[tychon] New integration

.github/CODEOWNERS

@@ -388,6 +388,7 @@
 /packages/trellix_epo_cloud @elastic/security-service-integrations
 /packages/trend_micro_vision_one @elastic/security-service-integrations
 /packages/trendmicro @elastic/security-service-integrations
+/packages/tychon @elastic/security-service-integrations
 /packages/udp @elastic/sec-deployment-and-devices
 /packages/universal_profiling_agent @elastic/profiling
 /packages/universal_profiling_collector @elastic/obs-ds-intake-services

packages/tychon/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: [email protected]

packages/tychon/_dev/build/docs/README.md

@@ -0,0 +1,126 @@
+# TYCHON Agentless
+
+[TYCHON Agentless](https://tychon.io/products/tychon-agentless/) is an integration that lets you collect TYCHON's gold source Master Endpoint Record data from endpoints, including vulnerability and STIG results, without heavy resource use or software installation. You can then investigate the TYCHON data using Elastic's analytics, visualizations, and dashboards. [Contact us to learn more.](https://tychon.io/start-a-free-trial/).
+
+## Compatibility
+
+* This integration supports Windows and RedHat/CENTOS Endpoint Operating Systems.
+* This integration requires a TYCHON Agentless license.
+* This integration requires [TYCHON Vulnerability Definition](https://support.tychon.io/) files.
+* The Linux Endpoint requires RedHat's [OpenScap](https://www.open-scap.org/tools/openscap-base/) to be installed for STIG and CVE to report data.
+
+## Returned Data Fields
+
+### ARP Table Information
+
+TYCHON scans Endpoint ARP Tables and returns the results.
+
+{{fields "arp"}}
+
+### Browser Configurations
+
+TYCHON checks local browser configuration settings.
+
+{{fields "browser"}}
+
+### Listening Certificate Ciphers
+
+TYCHON connects to open ports on the computer and reports back if it is hosting ciphers and the certificate information from those ciphers.
+
+{{fields "ciphers"}}
+
+### DISA Continuous Monitoring and Risk Scoring Data
+
+TYCHON Agentless will generate the complete Master Endpoint Record for reporting to CMRS, this dataset is unsearchable and encoded but required to send to DISA.
+
+{{fields "cmrs"}}
+
+### COAMS Information (DATT Required)
+
+TYCHON has integtred with DISA DATT and gathering what Operational Attributes have been applied.
+
+{{fields "coams"}}
+
+### Vulnerablities
+
+TYCHON scans for Endpoint CPU's and returns the results.
+
+{{fields "cpu"}}
+
+### Vulnerablities
+
+TYCHON scans for Endpoint vulnerablities and returns the results.
+
+{{fields "cve"}}
+
+### Endpoint Protection Platform
+
+TYCHON scans the Endpoint's Windows Defender and returns protection status and version details.
+
+{{fields "epp"}}
+
+### Endpoint Exposed Services Information
+
+The TYCHON script to scan Endpoint Exposed Services and returns information.
+
+{{fields "exposedservice"}}
+
+### Endpoint External Device Control
+
+TYCHON will ensure external devices like usb hard drives and cdrom drives cannot be used except for the whitelist hardware Identifiers within the policy.
+
+{{fields "externaldevicecontrol"}}
+
+### Windows Feature Information
+
+TYCHON gathers which Windows features have been enabled on endpoints and returns the results.
+
+{{fields "features"}}
+
+### Endpoint Hard Drive Information
+
+The TYCHON script scans an endpoint's Hard Drive Configurations and returns information.
+
+{{fields "harddrive"}}
+
+### Endpoint Hardware Information
+
+The TYCHON script scans an endpoint's Hardware Configurations and returns information.
+
+{{fields "hardware"}}
+
+### Endpoint Host OS Information
+
+The TYCHON script scans an endpoint's OS Configurations and returns information.
+
+{{fields "host"}}
+
+### Endpoint Network Adapters Information
+
+The TYCHON script scans an endpoint's Network Adapter Configurations and returns information.
+
+{{fields "networkadapter"}}
+
+### Endpoint Software Inventory Information
+
+The TYCHON script scans an endpoint's Software Inventory and returns information.
+
+{{fields "softwareinventory"}}
+
+### Endpoint STIG Information
+
+The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information.
+
+{{fields "stig"}}
+
+### File System Certificates 
+
+TYCHON searches the computer and hard drive for certificate files that stored in a keystore and outside of a keystore.
+
+{{fields "systemcerts"}}
+
+### Endpoint Volume Information
+
+The TYCHON script scans an endpoint's Volume Configurations and returns information.
+
+{{fields "volume"}}

