[beyondtrust_isi] Initial release of BeyondTrust ISI

[janvi-elastic]

Proposed commit message

The initial release includes Incident and Event data stream and associated dashboard.

BeyondTrust ISI fields are mapped to their corresponding ECS fields where possible.

Test samples were derived from documentation, which were subsequently
sanitized.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

To test the beyondtrust_isi package:

• Clone integrations repo.
• Install elastic package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/beyondtrust_isi directory.
• Run the following command to run tests.

elastic-package test

Run asset tests for the package
2026/05/22 12:49:10  INFO elastic-package v0.118.0 version-hash 816ceecf (build time: 2025-12-30T18:33:37+05:30)
2026/05/22 12:49:10  INFO elastic-stack: 8.18.0
--- Test results for package: beyondtrust_isi - START ---
╭─────────────────┬─────────────┬───────────┬──────────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE         │ DATA STREAM │ TEST TYPE │ TEST NAME                                                                │ RESULT │ TIME ELAPSED │
├─────────────────┼─────────────┼───────────┼──────────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ beyondtrust_isi │             │ asset     │ dashboard beyondtrust_isi-21ddadd6-181a-4179-9839-a7e67d9803e1 is loaded │ PASS   │      1.989µs │
│ beyondtrust_isi │             │ asset     │ dashboard beyondtrust_isi-a48e4a73-385b-48a7-92d9-e57e7324bc05 is loaded │ PASS   │        408ns │
│ beyondtrust_isi │ incident    │ asset     │ index_template logs-beyondtrust_isi.incident is loaded                   │ PASS   │        444ns │
│ beyondtrust_isi │ incident    │ asset     │ ingest_pipeline logs-beyondtrust_isi.incident-0.1.1 is loaded            │ PASS   │        334ns │
╰─────────────────┴─────────────┴───────────┴──────────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: beyondtrust_isi - END   ---
Done
Run pipeline tests for the package
2026/05/22 12:49:16  INFO elastic-package v0.118.0 version-hash 816ceecf (build time: 2025-12-30T18:33:37+05:30)
2026/05/22 12:49:16  INFO elastic-stack: 8.18.0
--- Test results for package: beyondtrust_isi - START ---
╭─────────────────┬─────────────┬───────────┬──────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE         │ DATA STREAM │ TEST TYPE │ TEST NAME                                    │ RESULT │ TIME ELAPSED │
├─────────────────┼─────────────┼───────────┼──────────────────────────────────────────────┼────────┼──────────────┤
│ beyondtrust_isi │ incident    │ pipeline  │ (ingest pipeline warnings test-incident.log) │ PASS   │ 289.619298ms │
│ beyondtrust_isi │ incident    │ pipeline  │ test-incident.log                            │ PASS   │ 187.268957ms │
╰─────────────────┴─────────────┴───────────┴──────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: beyondtrust_isi - END   ---
Done
Run policy tests for the package
2026/05/22 12:49:17  INFO elastic-package v0.118.0 version-hash 816ceecf (build time: 2025-12-30T18:33:37+05:30)
2026/05/22 12:49:17  INFO elastic-stack: 8.18.0
--- Test results for package: beyondtrust_isi - START ---
No test results
--- Test results for package: beyondtrust_isi - END   ---
Done
Run script tests for the package
PKG beyondtrust_isi
[no test files]
--- Test results for package: beyondtrust_isi - START ---
No test results
--- Test results for package: beyondtrust_isi - END   ---
Done
Run static tests for the package
2026/05/22 12:49:17  INFO elastic-package v0.118.0 version-hash 816ceecf (build time: 2025-12-30T18:33:37+05:30)
--- Test results for package: beyondtrust_isi - START ---
╭─────────────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE         │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├─────────────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ beyondtrust_isi │ incident    │ static    │ Verify sample_event.json │ PASS   │ 124.468922ms │
╰─────────────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: beyondtrust_isi - END   ---
Done
Run system tests for the package
2026/05/22 12:49:17  INFO elastic-package v0.118.0 version-hash 816ceecf (build time: 2025-12-30T18:33:37+05:30)
2026/05/22 12:49:17  INFO elastic-stack: 8.18.0
2026/05/22 12:49:17  INFO Installing package...
2026/05/22 12:49:29  INFO Running test for data_stream "incident" with configuration 'default'
2026/05/22 12:49:38  INFO Setting up independent Elastic Agent...
2026/05/22 12:49:48  INFO Setting up service...
2026/05/22 12:50:09  INFO Validating test case...
2026/05/22 12:50:10  INFO Tearing down service...
2026/05/22 12:50:10  INFO Write container logs to file: /home/devuser/bitbucket/integrations/build/container-logs/beyondtrust_isi-1779434410460632210.log
2026/05/22 12:50:13  INFO Tearing down agent...
2026/05/22 12:50:13  INFO Write container logs to file: /home/devuser/bitbucket/integrations/build/container-logs/elastic-agent-1779434413599657226.log
2026/05/22 12:50:23  INFO Uninstalling package...
--- Test results for package: beyondtrust_isi - START ---
╭─────────────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE         │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├─────────────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ beyondtrust_isi │ incident    │ system    │ default   │ PASS   │ 40.764085956s │
╰─────────────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: beyondtrust_isi - END   ---
Done

