[cisco_ise] Add Cisco ISE package (#2855)

Generated the skeleton of the Cisco ISE integration package.
Added a data stream.
Added data collection logic to the data stream.
Added the ingest pipeline for the data stream.
Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files
Added dashboards and visualizations.
Added test for pipeline for the data stream.
Added system test cases for the data stream.

Co-authored-by: Darshan Lukhi <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>

.github/CODEOWNERS

@@ -35,6 +35,7 @@
 /packages/cisco_duo @elastic/security-external-integrations
 /packages/cisco_ftd @elastic/security-external-integrations
 /packages/cisco_ios @elastic/security-external-integrations
+/packages/cisco_ise @elastic/security-external-integrations
 /packages/cisco @elastic/security-external-integrations
 /packages/cisco_meraki @elastic/security-external-integrations
 /packages/cisco_nexus @elastic/security-external-integrations

packages/cisco_ise/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: [email protected]

packages/cisco_ise/_dev/build/docs/README.md

@@ -0,0 +1,36 @@
+# Cisco ISE
+
+The Cisco ISE integration collects and parses data from [Cisco Identity Services Engine](https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html) (ISE) using TCP/UDP.
+
+## Compatibility
+
+This module has been tested against `Cisco ISE server version 3.1.0.518`.
+
+## Requirements
+
+- Enable the integration with the TCP/UDP input.
+- Sign in to Cisco ISE Portal.
+- Configure Remote Syslog Collection Locations.
+  - **Procedure**
+      1. In Cisco ISE Administrator Portal, go to **Administration** > **System** > **Logging** > **Remote Logging Targets**.
+      2. Click **Add**.
+      ![Cisco ISE server setup image](../img/cisco-ise-setup.png)
+      3. Enter all the **Required Details**.
+      4. Set the maximum length to **8192**.
+      5. Click **Submit**. 
+      6. Go to the **Remote Logging Targets** page and verify the creation of the new target.
+
+## Note
+- It is recommended to have **8192** as Maximum Message Length. Segmentation for certain logs coming from Cisco ISE might cause issues with field mappings. 
+
+## Logs
+
+Reference link for Cisco ISE Syslog: [Here](https://www.cisco.com/c/en/us/td/docs/security/ise/syslog/Cisco_ISE_Syslogs/m_SyslogsList.html) 
+
+### log
+
+This is the `log` dataset.
+
+{{event "log"}}
+
+{{fields "log"}}

packages/cisco_ise/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,14 @@
+version: '2.3'
+services:
+  cisco_ise-log-tcp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    entrypoint: /bin/bash
+    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9025 -p=tcp /sample_logs/log.log"
+  cisco_ise-log-udp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    entrypoint: /bin/bash
+    command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9026 -p=udp /sample_logs/log.log"

packages/cisco_ise/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2855

packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event

packages/cisco_ise/data_stream/log/_dev/test/pipeline/test-pipeline-ad-connector.log

@@ -0,0 +1,13 @@
+<180>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083094 1 0 2022-03-03 10:42:25.842 +00:00 0000083161 25012 WARN AD-Connector: Domain join failed, AD-Admin=ise.host.local, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Error-Details=The user account is invalid, AD-Forest=host.local, [email protected], AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/47, AD-Organization-Unit=, AD-Site=Default-First-Site-Name,
+<182>Mar 3 10:43:05 isehost CISE_AD_Connector 0000041246 1 0 2022-03-03 10:43:05.020 +00:00 0000041292 25013 INFO AD-Connector: Domain leave succeeded,  AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Hostname=isehost, AD-IP-Address=89.160.20.156, AD-Log-Id=1645707128/8, AD-Site=Default-First-Site-Name,
+<182>Mar 3 10:43:05 isehost CISE_AD_Connector 0000041242 1 0 2022-03-03 10:43:05.018 +00:00 0000041288 25015 INFO AD-Connector: DNS SRV query succeeded, AD-Domain=host.local, AD-Log-Id=1645707128/4, AD-Srv-Query=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.host.local, AD-Srv-Record=host.local\, 81.2.69.1431.98, AD-Srv-Record=host.local\, 89.160.20.156, AD-Srv-Record=host.local\, 81.2.69.1431.94,
+<179>Mar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083074 1 0 2022-03-03 10:40:58.891 +00:00 0000083141 25016 ERROR AD-Connector: DNS SRV query failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/37, AD-Srv-Query=_ldap._tcp.dc._msdcs.89.160.20.112,
+<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083091 1 0 2022-03-03 10:42:25.835 +00:00 0000083158 25017 INFO AD-Connector: DC discovery succeeded, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/44, AD-Site=Default-First-Site-Name,
+<179>Mar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083075 1 0 2022-03-03 10:40:58.892 +00:00 0000083142 25018 ERROR AD-Connector: DC discovery failed, AD-Domain=89.160.20.112, AD-Error-Details=The domain name specified in the query was not found, AD-Log-Id=1645524126/38,
+<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083093 1 0 2022-03-03 10:42:25.837 +00:00 0000083160 25033 INFO AD-Connector: DNS A/AAAA query succeeded, AD-Domain-Controller=host.local., AD-Hostname=host.local., AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/46,
+<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083092 1 0 2022-03-03 10:42:25.835 +00:00 0000083159 25037 INFO AD-Connector: DC record cached, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-IP-Address=89.160.20.156, AD-Log-Id=1645524126/45, AD-Site=Default-First-Site-Name,
+<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083089 1 0 2022-03-03 10:42:25.835 +00:00 0000083156 25041 INFO AD-Connector: ISE Server site discovered, AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645524126/42, AD-Site=Default-First-Site-Name,
+<179>Mar 3 10:40:58 cisco-ise-host CISE_AD_Connector 0000083076 1 0 2022-03-03 10:40:58.892 +00:00 0000083143 25046 ERROR AD-Connector: Joined domain is unavailable, AD-Domain=89.160.20.112, AD-Log-Id=1645524126/39,
+<179>Mar 14 05:59:30 cisco-ise-host CISE_AD_Connector 0000000032 1 0 2022-03-14 05:59:30.442 +00:00 0000000122 25058 ERROR AD-Connector: ISE is not joined to an Active Directory Domain Controller, ConfigVersionId=10, AD-Domain=10.0.14.108,
+<182>Mar 3 10:42:25 cisco-ise-host CISE_AD_Connector 0000083089 2 1 AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,
+<182>Mar 3 10:42:25 +02:00 cisco-ise-host CISE_AD_Connector 0000083089 2 1 AD-Domain=host.local, AD-Domain-Controller=host.local, AD-Log-Id=1645676126/42, AD-Site=Default-First-Site-Name,