[axonius][alert_and_incident] Add Axonius Alert and Incident datastream#16603

Merged
chrisberkhout merged 8 commits into elastic:feature/axonius-0.1.0 from muskan-agarwal26:datastream-alert_and_incident
Mar 11, 2026

Conversation

@muskan-agarwal26 muskan-agarwal26 commented Dec 17, 2025

Proposed commit message

This new data stream collects alert findings and incidents data from the Axonius platform via the
/api/v2/assets/ endpoint. Axonius fields are mapped to their
corresponding ECS fields where possible.

Test samples were derived from live data samples, which were subsequently
sanitized.

API documentation: https://docs.axonius.com/docs/axonius-rest-api

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

To test the axonius package:

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/axonius directory.
  • Run the following command to run tests.

elastic-package test

2025/12/17 18:21:56  INFO New version is available - v0.117.1. Download from: https://github.com/elastic/elastic-package/releases/tag/v0.117.1
Run asset tests for the package
2025/12/17 18:21:57  INFO License text found in "/root/GITHUB/integrations/LICENSE.txt" will be included in package
--- Test results for package: axonius - START ---
╭─────────┬────────────────────┬───────────┬──────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM        │ TEST TYPE │ TEST NAME                                                        │ RESULT │ TIME ELAPSED │
├─────────┼────────────────────┼───────────┼──────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ axonius │                    │ asset     │ dashboard axonius-50841034-1314-4e26-8be3-47d38241c359 is loaded │ PASS   │      2.703µs │
│ axonius │                    │ asset     │ search axonius-852dd7b3-5b99-456b-8f00-9db6b8d6f4bd is loaded    │ PASS   │        481ns │
│ axonius │                    │ asset     │ search axonius-d3b2048c-016a-4ebb-9406-89687aa90aee is loaded    │ PASS   │        546ns │
│ axonius │ alert_and_incident │ asset     │ index_template logs-axonius.alert_and_incident is loaded         │ PASS   │        696ns │
│ axonius │ alert_and_incident │ asset     │ ingest_pipeline logs-axonius.alert_and_incident-0.1.0 is loaded  │ PASS   │        345ns │
╰─────────┴────────────────────┴───────────┴──────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: axonius - END   ---
Done
Run pipeline tests for the package
--- Test results for package: axonius - START ---
╭─────────┬────────────────────┬───────────┬───────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM        │ TEST TYPE │ TEST NAME                                         │ RESULT │ TIME ELAPSED │
├─────────┼────────────────────┼───────────┼───────────────────────────────────────────────────┼────────┼──────────────┤
│ axonius │ alert_and_incident │ pipeline  │ (ingest pipeline warnings test-alert-finding.log) │ PASS   │ 726.121672ms │
│ axonius │ alert_and_incident │ pipeline  │ (ingest pipeline warnings test-incident.log)      │ PASS   │ 712.669141ms │
│ axonius │ alert_and_incident │ pipeline  │ test-alert-finding.log                            │ PASS   │ 194.767219ms │
│ axonius │ alert_and_incident │ pipeline  │ test-incident.log                                 │ PASS   │ 209.348823ms │
╰─────────┴────────────────────┴───────────┴───────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: axonius - END   ---
Done
Run policy tests for the package
--- Test results for package: axonius - START ---
No test results
--- Test results for package: axonius - END   ---
Done
Run static tests for the package
--- Test results for package: axonius - START ---
╭─────────┬────────────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM        │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├─────────┼────────────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ axonius │ alert_and_incident │ static    │ Verify sample_event.json │ PASS   │ 220.387313ms │
╰─────────┴────────────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: axonius - END   ---
Done
Run system tests for the package
2025/12/17 18:22:05  INFO Installing package...
2025/12/17 18:22:05  INFO License text found in "/root/GITHUB/integrations/LICENSE.txt" will be included in package
2025/12/17 18:22:16  INFO Running test for data_stream "alert_and_incident" with configuration 'default'
2025/12/17 18:22:25  INFO Setting up independent Elastic Agent...
2025/12/17 18:22:39  INFO Setting up service...
2025/12/17 18:23:03  INFO Validating test case...
2025/12/17 18:23:04  INFO Tearing down service...
2025/12/17 18:23:05  INFO Write container logs to file: /root/GITHUB/integrations/build/container-logs/axonius-1765975985552405152.log
2025/12/17 18:23:08  INFO Tearing down agent...
2025/12/17 18:23:08  INFO Write container logs to file: /root/GITHUB/integrations/build/container-logs/elastic-agent-1765975988989458774.log
2025/12/17 18:23:36  INFO Uninstalling package...
--- Test results for package: axonius - START ---
╭─────────┬────────────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE │ DATA STREAM        │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├─────────┼────────────────────┼───────────┼───────────┼────────┼───────────────┤
│ axonius │ alert_and_incident │ system    │ default   │ PASS   │ 47.688153488s │
╰─────────┴────────────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: axonius - END   ---
Done

