[SAASINT-4032] DDS: DNSFilter: Crawler Integration v1.0.0 (DataDog#20384)

* initial commit without assets

* Adding changes into manifest file

* Removed service_checks and added codeowners

* Add: DNSFilter Assets

* Update: facets in logs file

* Update: fix CI checks and add sample results

* Update: minor changes in overview dashboard

* Update: address review

* Update: map result to evt.outcome

* Update: pipeline results

* Remove Log Details Panel from Overview Dashboard

* Updated dashboard image

---------

Co-authored-by: Akshit Vaid <akshit.vaid@crestdata.ai>

Author: manan-crest

dnsfilter/README.md

@@ -1,43 +1,54 @@
-# Agent Check: DNSFilter
+# DNSFilter
 
 ## Overview
 
-This check monitors [DNSFilter][1].
+[DNSFilter][1] is a cloud-based content filtering tool that blocks internet threats at the DNS layer. It helps protect organizations by preventing access to malicious domains, phishing sites, and other cyber threats, ensuring a safer and more secure internet experience.
 
-## Setup
+This integration ingests the following logs:
+
+- DNS Traffic Logs: Represents information about allowed and blocked DNS requests, threats, domains accessed, policies, networks, and other DNS-related traffic data.
 
-### Installation
+This integration collects DNS Traffic Logs, channeling them into Datadog for analysis. Leveraging the built-in logs pipeline, these logs are parsed and enriched, enabling search and analysis. The integration provides insight into DNS traffic logs through out-of-the-box dashboards and includes ready-to-use Cloud SIEM detection rules for improved monitoring and security.
+
+## Setup
 
-The DNSFilter check is included in the [Datadog Agent][2] package.
-No additional installation is needed on your server.
+### Generate API credentials in DNSFilter
 
-### Configuration
+1. Login to the **DNSFilter dashboard** and navigate to **Account**.
+2. Select **Account Settings**.
+3. Navigate to the **Security** tab.
+4. Navigate to the **API Keys** section, then click **CREATE KEY**.
+5. Enter a key **Name** and select an **Expiration**.
+6. Click **GENERATE KEY**.
+7. Fetch the API Key from the **Your API Key** Section.
 
-!!! Add list of steps to set up this integration !!!
+### Connect your DNSFilter account to Datadog
 
-### Validation
+1. Add your API Key.
 
-!!! Add steps to validate integration is functioning as expected !!!
+    | Parameters                            | Description                                                  |
+    | ------------------------------------- | ------------------------------------------------------------ |
+    | API Key                               | The API Key of your DNSFilter platform                       |
+    
+2. Click the **Save** button to save your settings.
 
 ## Data Collected
 
-### Metrics
+### Logs
 
-DNSFilter does not include any metrics.
+The DNSFilter integration collects and forwards DNS traffic logs to Datadog.
 
-### Service Checks
+### Metrics
 
-DNSFilter does not include any service checks.
+The DNSFilter integration does not include any metrics.
 
 ### Events
 
-DNSFilter does not include any events.
-
-## Troubleshooting
+The DNSFilter integration does not include any events.
 
-Need help? Contact [Datadog support][3].
+## Support
 
-[1]: **LINK_TO_INTEGRATION_SITE**
-[2]: https://app.datadoghq.com/account/settings/agent/latest
-[3]: https://docs.datadoghq.com/help/
+Need help? Contact [Datadog support][2].
 
