From d3f48b972d87bba27532ae2ac357c5a2e841ce7a Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor <jsorianopastor@gmail.com>
Date: Wed, 4 Mar 2026 12:57:52 +0100
Subject: [PATCH 1/2] Fix issues found while migrating to simplified API

---
 .../data_stream/log/_dev/test/system/test-logfile-config.yml  | 3 +++
 .../archive_search_logs/_dev/test/system/test-v1-config.yml   | 2 +-
 .../audit_events/_dev/test/system/test-v1-config.yml          | 2 +-
 .../data_stream/dlp_logs/_dev/test/system/test-v1-config.yml  | 2 +-
 .../data_stream/siem_logs/_dev/test/system/test-v1-config.yml | 2 +-
 .../_dev/test/system/test-v1-config.yml                       | 2 +-
 .../_dev/test/system/test-v1-config.yml                       | 2 +-
 .../ttp_ap_logs/_dev/test/system/test-v1-config.yml           | 2 +-
 .../ttp_ip_logs/_dev/test/system/test-v1-config.yml           | 2 +-
 .../ttp_url_logs/_dev/test/system/test-v1-config.yml          | 2 +-
 .../events/_dev/test/system/test-default-config.yml           | 2 ++
 .../ja3_fingerprints/_dev/test/system/test-default-config.yml | 1 +
 .../indicator/_dev/test/system/test-default-config.yml        | 4 +++-
 13 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/packages/microsoft_exchange_online_message_trace/data_stream/log/_dev/test/system/test-logfile-config.yml b/packages/microsoft_exchange_online_message_trace/data_stream/log/_dev/test/system/test-logfile-config.yml
index ca61602f2f0..ce64582c1ff 100644
--- a/packages/microsoft_exchange_online_message_trace/data_stream/log/_dev/test/system/test-logfile-config.yml
+++ b/packages/microsoft_exchange_online_message_trace/data_stream/log/_dev/test/system/test-logfile-config.yml
@@ -1,5 +1,8 @@
 service: exchange-online-logfile
 input: logfile
+vars:
+  local_domains:
+    - "contoso.com"
 data_stream:
   vars:
     preserve_original_event: true
diff --git a/packages/mimecast/data_stream/archive_search_logs/_dev/test/system/test-v1-config.yml b/packages/mimecast/data_stream/archive_search_logs/_dev/test/system/test-v1-config.yml
index 90aca0d4190..ec1fc54092f 100644
--- a/packages/mimecast/data_stream/archive_search_logs/_dev/test/system/test-v1-config.yml
+++ b/packages/mimecast/data_stream/archive_search_logs/_dev/test/system/test-v1-config.yml
@@ -1,7 +1,7 @@
 input: httpjson
 service: mimecast
 vars:
-  api_key: test
+  app_key: test
   app_id: test
   access_key: xxxx
   secret_key: xxxx
diff --git a/packages/mimecast/data_stream/audit_events/_dev/test/system/test-v1-config.yml b/packages/mimecast/data_stream/audit_events/_dev/test/system/test-v1-config.yml
index 6ab1460ad03..09bfbd3b8e2 100644
--- a/packages/mimecast/data_stream/audit_events/_dev/test/system/test-v1-config.yml
+++ b/packages/mimecast/data_stream/audit_events/_dev/test/system/test-v1-config.yml
@@ -1,7 +1,7 @@
 input: httpjson
 service: mimecast
 vars:
-  api_key: test
+  app_key: test
   app_id: test
   access_key: xxxx
   secret_key: xxxx
diff --git a/packages/mimecast/data_stream/dlp_logs/_dev/test/system/test-v1-config.yml b/packages/mimecast/data_stream/dlp_logs/_dev/test/system/test-v1-config.yml
index 78881287e1d..4c166612288 100644
--- a/packages/mimecast/data_stream/dlp_logs/_dev/test/system/test-v1-config.yml
+++ b/packages/mimecast/data_stream/dlp_logs/_dev/test/system/test-v1-config.yml
@@ -1,7 +1,7 @@
 input: httpjson
 service: mimecast
 vars:
-  api_key: test
+  app_key: test
   app_id: test
   access_key: xxxx
   secret_key: xxxx
diff --git a/packages/mimecast/data_stream/siem_logs/_dev/test/system/test-v1-config.yml b/packages/mimecast/data_stream/siem_logs/_dev/test/system/test-v1-config.yml
index 2012b1ddf25..e5215ae4a01 100644
--- a/packages/mimecast/data_stream/siem_logs/_dev/test/system/test-v1-config.yml
