TYCHON Initial Agent Upload

.github/CODEOWNERS

@@ -228,6 +228,7 @@
 /packages/trellix_epo_cloud @elastic/security-external-integrations
 /packages/trend_micro_vision_one @elastic/security-external-integrations
 /packages/trendmicro @elastic/security-external-integrations
+/packages/tychon @elastic/security-external-integrations
 /packages/udp @elastic/security-external-integrations
 /packages/universal_profiling_agent @elastic/profiling
 /packages/universal_profiling_collector @elastic/profiling

packages/tychon/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@v8.8.0

packages/tychon/_dev/build/docs/README.md

@@ -0,0 +1,32 @@
+# TYCHON Agentless
+
+[TYCHON Agentless](https://tychon.io/products/tychon-agentless/) is an integration that lets you collect TYCHON's gold source vulnerability and STIG data from endpoints without heavy resource use or software installation. You can then investigate the TYCHON data using Elastic's analytics, visualizations, and dashboards. [Contact us to learn more.](https://tychon.io/start-a-free-trial/) 
+
+## Compatibility
+
+* This integration supports Windows 10 and Windows 11 Endpoint Operating Systems. 
+* This integration requires a TYCHON Agentless license. 
+* This integration requires [TYCHON Vulnerability Definition](https://support.tychon.io/) files.
+
+
+## Returned Data Fields
+### Vulnerablities
+
+TYCHON scans for endpoint vulenrabilites and returns the results.  
+
+**Exported fields**
+{{fields "tychon_cve"}}
+
+### Endpoint Protection Platform
+
+TYCHON scans the endpoint's Windows Defender and returns protection status and version details.  
+
+**Exported fields**
+{{fields "tychon_epp"}}
+
+### Endpoint STIG Information
+
+The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information.  
+
+**Exported fields**
+{{fields "tychon_stig"}}

packages/tychon/changelog.yml

@@ -0,0 +1,5 @@
+- version: "0.0.10"
+  changes:
+    - description: Fixed incorrect types in field.yml and cleaned up formatting
+      type: enhancement
+      link: https://github.com/joeperuzzi/integrations/pull/5 # FIXME Replace with the real PR link

packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json

@@ -0,0 +1,51 @@
+{
+	"events": [
+		{
+			"host.biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB",
+			"host.domain": "",
+			"host.hardware.bios.name": "Phoenix Technologies LTD",
+			"host.hardware.bios.version": "6.00",
+			"host.hardware.cpu.caption": "Intel64 Family 6 Model 45 Stepping 7",
+			"host.hardware.manufacturer": "VMware, Inc.",
+			"host.hardware.owner": "dcuser",
+			"host.hardware.serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb",
+			"host.hostname": "DESKTOP-TIUKL1R",
+			"host.id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP",
+			"host.ip": "10.1.9.112",
+			"host.ipv4": "10.1.9.112",
+			"host.ipv6": "fe80::40d1:5287:42b9:5645",
+			"host.mac": "00:0C:29:EF:9A:EB",
+			"host.oem.manufacturer": "",
+			"host.oem.model": "",
+			"host.os.build": "22000",
+			"host.os.description": "",
+			"host.os.family": "Windows",
+			"host.os.name": "Microsoft Windows 11 Education N",
+			"host.os.organization": "",
+			"host.os.version": "10.0.22000",
+			"host.type": "Workstation",
+			"host.uptime": 145287,
+			"host.workgroup": "WORKGROUP",
+			"id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900",
+			"script.current_duration": "315381.28",
+			"script.current_time": "2023-06-15T21:58:02Z",
+			"script.name": "Invoke-CveScan.ps1",
+			"script.start": "2023-06-15T21:52:47Z",
+			"script.type": "powershell",
+			"script.version": "0.1.0",
+			"vulnerability.classification": "vulnerability",
+			"vulnerability.iava": "2013-A-0227",
+			"vulnerability.iava_severity": "CAT II",
+			"vulnerability.id": "CVE-2013-3900",
+			"vulnerability.reference": "https://www.scaprepo.com/view.jsp?id=CVE-2013-3900",
+			"vulnerability.result": "fail",
+			"vulnerability.scanner.vendor": "TYCHON",
+			"vulnerability.score.base": "7.60",
+			"vulnerability.score.version": "2.0",
+			"vulnerability.severity": "HIGH",
+			"vulnerability.title": "The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does ",
+			"vulnerability.version": 1,
+			"vulnerability.year": "2013"
+		}
+	]
+}

packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-config.yml

@@ -0,0 +1,4 @@
+dynamic_fields:
+  "@timestamp": ".*"
+  event.ingested: ".*"
+

packages/tychon/data_stream/tychon_cve/_dev/test/pipeline/test-cve.json-expected.json

