[axonius][gateway] Add Axonius Gateway datastream

.github/CODEOWNERS

@@ -93,6 +93,7 @@
 /packages/aws_vpcflow_otel @elastic/obs-infraobs-integrations
 /packages/awsfargate @elastic/obs-infraobs-integrations
 /packages/awsfirehose @elastic/obs-ds-hosted-services
+/packages/axonius @elastic/security-service-integrations
 /packages/azure @elastic/obs-infraobs-integrations @elastic/obs-ds-hosted-services @elastic/security-service-integrations
 /packages/azure/data_stream/activitylogs @elastic/obs-infraobs-integrations
 /packages/azure/data_stream/application_gateway @elastic/security-service-integrations

packages/axonius/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@v9.2.0

packages/axonius/_dev/build/docs/README.md

@@ -0,0 +1,112 @@
+# Axonius Integration for Elastic
+
+## Overview
+
+[Axonius](https://www.axonius.com/) is a cybersecurity asset management platform that automatically collects data from hundreds of IT and security tools through adapters, merges that information, and builds a unified inventory of all assets—devices, users, SaaS apps, cloud instances, and more. By correlating data from multiple systems, Axonius helps organizations identify visibility gaps, missing security controls, risky configurations, and compliance issues. It lets you create powerful queries to answer any security or IT question and automate actions such as sending alerts, creating tickets, or enforcing policies.
+
+This integration for Elastic allows you to collect assets and security events data using the Axonius API, then visualize the data in Kibana.
+
+### Compatibility
+The Axonius integration is compatible with product version **7.0**.
+
+### How it works
+This integration periodically queries the Axonius API to retrieve logs.
+
+## What data does this integration collect?
+This integration collects log messages of the following type:
+
+- `Gateway`: Collect details of all Gateway (endpoint: `/api/v2/gateway`).
+
+### Supported use cases
+
+Integrating the Axonius Gateway Datastream with Elastic SIEM provides centralized visibility into gateway configurations and the network context they operate in. Kibana dashboards surface key insights into gateway status, routing behavior, and essential connection attributes, helping analysts quickly understand overall network posture.
+
+The dashboards offer clear views of status distribution, highlight important gateway metrics, and provide searchable details that support deeper investigation. Additional tables and saved searches reveal underlying network dependencies and proxy-related information, enabling teams to track configuration changes and identify irregularities.
+
+These insights help security teams monitor gateway health, detect misconfigurations, and streamline network-focused investigations across the environment.
+
+## What do I need to use this integration?
+
+### From Elastic
+
+This integration installs [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements.
+
+### From Axonius
+
+To collect data through the Axonius APIs, you need to provide the **URL**, **API Key** and **API Secret**. Authentication is handled using the **API Key** and **API Secret**, which serves as the required credential.
+
+#### Retrieve URL, API Token and API Secret:
+
+1. Log in to the **Axonius** instance.
+2. Your instance URL is your Base **URL**.
+3. Navigate to **User Settings > API Key**.
+4. Generate an **API Key**.
+5. Copy both values including **API Key and Secret Key** and store them securely for use in the Integration configuration.
+
+## How do I deploy this integration?
+
+This integration supports both Elastic Agentless-based and Agent-based installations.
+
+### Agent-based deployment
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Agentless deployment
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it.
+
+For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html)
+
+### Configure
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **Axonius**.
+3. Select the **Axonius** integration from the search results.
+4. Select **Add Axonius** to add the integration.
+5. Enable and configure only the collection methods which you will use.
+
+    * To **Collect logs from Axonius API**, you'll need to:
+
+        - Configure **URL**, **API Key** and **API Secret**.
+        - Adjust the integration configuration parameters if required, including the Interval, HTTP Client Timeout etc. to enable data collection.
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Dashboard populated
+
+1. In the top search bar in Kibana, search for **Dashboards**.
+2. In the search bar, type **Axonius**, and verify the dashboard information is populated.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+## Scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### Gateway
+
+The `gateway` data stream provides gateway events from axonius.
+
+#### gateway fields
+
+{{ fields "gateway" }}
+
+{{ event "gateway" }}
+
+### Inputs used
+{{/* All inputs used by this package will be automatically listed here. */}}
+{{ inputDocs }}
+
+### API usage
+
+These APIs are used with this integration:
+
+* Gateway (endpoint: `/api/v2/gateway`)

packages/axonius/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '3.8'
+services:
+  axonius:
+    image: docker.elastic.co/observability/stream:v0.20.0
+    hostname: axonius
+    ports:
+      - 8090
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8090'
+    command:
+      - http-server
+      - --addr=:8090
+      - --config=/files/config.yml

