Add Zero Networks integration with assets

zero_networks/CHANGELOG.md

@@ -0,0 +1,7 @@
+# CHANGELOG - zero-networks
+
+## 1.0.0 / 2025-01-01
+
+***Added***:
+
+* Initial Release

zero_networks/README.md

@@ -0,0 +1,56 @@
+# Zero Networks
+
+## Overview
+
+[Zero Networks][1] is a cybersecurity platform that enforces zero-trust principles by restricting access to network resources based on user identity and behavior. It automates the creation of security policies, ensuring that only authorized users and devices can connect, while blocking unauthorized attempts. With features like adaptive access control, audit logs, and micro-segmentation, it minimizes attack surfaces and protects against threats. The platform is easy to deploy and integrates seamlessly with existing systems.
+
+This integration ingests the following logs:
+
+- Audit: Records an event performed by the user, providing an overview of the event's timestamp, involved entities, actions, and more.
+- Network-Activities: Represents information about network communication events occurring within a system, including protocol and traffic type, source and destination information, process information, user information, threat scores, and more.
+
+This integration seamlessly collects all the above listed logs, channeling them into Datadog for analysis. Leveraging the built-in logs pipeline, these logs are parsed and enriched, enabling effortless search and analysis. The integration provides insight into audit and network-activities through the out-of-the-box dashboards.
+
+## Setup
+
+### Generate API credentials in Zero Networks
+
+1. Log in to the Zero Networks platform.
+2. Navigate to **Settings**, click **API** under **Integrations** and click **Add new token**.
+3. Enter a **Token Name** and Set the **Expiry** to **36 months** and click **Add**.
+
+### Connect your Zero Networks Account to Datadog
+
+1. Add your Zero Networks credentials.
+
+    | Parameters                            | Description                                                  |
+    | ------------------------------------- | ------------------------------------------------------------ |
+    | Domain Name                           | The Domain Name from Zero Networks portal URL                 |
+    | API Key                               | The Personal API key of Zero Networks                         |
+
+2. Click the Save button to save your settings.
+
+## Data Collected
+
+### Logs
+
+The Zero Networks integration collects and forwards Zero Networks audit and network activities logs to Datadog.
+
+### Metrics
+
+The Zero Networks integration does not include any metrics.
+
+### Service Checks
+
+The Zero Networks integration does not include any service checks.
+
+### Events
+
+The Zero Networks integration does not include any events.
+
+## Support
+
+Need help? Contact [Datadog support][2].
+
+[1]: https://zeronetworks.com/
+[2]: https://docs.datadoghq.com/help/

zero_networks/assets/logs/zero-networks.yaml

@@ -0,0 +1,184 @@
+id: "zero-networks"
+metric_id: "zero-networks"
+backend_only: false
+facets:
+  - groups:
+      - User
+    name: User ID
+    path: usr.id
+    source: log
+  - groups:
+      - User
+    name: User Name
+    path: usr.name
+    source: log
+  - groups:
+      - Web Access
+    name: Client IP
+    path: network.client.ip
+    source: log
+  - groups:
+      - Web Access
+    name: Destination IP
+    path: network.destination.ip
+    source: log
+  - groups:
+      - Web Access
+    name: Client Port
+    path: network.client.port
+    source: log
+  - groups:
+      - Web Access
+    name: Destination Port
+    path: network.destination.port
+    source: log
+pipeline:
+  type: pipeline
+  name: Zero Networks
+  enabled: true
+  filter:
+    query: source:zero-networks
+  processors:
+    - type: date-remapper
+      name: Define `timestamp` as the official date of the log
+      enabled: true
+      sources:
+        - timestamp
+    - type: pipeline
+      name: Audit
+      enabled: true
+      filter:
+        query: service:audit
+      processors:
+        - type: attribute-remapper
+          name: Map `performedBy.id` to `usr.id`
+          enabled: true
+          sources:
+            - performedBy.id
+          sourceType: attribute
+          target: usr.id
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `performedBy.name` to `usr.name`
+          enabled: true
+          sources:
+            - performedBy.name
+          sourceType: attribute
+          target: usr.name
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - name: Lookup on `userRole` to `user_role`
+          enabled: true
+          source: userRole
+          target: user_role
+          lookupTable: |-
+            0 , Unspecified
+            1 , Admin
+            2 , Viewer
+            3 , Regular
+            4 , API-FullAccess
+            5 , API-ReadOnly
+            6 , SelfService
+            7 , CloudConnectorProvisioning
+            8 , JAMF Asset
+            9 , Asset Manager
+            10 , Operator
+            11 , Service Now Token
+          type: lookup-processor
+        - name: Lookup on `enforcementSource` to `enforcement_source`
+          enabled: true
+          source: enforcementSource
+          target: enforcement_source
+          lookupTable: |-
+            1 , MFA
+            2 , System
+            3 , Access Portal
+            4 , Admin Portal
+            5 , Automation Engine
+            6 , API
+            7 , Setup
+            8 , Connect
+          type: lookup-processor
+    - type: pipeline
+      name: Network Activities
+      enabled: true
+      filter:
+        query: service:network-activities
+      processors:
+        - type: attribute-remapper
+          name: Map `src.userId` to `usr.id`
+          enabled: true
+          sources:
+            - src.userId
+          sourceType: attribute
+          target: usr.id
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `src.userName` to `usr.name`
+          enabled: true
+          sources:
+            - src.userName
+          sourceType: attribute
+          target: usr.name
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `src.ip` to `network.client.ip`
+          enabled: true
+          sources:
+            - src.ip
+          sourceType: attribute
+          target: network.client.ip
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `dst.ip` to `network.destination.ip`
+          enabled: true
+          sources:
+            - dst.ip
+          sourceType: attribute
+          target: network.destination.ip
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `src.port` to `network.client.port`
+          enabled: true
+          sources:
+            - src.port
+          sourceType: attribute
+          target: network.client.port
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `dst.port` to `network.destination.port`
+          enabled: true
+          sources:
+            - dst.port
+          sourceType: attribute
+          target: network.destination.port
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: geo-ip-parser
+          name: GeoIp Parser for `network.client.ip`
+          enabled: true
+          sources:
+            - network.client.ip
+          target: network.client.geoip
+          ip_processing_behavior: do-nothing
+        - type: geo-ip-parser
+          name: GeoIp Parser for `network.destination.ip`
+          enabled: true
+          sources:
+            - network.destination.ip
+          target: network.destination.geoip
+          ip_processing_behavior: do-nothing

