
[Darktrace] Initial Release for the Darktrace #4001

Merged: 5 commits, Oct 4, 2022

Conversation

vinit-chauhan (Contributor) commented Aug 16, 2022

What does this PR do?

  • Generated the skeleton of the Darktrace integration package.
  • Added data streams.
  • Added data collection logic for all the data streams.
  • Added the ingest pipeline for all the data streams.
  • Mapped fields according to the ECS schema and added field metadata in the appropriate yml files.
  • Added dashboards and visualizations.
  • Added pipeline tests for all the data streams.
  • Added system test cases for all the data streams.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

  • Change follows the contributing guidelines
  • Supported versions of the monitoring target are documented
  • Supported operating systems are documented (if applicable)
  • Integration or System tests exist
  • Documentation exists
  • Fields follow ECS and naming conventions
  • At least a manual test with ES / Kibana / Agent has been performed.
  • Required Kibana version set to: ^8.2.1

New Package

  • Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

  • Dashboards exist
  • Screenshots added or updated
  • Datastream filters added to visualizations

Log dataset changes

  • Pipeline tests exist (if applicable)
  • Generated output for at least 1 log file exists
  • Sample event (sample_event.json) exists

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/darktrace directory.
  • Run the following command to run tests.

elastic-package test

Related issues

Screenshots

[five screenshot images attached]

elasticmachine commented

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

elasticmachine commented Aug 16, 2022

💚 Build Succeeded


Build stats

  • Start Time: 2022-10-03T12:24:09.310+0000

  • Duration: 25 min 21 sec

Test stats 🧪

Test Results
Failed 0
Passed 29
Skipped 0
Total 29

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

elasticmachine commented Aug 16, 2022

🌐 Coverage report

Name          Metrics % (covered/total)   Diff
Packages      100.0%   (3/3)              💚
Files         100.0%   (3/3)              💚  2.564
Classes       100.0%   (3/3)              💚  2.564
Methods       100.0%   (46/46)            💚  9.946
Lines         95.645%  (2350/2457)        👍  4.116
Conditionals  100.0%   (0/0)              💚

efd6 (Contributor) left a review comment

Query: There are a lot of object arrays in the documents produced here under the darktrace key path. Is this a concern?

vinit-chauhan (Contributor, Author) replied

Hey @efd6, yes, the Darktrace API sends the data in such a way, and we can't flatten it as it would result in conflicts in index mappings. So it doesn't seem to be a good idea to flatten it.

efd6 (Contributor) commented Aug 24, 2022

Thanks

jamiehynds commented

@andrewkroh @efd6 could we prioritise review on this integration next please? Thanks!

P1llus (Member) left a review

I am a bit concerned about the number of arrays in the resulting data, but I don't feel there is any good way around it, since creating single documents for each would simply be too many.

I presume there have not been any big challenges in still using them for visualizations?

I am also a bit unsure how this impacts the possibility of creating SIEM rules for certain content, seeing as they are all stored in arrays.

If this is something that has already been discussed/thought about, feel free to ignore that.

Outside of that I added a few small comments, the rest seems good to go, great work! :)

@@ -0,0 +1,13 @@
rules:
- path: /modelbreaches
methods: ["GET"]
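Review bot: the rule shown matches `/modelbreaches` on `path` and `methods: ["GET"]` only, so this fixture answers a request that carries no credential at all. If the input sends an API token or signature header, add a header match to the rule so the system test fails when that header is absent and actually exercises the authentication path rather than only the URL.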
P1llus (Member) commented:

Does this API use any sort of authentication? Any way we could add that in as well?

@@ -0,0 +1,48 @@
config_version: 2
interval: {{interval}}
request.timeout: 5m
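Review bot: `request.timeout: 5m` is a hard-coded literal while `interval: {{interval}}` on the line above is templated. Suggest exposing the timeout the same way, for example `request.timeout: {{http_client_timeout}}` (variable name hypothetical), with `5m` as the declared default in the data stream manifest, so the default is unchanged but operators can raise or lower it.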
P1llus (Member) commented:

Could this be a configurable advanced option which defaults to 5min? We usually allow users to override this in some niche use cases.

@@ -0,0 +1,51 @@
config_version: 2
interval: {{interval}}
request.timeout: 5m
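Review bot: these three lines (`config_version: 2`, `interval: {{interval}}`, `request.timeout: 5m`) duplicate the header of the other data stream's config. If the timeout becomes a variable, declare it with the same name and the same default in both data stream manifests so the two streams do not drift apart when one is later tuned.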
P1llus (Member) commented:

Same as above, please make this configurable.
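The detection-rule concern raised in the review above, as an added illustration that is not part of this PR or of the integration's code: under Elasticsearch's default object mapping, an array of objects is stored as one multi-valued field per leaf path, so a rule that ANDs two fields can be satisfied by values drawn from different array elements, whereas a `nested` mapping queried with a nested query keeps each element's fields paired. The document below is constructed to resemble an array of objects under the `darktrace` key path and is not real Darktrace output; `flatten`, `matches_flat` and `matches_nested` are hypothetical helpers that simulate the two behaviours in plain Python, not Elasticsearch API calls.

```python
# Constructed sample: an event with an array of objects under a key path.
# Not real Darktrace output; shape only.
DOC = {
    "darktrace": {
        "model": {
            "then": {
                "triggered": [
                    {"name": "Anomalous Connection", "severity": "high"},
                    {"name": "Device Reconnect", "severity": "low"},
                ]
            }
        }
    }
}


def flatten(value, prefix=""):
    """Simulate Elasticsearch's default object mapping: every leaf path becomes
    a multi-valued field and the pairing between elements of an object array
    is lost. Hypothetical helper for illustration."""
    out = {}
    if isinstance(value, dict):
        for key, child in value.items():
            path = f"{prefix}.{key}" if prefix else key
            for leaf, vals in flatten(child, path).items():
                out.setdefault(leaf, []).extend(vals)
    elif isinstance(value, list):
        for item in value:
            for leaf, vals in flatten(item, prefix).items():
                out.setdefault(leaf, []).extend(vals)
    else:
        out[prefix] = [value]
    return out


def matches_flat(doc, conditions):
    """AND of field == value terms evaluated against the flattened document.
    Each term only needs *some* array element to carry the value."""
    flat = flatten(doc)
    return all(value in flat.get(field, []) for field, value in conditions.items())


def matches_nested(doc, array_path, conditions):
    """Same AND of terms, but every term must hold for the *same* array
    element, which is what a `nested` mapping plus a nested query gives."""
    node = doc
    for part in array_path.split("."):
        node = node[part]
    return any(
        all(elem.get(field) == value for field, value in conditions.items())
        for elem in node
    )


if __name__ == "__main__":
    # A rule looking for the "Device Reconnect" model at "high" severity.
    rule = {
        "darktrace.model.then.triggered.name": "Device Reconnect",
        "darktrace.model.then.triggered.severity": "high",
    }
    print("flat match:  ", matches_flat(DOC, rule))  # True: cross-element false positive
    print("nested match:", matches_nested(
        DOC, "darktrace.model.then.triggered",
        {"name": "Device Reconnect", "severity": "high"}))  # False: no single element matches
```

No element in the sample pairs "Device Reconnect" with "high", yet the flat evaluation reports a match because the name comes from one element and the severity from the other. That is the false-positive mode a SIEM rule over an object array is exposed to unless the array is mapped as `nested` and queried accordingly, at the cost of extra Lucene documents per element.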

P1llus (Member) commented Sep 28, 2022

I think maybe we have to discuss the duplicate custom fields, as has been brought up in some other PR comments as well

vinit-chauhan (Contributor, Author) commented:

/test

elasticmachine commented:

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Labels: enhancement (New feature or request), New Integration. Linked issue: Darktrace. 5 participants.