[cisco_umbrella] Add DLP and Intrusion logs for SIG users

[LaZyDK]

What does this PR do?

Added DLP logs, Intrusion logs and Firewall logs for Umbrella SIG users.
https://docs.umbrella.com/umbrella-user-guide/docs/log-format-and-versioning

Fixes audit logs being multiline.

Added event.severity, event.action, event.kind, event.category and event.type.

Proxylogs will now show up in SIEM -> Network -> HTTP as more HTTP ECS fields are used.

User identities is now in user.name.
Host identities is now in host.name.
Network identities is now in network.name.

Added found FQDNs to related.hosts.
Added files hashes from DLP logs to related.hash.

user_agent.original is now processed.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-04-04T08:06:53.077+0000

• Duration: 14 min 49 sec

Test stats 🧪

Test	Results
Failed	0
Passed	10
Skipped	0
Total	10

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[P1llus]

Some small nitpick, can see if I can help out here.

I can also confirm that indeed the CSVs for auditlog are multiline, and in quite a few different format types.
Since we do not have system tests for S3 inputs we would have to test this manually.

[P1llus]

I think we have to go back to where these are populated and create better logic for when not to populate those fields.
We also try to not use ignore_failure (ignore_missing is fine)

[LaZyDK]

These are populated by the audit log - so we should go back to Cisco to fix fields containing the string "null". 🥇
I can remove the ignore_failure real fast.

[P1llus]

/test

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (1/1)	💚
Classes	100.0% (1/1)	💚
Methods	95.238% (20/21)	👎 -4.762
Lines	94.805% (511/539)	👍 9.723
Conditionals	100.0% (0/0)	💚

[efd6]

/test

[LaZyDK]

I will deliver small edits to event.severity and event.action today.

[LaZyDK]

Ready for comments.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

/test

[LaZyDK]

All tests are passing locally on my machine.

[efd6]

Needs a field definition. In "static test: Verify sample_event.json – cisco_umbrella.log"

 one or more errors found in document: [0] field "cisco.umbrella.content_type" is undefined

This isn't being generated anymore, so you removed it from fields.yml, but it's still in the sample event. So you'll need to rerun elastic-package test system -g.

[LaZyDK]

By some reason, the sample_event.json is never regenerated. Not even if I fill in the file with {}.
All tests run multiple times, including the exact line you wrote me.

[efd6]

Turns out there are no system tests. This means that the sample event was hand constructed or added. I'm in two (three?) minds; the options are to remove the sample event and update the docs, hand correct the event (not ideal), obtain a real sample event and replace with that (also not ideal but probably better). Writing a system test is not really feasible since s3 is the only input. I think I'd be OK with a combination of 2. and 3. where you've checked that a hand edited sample is valid when compared to a real event.

[LaZyDK]

New sample event, but with more information.

[efd6]

/test

[efd6]

🎉

[elasticmachine]

Package cisco_umbrella - 1.9.0 containing this change is available at https://epr.elastic.co/search?package=cisco_umbrella