refactor!(beyondinsight_password_safe): modernize session data stream (#15010)

Apply improvements from managedsystem refactor to the session data
stream including enhanced CEL program with session management,
consistent event.original format, enum field conversions, and
comprehensive testing infrastructure.

Key improvements:
- Enhanced CEL program with proper session management and retry logic
- Automatic re-authentication when sessions expire (401 responses)
- Consistent event.original field containing JSON event data
- Enhanced ingest pipeline with enum-to-string conversions for human-readable values
- Moved event.dataset and event.module to constant_keyword mappings with static values
- Added pipeline test for nullable fields handling

API differences from managed{system,account}:
- Sessions API returns all sessions at once (no pagination unlike managedaccount/managedsystem)
- API has upper limit of 100,000 sessions maximum per response (this could be problematic)

Field improvements (breaking):
- Convert session_type numeric enum values to human-readable strings (regular, isa, admin)

Relates #14985

Author: andrewkroh

packages/beyondinsight_password_safe/changelog.yml

@@ -1,3 +1,11 @@
+- version: "0.9.0"
+  changes:
+    - description: For the `session` data stream, enhanced CEL program with proper session management, automatic re-authentication, and improved error handling.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15010
+    - description: For the `session` data stream, converted `session_type` enum field value to human-readable string instead of numeric code. Change `managed_system_id` and `managed_system_id` to a keyword data type.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/15010
 - version: "0.8.0"
   changes:
     - description: For the `useraudit` data stream, fixed pagination to avoid duplicate collection.

packages/beyondinsight_password_safe/data_stream/session/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,13 @@
+services:
+  beyondinsight-session-cel:
+    image: docker.elastic.co/observability/stream:v0.20.0
+    ports:
+      - 8080
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8080'
+    command:
+      - http-server
+      - --addr=:8080
+      - --config=/files/config.yml

