elastic · P1llus · Dec 8, 2021 · Oct 20, 2021 · Oct 20, 2021 · Oct 21, 2021
diff --git a/packages/pulse_connect_secure/_dev/build/build.yml b/packages/pulse_connect_secure/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@1.12
diff --git a/packages/pulse_connect_secure/_dev/build/docs/README.md b/packages/pulse_connect_secure/_dev/build/docs/README.md
@@ -0,0 +1,9 @@
+# Pulse Connect Secure Integration
+
+This integration is for [Pulse Connect Secure](https://www.pulsesecure.net/products/remote-access-overview/). 
+
+## Log
+
+{{event "log"}}
+
+{{fields "log"}}
diff --git a/packages/pulse_connect_secure/_dev/deploy/docker/docker-compose.yml b/packages/pulse_connect_secure/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,17 @@
+version: '2.3'
+services:
+  pulse_connect_secure-log-udp:
+    image: docker.elastic.co/observability/stream:v0.6.1
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/test-syslog.log
+  pulse_connect_secure-log-tcp:
+    image: docker.elastic.co/observability/stream:v0.6.1
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9515 -p=tcp /sample_logs/test-syslog.log
+  pulse_connect_secure-log-tls:
+    image: docker.elastic.co/observability/stream:v0.6.1
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9516 -p=tls --insecure /sample_logs/test-syslog.log
diff --git a/packages/pulse_connect_secure/_dev/deploy/docker/sample_logs/test-syslog.log b/packages/pulse_connect_secure/_dev/deploy/docker/sample_logs/test-syslog.log
@@ -0,0 +1,7 @@
+Oct 19 09:16:53 pcs-node1 1 2021-10-19T09:16:53+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:53 - pcs-node1 - [55.53.160.32] user.name(REALM)[] - Primary authentication successful for user.name/REALM from 55.53.160.32
+Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Agent login succeeded for user.name/REALM (session:sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) from 55.53.160.32 with Pulse-Secure/9.1.13.11723 (Windows 10) Pulse/9.1.13.11723.
+Oct 19 09:10:35 pcs-node1 1 2021-10-19T09:10:35+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:10:35 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - VPN Tunneling: Session started for user (session: sid74fa8e00ca601280318287f67dfaee7cc6da40db0be6ac75) with IPv4 address 172.22.27.209, hostname Desktop
+Oct 19 10:20:40 pcs-node1 1 2021-10-19T10:20:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:40 - pcs-node1 - [55.53.160.32] System()[] - Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/welcome.cgi?p=forced-off)
+Oct 19 10:20:41 pcs-node1 1 2021-10-19T10:20:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:41 - pcs-node1 - [127.0.0.1] System()[] - Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/url_o2d6zvh39ac6C92s/welcome.cgi?p=forced-off)
+Oct 19 09:11:19 pcs-node1 1 2021-10-19T09:11:19+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:11:19 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - User user.name denied access as the client version '9.1.11.6725' is lower than the minimum client version configured
+Oct 19 09:16:34 pcs-node1 1 2021-10-19T09:16:34+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 09:16:34 - pcs-node1 - [55.53.160.32] user.name(REALM)[REALM_ROLES] - Session timed out for user.name/REALM (session:sid03ac4653fd74a5ac36cffb2783be3309590f3d616617a4a7) due to inactivity (last access at 09:05:47 2021/10/19). Idle session identified during routine system scan.
diff --git a/packages/pulse_connect_secure/changelog.yml b/packages/pulse_connect_secure/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+  changes:
+    - description: initial release
+      type: enhancement # can be one of: enhancement, bugfix, breaking-change
+      link: https://github.com/elastic/integrations/pull/1998
diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,10 @@
+dynamic_fields:
+  event.ingested: ".*"
+fields:
+  "@timestamp": "2020-04-28T11:07:58.223Z"
+  tags:
+    - preserve_original_event
+  _tmp:
+    internal_networks:
+      - private
+    tz_offset: America/Chicago
diff --git a/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log b/packages/pulse_connect_secure/data_stream/log/_dev/test/pipeline/test-log-admin.log
@@ -0,0 +1,10 @@
+Oct 19 10:20:40 pcs-node1 1 2021-10-19T10:20:40+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:40 - pcs-node1 - [55.53.160.32] System()[] - Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/welcome.cgi?p=forced-off)
+Oct 19 10:20:41 pcs-node1 1 2021-10-19T10:20:41+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:41 - pcs-node1 - [127.0.0.1] System()[] - Connection from IP 55.53.160.32 not authenticated yet (URL=/dana-na/auth/url_o2d6zvh39ac6C92s/welcome.cgi?p=forced-off)
+Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM
+Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM
+Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Login failed. Reason: Wrong Password
+Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Primary authentication failed for admin/Administrators from 55.53.160.32
+Oct 19 10:20:57 pcs-node1 1 2021-10-19T10:20:57+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:20:57 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[ADMIN_ROLE] - Login failed using auth server Administrators (Local Authentication). Reason: Failed
+Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Source IP realm restrictions successfully passed for admin/ADMIN_REALM
+Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - User Limit realm restrictions successfully passed for admin/ADMIN_REALM
+Oct 19 10:21:07 pcs-node1 1 2021-10-19T10:21:07+02:00 10.5.2.3 PulseSecure: - - - 2021-10-19 10:21:07 - pcs-node1 - [55.53.160.32] admin(ADMIN_REALM)[] - Primary authentication successful for admin/Administrators fr