diff --git a/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml b/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml
index d28a7f6a2be..a6aa39d0b79 100644
--- a/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml
+++ b/packages/cisco_ise/_dev/deploy/docker/docker-compose.yml
@@ -1,5 +1,11 @@
 version: "2.3"
 services:
+ cisco_ise-log-filestream:
+ image: alpine
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ - ${SERVICE_LOGS_DIR}:/var/log
+ command: /bin/sh -c "cp /sample_logs/* /var/log/"
 cisco_ise-log-tcp:
 image: docker.elastic.co/observability/stream:v0.8.0
 volumes:
diff --git a/packages/cisco_ise/changelog.yml b/packages/cisco_ise/changelog.yml
index a18b0150c42..9a4421f4396 100644
--- a/packages/cisco_ise/changelog.yml
+++ b/packages/cisco_ise/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.0"
+ changes:
+ - description: Add support for filestream input.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/7394
 - version: "1.11.1"
 changes:
 - description: Add missing ECS field mappings
diff --git a/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
new file mode 100644
index 00000000000..ab621b50029
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/_dev/test/system/test-filestream-config.yml
@@ -0,0 +1,8 @@
+service: cisco_ise-log-filestream
+input: filestream
+data_stream:
+ vars:
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
+ paths:
+ - '{{SERVICE_LOGS_DIR}}/*.log'
diff --git a/packages/cisco_ise/data_stream/log/agent/stream/filestream.yml.hbs b/packages/cisco_ise/data_stream/log/agent/stream/filestream.yml.hbs
new file mode 100644
index 00000000000..9fcdf9bb7ac
--- /dev/null
+++ b/packages/cisco_ise/data_stream/log/agent/stream/filestream.yml.hbs
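Review bot: `image: alpine` in the new cisco_ise-log-filestream service floats on whatever tag resolves at test time, while the neighbouring stream service in the same hunk pins `v0.8.0`; pinning it, e.g. `image: alpine:<PINNED_VERSION>`, keeps the system test reproducible and avoids pulling an unreviewed base image on every run. The copy command also places every file from ./sample_logs under /var/log, but the new test-filestream-config.yml in this same commit only reads `{{SERVICE_LOGS_DIR}}/*.log`, so any sample file without a .log suffix would be silently ignored by the test; the sample file names are not visible here, so this is worth confirming.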
@@ -0,0 +1,19 @@
+paths:
+{{#each paths as |path|}}
+- {{path}}
+{{/each}}
+prospector.scanner.exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisco_ise/data_stream/log/fields/ecs.yml b/packages/cisco_ise/data_stream/log/fields/ecs.yml
index de4f643acd2..6a5d79b5731 100644
--- a/packages/cisco_ise/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_ise/data_stream/log/fields/ecs.yml
@@ -110,6 +110,8 @@
 name: host.hostname
 - external: ecs
 name: host.ip
+- external: ecs
+ name: log.file.path
 - external: ecs
 name: log.level
 - external: ecs
diff --git a/packages/cisco_ise/data_stream/log/manifest.yml b/packages/cisco_ise/data_stream/log/manifest.yml
index d4378868946..64484360d6b 100644
--- a/packages/cisco_ise/data_stream/log/manifest.yml
+++ b/packages/cisco_ise/data_stream/log/manifest.yml
@@ -72,3 +72,41 @@ streams:
 show_user: false
 description: >-
 Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - input: filestream
+ template_path: filestream.yml.hbs
+ title: Cisco_ISE logs
+ description: Collect Cisco ISE logs via TCP input.
+ vars:
+ - name: paths
+ title: Paths
+ type: text
+ required: true
+ show_user: true
+ multi: true
+ default:
+ - /var/log/cisco_ise*
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - cisco_ise-log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md
index 7d519422df3..d91327ac4fc 100644
--- a/packages/cisco_ise/docs/README.md
+++ b/packages/cisco_ise/docs/README.md
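Review bot: The new filestream stream's `description: Collect Cisco ISE logs via TCP input.` looks copied from the TCP stream and is the text users see when configuring the file input; it should read `description: Collect Cisco ISE logs via filestream input.` The default `tags` list includes `forwarded`, which the filestream.yml.hbs template added in this same commit turns into `publisher_pipeline.disable_host: true`, so events read from files on the agent host carry no agent `host.*` fields; if the intended deployment is a syslog relay writing files on another machine that is correct, but stating it in the description or README avoids operators losing host attribution unexpectedly. `title: Cisco_ISE logs` with an underscore also reads oddly next to `Cisco ISE` elsewhere in this commit, though it may mirror the existing TCP/UDP stream titles that sit outside the hunk. The enclosing `streams:` sequence starts above this hunk.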
@@ -527,6 +527,7 @@ An example event for `log` looks as following:
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Input type | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.logger | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword |
 | log.offset | Log offset | long |
diff --git a/packages/cisco_ise/manifest.yml b/packages/cisco_ise/manifest.yml
index 4327d43a7ac..dc8419ba66e 100644
--- a/packages/cisco_ise/manifest.yml
+++ b/packages/cisco_ise/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cisco_ise
 title: Cisco ISE
-version: "1.11.1"
+version: "1.12.0"
 license: basic
 description: Collect logs from Cisco ISE with Elastic Agent.
 type: integration
@@ -95,5 +95,8 @@ policy_templates:
 required: true
 show_user: true
 default: 9026
+ - type: filestream
+ title: Collect Cisco ISE logs using filestream input
+ description: Collecting Cisco ISE logs using filestream input.
 owner:
 github: elastic/security-external-integrations