zero_networks/assets/logs/zero-networks_tests.yaml

@@ -0,0 +1,13 @@
+id: "zero-networks"
+tests:
+  - sample: |-
+     {"timestamp":1735634130990,"isoTimestamp":"2024-12-31T08:35:30.990Z","auditType":73,"enforcementSource":4,"userRole":1,"destinationEntitiesList":[{"id":"c05d5f20-89a3-4948-bcc6-8cc6e2aab3fe","name":"Test User"}],"details":"{\"publicIp\":\"163.116.212.44\",\"tokenTtl\":\"2025-01-07T08:35:30.000Z\",\"idp\":1,\"role\":1}","parentObjectId":"","reportedObjectId":"","performedBy":{"id":"c05d5f20-89a3-4948-bcc6-8cc6e2aab3fe","name":"Test User"}}
+    result: null
+  - sample: |-
+     {"timestamp":1734584254851,"protocol":17,"state":3,"trafficType":1,"dst":{"assetId":"a:a:VWW2G2C8","assetSrc":3,"networkProtectionState":5,"assetType":2,"eventRecordId":43174318,"fqdn":"dc01.posh.local","ip":"10.0.0.4","port":123,"processId":"1056","processName":"svchost.exe (W32Time) (1056)","processPath":"C:\\Windows\\System32\\svchost.exe (W32Time) (1056)","userId":"S-1-5-19","userName":"NT AUTHORITY\\LOCAL SERVICE","ipThreatScore":0},"src":{"assetId":"a:a:ka62y0mc","assetSrc":3,"networkProtectionState":6,"assetType":2,"eventRecordId":24143201,"fqdn":"fs02.posh.local","ip":"10.0.0.8","port":123,"processId":"1072","processName":"svchost.exe (W32Time) (1072)","processPath":"C:\\Windows\\System32\\svchost.exe (W32Time) (1072)","userId":"S-1-5-19","userName":"NT AUTHORITY\\LOCAL SERVICE","ipThreatScore":0,"envGroupId":"g:e:zUnrnhfa"},"inboundRuleMatches":[],"conflictingInboundRuleMatches":[],"outboundRuleMatches":[],"conflictingOutboundRuleMatches":[],"reason":5}
+    result: null
+
+# The `result` field should be left blank to start. Once you submit your log asset files with
+# your integration pull-request in a Datadog GitHub repository, Datadog's validations will
+# run your raw logs against your pipeline and return the result. If the result output in the
+# validation is accurate, take the output and add it to the `result` field in your test YAML file.

zero_networks/assets/service_checks.json

@@ -0,0 +1 @@
+[]

zero_networks/manifest.json

@@ -0,0 +1,55 @@
+{
+  "manifest_version": "2.0.0",
+  "app_uuid": "5be301d0-072e-42c2-a579-0c8d24755a85",
+  "app_id": "zero-networks",
+  "display_on_public_website": false,
+  "tile": {
+    "overview": "README.md#Overview",
+    "configuration": "README.md#Setup",
+    "support": "README.md#Support",
+    "changelog": "CHANGELOG.md",
+    "description": "Gain insights into Zero Networks audit and network activities logs.",
+    "title": "Zero Networks",
+    "media": [
+      {
+        "caption": "Zero Networks - Audit",
+        "image_url": "images/zero_networks_audit.png",
+        "media_type": "image"
+      },
+      {
+        "caption": "Zero Networks - Network Activities",
+        "image_url": "images/zero_networks_network_activities.png",
+        "media_type": "image"
+      }
+    ],
+    "classifier_tags": [
+      "Category::Log Collection",
+      "Category::Security",
+      "Submitted Data Type::Logs",
+      "Offering::Integration"
+    ]
+  },
+  "assets": {
+    "integration": {
+      "auto_install": false,
+      "source_type_id": 35533755,
+      "source_type_name": "Zero Networks",
+      "events": {
+        "creates_events": false
+      },
+      "service_checks": {
+        "metadata_path": "assets/service_checks.json"
+      }
+    },
+    "dashboards": {
+      "Zero Networks - Audit": "assets/dashboards/zero_networks_audit.json",
+      "Zero Networks - Network Activities": "assets/dashboards/zero_networks_network_activities.json"
+    }
+  },
+  "author": {
+    "support_email": "[email protected]",
+    "name": "Datadog",
+    "homepage": "https://www.datadoghq.com",
+    "sales_email": "[email protected]"
+  }
+}