
[axonius][exposure] Add Axonius Exposure datastream#16599

Merged
ShourieG merged 4 commits into
elastic:feature/axonius-0.1.0from
muskan-agarwal26:datastream-exposure
Feb 5, 2026

Conversation


@muskan-agarwal26 muskan-agarwal26 commented Dec 17, 2025

Proposed commit message

The release includes exposure data stream and associated dashboard.

Axonius fields are mapped to their corresponding ECS fields where possible.

Test samples were derived from live data samples, which were subsequently
sanitized.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

To test the axonius package:

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/axonius directory.
  • Run the following command to run tests.

elastic-package test

2025/12/17 16:29:45  INFO New version is available - v0.117.1. Download from: https://github.com/elastic/elastic-package/releases/tag/v0.117.1
Run asset tests for the package
2025/12/17 16:29:46  INFO License text found in "/root/GITHUB/integrations/LICENSE.txt" will be included in package
--- Test results for package: axonius - START ---
╭─────────┬─────────────┬───────────┬──────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME                                                        │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼──────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ axonius │             │ asset     │ dashboard axonius-284475dd-0313-43dd-8a82-3eee86ed97ef is loaded │ PASS   │      1.589µs │
│ axonius │             │ asset     │ search axonius-262be09c-91c0-4bb4-9eb1-149378464519 is loaded    │ PASS   │        351ns │
│ axonius │             │ asset     │ search axonius-90ec046b-f632-4975-81cc-061646fd5b18 is loaded    │ PASS   │        265ns │
│ axonius │ exposure    │ asset     │ index_template logs-axonius.exposure is loaded                   │ PASS   │        209ns │
│ axonius │ exposure    │ asset     │ ingest_pipeline logs-axonius.exposure-0.1.0 is loaded            │ PASS   │        221ns │
╰─────────┴─────────────┴───────────┴──────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: axonius - END   ---
Done
Run pipeline tests for the package
--- Test results for package: axonius - START ---
╭─────────┬─────────────┬───────────┬────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME                                                  │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ axonius │ exposure    │ pipeline  │ (ingest pipeline warnings test-exposure.log)               │ PASS   │ 711.462018ms │
│ axonius │ exposure    │ pipeline  │ (ingest pipeline warnings test-vulnerability-instance.log) │ PASS   │ 754.235553ms │
│ axonius │ exposure    │ pipeline  │ test-exposure.log                                          │ PASS   │ 266.141342ms │
│ axonius │ exposure    │ pipeline  │ test-vulnerability-instance.log                            │ PASS   │ 248.656434ms │
╰─────────┴─────────────┴───────────┴────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: axonius - END   ---
Done
Run policy tests for the package
--- Test results for package: axonius - START ---
No test results
--- Test results for package: axonius - END   ---
Done
Run static tests for the package
--- Test results for package: axonius - START ---
╭─────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ axonius │ exposure    │ static    │ Verify sample_event.json │ PASS   │ 223.708697ms │
╰─────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: axonius - END   ---
Done
Run system tests for the package
2025/12/17 16:29:53  INFO Installing package...
2025/12/17 16:29:53  INFO License text found in "/root/GITHUB/integrations/LICENSE.txt" will be included in package
2025/12/17 16:30:05  INFO Running test for data_stream "exposure" with configuration 'default'
2025/12/17 16:30:13  INFO Setting up independent Elastic Agent...
2025/12/17 16:30:29  INFO Setting up service...
2025/12/17 16:30:52  INFO Validating test case...
2025/12/17 16:30:54  INFO Tearing down service...
2025/12/17 16:30:55  INFO Write container logs to file: /root/GITHUB/integrations/build/container-logs/axonius-1765969255854021416.log
2025/12/17 16:30:59  INFO Tearing down agent...
2025/12/17 16:30:59  INFO Write container logs to file: /root/GITHUB/integrations/build/container-logs/elastic-agent-1765969259738828652.log
2025/12/17 16:31:26  INFO Uninstalling package...
--- Test results for package: axonius - START ---
╭─────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├─────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ axonius │ exposure    │ system    │ default   │ PASS   │ 49.764893711s │
╰─────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: axonius - END   ---
Done

Related issues

Screenshots


@muskan-agarwal26 muskan-agarwal26 requested a review from a team as a code owner December 17, 2025 11:01
@muskan-agarwal26 muskan-agarwal26 marked this pull request as draft December 17, 2025 11:01
@muskan-agarwal26 muskan-agarwal26 changed the title [axonius][exposure] Add Axonius Adapter datastream [axonius][exposure] Add Axonius Exposure datastream Dec 17, 2025
@muskan-agarwal26 muskan-agarwal26 changed the base branch from main to feature/axonius-0.1.0 December 17, 2025 14:10
@andrewkroh andrewkroh added New Integration Issue or pull request for creating a new integration package. dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:axonius Axonius Crest Contributions from Crest developement team. labels Jan 8, 2026
@muskan-agarwal26 muskan-agarwal26 marked this pull request as ready for review January 8, 2026 10:29
@muskan-agarwal26 muskan-agarwal26 requested a review from a team as a code owner January 8, 2026 10:29

@ShourieG ShourieG left a comment


🤖 AI-Generated Review | Elastic Integration PR Review Bot

⚠️ This is an automated review generated by an AI assistant. Please verify all suggestions before applying changes. This review does not represent a human reviewer's opinion.


🔍 Pipeline Review Summary

Files Reviewed:

  • packages/axonius/data_stream/exposure/elasticsearch/ingest_pipeline/default.yml
  • packages/axonius/data_stream/exposure/elasticsearch/ingest_pipeline/pipeline-vulnerability-instance.yml

Integration: axonius
Data Stream: exposure


✅ Compliant Items

  • Description: Both pipelines include a clear description field.
  • Logical Processor Order: Parsing, extraction, transformation, and cleanup steps are present and ordered logically.
  • Temporary Field Cleanup: Temporary fields (e.g., message, json) are removed at the end of the pipeline.
  • ECS Categorization:
    • event.kind is set to event.
    • event.category is set using append as an array (e.g., vulnerability).
    • event.type is set using append as an array (e.g., info).
  • @timestamp Extraction: Timestamp is extracted and set from parsed date fields.
  • Error Handling:
    • Most critical processors (date, convert) use on_failure handlers to append error messages.
    • ignore_missing is used on most rename and convert processors.
  • Field Mapping: Axonius fields are mapped to ECS fields where possible (e.g., vulnerability.id, vulnerability.description).
  • No CDR Requirements: Axonius is not a cloud security integration, so CDR fields are not required and not flagged.

⚠️ Issues Found

Issue 1: Missing Pipeline-Level on_failure Handler

Severity: 🔴 High
Location: packages/axonius/data_stream/exposure/elasticsearch/ingest_pipeline/default.yml line 875
Problem: The pipeline does not include a top-level on_failure handler. This is required to ensure that any unhandled errors are captured and categorized as pipeline errors.
Recommendation:

on_failure:
  - set:
      field: error.message
      value: 'Pipeline processing failed: {{{_ingest.on_failure_message}}}'
  - set:
      field: event.kind
      value: pipeline_error

Issue 2: event.category and event.type Should Be Arrays

Severity: 🟡 Medium
Location: packages/axonius/data_stream/exposure/elasticsearch/ingest_pipeline/default.yml line ~20
Problem: The pipeline uses append to set event.category and event.type, but if the field is not initialized as an array, this can result in a string value instead of an array, violating ECS requirements.
Recommendation:

- set:
    field: event.category
    value: ['vulnerability']
    tag: set_event_category
- set:
    field: event.type
    value: ['info']
    tag: set_event_type

Alternatively, ensure the field is always an array after append.

Issue 3: Some convert and date Processors Missing ignore_failure

Severity: 🟡 Medium
Location: packages/axonius/data_stream/exposure/elasticsearch/ingest_pipeline/pipeline-vulnerability-instance.yml various lines
Problem: While most processors use on_failure, some convert and date processors do not include ignore_failure: true, which is best practice to prevent pipeline errors from type mismatches.
Recommendation:

- convert:
    field: json.event.data.axonius_risk_score
    tag: convert_event_data_axonius_risk_score_to_double
    target_field: axonius.exposure.event.data.axonius_risk_score
    type: double
    ignore_missing: true
    ignore_failure: true
    on_failure:
      - append:
          field: error.message
          value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'

Add ignore_failure: true to all convert and date processors.

Issue 4: No Null Checks in Some Conditionals

Severity: 🟡 Medium
Location: packages/axonius/data_stream/exposure/elasticsearch/ingest_pipeline/default.yml various lines
Problem: Some if conditions use ctx.json.field without null checks, which can cause errors if the field is missing.
Recommendation:

if: ctx.json?.event?.data?.added != null && ctx.json.event.data.added != ''

Ensure all conditionals use safe navigation (?.) and null checks.


💡 Suggestions for Improvement

  • Use set for ECS Arrays: Prefer set with array values for ECS fields over append unless you are merging multiple values.
  • Field Namespacing: Continue to use the axonius.exposure.* namespace for custom fields to avoid ECS conflicts.
  • Performance: Consider using native processors over scripts wherever possible (currently compliant).
  • Documentation: Add comments in the pipeline for complex transformations for future maintainers.

📋 Checklist Status

  • ECS categorization complete
  • Missing pipeline-level on_failure handler
  • Temporary fields cleaned up
  • @timestamp extraction present
  • Error handling on most critical processors
  • Some processors missing ignore_failure
  • No CDR requirements (not a cloud security integration)
  • Processor order logical
  • Field mapping ECS-compliant

Summary:
The Axonius exposure ingest pipelines are well-structured and mostly ECS-compliant, with good error handling and field mapping. The main issues are the lack of a pipeline-level on_failure handler, potential ECS array violations for categorization fields, and missing ignore_failure on some processors. Addressing these will ensure robust, maintainable, and ECS-compliant pipelines.
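The four review points above (a top-level on_failure handler, array-valued event.category and event.type, error handling on convert and date processors, and null-safe `if` conditions) expressed as a small lint over a loaded pipeline; this is an added example, not code from the PR or from elastic-package. The PIPELINE dict is a constructed stand-in for what a YAML loader returns for default.yml, and its processor tags and values are made up.

```python
import re
# Constructed stand-in for a loaded ingest pipeline (what a YAML loader returns for default.yml); made-up tags/values.
PIPELINE = {
    "description": "Pipeline for processing Axonius exposure logs.",
    "processors": [
        {"set": {"field": "event.category", "value": "vulnerability"}},  # scalar, not array
        {"convert": {"field": "json.event.data.axonius_risk_score", "type": "double",
                     "tag": "convert_risk_score", "ignore_missing": True}},  # no error handling
        {"date": {"field": "json.event.data.added", "target_field": "@timestamp",
                  "formats": ["ISO8601"], "tag": "date_added",
                  "if": "ctx.json.event.data.added != ''",  # dereferenced without a guard
                  "on_failure": [{"append": {"field": "error.message",
                                             "value": "{{{_ingest.on_failure_message}}}"}}]}},
        {"rename": {"field": "json.id", "target_field": "vulnerability.id",
                    "if": "ctx.json?.id != null && ctx.json.id != ''"}},  # guarded correctly
        {"remove": {"field": ["json", "message"], "ignore_missing": True}},
    ],  # no top-level on_failure key: the bot's Issue 1
}
ARRAY_FIELDS = ("event.category", "event.type")
PATH_RE = re.compile(r"ctx(?:\??\.\w+)+")

def unguarded_paths(condition: str) -> list[str]:
    """ctx paths >= 2 levels deep that a Painless `if` reads with a plain '.' and
    that no `?.`-style `!= null` check in the same condition has guarded."""
    guarded = {m.group(0).split("!=")[0].strip().replace("?.", ".")
               for m in re.finditer(PATH_RE.pattern + r"\s*!=\s*null", condition)}
    flagged: list[str] = []
    for m in PATH_RE.finditer(condition):
        path = m.group(0)
        if "?." in path or path.count(".") < 2:
            continue  # safe navigation used, or ctx.<key>, which cannot throw
        if path not in guarded and path not in flagged:
            flagged.append(path)
    return flagged

def lint_pipeline(pipeline: dict) -> list[str]:
    """One finding per violated review point, in processor order."""
    findings: list[str] = []
    handlers = pipeline.get("on_failure") or []
    if not any(h.get("set", {}).get("field") == "event.kind" and h["set"].get("value") == "pipeline_error" for h in handlers):
        findings.append("no top-level on_failure handler setting event.kind to pipeline_error")
    for proc in pipeline.get("processors", []):
        (ptype, body), = proc.items()  # each processor is a single-key mapping
        tag = body.get("tag") or body.get("field")
        if ptype == "set" and body.get("field") in ARRAY_FIELDS and not isinstance(body.get("value"), list):
            findings.append(f"set [{tag}] stores a scalar in {body['field']}; ECS expects an array")
        if ptype in ("convert", "date") and not (body.get("on_failure") or body.get("ignore_failure")):
            findings.append(f"{ptype} [{tag}] has neither on_failure nor ignore_failure")
        for path in unguarded_paths(body.get("if", "")):
            findings.append(f"{ptype} [{tag}] dereferences {path} without a null check")
    return findings
```

Running lint_pipeline(PIPELINE) reports the four constructed defects in order; adding a top-level on_failure that sets event.kind to pipeline_error clears the first finding.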

  - append:
      field: tags
      value: preserve_original_event
      allow_duplicates: false

🤖 AI Review: 🔴 Missing Pipeline-Level on_failure Handler

The pipeline does not include a top-level on_failure handler. This is required to ensure that any unhandled errors are captured and categorized as pipeline errors.

Suggested fix:

on_failure:
  - set:
      field: error.message
      value: 'Pipeline processing failed: {{{_ingest.on_failure_message}}}'
  - set:
      field: event.kind
      value: pipeline_error

🤖 AI-generated comment by Elastic Integration PR Review Bot

Contributor Author

I have already added one at the bottom, line 861
Please check @ShourieG

@andrewkroh andrewkroh removed the New Integration Issue or pull request for creating a new integration package. label Jan 8, 2026

@efd6 efd6 left a comment


Suggested commit message:

axonius: add exposure data stream with vulnerability and asset data

This new data stream collects vulnerability instances, vulnerabilities, 
and vulnerability repository data from the Axonius platform via the 
/api/v2/assets/ endpoint. Axonius fields are mapped to their 
corresponding ECS fields where possible.

Test samples were derived from live data samples, which were subsequently
sanitized.

API documentation: https://docs.axonius.com/docs/axonius-rest-api

1. Adding new line.
2. Remove empty_event message.
3. Add suggestions in cel.
@muskan-agarwal26 muskan-agarwal26 requested a review from efd6 February 3, 2026 06:51
@ShourieG ShourieG merged commit 74dbf5f into elastic:feature/axonius-0.1.0 Feb 5, 2026
8 checks passed
@elastic-vault-github-plugin-prod

Package axonius - 0.1.0 containing this change is available at https://epr.elastic.co/package/axonius/0.1.0/