packages/tychon/changelog.yml

@@ -0,0 +1,5 @@
+- version: 0.1.0
+  changes:
+    - description: Initial release of the TYCHON Agentless integration
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10811

packages/tychon/data_stream/arp/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,13 @@
+version: '2.3'
+services:
+  tychon-filestream:
+    image: alpine
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+      - ${SERVICE_LOGS_DIR}/:/var/log
+    command:
+      - /bin/sh
+      - -c
+      - |
+        cp /sample_logs/* /var/log/
+        sleep infinity

packages/tychon/data_stream/arp/_dev/deploy/docker/sample_logs/test-base.ndjson

@@ -0,0 +1 @@
+{"destination.hostname":"Request timed out (700 ms)","destination.ip":"10.1.9.1","destination.mac":"04-d5-90-f6-de-a3","destination.name":"Request timed out (700 ms)","host.biossn":"737C4D56-5714-9415-3B54-352BA8936AF3","host.cloud.hosted":"false","host.domain":"","host.hardware.bios.name":"Phoenix Technologies LTD","host.hardware.bios.version":"6.00","host.hardware.cpu.caption":"Intel64 Family 6 Model 45 Stepping 7","host.hardware.manufacturer":"VMware, Inc.","host.hardware.owner":"admin","host.hardware.serial_number":"VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3","host.hostname":"BOTANYBAYEP1","host.id":"c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP","host.ip":"10.1.9.51","host.ipv4":"10.1.9.51","host.ipv6":"","host.mac":"00:0C:29:93:6A:F3","host.oem.manufacturer":"","host.oem.model":"","host.os.build":"19045","host.os.description":"","host.os.family":"Windows","host.os.name":"Microsoft Windows 10 Pro","host.os.organization":"","host.os.version":"2009","host.type":"Workstation","host.uptime":"44743.4042923","host.workgroup":"WORKGROUP","id":"BOTANYBAYEP1#11#10.1.9.51#10.1.9.1","network.direction":"external","network.interface":"Ethernet0","network.state":"dynamic","network.type":"IPv4","script.current_duration":"14334.03","script.current_time":"2023-11-15T14:03:54Z","script.name":"Get-TychonArpInfo.ps1","script.start":"2023-11-15T14:03:39Z","script.type":"powershell","script.version":"2.3.197.0","tychon.id":"c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP"}

