[SIEMINT-123] DDSaaS: incident.io: Integration v1.0.0 (#18595)

* Added incident.io integration assets

* Removed saved views from manifest

* Resolved log pipeline tests check failure

* Fixed pipeline tests file identation

* Changed tab spacing of pipeline tests yaml

* Changed tab spacing of pipeline tests yaml

* Reformatted pipeline tests file

* Reformatted pipeline tests file

* Fixed identation

* log sample fixed

* log sample fixed

* Updated README and monitor descriptions

* incorporated PR review suggestions

* Update critical_public_incident.json

* Update high_number_of_public_incidents.json

* Update public_incident_reopened.json

* Clean up monitor names

---------

Co-authored-by: Bhavik Parmar <bhavik.parmar@crestdatasys.com>
Co-authored-by: Bhavik Parmar <84003960+bparmar-crest@users.noreply.github.com>
Co-authored-by: Chris Laverdiere <chris.laverdiere@datadoghq.com>
Co-authored-by: Chris Laverdiere <cmlaverdiere@gmail.com>
Co-authored-by: Doug Gunter <douglas.gunter@datadoghq.com>

Author: 4 people

.github/CODEOWNERS

@@ -276,6 +276,11 @@ datadog_checks_base/datadog_checks/base/checks/windows/              @DataDog/wi
 /greenhouse/manifest.json                                             @DataDog/saas-integrations @DataDog/documentation
 /greenhouse/assets/logs/                                              @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
 
+/incident_io/                                                        @DataDog/saas-integrations
+/incident_io/*.md                                                    @DataDog/saas-integrations @DataDog/documentation
+/incident_io/manifest.json                                           @DataDog/saas-integrations @DataDog/documentation
+/incident_io/assets/logs/                                            @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend
+
 /lastpass/                                                          @DataDog/saas-integrations
 /lastpass/*.md                                                      @DataDog/saas-integrations @DataDog/documentation
 /lastpass/manifest.json                                             @DataDog/saas-integrations @DataDog/documentation

.github/workflows/config/labeler.yml

@@ -261,6 +261,8 @@ integration/iis:
 - iis/**/*
 integration/impala:
 - impala/**/*
+integration/incident_io:
+- incident_io/**/*
 integration/istio:
 - istio/**/*
 integration/jboss_wildfly:

incident_io/CHANGELOG.md

@@ -0,0 +1,7 @@
+# CHANGELOG - incident.io
+
+## 1.0.0 / 2024-09-04
+
+***Added***:
+
+* Initial Release

incident_io/README.md

@@ -0,0 +1,51 @@
+## Overview
+
+[incident.io][1] helps companies declare, collaborate, communicate around, and learn from events that disturb their normal course of business-from critical infrastructure being down, to data breaches and security incidents. It is a service that helps teams manage incidents and outages effectively. It typically provides features like incident reporting, tracking, and resolution workflows.
+
+Integrate your incident.io account with Datadog to gain insights into incident-related activities.
+
+## Setup
+
+Follow the instructions below to configure this integration for incident.io incident events through a Webhook.
+
+### Configuration
+
+#### Webhook configuration
+Configure the Datadog endpoint to forward events of incident.io incidents as logs to Datadog. For more details, see the incident.io [webhooks][2] documentation.
+
+1. Select an existing API key or create a new one by clicking one of the buttons below: <!-- UI Component to be added by Datadog team -->
+2. Log in to your [incident.io account][3] as org owner.
+3. Go to **Settings > Webhooks**.
+4. Click **Add Endpoint**.
+5. Fill in the webhook URL that you generated in step 1.
+6. Select the type of incident events that you want to push to Datadog under the **Subscribe to events** section.
+7. Click **Create**.
+
+## Data Collected
+
+### Logs
+The incident.io integration ingests the following logs:
+- Public incident event logs
+- Private incident event logs
+- Action and follow up event logs 
+
+### Metrics
+
+incident.io does not include any metrics.
+
+### Service Checks
+
+incident.io does not include any service checks.
+
+### Events
+
+incident.io does not include any events.
+
+## Support
+
+Need help? Contact [Datadog support][4].
+
+[1]: https://incident.io/
+[2]: https://api-docs.incident.io/tag/Webhooks/
+[3]: https://app.incident.io/
+[4]: https://docs.datadoghq.com/help/

