detect module detects malware | | |
| | Sandbox Analyzer Detection | Sandbox Analyzer detects a new threat among the submitted files | | |
| | Antiexploit Event | Advanced Anti-Exploit triggers a detection | | |
| | Network Attack Defense Event | Network Attack Defense module triggers a detection | | |
| | User Control/Content Control | User activity, such as web browsing of software application, is blocked on the endpoint according to the applied policy | | |
| | Storage Antimalware Event | SVA detects a new threat among the protected storage (NAS) | | |
| | Ransomware activity detection | Endpoint agent blocks ransomware attack | | |
| | New Incident | New Root Cause Analysis (RCA) is displayed under the Incidents section of Control Center. The event contains a list of relevant items extracted from the RCA JSON | |
There was a problem hiding this comment.
Updated as Suggested.
bitdefender/README.md
Outdated
Comment on lines
26
to
30
| ### Configuration | ||
|
|
||
| #### Bitdefender Configuration | ||
|
|
||
| ##### Steps to Create API Key on Bitdefender Business Security Enterprise Portal: |
There was a problem hiding this comment.
Suggested change
| ### Configuration | |
| #### Bitdefender Configuration | |
| ##### Steps to Create API Key on Bitdefender Business Security Enterprise Portal: | |
| ### Create a Bitdefender API Key |
There was a problem hiding this comment.
Updated as Suggested.
| "id": 2723456080788240, | ||
| "definition": { | ||
| "type": "note", | ||
| "content": "**Dashboard Overview**\n\n- Bitdefender Ransomware Activity Detection Event Details dashboard provides insights about detected ransomware.\n\nFor more information, see the [Bitdefender Integration Documentation](https://docs.datadoghq.com/integrations/bitdefender/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations. ", |
There was a problem hiding this comment.
Suggested change
| "content": "**Dashboard Overview**\n\n- Bitdefender Ransomware Activity Detection Event Details dashboard provides insights about detected ransomware.\n\nFor more information, see the [Bitdefender Integration Documentation](https://docs.datadoghq.com/integrations/bitdefender/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations. ", | |
| "content": "**Dashboard Overview**\n\nThe Bitdefender Ransomware Activity Detection Event Details dashboard provides insights about detected ransomware.\n\nFor more information, see the [Bitdefender Integration Documentation](https://docs.datadoghq.com/integrations/bitdefender/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", |
There was a problem hiding this comment.
Updated as Suggested.
| @@ -0,0 +1,576 @@ | |||
| { | |||
| "title": "Bitdefender - User Control Event Details", | |||
| "description": "Bitdefender User Control Event Details dashboard provides insights about blocked user activity on the endpoint according to the applied policy.", | |||
There was a problem hiding this comment.
Suggested change
| "description": "Bitdefender User Control Event Details dashboard provides insights about blocked user activity on the endpoint according to the applied policy.", | |
| "description": "The Bitdefender User Control Event Details dashboard provides insights about endpoint user activity that has been blocked according to your applied policy.", |
There was a problem hiding this comment.
Updated as Suggested.
| "id": 6106324979267452, | ||
| "definition": { | ||
| "type": "note", | ||
| "content": "**Dashboard Overview**\n\n- Bitdefender User Control Event Details dashboard provides insights about blocked user activity on the endpoint according to the applied policy.\n\nFor more information, see the [Bitdefender Integration Documentation](https://docs.datadoghq.com/integrations/bitdefender/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations. ", |
There was a problem hiding this comment.
Suggested change
| "content": "**Dashboard Overview**\n\n- Bitdefender User Control Event Details dashboard provides insights about blocked user activity on the endpoint according to the applied policy.\n\nFor more information, see the [Bitdefender Integration Documentation](https://docs.datadoghq.com/integrations/bitdefender/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify and add widgets and visualizations. ", | |
| "content": "**Dashboard Overview**\n\nThe Bitdefender User Control Event Details dashboard provides insights about endpoint user activity that has been blocked according to your applied policy.\n\nFor more information, see the [Bitdefender Integration Documentation](https://docs.datadoghq.com/integrations/bitdefender/).\n\n**Tips**\n- Use the timeframe selector in the top right of the dashboard to change the default timeframe.\n- Clone this dashboard to rearrange, modify, and add widgets and visualizations.", |
There was a problem hiding this comment.
