{sentinel_one,m365_defender,ti_abusech,ti_anomali,trend_micro_vision_one}: Add script tests#17928

Open
kcreddy wants to merge 4 commits into elastic:main from kcreddy:script-testting

Conversation

@kcreddy kcreddy commented Mar 20, 2026

Proposed commit message

Add script tests for 5 integrations

Add script tests covering auth failures, server errors, and recovery 
for all data streams in the following integrations:

sentinel_one (11 data streams)
- CEL (threat_event, unified_alert, application, application_risk):
  assert error events are indexed on 401/403; verify error.code and
  error.message before asserting recovery
- httpjson (threat, group, activity, agent): verify data collection
  recovers after 401/503 by asserting eventual document arrival

m365_defender (3 data streams)
- incident, alert (httpjson): assert recovery from 403 and 429 (with
  Retry-After header)
- vulnerability (CEL): assert error events indexed on 401 and 403
  during token and export API requests

ti_abusech (6 data streams)
- ja3_fingerprints, sslblacklist (GET, no auth): assert error event
  indexed on 503
- malwarebazaar, threatfox, url, malware (POST/GET with auth key):
  assert no documents collected when an invalid auth key is configured

ti_anomali (1 data stream)
- intelligence (CEL): assert error event indexed on invalid credentials

trend_micro_vision_one (6 data streams)
- alert, audit, detection (httpjson): assert recovery after 401
- endpoint_activity, network_activity (CEL): assert error event
  indexed on 401
- telemetry (CEL): assert error event indexed when
  GET /v3.0/datalake/dataPipelines returns 401 on first run

Note

No changelog is required as it doesn't have user impact.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Run elastic-package test script on each integration.
Sample output

--- Test results for package: m365_defender - START ---
╭───────────────┬─────────────┬───────────┬────────────────────┬────────┬─────────────────╮
│ PACKAGE       │ DATA STREAM │ TEST TYPE │ TEST NAME          │ RESULT │    TIME ELAPSED │
├───────────────┼─────────────┼───────────┼────────────────────┼────────┼─────────────────┤
│ m365_defender │ alert       │ script    │ env                │ PASS   │     72.919584ms │
│ m365_defender │ alert       │ script    │ forbidden_recovery │ PASS   │ 1m26.532725584s │
│ m365_defender │ alert       │ script    │ throttled_recovery │ PASS   │  1m3.089040958s │
╰───────────────┴─────────────┴───────────┴────────────────────┴────────┴─────────────────╯
--- Test results for package: m365_defender - END   ---
Done

Related issues

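The commit message describes the server behaviours the new script tests provoke (401/403 that must surface as an error event with error.code and error.message, a 429 with Retry-After that must be honoured, then recovery once the server answers 200, and the invalid-key case where no documents ever arrive). The block below is an added example written for this page, not code from the PR or from elastic/integrations and not the httpjson or CEL input itself: a scripted mock API on loopback plus a minimal poll-and-retry collector that reproduces those exchanges in miniature. The endpoint path, the JSON body shape, and the error-event layout are assumptions for illustration.

```python
"""Added example: scripted mock API + collector that reproduces the
auth-failure / throttle / recovery sequences exercised by the script tests.
Not the PR's code; endpoint path and document shape are assumed."""
import http.server
import json
import threading
import time
import urllib.error
import urllib.request


class _ScriptedHandler(http.server.BaseHTTPRequestHandler):
    """Serves the server's scripted responses in order; the last one repeats."""

    def do_GET(self):
        srv = self.server
        with srv.lock:
            idx = min(srv.calls, len(srv.script) - 1)
            srv.calls += 1
        status, headers, body = srv.script[idx]
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        for name, value in headers.items():      # e.g. Retry-After on a 429
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock(script):
    """Start the scripted server on a free loopback port and return it."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ScriptedHandler)
    srv.script, srv.calls, srv.lock = list(script), 0, threading.Lock()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def collect(url, max_attempts=5, sleep=time.sleep):
    """Poll `url` until a 200 arrives or attempts run out.

    Returns (error_events, docs). Each HTTP failure becomes an error event
    shaped like the documents the script tests inspect (error.code /
    error.message); a 429 is retried only after the server's Retry-After.
    """
    error_events, docs = [], []
    for _ in range(max_attempts):
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                docs.extend(json.load(resp)["data"])
                return error_events, docs          # recovered
        except urllib.error.HTTPError as err:
            raw = err.read()
            body = json.loads(raw) if raw else {}
            error_events.append({"error": {"code": err.code,
                                           "message": body.get("error", err.reason)}})
            retry_after = err.headers.get("Retry-After")
            sleep(float(retry_after) if retry_after else 0.05)
    return error_events, docs                      # never recovered


def run_scenario(script, sleep=time.sleep):
    """Run one scripted exchange end to end; returns (error_events, docs, calls)."""
    srv = start_mock(script)
    try:
        url = "http://127.0.0.1:%d/api/events" % srv.server_address[1]  # assumed path
        error_events, docs = collect(url, sleep=sleep)
        return error_events, docs, srv.calls
    finally:
        srv.shutdown()
        srv.server_close()


# Constructed scripts mirroring the cases in the PR description.
RECOVERY = [
    (401, {}, {"error": "Unauthorized"}),                         # bad/expired token
    (429, {"Retry-After": "1"}, {"error": "Too Many Requests"}),  # throttled
    (200, {}, {"data": [{"id": "evt-1"}]}),                       # recovered
]
INVALID_KEY = [(403, {}, {"error": "Forbidden"})]                 # never recovers

if __name__ == "__main__":
    print(run_scenario(RECOVERY))
    print(run_scenario(INVALID_KEY))
```

The two constructed scripts correspond to the two assertion styles in the PR: for RECOVERY the collector records a 401 event (code 401, message "Unauthorized") and a 429 event, waits the advertised Retry-After, and then receives the document; for INVALID_KEY it exhausts its attempts with only 403 events and an empty document list, which is the "no documents collected" outcome asserted for the abuse.ch streams.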
@kcreddy kcreddy self-assigned this Mar 20, 2026
@kcreddy kcreddy added Integration:ti_abusech abuse.ch Integration:sentinel_one SentinelOne Integration:m365_defender Microsoft Defender XDR Integration:trend_micro_vision_one Trend Micro Vision One Integration:ti_anomali Anomali ThreatStream Category: Integration quality Category: Quality used for SI planning Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Mar 20, 2026
@kcreddy kcreddy marked this pull request as ready for review March 20, 2026 12:31
@kcreddy kcreddy requested a review from a team as a code owner March 20, 2026 12:31
elasticmachine: Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

elasticmachine commented Mar 20, 2026

💔 Build Failed

cc @kcreddy

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport


-- test_config.yaml --
input: cel
data_stream:
Suggested change
data_stream:
vars:
auth_key: test_auth_key
data_stream:

Comment on lines +42 to +44
# Verify the error code matches the 401 response.
exec jq -r '.hits.hits[0]._source.error.code' got_docs.json
stdout '^401$'
Suggested change
# Verify the error code matches the 401 response.
exec jq -r '.hits.hits[0]._source.error.code' got_docs.json
stdout '^401$'
# Verify the error message indicates the 401 response.
exec jq -r '.hits.hits[0]._source.error.message' got_docs.json
stdout 'Unauthorized'
