tychon_agentless: cleaned state

.github/CODEOWNERS

@@ -249,6 +249,7 @@
 /packages/trellix_epo_cloud @elastic/security-external-integrations
 /packages/trend_micro_vision_one @elastic/security-external-integrations
 /packages/trendmicro @elastic/security-external-integrations
+/packages/tychon @elastic/security-external-integrations
 /packages/udp @elastic/security-external-integrations
 /packages/universal_profiling_agent @elastic/profiling
 /packages/universal_profiling_collector @elastic/profiling

packages/tychon/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@v8.8.0

packages/tychon/_dev/build/docs/README.md

@@ -0,0 +1,96 @@
+# TYCHON Agentless
+
+[TYCHON Agentless](https://tychon.io/products/tychon-agentless/) is an integration that lets you collect TYCHON's gold source Master Endpoint Record  data from endpoints, including vulnerability and STIG results, without heavy resource use or software installation. You can then investigate the TYCHON data using Elastic's analytics, visualizations, and dashboards. [Contact us to learn more.](https://tychon.io/start-a-free-trial/)
+
+## Compatibility
+
+* This integration supports Windows and RedHat/CENTOS Endpoint Operating Systems.
+* This integration requires a TYCHON Agentless license.
+* This integration requires [TYCHON Vulnerability Definition](https://support.tychon.io/) files.
+* The Linux Endpoint requires RedHat's [OpenScap](https://www.open-scap.org/tools/openscap-base/) to be installed for STIG and CVE to report data.
+* This integration supports Elastic 8.8+.
+
+## Returned Data Fields
+### ARP Table Information
+
+TYCHON scans Endpoint ARP Tables and returns the results.
+
+**Exported fields**
+{{fields "tychon_arp"}}
+
+### Vulnerablities
+
+TYCHON scans for Endpoint CPU's and returns the results.
+
+**Exported fields**
+{{fields "tychon_cpu"}}
+
+### Vulnerablities
+
+TYCHON scans for Endpoint vulenrabilites and returns the results.
+
+**Exported fields**
+{{fields "tychon_cve"}}
+
+### Endpoint Protection Platform
+
+TYCHON scans the Endpoint's Windows Defender and returns protection status and version details.
+
+**Exported fields**
+{{fields "tychon_epp"}}
+
+### Endpoint Exposed Services Information
+
+The TYCHON script to scan Endpoint Exposed Services and returns information.
+
+**Exported fields**
+{{fields "tychon_exposedservice"}}
+
+### Endpoint Hard Drive Information
+
+The TYCHON script scans an endpoint's Hard Drive Configurations and returns information.
+
+**Exported fields**
+{{fields "tychon_harddrive"}}
+
+### Endpoint Hardware Information
+
+The TYCHON script scans an endpoint's Hardware Configurations and returns information.
+
+**Exported fields**
+{{fields "tychon_hardware"}}
+
+### Endpoint Host OS Information
+
+The TYCHON script scans an endpoint's OS Configurations and returns information.
+
+**Exported fields**
+{{fields "tychon_host"}}
+
+### Endpoint Network Adapters Information
+
+The TYCHON script scans an endpoint's Network Adapter Configurations and returns information.
+
+**Exported fields**
+{{fields "tychon_networkadapter"}}
+
+### Endpoint Software Inventory Information
+
+The TYCHON script scans an endpoint's Software Inventory and returns information.
+
+**Exported fields**
+{{fields "tychon_softwareinventory"}}
+
+### Endpoint STIG Information
+
+The TYCHON benchmark script scans an endpoint's Windows configuration for STIG/XCCDF issues and returns information.
+
+**Exported fields**
+{{fields "tychon_stig"}}
+
+### Endpoint Volume Information
+
+The TYCHON script scans an endpoint's Volume Configurations and returns information.
+
+**Exported fields**
+{{fields "tychon_volume"}}

packages/tychon/changelog.yml

@@ -0,0 +1,5 @@
+- version: 0.0.1
+  changes:
+    - description: Initial release of package.
+      type: enhancement
+      link: https://github.com/joeperuzzi/integrations/pull/1 # FIXME Replace with the real PR link

packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json

@@ -0,0 +1,51 @@
+{
+    "events": [
+        {
+            "script.type": "powershell",
+            "host.os.build": "22621",
+            "host.ip": [
+                "10.154.5.200"
+            ],
+            "host.hostname": "DESKTOP-AF7CIQM",
+            "host.os.name": "Microsoft Windows 11 Pro",
+            "host.hardware.manufacturer": "Dell Inc.",
+            "@timestamp": "2023-08-16T05:22:36Z",
+            "script.start": "2023-08-16T05:22:36Z",
+            "destination.mac": "00-09-0F-AA-00-02",
+            "host.hardware.owner": "james_sudbury@msn.com",
+            "host.hardware.cpu.caption": "Intel64 Family 6 Model 141 Stepping 1",
+            "destination.hostname": "Request timed out (700 ms)",
+            "host.os.organization": "",
+            "host.workgroup": "WORKGROUP",
+            "host.hardware.serial_number": "HYLCKG3",
+            "host.ipv4": "10.154.5.200",
+            "host.os.version": "2009",
+            "network.direction": "external",
+            "host.hardware.bios.name": "Dell Inc.",
+            "host.type": "Workstation",
+            "network.type": "IPv4",
+            "destination.name": "Request timed out (700 ms)",
+            "host.id": "47b5d5906f7d4b288a1366b2f6483148_4C4C4544-0059-4C10-8043-C8C04F4B4733_DESKTOP-AF7CIQM_WORKGROUP",
+            "host.biossn": "4C4C4544-0059-4C10-8043-C8C04F4B4733",
+            "host.mac": [
+                "60:E3:2B:4B:40:E2"
+            ],
+            "network.interface": "Ethernet 3",
+            "host.oem.model": "XPS 17 9710",
+            "host.uptime": "594263.4592614",
+            "id": "DESKTOP-AF7CIQM#6#10.70.4.15#10.70.4.16",
+            "script.current_time": "2023-08-16T05:22:37Z",
+            "script.name": "Get-TychonArpInfo.ps1",
+            "network.state": "dynamic",
+            "script.version": "2.3.53.0",
+            "host.oem.manufacturer": "Dell",
+            "host.os.description": "",
+            "script.current_duration": "1809.94",
+            "host.ipv6": "fe80::c2c9:f4e0:eb65:2c33",
+            "destination.ip": "10.70.4.16",
+            "host.hardware.bios.version": "1.20.1",
+            "host.domain": "",
+            "host.os.family": "Windows"
+        }
+    ]
+}

packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-config.yml

@@ -0,0 +1,3 @@
+dynamic_fields:
+  "@timestamp": ".*"
+  event.ingested: ".*"

packages/tychon/data_stream/tychon_arp/_dev/test/pipeline/test-arp.json-expected.json

@@ -0,0 +1,85 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2023-10-05T13:48:07.498243391Z",
+            "destination": {
+                "hostname": "Request timed out (700 ms)",
+                "ip": "10.70.4.16",
+                "mac": "00-09-0F-AA-00-02",
+                "name": "Request timed out (700 ms)"
+            },
+            "ecs": {
+                "version": "8.8.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "ingested": "2023-10-05T13:48:07.498243391Z",
+                "kind": "state",
+                "module": "tychon",
+                "type": [
+                    "info"
+                ]
+            },
+            "host": {
+                "biossn": "4C4C4544-0059-4C10-8043-C8C04F4B4733",
+                "domain": "",
+                "hardware": {
+                    "bios": {
+                        "name": "Dell Inc.",
+                        "version": "1.20.1"
+                    },
+                    "cpu": {
+                        "caption": "Intel64 Family 6 Model 141 Stepping 1"
+                    },
+                    "manufacturer": "Dell Inc.",
+                    "owner": "james_sudbury@msn.com",
+                    "serial_number": "HYLCKG3"
+                },
+                "hostname": "DESKTOP-AF7CIQM",
+                "id": "47b5d5906f7d4b288a1366b2f6483148_4C4C4544-0059-4C10-8043-C8C04F4B4733_DESKTOP-AF7CIQM_WORKGROUP",
+                "ip": [
+                    "10.154.5.200"
+                ],
+                "ipv4": [
+                    "10.154.5.200"
+                ],
+                "ipv6": "fe80::c2c9:f4e0:eb65:2c33",
+                "mac": [
+                    "60-E3-2B-4B-40-E2"
+                ],
+                "oem": {
+                    "manufacturer": "Dell",
+                    "model": "XPS 17 9710"
+                },
+                "os": {
+                    "build": "22621",
+                    "description": "",
+                    "family": "Windows",
+                    "name": "Microsoft Windows 11 Pro",
+                    "organization": "",
+                    "version": "2009"
+                },
+                "type": "Workstation",
+                "uptime": 594263,
+                "workgroup": "WORKGROUP"
+            },
+            "id": "DESKTOP-AF7CIQM#6#10.70.4.15#10.70.4.16",
+            "network": {
+                "direction": "external",
+                "interface": "Ethernet 3",
+                "state": "dynamic",
+                "type": "IPv4"
+            },
+            "script": {
+                "current_duration": 1809.94,
+                "current_time": "2023-08-16T05:22:37Z",
+                "name": "Get-TychonArpInfo.ps1",
+                "start": "2023-08-16T05:22:36Z",
+                "type": "powershell",
+                "version": "2.3.53.0"
+            }
+        }
+    ]
+}

packages/tychon/data_stream/tychon_arp/agent/stream/stream.yml.hbs

@@ -0,0 +1,20 @@
+paths:
+{{#each paths as |path|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+{{/contains}}
+processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
+json:
+  keys_under_root: true
+  expand_keys: true

packages/tychon/data_stream/tychon_arp/elasticsearch/ingest_pipeline/default.yml

@@ -0,0 +1,67 @@
+---
+description: Pipeline for TYCHON ARP Tables
+processors:
+  - dot_expander:
+      field: "*"
+  - set:
+      field: "@timestamp"
+      value: "{{_ingest.timestamp}}"
+  - set:
+      field: event.ingested
+      value: "{{_ingest.timestamp}}"
+  - set:
+      field: ecs.version
+      value: 8.8.0
+  - set:
+      field: event.kind
+      value: state
+  - set:
+      field: event.module
+      value: tychon
+  - gsub:
+      field: host.mac
+      pattern: ":"
+      replacement: "-"
+      ignore_missing: true
+  - split:
+      field: host.ipv4
+      separator: ","
+      ignore_missing: true
+  - convert:
+      field: host.uptime
+      type: string
+      ignore_missing: true
+  - split:
+      field: host.uptime
+      separator: "\\.+"
+      target_field: tempuptime
+      ignore_failure: true
+  - set:
+      field: host.uptime
+      value: "{{tempuptime.0}}"
+      ignore_failure: true
+  - remove:
+      field: tempuptime
+      ignore_failure: true
+      ignore_missing: true
+  - convert:
+      field: host.uptime
+      type: long
+      ignore_missing: true
+  - set:
+      field: event.category
+      value: [network]
+  - set:
+      field: event.type
+      value: [info]
+  - convert:
+      field: script.current_duration
+      type: float
+      ignore_missing: true
+on_failure:
+  - set:
+      field: event.kind
+      value: pipeline_error
+  - append:
+      field: error.message
+      value: "{{ _ingest.on_failure_message }}"