incident_io/assets/dashboards/incident-io_incidents_overview.json

@@ -0,0 +1,184 @@
+id: incident-io
+metric_id: incident-io
+backend_only: false
+facets:
+  - groups:
+      - Event
+    name: Event Name
+    path: evt.name
+    source: log
+pipeline:
+  type: pipeline
+  name: incident.io
+  enabled: true
+  filter:
+    query: "source:incident-io"
+  processors:
+    - type: attribute-remapper
+      name: Map `event_type` to `evt.name`
+      enabled: true
+      sources:
+        - event_type
+      sourceType: attribute
+      target: evt.name
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: attribute-remapper
+      name: Map `private_incident.action_created_v1`, `private_incident.action_updated_v1`, `private_incident.follow_up_created_v1`, `private_incident.follow_up_updated_v1`, `private_incident.incident_created_v2`, `private_incident.incident_updated_v2`, `private_incident.membership_granted_v1`, `private_incident.membership_revoked_v1`, `public_incident.action_created_v1`, `public_incident.action_updated_v1`, `public_incident.follow_up_created_v1`, `public_incident.follow_up_updated_v1`, `public_incident.incident_created_v2`, `public_incident.incident_status_updated_v2`, `public_incident.incident_updated_v2` to `data`
+      enabled: true
+      sources:
+        - private_incident.action_created_v1
+        - private_incident.action_updated_v1
+        - private_incident.follow_up_created_v1
+        - private_incident.follow_up_updated_v1
+        - private_incident.incident_created_v2
+        - private_incident.incident_updated_v2
+        - private_incident.membership_granted_v1
+        - private_incident.membership_revoked_v1
+        - public_incident.action_created_v1
+        - public_incident.action_updated_v1
+        - public_incident.follow_up_created_v1
+        - public_incident.follow_up_updated_v1
+        - public_incident.incident_created_v2
+        - public_incident.incident_status_updated_v2
+        - public_incident.incident_updated_v2
+      sourceType: attribute
+      target: data
+      targetType: attribute
+      preserveSource: false
+      overrideOnConflict: false
+    - type: pipeline
+      name: Creation Events
+      enabled: true
+      filter:
+        query: "@evt.name:(public_incident.action_created_v1 OR
+          public_incident.follow_up_created_v1)"
+      processors:
+        - type: date-remapper
+          name: Define `data.created_at` as the official date of the log
+          enabled: true
+          sources:
+            - data.created_at
+    - type: pipeline
+      name: Update Events
+      enabled: true
+      filter:
+        query: "@evt.name:(public_incident.action_updated_v1 OR
+          public_incident.follow_up_updated_v1)"
+      processors:
+        - type: date-remapper
+          name: Define `data.updated_at` as the official date of the log
+          enabled: true
+          sources:
+            - data.updated_at
+    - type: pipeline
+      name: Incident Created Event
+      enabled: true
+      filter:
+        query: "@evt.name:public_incident.incident_created_v2"
+      processors:
+        - type: date-remapper
+          name: Define `data.created_at` as the official date of the log
+          enabled: true
+          sources:
+            - data.created_at
+        - type: attribute-remapper
+          name: Map `data.id` to `data.incident_id`
+          enabled: true
+          sources:
+            - data.id
+          sourceType: attribute
+          target: data.incident_id
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+    - type: pipeline
+      name: Incident Updated Event
+      enabled: true
+      filter:
+        query: "@evt.name:public_incident.incident_updated_v2"
+      processors:
+        - type: date-remapper
+          name: Define `data.updated_at` as the official date of the log
+          enabled: true
+          sources:
+            - data.updated_at
+        - type: attribute-remapper
+          name: Map `data.id` to `data.incident_id`
+          enabled: true
+          sources:
+            - data.id
+          sourceType: attribute
+          target: data.incident_id
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+    - type: pipeline
+      name: Incident Status Update Event
+      enabled: true
+      filter:
+        query: "@evt.name:public_incident.incident_status_updated_v2"
+      processors:
+        - type: date-remapper
+          name: Define `data.incident.updated_at` as the official date of the log
+          enabled: true
+          sources:
+            - data.incident.updated_at
+        - type: attribute-remapper
+          name: Map `data.incident.name` to `data.name`
+          enabled: true
+          sources:
+            - data.incident.name
+          sourceType: attribute
+          target: data.name
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `data.incident.reference` to `data.reference`
+          enabled: true
+          sources:
+            - data.incident.reference
+          sourceType: attribute
+          target: data.reference
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `data.incident.id` to `data.incident_id`
+          enabled: true
+          sources:
+            - data.incident.id
+          sourceType: attribute
+          target: data.incident_id
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+        - type: attribute-remapper
+          name: Map `data.incident.incident_type.name` to `data.incident_type.name`
+          enabled: true
+          sources:
+            - data.incident.incident_type.name
+          sourceType: attribute
+          target: data.incident_type.name
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false
+    - type: pipeline
+      name: Private Incident Events
+      enabled: true
+      filter:
+        query: "@evt.name:(private_incident.incident_created_v2 OR
+          private_incident.incident_updated_v2)"
+      processors:
+        - type: attribute-remapper
+          name: Map `data.id` to `data.incident_id`
+          enabled: true
+          sources:
+            - data.id
+          sourceType: attribute
+          target: data.incident_id
+          targetType: attribute
+          preserveSource: false
+          overrideOnConflict: false