[AI-5441] DDS: ESET Protect: Integration v1.0.0 #20349

Merged
merged 19 commits into from
Jun 11, 2025

Conversation

savandalasaniya-crest

@savandalasaniya-crest savandalasaniya-crest commented May 21, 2025

What does this PR do?

This is an initial release PR of the ESET Protect integration, including all the required assets.

Motivation

  • OOTB detection rules JSON would be shared separately with the required teams as a part of separate repository.
  • Since, as per the suggested best practices, we do not preserve the source attributes during the standard attribute remapping, filters using these standard attributes would also populate values from other integrations, as per current Datadog behavior.

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
  • If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

@savandalasaniya-crest savandalasaniya-crest changed the title DDS: ESET Protect: Crawler Integration v1.0.0 DDS: ESET Protect: Integration v1.0.0 May 21, 2025

@buraizu buraizu left a comment


Suggesting some minor documentation edits.

@temporal-github-worker-1 temporal-github-worker-1 bot dismissed sarah-witt’s stale review June 3, 2025 10:19

Review from sarah-witt is dismissed. Related teams and files:

  • agent-integrations
    • eset_protect/README.md
    • eset_protect/assets/dashboards/eset_protect_audit_events.json
    • eset_protect/assets/dashboards/eset_protect_filtered_websites_events.json
    • eset_protect/assets/dashboards/eset_protect_overview.json
    • eset_protect/assets/dashboards/eset_protect_threat_events.json
@Wyrine Wyrine added the assets/no-dry-run Run asset publishing github checks in staging label Jun 3, 2025
@Wyrine Wyrine added assets/no-dry-run Run asset publishing github checks in staging and removed assets/no-dry-run Run asset publishing github checks in staging labels Jun 3, 2025
@baturalp-dd baturalp-dd added the assets/deploy-logs-staging ONLY USED BY Logs Backend - Validates that a PR is OK to go to staging label Jun 4, 2025

@baturalp-dd baturalp-dd left a comment


LGTM. Just a couple of non-blocking questions.

targetType: attribute
preserveSource: false
overrideOnConflict: false
- type: pipeline


Just asking to better understand the intention here; not a blocking comment.

  • Did you create a sub-processor to skip logs with empty user attributes while running the attribute mapper?

Contributor Author

Yes, if any user-related fields are null or empty, we will skip the usr.name mapping.

- type: grok-parser
name: Parsing the `occured` attribute to convert it into milliseconds
enabled: true
source: occured


Just want to make sure that the source field is intentionally occured, not occurred.

Contributor Author

In the live logs, we are getting a field named occured.
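The two review threads above concern pipeline behaviour that is easy to get wrong: the `usr.name` remapping with preserveSource and overrideOnConflict both false, guarded so that logs with a null or empty user field are skipped, and the parsing of the `occured` attribute (spelled as it arrives in the live logs) into milliseconds. The following is an added example, not code from this PR or from the Datadog integration; it models those processor semantics in Python so they can be checked against sample records. The source field name `username`, the target `timestamp_ms`, the `event` key and the sample records are constructed assumptions, and the remapper logic is modelled on the options shown in the review, not taken from Datadog's implementation.

```python
# Added example (not part of the PR or the Datadog integration code): a small
# model of the two log-pipeline behaviours discussed in the review threads.
#   1. Remapping a user field to `usr.name` with preserveSource=false and
#      overrideOnConflict=false, skipped when the user field is null/empty.
#   2. Parsing the `occured` attribute (spelled as it arrives in the live
#      logs) into epoch milliseconds.
# The source field `username`, the target `timestamp_ms`, the `event` key and
# the sample records are constructed for this example; the remapper semantics
# are modelled on the processor options shown in the review, not taken from
# Datadog's implementation.
from datetime import datetime, timezone
from typing import Any


def is_blank(value: Any) -> bool:
    """True for None or a whitespace-only string (the 'empty user attribute' case)."""
    return value is None or (isinstance(value, str) and value.strip() == "")


def remap_attribute(log: dict, source: str, target: str,
                    preserve_source: bool = False,
                    override_on_conflict: bool = False) -> dict:
    """Copy `source` to `target`, honouring preserveSource / overrideOnConflict.

    Returns a new dict; the input is not mutated. If the source is absent or
    blank, the log is returned unchanged: this is the guard the reviewer asked
    about, so no usr.name is written for logs without a usable user value.
    """
    out = dict(log)
    if source not in out or is_blank(out[source]):
        return out
    if target in out and not override_on_conflict:
        # Conflict and no override: keep the existing target and leave the
        # source attribute in place as well (modelled behaviour).
        return out
    out[target] = out[source]
    if not preserve_source:
        del out[source]
    return out


def occured_to_ms(value: Any) -> int:
    """Convert the `occured` value to epoch milliseconds.

    Accepts an ISO-8601 string (with 'Z' or an explicit offset) or a numeric
    epoch-seconds value; naive strings are treated as UTC.
    """
    if isinstance(value, (int, float)):
        return int(round(value * 1000))
    text = str(value).strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"   # fromisoformat on older Pythons rejects 'Z'
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(round(dt.timestamp() * 1000))


def run_pipeline(log: dict) -> dict:
    """Apply the two processors in order, as a sub-pipeline would."""
    out = remap_attribute(log, "username", "usr.name",
                          preserve_source=False, override_on_conflict=False)
    if "occured" in out and not is_blank(out["occured"]):
        out["timestamp_ms"] = occured_to_ms(out["occured"])
    return out


# Constructed sample records (not real ESET Protect events).
SAMPLES = [
    {"username": "alice", "occured": "2025-05-21T10:15:30Z", "event": "Threat_Event"},
    {"username": "", "occured": "2025-05-21T10:15:30Z", "event": "Audit_Event"},
    {"username": "carol", "usr.name": "bob", "occured": 1747822530, "event": "Audit_Event"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(run_pipeline(sample))
```

Running the block shows the three cases side by side: the first record gains `usr.name` and loses `username` (source not preserved), the second keeps its empty `username` and never gets a `usr.name`, and the third keeps the pre-existing `usr.name` because the conflict is not overridden.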


@buraizu buraizu left a comment


Thanks for applying those changes. I've flagged a typo in the new content, and also left a couple of small suggestions that make the troubleshooting section a bit easier to visually parse. Otherwise this LGTM.

@sarah-witt sarah-witt added this pull request to the merge queue Jun 11, 2025
Merged via the queue into DataDog:master with commit 94a10ce Jun 11, 2025
74 of 77 checks passed
github-actions bot pushed a commit that referenced this pull request Jun 11, 2025
* Add ESET Protect integration with assets

* adding codeowners and labeler

* Adding datadog checks and configuration files

* Updated log pipeline

* Updating log pipeline

* Updating about file version

* Updating log pipeline for 1 sample

* Updating code owner details

* Updating dashboard and pipeline

* Updating log pipeline

* updating logs result

* Updating versions as per suggestion

* Resolved review comments and updated content

* Readme suggested changes

---------

Co-authored-by: Kirolos Shahat <kashahat@gmail.com> 94a10ce