sandflysnapp (Contributor):

Closes #3510

New connector for Sandfly Security

Sandfly Security

Sandfly is an agentless, instantly deployable, and safe Linux Endpoint Detection and Response (EDR) platform. Sandfly protects virtually any Linux system, from modern cloud deployments to decade-old devices, regardless of distribution or CPU architecture. And, we do it without loading agents on your endpoints that can cause performance and stability impacts.

Besides traditional EDR capabilities, Sandfly also tracks SSH credentials, audits for weak passwords, detects unauthorized changes with drift detection, and allows custom modules to help incident responders find emerging threats.

Sandfly connector

The connector will initiate a REST API connection to the Sandfly Server with the supplied credentials and ingest the following types of data:

  1. Results - the details from Sandfly investigations resulting in alerts, errors or passed checks
  2. Hosts - various details about each Linux host protected by Sandfly
  3. SSH Keys - various details about all SSH Keys found during Sandfly investigations

Checklists

Pre-Review Checklist

  • this PR does NOT contain credentials of any kind, such as API keys or username/passwords (double check config.yml.example)
  • this PR has a meaningful title
  • this PR links to all relevant github issues that it fixes or partially addresses
  • if there is no GH issue, please create it. Each PR should have a link to an issue
  • this PR has a thorough description
  • Covered the changes with automated tests
  • Tested the changes locally
  • Added a label for each target release version (example: v7.13.2, v7.14.0, v8.0.0)
  • For bugfixes: backport safely to all minor branches still receiving patch releases
  • Considered corresponding documentation changes
  • Contributed any configuration settings changes to the configuration reference
  • if you added or changed Rich Configurable Fields for a Native Connector, you made a corresponding PR in Kibana

Changes Requiring Extra Attention

  • Security-related changes (encryption, TLS, SSRF, etc)
  • New external service dependencies added.

Release Note

@sandflysnapp sandflysnapp requested a review from a team as a code owner July 3, 2025 17:57
cla-checker-service bot commented Jul 3, 2025

💚 CLA has been signed

@sandflysnapp sandflysnapp requested a review from mattnowzari July 29, 2025 19:52
@sandflysnapp (Contributor Author):

Our company CEO signed the contributor agreement and added me as an authorized contributor. Can we recheck the CLA to see if that is working now?

@seanstory (Member):

> Our company CEO signed the contributor agreement and added me as an authorized contributor. Can we recheck the CLA to see if that is working now?

Sorry, I think we missed this comment.

The best way to re-trigger it would be to add an empty commit, like:

git commit -m 'commit using CLA-signed email' --allow-empty

If that doesn't work, there's probably a commit in the history that's attributed to an email that hasn't signed the CLA. You can squash all the commits into one, and force-push with that single commit signed by the right email.
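Before squashing and force-pushing, it helps to see which commits on the branch actually carry an address that never signed the CLA. The following is an added example (not from this PR or the connectors project): it filters `git log --format='%H %ae'` output against the signed address; the email addresses, commit ids and log lines are constructed, and the remote name `origin` is an assumption.

```shell
#!/bin/sh
# Print "<sha> <email>" for every commit whose author email is not the
# CLA-signed address. Reads `git log --format='%H %ae'` lines on stdin.
# On a real checkout (remote name "origin" assumed):
#   git log --format='%H %ae' origin/main..HEAD | find_unsigned_commits you@example.com
find_unsigned_commits() {
    signed="$1"
    awk -v signed="$signed" '$2 != signed { print $1 " " $2 }'
}

# Constructed sample log: three commits, one authored from a personal
# address that has not signed the CLA (all values are placeholders).
SAMPLE_LOG='aaaa111 steve@example.com
bbbb222 steve@personal.example
cccc333 steve@example.com'

# Number of offending commits in the sample for a given signed address.
# Anything above zero means the CLA bot keeps failing until the history is
# squashed into one commit carrying the signed address, e.g.:
#   git reset --soft origin/main
#   git commit -m 'single commit using CLA-signed email'
#   git push --force-with-lease
count_unsigned() {
    printf '%s\n' "$SAMPLE_LOG" | find_unsigned_commits "$1" | wc -l | tr -d ' '
}
```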

@mattnowzari (Contributor):

buildkite test this

@mattnowzari (Contributor) left a comment:

Hey @sandflysnapp , I'm coming back to this, and by and large the connector looks good! Thank you for addressing the comments from myself and Artem 🙂

How confident are you in the functional test coverage provided by the fixtures under fixtures/sandfly? Do you feel it is sufficient for capturing the functionality of the connector?

For context, we run functional tests as part of our CI, and if we merge this, we'd most likely integrate Sandfly's functional tests into our CI pipeline.

@sandflysnapp (Contributor Author):

> How confident are you in the functional test coverage provided by the fixtures under fixtures/sandfly? Do you feel it is sufficient for capturing the functionality of the connector?

@mattnowzari

I tried to make sure that the functional tests covered all of the basic functionality. Ping, license check, Results ingest, SSH Keys ingest, and Hosts ingest (both full and incremental sync). Our JSON blobs can be pretty large, but only a small subset of fields are touched during the sync process, so those are all tested and verified during the testing. So yes, I am confident that the functionality is tested. I have also tested the small/med/large data size tests and all of them ran without errors and returned the expected number of documents.

I have also been running the connector pretty consistently the last few weeks, both with an Elastic Cloud deployment and our own internal deployment, with large amounts of data and frequent incremental sync operations, and I am very happy with how it is performing.

Happy to address any other issues you may find.

--Steve

@mattnowzari (Contributor) left a comment:

Hey Steve,

If Sandfly is confident with the coverage provided by the e2e tests then we are good to go 👍

Just wanted to note something about 'community' connectors before we merge - we will most likely move this (and other community connectors) to a directory called /community soon, so that our users can differentiate between connector sources developed by Elastic vs. those contributed by the open source community. We'll encourage any future support questions/requests about this connector tag @sandflysecurity so that you can assist.

@sandflysnapp (Contributor Author):

Excellent and thanks for the update. Let me know if there is anything else you need from us.

@mattnowzari (Contributor):

@sandflysnapp Great! Whenever you are able, go ahead and update this branch with main so we can get this PR merge-able! 😄

@sandflysnapp (Contributor Author):

> @sandflysnapp Great! Whenever you are able, go ahead and update this branch with main so we can get this PR merge-able! 😄

Done, thanks.

@mattnowzari mattnowzari enabled auto-merge (squash) September 2, 2025 17:44
@mattnowzari (Contributor):

buildkite test this

@mattnowzari mattnowzari merged commit 9437ecf into elastic:main Sep 2, 2025
2 checks passed

github-actions bot commented Sep 2, 2025

💔 Failed to create backport PR(s)

The backport operation could not be completed due to the following error:
There are no branches to backport to. Aborting.

The backport PRs will be merged automatically after passing CI.

To backport manually run:
backport --pr 3522 --autoMerge --autoMergeMethod squash

Development

Successfully merging this pull request may close these issues.

New Connector: Sandfly Security