packages/tychon/data_stream/arp/_dev/test/pipeline/test-base.log

@@ -0,0 +1 @@
+{"destination.hostname":"Request timed out (700 ms)","destination.ip":"10.1.9.1","destination.mac":"04-d5-90-f6-de-a3","destination.name":"Request timed out (700 ms)","host.biossn":"737C4D56-5714-9415-3B54-352BA8936AF3","host.cloud.hosted":"false","host.domain":"","host.hardware.bios.name":"Phoenix Technologies LTD","host.hardware.bios.version":"6.00","host.hardware.cpu.caption":"Intel64 Family 6 Model 45 Stepping 7","host.hardware.manufacturer":"VMware, Inc.","host.hardware.owner":"admin","host.hardware.serial_number":"VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3","host.hostname":"BOTANYBAYEP1","host.id":"c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP","host.ip":"10.1.9.51","host.ipv4":"10.1.9.51","host.ipv6":"","host.mac":"00:0C:29:93:6A:F3","host.oem.manufacturer":"","host.oem.model":"","host.os.build":"19045","host.os.description":"","host.os.family":"Windows","host.os.name":"Microsoft Windows 10 Pro","host.os.organization":"","host.os.version":"2009","host.type":"Workstation","host.uptime":"44743.4042923","host.workgroup":"WORKGROUP","id":"BOTANYBAYEP1#11#10.1.9.51#10.1.9.1","network.direction":"external","network.interface":"Ethernet0","network.state":"dynamic","network.type":"IPv4","script.current_duration":"14334.03","script.current_time":"2023-11-15T14:03:54Z","script.name":"Get-TychonArpInfo.ps1","script.start":"2023-11-15T14:03:39Z","script.type":"powershell","script.version":"2.3.197.0","tychon.id":"c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP"}

packages/tychon/data_stream/arp/_dev/test/pipeline/test-base.log-expected.json

@@ -0,0 +1,118 @@
+{
+    "expected": [
+        {
+            "destination": {
+                "ip": "10.1.9.1",
+                "mac": "04-D5-90-F6-DE-A3"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "kind": "state",
+                "module": "tychon",
+                "original": "{\"destination.hostname\":\"Request timed out (700 ms)\",\"destination.ip\":\"10.1.9.1\",\"destination.mac\":\"04-d5-90-f6-de-a3\",\"destination.name\":\"Request timed out (700 ms)\",\"host.biossn\":\"737C4D56-5714-9415-3B54-352BA8936AF3\",\"host.cloud.hosted\":\"false\",\"host.domain\":\"\",\"host.hardware.bios.name\":\"Phoenix Technologies LTD\",\"host.hardware.bios.version\":\"6.00\",\"host.hardware.cpu.caption\":\"Intel64 Family 6 Model 45 Stepping 7\",\"host.hardware.manufacturer\":\"VMware, Inc.\",\"host.hardware.owner\":\"admin\",\"host.hardware.serial_number\":\"VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3\",\"host.hostname\":\"BOTANYBAYEP1\",\"host.id\":\"c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP\",\"host.ip\":\"10.1.9.51\",\"host.ipv4\":\"10.1.9.51\",\"host.ipv6\":\"\",\"host.mac\":\"00:0C:29:93:6A:F3\",\"host.oem.manufacturer\":\"\",\"host.oem.model\":\"\",\"host.os.build\":\"19045\",\"host.os.description\":\"\",\"host.os.family\":\"Windows\",\"host.os.name\":\"Microsoft Windows 10 Pro\",\"host.os.organization\":\"\",\"host.os.version\":\"2009\",\"host.type\":\"Workstation\",\"host.uptime\":\"44743.4042923\",\"host.workgroup\":\"WORKGROUP\",\"id\":\"BOTANYBAYEP1#11#10.1.9.51#10.1.9.1\",\"network.direction\":\"external\",\"network.interface\":\"Ethernet0\",\"network.state\":\"dynamic\",\"network.type\":\"IPv4\",\"script.current_duration\":\"14334.03\",\"script.current_time\":\"2023-11-15T14:03:54Z\",\"script.name\":\"Get-TychonArpInfo.ps1\",\"script.start\":\"2023-11-15T14:03:39Z\",\"script.type\":\"powershell\",\"script.version\":\"2.3.197.0\",\"tychon.id\":\"c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP\"}",
+                "type": [
+                    "info"
+                ]
+            },
+            "host": {
+                "hostname": "BOTANYBAYEP1",
+                "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
+                "ip": [
+                    "10.1.9.51"
+                ],
+                "mac": [
+                    "00-0C-29-93-6A-F3"
+                ],
+                "os": {
+                    "family": "Windows",
+                    "name": "Microsoft Windows 10 Pro",
+                    "type": "windows",
+                    "version": "2009"
+                },
+                "type": "Workstation",