@@ -0,0 +1,88 @@
+{
+	"expected": [
+		{
+			"@timestamp": "2023-07-28T18:14:38.394883461Z",
+			"ecs": {
+				"version": "8.8.0"
+			},
+			"event": {
+				"category": [
+					"vulnerability"
+				],
+				"ingested": "2023-07-28T18:14:38.394883461Z",
+				"kind": "state",
+				"module": "tychon",
+				"outcome": "failure"
+			},
+			"host": {
+				"biossn": "1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB",
+				"domain": "",
+				"hardware": {
+					"bios": {
+						"name": "Phoenix Technologies LTD",
+						"version": "6.00"
+					},
+					"cpu": {
+						"caption": "Intel64 Family 6 Model 45 Stepping 7"
+					},
+					"manufacturer": "VMware, Inc.",
+					"owner": "dcuser",
+					"serial_number": "VMware-56 4d da 1c 0a cf 55 aa-ff 70 b5 c7 ba ef 9a eb"
+				},
+				"hostname": "DESKTOP-TIUKL1R",
+				"id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP",
+				"ip": "10.1.9.112",
+				"ipv4": "10.1.9.112",
+				"ipv6": "fe80::40d1:5287:42b9:5645",
+				"mac": "00-0C-29-EF-9A-EB",
+				"oem": {
+					"manufacturer": "",
+					"model": ""
+				},
+				"os": {
+					"build": "22000",
+					"description": "",
+					"family": "Windows",
+					"name": "Microsoft Windows 11 Education N",
+					"organization": "",
+					"version": "10.0.22000"
+				},
+				"type": "Workstation",
+				"uptime": 145287,
+				"workgroup": "WORKGROUP"
+			},
+			"id": "bd72307d1093421f95713515c770b79a_1CDA4D56-CF0A-AA55-FF70-B5C7BAEF9AEB_DESKTOP-TIUKL1R_WORKGROUP_CVE-2013-3900",
+			"script": {
+				"current_duration": 315381.28,
+				"current_time": "2023-06-15T21:58:02Z",
+				"name": "Invoke-CveScan.ps1",
+				"start": "2023-06-15T21:52:47Z",
+				"type": "powershell",
+				"version": "0.1.0"
+			},
+			"vulnerability": {
+				"category": [
+					"oval"
+				],
+				"classification": "cvss",
+				"enumeration": "CVE",
+				"iava": "2013-A-0227",
+				"iava_severity": "CAT II",
+				"id": "CVE-2013-3900",
+				"reference": "https://www.scaprepo.com/view.jsp?id=CVE-2013-3900",
+				"result": "fail",
+				"scanner": {
+					"vendor": "tychon"
+				},
+				"score": {
+					"base": 7.6,
+					"version": "2.0"
+				},
+				"severity": "HIGH",
+				"title": "The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does ",
+				"version": "1",
+				"year": 2013
+			}
+		}
+	]
+}

packages/tychon/data_stream/tychon_cve/agent/stream/stream.yml.hbs

@@ -0,0 +1,23 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
+json:
+  keys_under_root: true
+  expand_keys: true
+

packages/tychon/data_stream/tychon_cve/elasticsearch/ingest_pipeline/default.yml

@@ -0,0 +1,77 @@
+---
+description: Pipeline for parsing TYCHON Vulnerability Scan Results
+processors:
+  - dot_expander:
+      field: "*"
+  - set:
+      if: ctx.containsKey("tychon") && ctx.tychon.containsKey("id")
+      field: host.id
+      value: "{{tychon.id}}"
+  - remove:
+      if: ctx.containsKey("tychon") && ctx.tychon.containsKey("id")
+      field: 'tychon'
+  - set:
+      field: _id
+      value: "{{id}}"
+  - set:
+      field: "@timestamp"
+      value: "{{_ingest.timestamp}}"
+  - set:
+      field: ecs.version
+      value: 8.8.0
+  - set:
+      field: event.kind
+      value: state
+  - set:
+      field: event.module
+      value: tychon
+  - set:
+      field: event.category
+      value: [vulnerability]
+  - script:
+      source: |
+              if(ctx.vulnerability?.result == 'fail'){
+                ctx.event.outcome = "failure"
+              }else if(ctx.vulnerability?.result == 'pass'){
+                ctx.event.outcome = "success"
+              }else{
+                ctx.event.outcome = "unknown"
+              }
+  - gsub:
+      field: host.mac
+      pattern: ":"
+      replacement: "-"      
+  - set:
+      field: event.ingested
+      value: "{{_ingest.timestamp}}"
+  - convert:
+      field: script.current_duration
+      type: float
+  - convert:
+      field: vulnerability.score.base
+      type: float
+  - convert:
+      field: vulnerability.year
+      type: long
+  - set: 
+      field: vulnerability.scanner.vendor
+      value: tychon
+  - set:
+      field: vulnerability.category
+      value: [oval]
+  - set:
+      field: vulnerability.classification
+      value: cvss
+  - set:
+      field: vulnerability.enumeration
+      value: CVE
+  - set:
+      field: vulnerability.version
+      value: "{{vulnerability.version}}"
+on_failure:
+  - set:
+      field: event.kind
+      value: pipeline_error
+  - append:
+      field: error.message
+      value: '{{{ _ingest.on_failure_message }}}'