packages/beyondinsight_password_safe/data_stream/session/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,156 @@
+# BeyondInsight Password Safe - Sessions Test Mock Configuration
+#
+# Test Scenario: Simulates session retrieval with authentication and session expiration:
+# 1. Initial authentication via SignAppin endpoint (returns 200, sets session cookie)
+# 2. First Sessions request (returns 200, all session data - 3 sessions)
+# 3. Second Sessions request (returns 401, session expired) 
+# 4. Re-authentication via SignAppin endpoint (returns 200, new session cookie)
+# 5. Retry Sessions request (returns 200, session data again - 1 session)
+#
+# NOTE: Unlike managedaccount and managedsystem data streams, the Sessions API does NOT support
+# pagination with limit/offset parameters. The API returns all sessions at once with an upper 
+# cap of 100,000 sessions maximum.
+
+rules:
+  # Auth
+  - path: "/BeyondTrust/api/public/v3/Auth/SignAppin"
+    methods: ["POST"]
+    request_headers:
+      Authorization: ['PS-Auth key=test_api_key; runas=testuser; pwd=\[password\];']
+      Content-Type: ['application/json']
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type: ['application/json']
+          Set-Cookie: ['ASP.NET_SessionId={{ if eq .req_num 1 }}session_cookie1{{ else }}session_cookie2{{ end }}']
+        body: |
+          {{ minify_json `
+          {
+            "UserId": 1,
+            "SID": null,
+            "EmailAddress": "test.user@example.com",
+            "UserName": "testuser",
+            "Name": "Test User"
+          }
+          `}}
+
+  - path: "/BeyondTrust/api/public/v3/Sessions"
+    methods: ["GET"]
+    request_headers:
+      Content-Type: ['application/json']
+      Cookie: ['ASP.NET_SessionId=session_cookie1']
+    as_sequence: true
+    responses:
+      # Sessions - first request (successful)
+      - status_code: 200
+        headers:
+          Content-Type: ['application/json']
+        body: |-
+          {{ minify_json `
+          [
+            {
+              "SessionID": 1001,
+              "UserID": 123,
+              "NodeID": "node-001",
+              "Status": 1,
+              "ArchiveStatus": 1,
+              "Protocol": 0,
+              "StartTime": "2025-01-15T08:30:00Z",
+              "EndTime": "2025-01-15T10:45:00Z",
+              "Duration": 8100,
+              "AssetName": "web-server-01",
+              "ManagedSystemID": 456,
+              "ManagedAccountID": 789,
+              "ManagedAccountName": "admin_user",
+              "RecordKey": "rec_key_abc123",
+              "Token": "token_xyz789",
+              "ApplicationID": 101,
+              "RequestID": 201,
+              "SessionType": 1
+            },
+            {
+              "SessionID": 1002,
+              "UserID": 124,
+              "NodeID": "node-002",
+              "Status": 2,
+              "ArchiveStatus": 0,
+              "Protocol": 1,
+              "StartTime": "2025-01-15T09:00:00Z",
+              "EndTime": "2025-01-15T11:15:00Z",
+              "Duration": 8100,
+              "AssetName": "db-server-01",
+              "ManagedSystemID": 457,
+              "ManagedAccountID": 790,
+              "ManagedAccountName": "database_admin",
+              "RecordKey": "rec_key_def456",
+              "Token": "token_abc123",
+              "ApplicationID": null,
+              "RequestID": null,
+              "SessionType": 2
+            },
+            {
+              "SessionID": 1003,
+              "UserID": 125,
+              "NodeID": "node-003",
+              "Status": 8,
+              "ArchiveStatus": 6,
+              "Protocol": 0,
+              "StartTime": "2025-01-15T10:30:00Z",
+              "EndTime": "2025-01-15T12:00:00Z",
+              "Duration": 5400,
+              "AssetName": "app-server-01",
+              "ManagedSystemID": null,
+              "ManagedAccountID": 791,
+              "ManagedAccountName": "service_account",
+              "RecordKey": "rec_key_ghi789",
+              "Token": "token_def456",
+              "ApplicationID": 102,
+              "RequestID": 202,
+              "SessionType": 3
+            }
+          ]
+          `}}
+
+      # Sessions - second request (session expired)
+      - status_code: 401
+        headers:
+          Content-Type: ['application/json']
+        body: >-
+          "User not authenticated"
+
+  # Sessions - retry after re-authentication
+  - path: "/BeyondTrust/api/public/v3/Sessions"
+    methods: ["GET"]
+    request_headers:
+      Content-Type: ['application/json']
+      Cookie: ['ASP.NET_SessionId=session_cookie2']
+    as_sequence: true
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type: ['application/json']
+        body: |-
+          {{ minify_json `
+          [
+            {
+              "SessionID": 1004,
+              "UserID": 126,
+              "NodeID": "node-004",
+              "Status": 0,
+              "ArchiveStatus": 2,
+              "Protocol": 1,
+              "StartTime": "2025-01-15T11:00:00Z",
+              "EndTime": null,
+              "Duration": 0,
+              "AssetName": "test-server-192.0.2.100",
+              "ManagedSystemID": 458,
+              "ManagedAccountID": 792,
+              "ManagedAccountName": "test_user",
+              "RecordKey": "rec_key_jkl012",
+              "Token": "token_ghi789",
+              "ApplicationID": null,
+              "RequestID": null,
+              "SessionType": 1
+            }
+          ]
+          `}}

packages/beyondinsight_password_safe/data_stream/session/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,9 @@
+{
+    "events": [
+        {
+            "event": {
+                "original": "{\"SessionID\": 1003, \"UserID\": 125, \"NodeID\": \"node-003\", \"Status\": 8, \"ArchiveStatus\": 6, \"Protocol\": 0, \"StartTime\": \"2025-01-15T10:30:00Z\", \"EndTime\": null, \"Duration\": 0, \"AssetName\": \"app-server-01\", \"ManagedSystemID\": null, \"ManagedAccountID\": 791, \"ManagedAccountName\": \"service_account\", \"RecordKey\": \"rec_key_ghi789\", \"Token\": \"token_def456\", \"ApplicationID\": null, \"RequestID\": null, \"SessionType\": 3}"
+            }
+        }
+    ]
+}

packages/beyondinsight_password_safe/data_stream/session/_dev/test/pipeline/test-session-nullable.json