+[1]: https://www.dnsfilter.com/
+[2]: https://docs.datadoghq.com/help/

dnsfilter/assets/dashboards/dnsfilter_overview.json

@@ -0,0 +1,189 @@
+id: dnsfilter
+metric_id: dnsfilter
+backend_only: false
+facets:
+  - groups:
+      - DNS
+    name: Response Code
+    path: dns.flags.rcode
+    source: log
+  - groups:
+      - DNS
+    name: Question Name
+    path: dns.question.name
+    source: log
+  - groups:
+      - DNS
+    name: Question Type
+    path: dns.question.type
+    source: log
+  - groups:
+      - Event
+    name: Event Outcome
+    path: evt.outcome
+    source: log
+  - groups:
+      - Geoip
+    name: City Name
+    path: network.client.geoip.city.name
+    source: log
+  - groups:
+      - Geoip
+    name: Continent Code
+    path: network.client.geoip.continent.code
+    source: log
+  - groups:
+      - Geoip
+    name: Continent Name
+    path: network.client.geoip.continent.name
+    source: log
+  - groups:
+      - Geoip
+    name: Country ISO Code
+    path: network.client.geoip.country.iso_code
+    source: log
+  - groups:
+      - Geoip
+    name: Country Name
+    path: network.client.geoip.country.name
+    source: log
+  - groups:
+      - Geoip
+    name: Subdivision ISO Code
+    path: network.client.geoip.subdivision.iso_code
+    source: log
+  - groups:
+      - Geoip
+    name: Subdivision Name
+    path: network.client.geoip.subdivision.name
+    source: log
+  - groups:
+      - Web Access
+    name: Client IP
+    path: network.client.ip
+    source: log
+  - groups:
+      - User
+    name: User ID
+    path: usr.id
+    source: log
+  - groups:
+      - User
+    name: User Name
+    path: usr.name
+    source: log
+pipeline:
+  type: pipeline
+  name: DNSFilter
+  enabled: true
+  filter:
+    query: source:dnsfilter
+  processors:
+    - type: grok-parser
+      name: Convert to epoch time
+      enabled: true
+      source: time
+      samples:
+        - 2025-05-02 07:05:46.529
+      grok:
+        supportRules: ""
+        matchRules: rule %{date("yyyy-M-d H:m:s.SSS"):timestamp}
+    - type: date-remapper
+      name: Define `timestamp` as the official date of the log
+      enabled: true
+      sources:
+        - timestamp
+    - type: attribute-remapper
+      name: Map `local_user_id` to `usr.id`
+      enabled: true
+      sources:
+        - local_user_id
+      sourceType: attribute
+      target: usr.id
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: Map `local_user_name` to `usr.name`
+      enabled: true
+      sources:
+        - local_user_name
+      sourceType: attribute
+      target: usr.name
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: Map `request_address` to `network.client.ip`
+      enabled: true
+      sources:
+        - request_address
+      sourceType: attribute
+      target: network.client.ip
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: geo-ip-parser
+      name: Extracting geolocation information from the Client IP
+      enabled: true
+      sources:
+        - network.client.ip
+      target: network.client.geoip
+      ip_processing_behavior: do-nothing
+    - type: attribute-remapper
+      name: Map `domain` to `dns.question.name`
+      enabled: true
+      sources:
+        - domain
+      sourceType: attribute
+      target: dns.question.name
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: Map `result` to `evt.outcome`
+      enabled: true
+      sources:
+        - result
+      sourceType: attribute
+      target: evt.outcome
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: Map `question_type` to `dns.question.type`
+      enabled: true
+      sources:
+        - question_type
+      sourceType: attribute
+      target: dns.question.type
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: category-processor
+      name: Define `status` based on `threat` and `evt.outcome`
+      enabled: true
+      categories:
+        - name: info
+          filter:
+            query: (@threat:true @evt.outcome:blocked) OR (@threat:false
+              @evt.outcome:allowed) OR (@threat:false @evt.outcome:blocked)
+        - name: warning
+          filter:
+            query: "@threat:true @evt.outcome:allowed"
+      target: status
+    - type: status-remapper
+      name: Define `status` as the official status of the log
+      enabled: true
+      sources:
+        - status
+    - type: attribute-remapper
+      name: Map `code` to `dns.flags.rcode`
+      enabled: true
+      sources:
+        - code
+      sourceType: attribute
+      target: dns.flags.rcode
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false