Skip to content

[BeyondTrust EPM][Audit] Remove preserve_duplicate_custom_fields config param, expose S3 Access Point ARN, and relocate system test files to data stream level#19465

Merged
efd6 merged 6 commits into
elastic:feature/beyondtrust_epm-0.1.0from
akshraj-crest:datastream-audit-remove_preserve_duplicate_event_param
Jun 16, 2026
Merged

[BeyondTrust EPM][Audit] Remove preserve_duplicate_custom_fields config param, expose S3 Access Point ARN, and relocate system test files to data stream level#19465
efd6 merged 6 commits into
elastic:feature/beyondtrust_epm-0.1.0from
akshraj-crest:datastream-audit-remove_preserve_duplicate_event_param

Conversation

@akshraj-crest

@akshraj-crest akshraj-crest commented Jun 10, 2026

Copy link
Copy Markdown
Contributor
  • Enhancement

Proposed commit message

beyondtrust_epm: remove preserve_duplicate_custom_fields, add access_point_arn, move deploy files

Remove the preserve_duplicate_custom_fields configuration parameter
from both the CEL and aws-s3 input types. The ingest pipeline now
unconditionally removes custom fields that duplicate ECS-mapped
values instead of gating the removal on a tag.

Expose the access_point_arn option in the aws-s3 section of the
audit manifest. The stream template already referenced this
variable but it was never declared as a config parameter, so users
could not set it.

Move _dev/deploy/ from the package root into data_stream/audit/
so the test infrastructure sits alongside the data stream it
exercises.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

@akshraj-crest akshraj-crest requested a review from a team as a code owner June 10, 2026 00:27
@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

Reviewers

Buildkite won't run for external contributors automatically; you need to add a comment:

  • /test : will kick off a build in Buildkite.

NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details.

@efd6

efd6 commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

/test

@efd6 efd6 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does more than it says it does and does not explain the reason for the additional changes.

Two examples are given, but there are more.

# len(responses)). Page 1 returns pageCount > pageNumber, causing the CEL
# program to set want_more=true and request the next page. Page 2 returns
# pageNumber == pageCount, ending pagination.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change

This change is not necessary.

services:
beyondtrust_epm:
image: docker.elastic.co/observability/stream:v0.20.0
image: docker.elastic.co/observability/stream:v0.21.0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Revert this, it is incidental to the change.

@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jun 10, 2026
@akshraj-crest akshraj-crest changed the title [BeyondTrust EPM][Audit] Remove preserve_duplicate_custom_fields config param. [BeyondTrust EPM][Audit] Remove preserve_duplicate_custom_fields config param, expose S3 Access Point ARN, and relocate system test files to data stream level Jun 11, 2026
@akshraj-crest akshraj-crest requested a review from efd6 June 11, 2026 04:18

@efd6 efd6 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The commit message for this probably should be something like:

beyondtrust_epm: remove preserve_duplicate_custom_fields, add access_point_arn, move deploy files

Remove the preserve_duplicate_custom_fields configuration parameter
from both the CEL and aws-s3 input types. The ingest pipeline now
unconditionally removes custom fields that duplicate ECS-mapped
values instead of gating the removal on a tag.

Expose the access_point_arn option in the aws-s3 section of the
audit manifest. The stream template already referenced this
variable but it was never declared as a config parameter, so users
could not set it.

Move _dev/deploy/ from the package root into data_stream/audit/
so the test infrastructure sits alongside the data stream it
exercises.

Comment thread packages/beyondtrust_epm/changelog.yml Outdated
Comment on lines +2 to +6
- version: 0.0.2
changes:
- description: Remove `preserve_duplicate_custom_fields` config param.
type: enhancement
link: https://github.com/elastic/integrations/pull/19465

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is being merged into a feature branch, so this means that 0.0.1 will never be released.

The change element should be included in the 0.0.1 version.

@akshraj-crest akshraj-crest requested a review from efd6 June 11, 2026 06:02
@akshraj-crest akshraj-crest force-pushed the datastream-audit-remove_preserve_duplicate_event_param branch from 30c7f38 to 1faa9d3 Compare June 11, 2026 06:04

@efd6 efd6 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after nit.

Comment thread packages/beyondtrust_epm/changelog.yml Outdated
@@ -1,6 +1,9 @@
# newer versions go on top
- version: 0.1.0
- version: 0.0.1

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry…

Suggested change
- version: 0.0.1
- version: 0.1.0

Comment thread packages/beyondtrust_epm/manifest.yml Outdated
name: beyondtrust_epm
title: BeyondTrust EPM
version: 0.1.0
version: 0.0.1

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here.

Suggested change
version: 0.0.1
version: 0.1.0

@akshraj-crest akshraj-crest requested a review from efd6 June 15, 2026 05:41

@efd6 efd6 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@efd6

efd6 commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

/test

@elasticmachine

Copy link
Copy Markdown

💚 Build Succeeded

History

@efd6 efd6 merged commit cda0735 into elastic:feature/beyondtrust_epm-0.1.0 Jun 16, 2026
4 checks passed
@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

Package beyondtrust_epm - 0.1.0 containing this change is available at https://epr.elastic.co/package/beyondtrust_epm/0.1.0/

@andrewkroh andrewkroh added the Integration:beyondtrust_epm BeyondTrust EPM label Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:beyondtrust_epm BeyondTrust EPM

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants