feat(sentinel_one): add application_risk and threat_event

Add modules to manage the Sentinel One application_risk and threat_event data streams.

Author: andrewkroh

fleet_integration/sentinel_one.application_risk.cel/README.md

@@ -0,0 +1,49 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_fleet_package_policy"></a> [fleet\_package\_policy](#module\_fleet\_package\_policy) | ../../fleet_package_policy | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_api_token"></a> [api\_token](#input\_api\_token) | API Token of the SentinelOne with API Access Level type. | `string` | n/a | yes |
+| <a name="input_batch_size"></a> [batch\_size](#input\_batch\_size) | Batch size for the response of the Sentinel One API. The maximum supported page size value is 1000. | `number` | `1000` | no |
+| <a name="input_enable_request_tracer"></a> [enable\_request\_tracer](#input\_enable\_request\_tracer) | The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details. | `bool` | `false` | no |
+| <a name="input_fleet_agent_policy_id"></a> [fleet\_agent\_policy\_id](#input\_fleet\_agent\_policy\_id) | Agent policy ID to add the package policy to. | `string` | n/a | yes |
+| <a name="input_fleet_data_stream_namespace"></a> [fleet\_data\_stream\_namespace](#input\_fleet\_data\_stream\_namespace) | Namespace to use for the data stream. | `string` | `"default"` | no |
+| <a name="input_fleet_package_policy_description"></a> [fleet\_package\_policy\_description](#input\_fleet\_package\_policy\_description) | Description to use for the package policy. | `string` | `""` | no |
+| <a name="input_fleet_package_policy_force"></a> [fleet\_package\_policy\_force](#input\_fleet\_package\_policy\_force) | Force reinstallation of the package even if already installed. When true, bypasses "already installed" checks and triggers complete re-installation. This deletes and recreates Kibana assets (dashboards, visualizations), removes transforms and their destination indices, and overwrites ingest pipelines and templates. | `bool` | `true` | no |
+| <a name="input_fleet_package_policy_name_suffix"></a> [fleet\_package\_policy\_name\_suffix](#input\_fleet\_package\_policy\_name\_suffix) | Suffix to append to the end of the package policy name. | `string` | `""` | no |
+| <a name="input_fleet_package_version"></a> [fleet\_package\_version](#input\_fleet\_package\_version) | Version of the sentinel\_one package to use. | `string` | `"2.1.0"` | no |
+| <a name="input_http_client_timeout"></a> [http\_client\_timeout](#input\_http\_client\_timeout) | Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h. | `string` | `"30s"` | no |
+| <a name="input_interval"></a> [interval](#input\_interval) | Duration between requests to the Sentinel One API. Supported units for this parameter are h/m/s. | `string` | `"24h"` | no |
+| <a name="input_preserve_duplicate_custom_fields"></a> [preserve\_duplicate\_custom\_fields](#input\_preserve\_duplicate\_custom\_fields) | Preserve sentinel\_one.application\_risk fields that were copied to Elastic Common Schema (ECS) fields. | `bool` | `null` | no |
+| <a name="input_preserve_original_event"></a> [preserve\_original\_event](#input\_preserve\_original\_event) | Preserves a raw copy of the original event, added to the field `event.original`. | `bool` | `false` | no |
+| <a name="input_processors_yaml"></a> [processors\_yaml](#input\_processors\_yaml) | Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. | `string` | `null` | no |
+| <a name="input_proxy_url"></a> [proxy\_url](#input\_proxy\_url) | URL to proxy connections in the form of http\[s\]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format. | `string` | `null` | no |
+| <a name="input_site_ids"></a> [site\_ids](#input\_site\_ids) | Comma separated list of Site IDs to filter by. Example - "225494730938493804,225494730938493915". | `string` | `null` | no |
+| <a name="input_ssl_yaml"></a> [ssl\_yaml](#input\_ssl\_yaml) | SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details. | `string` | `"#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | n/a | `list(string)` | <pre>[<br>  "forwarded",<br>  "sentinel_one-application_risk"<br>]</pre> | no |
+| <a name="input_url"></a> [url](#input\_url) | Base URL of the SentinelOne Singularity Operations Center. It will be in the format `https://<your-tenant>.sentinelone.net`. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_id"></a> [id](#output\_id) | Package policy ID |
+<!-- END_TF_DOCS -->

