Skip to content

[Cybereason] Add system test coverage #17017

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
moxarth-rathod wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[Cybereason] Add system test coverage #17017

moxarth-rathod wants to merge 2 commits into from
+2,022 −231

Conversation

@moxarth-rathod
Copy link
Contributor

@moxarth-rathod moxarth-rathod commented Jan 21, 2026
edited
Loading

Proposed commit message

cybereason: add system tests and increase base64 icon field limits to 4096

Add system tests for all data streams.

Also address field indexing issues identified by the new tests where
base64-encoded icons were being ignored due to insufficient field
length limits. The limits are increased from the default to 4096
characters for icon-related fields in suspicions_process and
malop_process data streams.

Test logs were generated from existing pipeline test logs.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

@moxarth-rathod moxarth-rathod self-assigned this Jan 21, 2026
@moxarth-rathod moxarth-rathod requested a review from a team as a code owner January 21, 2026 10:50
@moxarth-rathod moxarth-rathod added enhancement New feature or request Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:cybereason Cybereason Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Jan 21, 2026
@elasticmachine
Copy link

elasticmachine commented Jan 21, 2026

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Jan 21, 2026
edited
Loading

🚀 Benchmarks report

Package cybereason 👍(2) 💚(2) 💔(2)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
malop_process 805.15 451.06 -354.09 (-43.98%) 💔
malware 10526.32 8000 -2526.32 (-24%) 💔

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jan 21, 2026
efd6
efd6 reviewed Jan 22, 2026
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fix the commit message. At the moment it does not make any comment on the test addition. The work here is more complex than the proposed commit message would suggest. There are new test samples in the docker config, so the origin of these should be described in the commit message.

@moxarth-rathod @efd6
Apply suggestions from code review
eb37304 
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
@elasticmachine
Copy link

elasticmachine commented Jan 22, 2026

💚 Build Succeeded

History

cc @moxarth-rathod

@moxarth-rathod moxarth-rathod requested a review from efd6 January 22, 2026 07:18
efd6
efd6 reviewed Jan 22, 2026
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest:

cybereason: add system tests and increase base64 icon field limits to 4096

Add system tests for all data streams.

Also address field indexing issues identified by the new tests where
base64-encoded icons were being ignored due to insufficient field
length limits. The limits are increased from the default to 4096
characters for icon-related fields in suspicions_process and
malop_process data streams.

Test logs were generated from existing pipeline test logs.

packages/cybereason/data_stream/logon_session/_dev/test/system/test-cel-config.yml
U69uQBo/agO7
-----END CERTIFICATE-----
assert:
hit_count: 1
Copy link
Contributor

@efd6 efd6 Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can I confirm that where we have assert.hit_count: 1 you have made this choice because the agent is not paginating?

Copy link
Contributor Author

@moxarth-rathod moxarth-rathod Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, only the malware data stream has pagination.

@moxarth-rathod moxarth-rathod requested a review from efd6 January 23, 2026 05:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 Awaiting requested review from efd6

At least 1 approving review is required to merge this pull request.

Assignees

@moxarth-rathod moxarth-rathod

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:cybereason Cybereason Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@moxarth-rathod @elasticmachine @efd6 @andrewkroh