
[New Connector] Sandfly Security #3522


Open: wants to merge 41 commits into base branch main

Conversation

sandflysnapp

Closes #3510

New connector for Sandfly Security

Sandfly Security

Sandfly is an agentless, instantly deployable, and safe Linux Endpoint Detection and Response (EDR) platform. Sandfly protects virtually any Linux system, from modern cloud deployments to decade-old devices, regardless of distribution or CPU architecture. And, we do it without loading agents on your endpoints that can cause performance and stability impacts.

Besides traditional EDR capabilities, Sandfly also tracks SSH credentials, audits for weak passwords, detects unauthorized changes with drift detection, and allows custom modules to help incident responders find emerging threats.

Sandfly connector

The connector will initiate a REST API connection to the Sandfly Server with the supplied credentials and ingest the following types of data:

  1. Results - the details from Sandfly investigations resulting in alerts, errors or passed checks
  2. Hosts - various details about each Linux host protected by Sandfly
  3. SSH Keys - various details about all SSH Keys found during Sandfly investigations

Checklists

Pre-Review Checklist

  • this PR does NOT contain credentials of any kind, such as API keys or username/passwords (double check config.yml.example)
  • this PR has a meaningful title
  • this PR links to all relevant github issues that it fixes or partially addresses
  • if there is no GH issue, please create it. Each PR should have a link to an issue
  • this PR has a thorough description
  • Covered the changes with automated tests
  • Tested the changes locally
  • Added a label for each target release version (example: v7.13.2, v7.14.0, v8.0.0)
  • For bugfixes: backport safely to all minor branches still receiving patch releases
  • Considered corresponding documentation changes
  • Contributed any configuration settings changes to the configuration reference
  • if you added or changed Rich Configurable Fields for a Native Connector, you made a corresponding PR in Kibana

Changes Requiring Extra Attention

  • Security-related changes (encryption, TLS, SSRF, etc)
  • New external service dependencies added.

Release Note

@sandflysnapp sandflysnapp requested a review from a team as a code owner July 3, 2025 17:57

cla-checker-service bot commented Jul 3, 2025

💚 CLA has been signed

@github-actions github-actions bot added the v9.2.0 label Jul 3, 2025
@seanstory
Member

buildkite test this

@seanstory
Member

@sandflysnapp thanks for the contribution!
Please sign the CLA, and resolve any CI issues.

Before we invest in a thorough review, we'll be discussing whether we want to include Sandfly Security in our connector catalog, or if this is better kept as a reference PR and in a fork. We'll be in touch on the linked issue if we have questions in regards to that discussion.

Contributor

@mattnowzari mattnowzari left a comment


This is great work, thank you for the submission! I've left some comments on things that stuck out to me from a general 'code quality' perspective.

@sandflysnapp sandflysnapp requested a review from mattnowzari July 29, 2025 19:52
@sandflysnapp
Author

Our company CEO signed the contributor agreement and added me as an authorized contributor. Can we recheck the CLA to see if that is working now?

@seanstory
Member

> Our company CEO signed the contributor agreement and added me as an authorized contributor. Can we recheck the CLA to see if that is working now?

Sorry, I think we missed this comment.

The best way to re-trigger it would be to add an empty commit, like:

git commit -m 'commit using CLA-signed email' --allow-empty

If that doesn't work, there's probably a commit in the history that's attributed to an email that hasn't signed the CLA. You can squash all the commits into one, and force-push with that single commit signed by the right email.

@mattnowzari
Contributor

buildkite test this

Successfully merging this pull request may close these issues.

New Connector: Sandfly Security
4 participants