fleet_integration/sentinel_one.application_risk.cel/module.tf.json

@@ -0,0 +1,138 @@
+{
+  "//": "Generated by fleet-terraform-generator - DO NOT EDIT",
+  "variable": {
+    "api_token": {
+      "type": "string",
+      "description": "API Token of the SentinelOne with API Access Level type.",
+      "sensitive": true,
+      "nullable": false
+    },
+    "batch_size": {
+      "type": "number",
+      "description": "Batch size for the response of the Sentinel One API. The maximum supported page size value is 1000.",
+      "default": 1000,
+      "nullable": false
+    },
+    "enable_request_tracer": {
+      "type": "bool",
+      "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
+      "default": false
+    },
+    "fleet_agent_policy_id": {
+      "type": "string",
+      "description": "Agent policy ID to add the package policy to."
+    },
+    "fleet_data_stream_namespace": {
+      "type": "string",
+      "description": "Namespace to use for the data stream.",
+      "default": "default"
+    },
+    "fleet_package_policy_description": {
+      "type": "string",
+      "description": "Description to use for the package policy.",
+      "default": ""
+    },
+    "fleet_package_policy_force": {
+      "type": "bool",
+      "description": "Force reinstallation of the package even if already installed. When true, bypasses \"already installed\" checks and triggers complete re-installation. This deletes and recreates Kibana assets (dashboards, visualizations), removes transforms and their destination indices, and overwrites ingest pipelines and templates.",
+      "default": true
+    },
+    "fleet_package_policy_name_suffix": {
+      "type": "string",
+      "description": "Suffix to append to the end of the package policy name.",
+      "default": ""
+    },
+    "fleet_package_version": {
+      "type": "string",
+      "description": "Version of the sentinel_one package to use.",
+      "default": "2.1.0"
+    },
+    "http_client_timeout": {
+      "type": "string",
+      "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
+      "default": "30s",
+      "nullable": false
+    },
+    "interval": {
+      "type": "string",
+      "description": "Duration between requests to the Sentinel One API. Supported units for this parameter are h/m/s.",
+      "default": "24h",
+      "nullable": false
+    },
+    "preserve_duplicate_custom_fields": {
+      "type": "bool",
+      "description": "Preserve sentinel_one.application_risk fields that were copied to Elastic Common Schema (ECS) fields.",
+      "default": null
+    },
+    "preserve_original_event": {
+      "type": "bool",
+      "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
+      "default": false
+    },
+    "processors_yaml": {
+      "type": "string",
+      "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.",
+      "default": null
+    },
+    "proxy_url": {
+      "type": "string",
+      "description": "URL to proxy connections in the form of http\\[s\\]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are in URL encoded format.",
+      "default": null
+    },
+    "site_ids": {
+      "type": "string",
+      "description": "Comma separated list of Site IDs to filter by. Example - \"225494730938493804,225494730938493915\".",
+      "default": null
+    },
+    "ssl_yaml": {
+      "type": "string",
+      "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
+      "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
+    },
+    "tags": {
+      "type": "list(string)",
+      "default": [
+        "forwarded",
+        "sentinel_one-application_risk"
+      ],
+      "nullable": false
+    },
+    "url": {
+      "type": "string",
+      "description": "Base URL of the SentinelOne Singularity Operations Center. It will be in the format `https://<your-tenant>.sentinelone.net`.",
+      "nullable": false
+    }
+  },
+  "output": {
+    "id": {
+      "description": "Package policy ID",
+      "value": "${module.fleet_package_policy.id}"
+    }
+  },
+  "module": {
+    "fleet_package_policy": {
+      "agent_policy_id": "${var.fleet_agent_policy_id}",
+      "all_data_streams": [
+        "application",
+        "application_risk",
+        "threat_event"
+      ],
+      "all_policy_template_inputs": [
+        "sentinel_one-cel",
+        "sentinel_one-httpjson"
+      ],
+      "data_stream": "application_risk",
+      "data_stream_variables_json": "${jsonencode({\n  batch_size = var.batch_size\n  enable_request_tracer = var.enable_request_tracer\n  http_client_timeout = var.http_client_timeout\n  interval = var.interval\n  preserve_duplicate_custom_fields = var.preserve_duplicate_custom_fields\n  preserve_original_event = var.preserve_original_event\n  processors = var.processors_yaml\n  site_ids = var.site_ids\n  tags = var.tags\n})}",
+      "description": "${var.fleet_package_policy_description}",
+      "force": "${var.fleet_package_policy_force}",
+      "input_type": "cel",
+      "input_variables_json": "${jsonencode({\n  api_token = var.api_token\n  proxy_url = var.proxy_url\n  ssl = var.ssl_yaml\n  url = var.url\n})}",
+      "namespace": "${var.fleet_data_stream_namespace}",
+      "package_name": "sentinel_one",
+      "package_policy_name": "sentinel_one-application_risk-${var.fleet_data_stream_namespace}${var.fleet_package_policy_name_suffix}",
+      "package_version": "${var.fleet_package_version}",
+      "policy_template": "sentinel_one",
+      "source": "../../fleet_package_policy"
+    }
+  }
+}