Screenshots

---

Note: We don't have live instance. So we have created dashboard based on documentation. And the fields in dashboard used have field type in suffix. This integration follows a phased development process where individual data streams were reviewed and merged into a feature branch through separate PRs:

• Event data stream: [beyondtrust_isi][event] Add beyondtrust_isi event datastream #18683
• Incident data stream: [beyondtrust_isi][incident] Add beyondtrust_isi incident datastream #18682

All PR's have been reviewed and merged in this feature branch, which is now ready for integration into the main branch.

[github-actions]

TL;DR

Buildkite failed before tests because the PR merge simulation could not merge main into the PR head due to a conflict in .github/CODEOWNERS. Rebase/merge main into feature/beyondtrust__isi-0.1.0 and resolve that conflict, then rerun CI.

Remediation

• Update the branch with latest main and resolve .github/CODEOWNERS conflict, keeping the new owner entry for beyondtrust_isi.
• Push the resolved branch and rerun the Buildkite build (the failing step is pipeline upload/post-checkout, so no package tests were reached yet).

Investigation details

Root Cause

Buildkite's post-checkout hook performs an explicit merge of BUILDKITE_COMMIT into a temporary branch based on target branch main:

• .buildkite/hooks/post-checkout:47 runs git merge --no-edit "${BUILDKITE_COMMIT}".
• The merge failed with a content conflict in .github/CODEOWNERS, causing hook exit and build failure.

PR changes include a CODEOWNERS edit adding:

• .github/CODEOWNERS patch: +/packages/beyondtrust_isi @elastic/security-service-integrations``

That overlaps with upstream changes in the same file region and triggers the merge conflict in CI.

Evidence

• Build: https://buildkite.com/elastic/integrations/builds/43299
• Job/step: :pipeline::arrow_up: Upload Pipeline: .buildkite/pipeline.yml
• Key log excerpt (/tmp/gh-aw/buildkite-logs/integrations-pipelinearrow_up-upload-pipeline-buildkitepipelineyml.txt):

Auto-merging .github/CODEOWNERS
CONFLICT (content): Merge conflict in .github/CODEOWNERS
Automatic merge failed; fix conflicts and then commit the result.
Merge failed: 1
Error: running "repository post-checkout" shell hook: ... exited with status 1

Verification

• Not run: package/unit/system tests were not reached because the build failed during PR post-checkout merge.

Follow-up

After resolving CODEOWNERS and rerunning CI, any remaining failures (if any) will reflect actual package/test issues rather than branch merge state.

---

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[janvi-elastic]

/test

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 2ec38a3

Failed CI Steps

• :pipeline:⬆️ Upload Pipeline: .buildkite/pipeline.yml

History

• 💔 Build #43322 failed 2ec38a3
• 💔 Build #43299 failed fbad874