[New Integration] Digital Guardian ARC API

[andrewkroh]

Create a new integration to pull events and alerts from the Digital Guardian Analytics & Reporting Cloud (ARC) API.

• https://www.digitalguardian.com/
• https://www.digitalguardian.com/blog/new-dawn-dlp-digital-guardian-releases-its-analytics-reporting-cloud-arc
• https://github.com/demisto/content/pull/27914 (MIT license)

I have a PDF document of DG Analytics & Reporting Cloud External API, Version 3.1.0 to work from.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

This will be an integration with one CEL-based data stream to ingest incidents from Digital Guardian Analytics & Reporting Cloud (ARC). Because we don't have access to the real service, I propose that we develop against a mock and release this as beta (e.g. v0.1.0-beta1). Then we can get a helpful user to deploy and validate against their account.

This integration will

• Use oauth2 to obtain a token for authentication.
• Periodically fetch incidents from the POST /1.0/export_profiles/{profile}/export_and_ack API (need to set request header Accept: application/json). This returns the export profile data in JSON format and advances the server-side bookmark in a single call.
• Convert the JSON response format into a list of events. The PDF doc doesn't show the response format, but this appears to the format. This would need to be handled on the CEL side.

The required configuration is

• Authorization Server URL (use as our auth.oauth.token_url)
• OAuth Client ID
• OAuth Client Secret
• ARC Server URL
• ARC Export Profile ID