@@ -0,0 +1,48 @@
+{
+    "expected": [
+        {
+            "beyondinsight_password_safe": {
+                "session": {
+                    "archive_status": "unknown",
+                    "asset_name": "app-server-01",
+                    "duration": 0,
+                    "managed_account_id": "791",
+                    "managed_account_name": "service_account",
+                    "node_id": "node-003",
+                    "protocol": "rdp",
+                    "record_key": "rec_key_ghi789",
+                    "session_id": "1003",
+                    "session_type": "admin",
+                    "start_time": "2025-01-15T10:30:00Z",
+                    "status": "logged_off",
+                    "token": "token_def456",
+                    "user_id": "125"
+                }
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "session"
+                ],
+                "duration": 0,
+                "id": "1003",
+                "kind": "event",
+                "original": "{\"SessionID\": 1003, \"UserID\": 125, \"NodeID\": \"node-003\", \"Status\": 8, \"ArchiveStatus\": 6, \"Protocol\": 0, \"StartTime\": \"2025-01-15T10:30:00Z\", \"EndTime\": null, \"Duration\": 0, \"AssetName\": \"app-server-01\", \"ManagedSystemID\": null, \"ManagedAccountID\": 791, \"ManagedAccountName\": \"service_account\", \"RecordKey\": \"rec_key_ghi789\", \"Token\": \"token_def456\", \"ApplicationID\": null, \"RequestID\": null, \"SessionType\": 3}",
+                "start": "2025-01-15T10:30:00.000Z",
+                "type": [
+                    "info"
+                ]
+            },
+            "network": {
+                "protocol": "rdp"
+            },
+            "related": {
+                "user": [
+                    "125"
+                ]
+            }
+        }
+    ]
+}

packages/beyondinsight_password_safe/data_stream/session/_dev/test/pipeline/test-session-nullable.json-expected.json

@@ -1,22 +1,8 @@
 {
     "events": [
         {
-            "message": {
-                "SessionID": 3,
-                "UserID": 2,
-                "NodeID": "a5c29153-b351-41f1-a12b-0c4da9408d79",
-                "Status": 0,
-                "ArchiveStatus": 0,
-                "Protocol": 1,
-                "StartTime": "2021-09-01T12:30:00Z",
-                "EndTime": "2021-09-01T13:30:00Z",
-                "Duration": 3600,
-                "AssetName": "server01",
-                "ManagedSystemID": 345,
-                "ManagedAccountID": 678,
-                "ManagedAccountName": "user01",
-                "RecordKey": "292837abc123",
-                "Token": "94872987429837429387"
+            "event": {
+                "original": "{\"SessionID\": 1001, \"UserID\": 123, \"NodeID\": \"node-001\", \"Status\": 1, \"ArchiveStatus\": 1, \"Protocol\": 0, \"StartTime\": \"2025-01-15T08:30:00Z\", \"EndTime\": \"2025-01-15T10:45:00Z\", \"Duration\": 8100, \"AssetName\": \"web-server-01\", \"ManagedSystemID\": 456, \"ManagedAccountID\": 789, \"ManagedAccountName\": \"admin_user\", \"RecordKey\": \"rec_key_abc123\", \"Token\": \"token_xyz789\", \"ApplicationID\": 101, \"RequestID\": 201, \"SessionType\": 1}"
             }
         }
     ]

packages/beyondinsight_password_safe/data_stream/session/_dev/test/pipeline/test-session.json