packages/axonius/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,63 @@
+rules:
+  - path: /api/v2/gateways
+    methods: ['GET']
+    request_headers:
+      Accept: application/json
+      api-key: xxxx
+      api-secret: xxxx
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |-
+          {{ minify_json `
+          {
+            "gateways": [
+              {
+                "name": "Gateway_1",
+                "default": false,
+                "dns_server": "1.128.0.0",
+                "email_when_connected": false,
+                "email_when_disconnected": false,
+                "email_recipients": [
+                  "john.doe@example.com"
+                ],
+                "backup_ids": [
+                  "backup1",
+                  "backup2"
+                ],
+                "tunnel_proxy_settings": {
+                  "enabled": false,
+                  "tunnel_proxy_addr": "addr",
+                  "tunnel_proxy_port": 8080,
+                  "tunnel_proxy_user": "tunnel-proxy-01"
+                },
+                "id": "tunnel3",
+                "status": "pending"
+              },
+              {
+                "name": "Gateway_3",
+                "default": false,
+                "dns_server": "216.160.83.56",
+                "email_when_connected": false,
+                "email_when_disconnected": false,
+                "email_recipients": [
+                  "alias.doe@example.com"
+                ],
+                "backup_ids": [
+                  "backup1",
+                  "backup2"
+                ],
+                "tunnel_proxy_settings": {
+                  "enabled": false,
+                  "tunnel_proxy_addr": "addr1",
+                  "tunnel_proxy_port": 8081,
+                  "tunnel_proxy_user": "tunnel-proxy-02"
+                },
+                "id": "tunnel2",
+                "status": "error"
+              }
+            ]
+          }
+          `}}

packages/axonius/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: 0.1.0
+  changes:
+    - description: Initial release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16169

packages/axonius/data_stream/gateway/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_duplicate_custom_fields

packages/axonius/data_stream/gateway/_dev/test/pipeline/test-gateway.log

@@ -0,0 +1,3 @@
+{"name":"Gateway_1","default":false,"dns_server":"1.128.0.0","email_when_connected":false,"email_when_disconnected":false,"email_recipients":["john.doe@example.com"],"backup_ids":["backup1","backup2"],"tunnel_proxy_settings":{"enabled":false,"tunnel_proxy_addr":"addr","tunnel_proxy_port":8080,"tunnel_proxy_user":"tunnel-proxy-01"},"id":"tunnel3","status":"pending"}
+{"name":"Gateway_3","default":false,"dns_server":"216.160.83.56","email_when_connected":false,"email_when_disconnected":false,"email_recipients":["alias.doe@example.com"],"backup_ids":["backup1","backup2"],"tunnel_proxy_settings":{"enabled":false,"tunnel_proxy_addr":"addr1","tunnel_proxy_port":8081,"tunnel_proxy_user":"tunnel-proxy-02"},"id":"tunnel2","status":"error"}
+{"name":"Gateway_2","default":true,"dns_server":"89.160.20.128","email_when_connected":false,"email_when_disconnected":false,"email_recipients":["john.martin@example.com"],"backup_ids":["backup1","backup2"],"tunnel_proxy_settings":{"enabled":false,"tunnel_proxy_addr":"addr2","tunnel_proxy_port":8082,"tunnel_proxy_user":"tunnel-proxy-03"},"id":"tunnel1","status":"success"}

packages/axonius/data_stream/gateway/_dev/test/pipeline/test-gateway.log-expected.json

@@ -0,0 +1,177 @@
+{
+    "expected": [
+        {
+            "axonius": {
+                "gateway": {
+                    "backup_ids": [
+                        "backup1",
+                        "backup2"
+                    ],
+                    "default": false,
+                    "dns_server": "1.128.0.0",
+                    "email_recipients": [
+                        "john.doe@example.com"
+                    ],
+                    "email_when_connected": false,
+                    "email_when_disconnected": false,
+                    "id": "tunnel3",
+                    "name": "Gateway_1",
+                    "status": "pending",
+                    "tunnel_proxy_settings": {
+                        "enabled": false,
+                        "tunnel_proxy_addr": "addr",
+                        "tunnel_proxy_port": "8080",
+                        "tunnel_proxy_user": "tunnel-proxy-01"
+                    }
+                }
+            },
+            "dns": {
+                "resolved_ip": [
+                    "1.128.0.0"
+                ]
+            },
+            "ecs": {
+                "version": "9.2.0"
+            },
+            "email": {
+                "to": {
+                    "address": [
+                        "john.doe@example.com"
+                    ]
+                }
+            },
+            "event": {
+                "id": "tunnel3",
+                "kind": "event",
+                "original": "{\"name\":\"Gateway_1\",\"default\":false,\"dns_server\":\"1.128.0.0\",\"email_when_connected\":false,\"email_when_disconnected\":false,\"email_recipients\":[\"john.doe@example.com\"],\"backup_ids\":[\"backup1\",\"backup2\"],\"tunnel_proxy_settings\":{\"enabled\":false,\"tunnel_proxy_addr\":\"addr\",\"tunnel_proxy_port\":8080,\"tunnel_proxy_user\":\"tunnel-proxy-01\"},\"id\":\"tunnel3\",\"status\":\"pending\"}"
+            },
+            "related": {
+                "ip": [
+                    "1.128.0.0"
+                ],
+                "user": [
+                    "tunnel-proxy-01"
+                ]
+            },
+            "tags": [
+                "preserve_duplicate_custom_fields"
+            ]
+        },
+        {
+            "axonius": {
+                "gateway": {
+                    "backup_ids": [
+                        "backup1",
+                        "backup2"
+                    ],
+                    "default": false,
+                    "dns_server": "216.160.83.56",
+                    "email_recipients": [
+                        "alias.doe@example.com"
+                    ],
+                    "email_when_connected": false,
+                    "email_when_disconnected": false,
+                    "id": "tunnel2",
+                    "name": "Gateway_3",
+                    "status": "error",
+                    "tunnel_proxy_settings": {
+                        "enabled": false,
+                        "tunnel_proxy_addr": "addr1",
+                        "tunnel_proxy_port": "8081",
+                        "tunnel_proxy_user": "tunnel-proxy-02"
+                    }
+                }
+            },
+            "dns": {
+                "resolved_ip": [
+                    "216.160.83.56"
+                ]
+            },
+            "ecs": {
+                "version": "9.2.0"
+            },
+            "email": {
+                "to": {
+                    "address": [
+                        "alias.doe@example.com"
+                    ]
+                }
+            },
+            "event": {
+                "id": "tunnel2",
+                "kind": "event",
+                "original": "{\"name\":\"Gateway_3\",\"default\":false,\"dns_server\":\"216.160.83.56\",\"email_when_connected\":false,\"email_when_disconnected\":false,\"email_recipients\":[\"alias.doe@example.com\"],\"backup_ids\":[\"backup1\",\"backup2\"],\"tunnel_proxy_settings\":{\"enabled\":false,\"tunnel_proxy_addr\":\"addr1\",\"tunnel_proxy_port\":8081,\"tunnel_proxy_user\":\"tunnel-proxy-02\"},\"id\":\"tunnel2\",\"status\":\"error\"}",
+                "outcome": "failure"
+            },
+            "related": {
+                "ip": [
+                    "216.160.83.56"
+                ],
+                "user": [
+                    "tunnel-proxy-02"
+                ]
+            },
+            "tags": [
+                "preserve_duplicate_custom_fields"
+            ]
+        },
+        {
+            "axonius": {
+                "gateway": {
+                    "backup_ids": [
+                        "backup1",
+                        "backup2"
+                    ],
+                    "default": true,
+                    "dns_server": "89.160.20.128",
+                    "email_recipients": [
+                        "john.martin@example.com"
+                    ],
+                    "email_when_connected": false,
+                    "email_when_disconnected": false,
+                    "id": "tunnel1",
+                    "name": "Gateway_2",
+                    "status": "success",
+                    "tunnel_proxy_settings": {
+                        "enabled": false,
+                        "tunnel_proxy_addr": "addr2",
+                        "tunnel_proxy_port": "8082",
+                        "tunnel_proxy_user": "tunnel-proxy-03"
+                    }
+                }
+            },
+            "dns": {
+                "resolved_ip": [
+                    "89.160.20.128"
+                ]
+            },
+            "ecs": {
+                "version": "9.2.0"
+            },
+            "email": {
+                "to": {
+                    "address": [
+                        "john.martin@example.com"
+                    ]
+                }
+            },
+            "event": {
+                "id": "tunnel1",
+                "kind": "event",
+                "original": "{\"name\":\"Gateway_2\",\"default\":true,\"dns_server\":\"89.160.20.128\",\"email_when_connected\":false,\"email_when_disconnected\":false,\"email_recipients\":[\"john.martin@example.com\"],\"backup_ids\":[\"backup1\",\"backup2\"],\"tunnel_proxy_settings\":{\"enabled\":false,\"tunnel_proxy_addr\":\"addr2\",\"tunnel_proxy_port\":8082,\"tunnel_proxy_user\":\"tunnel-proxy-03\"},\"id\":\"tunnel1\",\"status\":\"success\"}",
+                "outcome": "success"
+            },
+            "related": {
+                "ip": [
+                    "89.160.20.128"
+                ],
+                "user": [
+                    "tunnel-proxy-03"
+                ]
+            },
+            "tags": [
+                "preserve_duplicate_custom_fields"
+            ]
+        }
+    ]
+}