Updated as Suggested.
bitdefender/manifest.json
Outdated
| "configuration": "README.md#Setup", | ||
| "support": "README.md#Support", | ||
| "changelog": "CHANGELOG.md", | ||
| "description": "Provides overall insights of the bitdefender logs generated by bitdefender agent", |
There was a problem hiding this comment.
Suggested change
| "description": "Provides overall insights of the bitdefender logs generated by bitdefender agent", | |
| "description": "Provides insights about the logs Bitdefender Agent generated.", |
There was a problem hiding this comment.
Updated as Suggested.
| "id": 161897206113872, | ||
| "definition": { | ||
| "type": "note", | ||
| "content": "Datadog Cloud SIEM analyzes and correlates Bitdefender logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). ", |
There was a problem hiding this comment.
Suggested change
| "content": "Datadog Cloud SIEM analyzes and correlates Bitdefender logs to detect threats to your environment in real time. If you don't see signals please make sure you've enabled [Datadog Cloud SIEM](/security). ", | |
| "content": "Datadog Cloud SIEM analyzes Bitdefender logs to detect threats to your environment in real time. If you don't see signals, please make sure you've enabled [Datadog Cloud SIEM](/security).", |
There was a problem hiding this comment.
Updated as Suggested.
datadog-assets
bot
added
docs/requested-changes
and removed
docs/review-requested
labels
…rview changes as well as changelog.md file changes.
torosmassa
changed the title
torosmassa
changed the title
janine-c
previously approved these changes
Dec 6, 2024
BoyangHuang
requested changes
Dec 12, 2024
| type: pipeline | ||
| name: Bitdefender | ||
| enabled: true | ||
| filter: |
There was a problem hiding this comment.
Why are no facets defined? There are some opportunities to remap to standard attributes here.
Take a look at various standard facets here: https://docs.datadoghq.com/standard-attributes/?product=log+management
- Would it make sense to map
computer_nameorcomputer_idmap to host? computer_ip->network.client.ip?url->http.url?- What are the potential values of
status? Is there a category remapped you can implement to map the status of the Datadog log (info, warning, error, etc) to the value
There was a problem hiding this comment.
Considering this Datadog Pipeline limitations and discussions here: link, adding any remappers was not feasible, but based on this new internal Doc from Jason here : link, we have done a POC and have updated both TDD : link and Pipeline with possible processors here: link
There was a problem hiding this comment.
Excellent, it looks good. I'm going to add the staging tag and see if we can get this validated in staging. Thanks for updating the pipeline.
BoyangHuang
added
assets/deploy-logs-staging
janine-c
reviewed
Dec 18, 2024
| preserveSource: false | ||
| overrideOnConflict: false | ||
| - type: pipeline | ||
| name: Processing of Netwrok Attack Defense logs |
There was a problem hiding this comment.
Can't make a suggestion for some reason, but "Netwrok" should be "Network" here
janine-c
approved these changes
Dec 20, 2024
BoyangHuang
approved these changes
Jan 3, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
PR for a new integration Bitdefender 1.0.0
Additional Notes
-- OOTB detection rules JSON would be shared separately with the required teams as a part of separate repository .
-- Since during the standard attribute remapping we are not preserving the source attributes as per suggested best practices, it would result in filters using these standard attributes populating the values of other integrations as well as per current datadog behavior.
Review checklist (to be filled by reviewers)
qa/skip-qalabel if the PR doesn't need to be tested during QA.backport/<branch-name>label to the PR and it will automatically open a backport PR once this one is merged