@@ -3,20 +3,24 @@
         {
             "beyondinsight_password_safe": {
                 "session": {
-                    "archive_status": "not_archived",
-                    "asset_name": "server01",
-                    "duration": 3600,
-                    "end_time": "2021-09-01T13:30:00Z",
-                    "managed_account_id": 678,
-                    "managed_account_name": "user01",
-                    "managed_system_id": 345,
-                    "node_id": "a5c29153-b351-41f1-a12b-0c4da9408d79",
-                    "protocol": "ssh",
-                    "record_key": "292837abc123",
-                    "session_id": 3,
-                    "start_time": "2021-09-01T12:30:00Z",
-                    "status": "not_started",
-                    "user_id": 2
+                    "application_id": "101",
+                    "archive_status": "archived",
+                    "asset_name": "web-server-01",
+                    "duration": 8100,
+                    "end_time": "2025-01-15T10:45:00Z",
+                    "managed_account_id": "789",
+                    "managed_account_name": "admin_user",
+                    "managed_system_id": "456",
+                    "node_id": "node-001",
+                    "protocol": "rdp",
+                    "record_key": "rec_key_abc123",
+                    "request_id": "201",
+                    "session_id": "1001",
+                    "session_type": "regular",
+                    "start_time": "2025-01-15T08:30:00Z",
+                    "status": "in_progress",
+                    "token": "token_xyz789",
+                    "user_id": "123"
                 }
             },
             "ecs": {
@@ -26,25 +30,22 @@
                 "category": [
                     "session"
                 ],
-                "dataset": "beyondinsight_password_safe.session",
-                "duration": 3600,
-                "end": "2021-09-01T13:30:00.000Z",
-                "id": "3",
+                "duration": 8100000000000,
+                "end": "2025-01-15T10:45:00.000Z",
+                "id": "1001",
                 "kind": "event",
-                "module": "beyondinsight_password_safe",
-                "start": "2021-09-01T12:30:00.000Z",
+                "original": "{\"SessionID\": 1001, \"UserID\": 123, \"NodeID\": \"node-001\", \"Status\": 1, \"ArchiveStatus\": 1, \"Protocol\": 0, \"StartTime\": \"2025-01-15T08:30:00Z\", \"EndTime\": \"2025-01-15T10:45:00Z\", \"Duration\": 8100, \"AssetName\": \"web-server-01\", \"ManagedSystemID\": 456, \"ManagedAccountID\": 789, \"ManagedAccountName\": \"admin_user\", \"RecordKey\": \"rec_key_abc123\", \"Token\": \"token_xyz789\", \"ApplicationID\": 101, \"RequestID\": 201, \"SessionType\": 1}",
+                "start": "2025-01-15T08:30:00.000Z",
                 "type": [
                     "info"
                 ]
             },
             "network": {
-                "protocol": [
-                    "ssh"
-                ]
+                "protocol": "rdp"
             },
             "related": {
                 "user": [
-                    "2"
+                    "123"
                 ]
             }
         }

packages/beyondinsight_password_safe/data_stream/session/_dev/test/pipeline/test-session.json-expected.json

@@ -1,15 +1,14 @@
 input: cel
-service: beyondinsight
-numeric_keyword_fields:
-  - beyondinsight_password_safe.session.session_id
-  - beyondinsight_password_safe.session.user_id
+service: beyondinsight-session-cel
 vars:
   url: http://{{Hostname}}:{{Port}}/BeyondTrust/api/public/v3
-  apikey: abcd1234byiapitoken
+  apikey: test_api_key
   username: testuser
   password: password
-  initial_interval: 10s
-  interval: 10s
-  limit: 1000
+  enable_request_tracer: true
+data_stream:
+  vars:
+    interval: 15s
+    preserve_original_event: true
 assert:
-  hit_count: 1
+  hit_count: 4