elastic#1624: Add Cisco AMP package

packages/cisco_amp/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: [email protected]

packages/cisco_amp/_dev/build/docs/README.md

@@ -0,0 +1,16 @@
+# Cisco AMP Integration
+
+This integration is for Cisco AMP logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+
+- `log` dataset: supports Cisco AMP logs.
+
+## Logs
+
+### AMP
+
+The `log` dataset collects Cisco AMP logs.
+
+{{event "log"}}
+
+{{fields "log"}}

packages/cisco_amp/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,14 @@
+version: '2.3'
+services:
+  amp:
+    image: docker.elastic.co/observability/stream:v0.5.0
+    ports:
+      - 8080
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: 8080
+    command:
+      - http-server
+      - --addr=:8080
+      - --config=/files/config.yml

packages/cisco_amp/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,30 @@
+rules:
+  - path: /v1/events
+    methods: ["GET"]
+    request_headers:
+      authorization: Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg=
+    query_params:
+      offset: "{offset:.*}"
+      limit: "{limit:.*}"
+      start_date: "{start_date:.*}"
+    responses:
+      - status_code: 200
+        body: |-
+          {
+            "version": "v1.2.0",
+            "metadata": {
+              "links": {
+                "self": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?limit={{ .request.vars.limit }}&offset=limit={{ .request.vars.offset }}",
+              },
+              "results": {
+                "total": 4,
+                "current_item_count": 1,
+                "index": 0,
+                "items_per_page": 1
+              }
+            },
+            "data": [
+              {"id":6180352115244794000,"timestamp":1582222838,"timestamp_nanoseconds":279000000,"date":"2020-02-20T18:20:38+00:00","event_type":"ThreatDetected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180352115244793858","connector_guid":"20a0ce9f-44d1-4cbb-ab04-8a0705448b72","group_guids":["6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"],"severity":"Medium","computer":{"connector_guid":"20a0ce9f-44d1-4cbb-ab04-8a0705448b72","hostname":"Demo_Upatre","external_ip":"69.226.122.127","user":"A@TEMPLATE-W7X86","active":true,"network_addresses":[{"ip":"230.122.135.241","mac":"3f:1e:b2:28:25:24"}],"links":{"computer":"https://api.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72","trajectory":"https://api.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory","group":"https://api.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}},
+              {"id":6180351977805840000,"timestamp":1610709606,"timestamp_nanoseconds":548000000,"date":"2021-01-15T11:20:06+00:00","event_type":"ThreatDetected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180351977805840385","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"[email protected]","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}
+            ]
+          }

packages/cisco_amp/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+  changes:
+    - description: Initial migration from Filebeat Module
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/