[Sentinel_one] Add ILM Policy for unified alert data stream#17964

Open
brijesh-elastic wants to merge 3 commits into elastic:main from brijesh-elastic:sentinel_one-2.5.0

Conversation

@brijesh-elastic
Collaborator

Proposed commit message

sentinel_one: add ILM Policy for unified alert data stream

It bumps the minimum version to ^8.19.13 || ^9.2.7 || ^9.3.2 as per the Elasticsearch PR [1].

[1] https://github.com/elastic/elasticsearch/pull/142648

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic-package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/sentinel_one directory.
  • Run the following command to run tests.

elastic-package test -v

Related issues

@brijesh-elastic brijesh-elastic requested a review from kcreddy March 23, 2026 06:57
@brijesh-elastic brijesh-elastic self-assigned this Mar 23, 2026
@brijesh-elastic brijesh-elastic requested a review from a team as a code owner March 23, 2026 06:57
@brijesh-elastic brijesh-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:sentinel_one SentinelOne Category: Integration quality Category: Quality used for SI planning Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Mar 23, 2026
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@github-actions
Contributor

github-actions bot commented Mar 23, 2026

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

"hot": {
"actions": {
"rollover": {
"max_age": "15d",

🔴 Critical ilm/default_policy.json:7

The delete phase uses "min_age": "15d", which causes data to be deleted 15 days after index creation even though lifecycle.yml declares data_retention: "30d". Users will lose data 15 days earlier than expected. Update both the rollover max_age and delete min_age to "30d" to match the declared retention.

-				"max_age": "15d",
+				"max_age": "30d",
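Review bot: the suggestion `-"max_age": "15d"` / `+"max_age": "30d"` (and the matching change to the delete `min_age` the comment asks for) assumes `min_age` is counted from index creation, but when the hot phase has a rollover action ILM measures a later phase's `min_age` from the rollover time, so the existing 15d/15d pair already gives the declared 30d retention and the proposed 30d/30d values would keep data for roughly 60 days. Leave both values at 15d; if the intent is unclear to readers, note the rollover-relative timeline next to `data_retention` in lifecycle.yml.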
File: packages/sentinel_one/data_stream/unified_alert/elasticsearch/ilm/default_policy.json, around line 7.

Collaborator Author

@brijesh-elastic brijesh-elastic Mar 23, 2026

According to the documentation, the min_age in the delete phase is relative to the index rollover time.

So, the order is:

  1. Index creation: day 0
  2. Index rollover: after day 15
  3. Index deletion: day 30 (15 days from rollover)
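
An added check, not part of this PR or the integrations repo, that applies the rollover-relative min_age rule from the comment above to a policy reconstructed from the two values quoted in this thread; the policy JSON and the function names are constructed for illustration.

```python
import json
import re

# Constructed stand-in for the policy under review: only the rollover
# max_age ("15d") and delete min_age ("15d") are quoted in the thread.
POLICY_JSON = """
{
  "policy": {
    "phases": {
      "hot": {"actions": {"rollover": {"max_age": "15d"}}},
      "delete": {"min_age": "15d", "actions": {"delete": {}}}
    }
  }
}
"""

_HOURS = {"d": 24, "h": 1}


def to_hours(value: str) -> int:
    """Parse an Elasticsearch time value such as '15d' or '36h' into hours."""
    m = re.fullmatch(r"(\d+)([dh])", value)
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * _HOURS[m.group(2)]


def effective_retention_days(policy_json: str) -> float:
    """Latest age (days since index creation) at which the index is deleted.

    ILM measures a later phase's min_age from rollover when the hot phase has
    a rollover action, and from index creation otherwise. Rollover may fire
    earlier on size or doc count, so max_age gives the upper bound.
    """
    phases = json.loads(policy_json)["policy"]["phases"]
    delete_after = to_hours(phases["delete"].get("min_age", "0d"))
    rollover = phases.get("hot", {}).get("actions", {}).get("rollover", {})
    if "max_age" not in rollover:
        return delete_after / 24
    return (to_hours(rollover["max_age"]) + delete_after) / 24


def matches_declared(policy_json: str, data_retention: str) -> bool:
    """True when the policy's worst-case retention equals lifecycle.yml's data_retention."""
    return effective_retention_days(policy_json) == to_hours(data_retention) / 24
```

Running the same function over the 30d/30d values proposed in the review comment returns 60 days, which is why the 15d/15d pair is the one that matches the declared 30d retention.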

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @brijesh-elastic