Related issues

Screenshots


@muskan-agarwal26 muskan-agarwal26 requested a review from a team as a code owner December 17, 2025 12:52
@muskan-agarwal26 muskan-agarwal26 marked this pull request as draft December 17, 2025 12:52
@muskan-agarwal26 muskan-agarwal26 changed the base branch from main to feature/axonius-0.1.0 December 17, 2025 14:10
@muskan-agarwal26 muskan-agarwal26 changed the title [axonius][alert_and_incident] Add Axonius Alert and Incident datastream #16599 #16602 [axonius][alert_and_incident] Add Axonius Alert and Incident datastream Dec 18, 2025
@andrewkroh andrewkroh added dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:axonius [Integration not found in source] Crest Contributions from Crest developement team. New Integration Issue or pull request for creating a new integration package. labels Jan 8, 2026
@muskan-agarwal26 muskan-agarwal26 force-pushed the datastream-alert_and_incident branch from b694486 to 0f3f334 Compare February 6, 2026 05:27
@muskan-agarwal26 muskan-agarwal26 marked this pull request as ready for review February 6, 2026 05:28
@muskan-agarwal26 muskan-agarwal26 requested a review from a team as a code owner February 6, 2026 05:28
@chrisberkhout chrisberkhout self-requested a review February 6, 2026 12:15
@andrewkroh andrewkroh removed the New Integration Issue or pull request for creating a new integration package. label Feb 6, 2026
Comment thread packages/axonius/changelog.yml Outdated

@chrisberkhout chrisberkhout left a comment


Had a high-level look and I have a few questions about the approach.

I see that this is a PR to a feature branch rather than to main. That's fine, but it would have been helpful to mention that in the PR description and maybe one sentence about the scope of this PR and where it fits in the project.

Comment thread packages/axonius/docs/README.md Outdated
Comment thread packages/axonius/elasticsearch/transform/latest_alert_and_incident/transform.yml Outdated
Comment thread packages/axonius/img/axonius-alert-and-incident-dashboard.png Outdated
@cla-checker-service

cla-checker-service Bot commented Feb 23, 2026

💚 CLA has been signed

1. Split alert_and_incident into alert_finding and incident.

@chrisberkhout chrisberkhout left a comment


Thanks for splitting the alert_and_incident data stream into alert_finding and incident data streams!

Regarding the other points from the last review, I checked each and made some comments. I think most of those still need some attention.

1. Added transform info in readme.
2. Added filters on visual level, removed from dashboard level.
3. Removed event.data.* naming from custom mappings.
4. Added asset_type_list config param.

@chrisberkhout chrisberkhout left a comment


Please review the unresolved items from earlier reviews.

Comment thread packages/axonius/_dev/build/docs/README.md Outdated
Comment thread packages/axonius/changelog.yml Outdated
Comment thread packages/axonius/img/axonius-alert-and-incident-dashboard.png Outdated
1. Shifted transform filter to visual level.
2. Suggestions in readme and changelog.
@chrisberkhout chrisberkhout merged commit 6d2b7db into elastic:feature/axonius-0.1.0 Mar 11, 2026
8 checks passed