+                "uptime": 44743
+            },
+            "network": {
+                "direction": "external",
+                "type": "ipv4"
+            },
+            "related": {
+                "hosts": [
+                    "BOTANYBAYEP1",
+                    "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
+                    "Request timed out (700 ms)"
+                ],
+                "ip": [
+                    "10.1.9.51",
+                    "10.1.9.1"
+                ]
+            },
+            "tychon": {
+                "destination": {
+                    "hostname": "Request timed out (700 ms)",
+                    "ip": "10.1.9.1",
+                    "mac": "04-D5-90-F6-DE-A3",
+                    "name": "Request timed out (700 ms)"
+                },
+                "host": {
+                    "biossn": "737C4D56-5714-9415-3B54-352BA8936AF3",
+                    "hardware": {
+                        "bios": {
+                            "name": "Phoenix Technologies LTD",
+                            "version": "6.00"
+                        },
+                        "cpu": {
+                            "caption": "Intel64 Family 6 Model 45 Stepping 7"
+                        },
+                        "manufacturer": "VMware, Inc.",
+                        "owner": "admin",
+                        "serial_number": "VMware-56 4d 7c 73 14 57 15 94-3b 54 35 2b a8 93 6a f3"
+                    },
+                    "hostname": "BOTANYBAYEP1",
+                    "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP",
+                    "ip": [
+                        "10.1.9.51"
+                    ],
+                    "ipv4": [
+                        "10.1.9.51"
+                    ],
+                    "mac": [
+                        "00-0C-29-93-6A-F3"
+                    ],
+                    "os": {
+                        "build": "19045",
+                        "family": "Windows",
+                        "name": "Microsoft Windows 10 Pro",
+                        "version": "2009"
+                    },
+                    "type": "Workstation",
+                    "uptime": 44743,
+                    "workgroup": "WORKGROUP"
+                },
+                "id": "BOTANYBAYEP1#11#10.1.9.51#10.1.9.1",
+                "network": {
+                    "direction": "external",
+                    "interface": "Ethernet0",
+                    "state": "dynamic",
+                    "type": "ipv4"
+                },
+                "script": {
+                    "current_duration": 14334,
+                    "current_time": "2023-11-15T14:03:54Z",
+                    "name": "Get-TychonArpInfo.ps1",
+                    "start": "2023-11-15T14:03:39Z",
+                    "type": "powershell",
+                    "version": "2.3.197.0"
+                },
+                "tychon": {
+                    "id": "c698e42cc0794fd19b2f9157a8a2c88b_737C4D56-5714-9415-3B54-352BA8936AF3_BOTANYBAYEP1_WORKGROUP"
+                }
+            }
+        }
+    ]
+}

packages/tychon/data_stream/arp/_dev/test/system/test-default-config.yml

@@ -0,0 +1,9 @@
+service: tychon-filestream
+vars: ~
+input: filestream
+data_stream:
+  vars:
+    paths:
+      - "{{SERVICE_LOGS_DIR}}/*"
+assert:
+  hit_count: 1

packages/tychon/data_stream/arp/agent/stream/filestream.yml.hbs

@@ -0,0 +1,17 @@
+paths:
+{{#each paths as |path|}}
+  - {{path}}
+{{/each}}
+prospector.scanner.exclude_files: ['.gz$']
+publisher_pipeline.disable_host: true
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}

packages/tychon/data_stream/arp/elasticsearch/ilm/default_policy.json

@@ -0,0 +1,23 @@
+{
+    "policy": {
+        "phases": {
+            "hot": {
+                "actions": {
+                    "rollover": {
+                        "max_age": "2d",
+                        "max_size": "50gb"
+                    },
+                    "set_priority": {
+                        "priority": 100
+                    }
+                }
+            },
+            "delete": {
+                "min_age": "3d",
+                "actions": {
+                    "delete": {}
+                }
+            }
+        }
+    }
+}