+++ b/packages/mimecast/data_stream/siem_logs/_dev/test/system/test-v1-config.yml
@@ -1,7 +1,7 @@
 input: httpjson
 service: mimecast
 vars:
-  api_key: test
+  app_key: test
   app_id: test
   access_key: xxxx
   secret_key: xxxx
diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/system/test-v1-config.yml b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/system/test-v1-config.yml
index 2012b1ddf25..e5215ae4a01 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/system/test-v1-config.yml
+++ b/packages/mimecast/data_stream/threat_intel_malware_customer/_dev/test/system/test-v1-config.yml
@@ -1,7 +1,7 @@
 input: httpjson
 service: mimecast
 vars:
-  api_key: test
+  app_key: test
   app_id: test
   access_key: xxxx
   secret_key: xxxx
diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/system/test-v1-config.yml b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/system/test-v1-config.yml
index 2012b1ddf25..e5215ae4a01 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/system/test-v1-config.yml
+++ b/packages/mimecast/data_stream/threat_intel_malware_grid/_dev/test/system/test-v1-config.yml
@@ -1,7 +1,7 @@
 input: httpjson
 service: mimecast
 vars:
-  api_key: test
+  app_key: test
   app_id: test
   access_key: xxxx
   secret_key: xxxx
diff --git a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/system/test-v1-config.yml b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/system/test-v1-config.yml
index a65aaa124af..5ffcfae11cb 100644
--- a/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/system/test-v1-config.yml
+++ b/packages/mimecast/data_stream/ttp_ap_logs/_dev/test/system/test-v1-config.yml
@@ -1,7 +1,7 @@
 input: httpjson
 service: mimecast
 vars:
-  api_key: test
+  app_key: test
   app_id: test
   access_key: xxxx
   secret_key: xxxx
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/system/test-v1-config.yml b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/system/test-v1-config.yml
index 78881287e1d..4c166612288 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/system/test-v1-config.yml
+++ b/packages/mimecast/data_stream/ttp_ip_logs/_dev/test/system/test-v1-config.yml
@@ -1,7 +1,7 @@
 input: httpjson
 service: mimecast
 vars:
-  api_key: test
+  app_key: test
   app_id: test
   access_key: xxxx
   secret_key: xxxx
diff --git a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/system/test-v1-config.yml b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/system/test-v1-config.yml
index 78881287e1d..4c166612288 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/_dev/test/system/test-v1-config.yml
+++ b/packages/mimecast/data_stream/ttp_url_logs/_dev/test/system/test-v1-config.yml
@@ -1,7 +1,7 @@
 input: httpjson
 service: mimecast
 vars:
-  api_key: test
+  app_key: test
   app_id: test
   access_key: xxxx
   secret_key: xxxx
diff --git a/packages/sailpoint_identity_sc/data_stream/events/_dev/test/system/test-default-config.yml b/packages/sailpoint_identity_sc/data_stream/events/_dev/test/system/test-default-config.yml
index a23136a5382..16b0fdc906f 100644
--- a/packages/sailpoint_identity_sc/data_stream/events/_dev/test/system/test-default-config.yml
+++ b/packages/sailpoint_identity_sc/data_stream/events/_dev/test/system/test-default-config.yml
@@ -6,6 +6,8 @@ vars:
   client_secret: eweqweqwqew
   api_host: http://{{Hostname}}:{{Port}}
   token_url: http://{{Hostname}}:{{Port}}/oauth/token
+  token_scopes:
+    - sp:scopes:all
 data_stream:
   vars:
     limit: 2
diff --git a/packages/ti_abusech/data_stream/ja3_fingerprints/_dev/test/system/test-default-config.yml b/packages/ti_abusech/data_stream/ja3_fingerprints/_dev/test/system/test-default-config.yml
index 7a2ccf3e97b..1cbd9030e32 100644
--- a/packages/ti_abusech/data_stream/ja3_fingerprints/_dev/test/system/test-default-config.yml
+++ b/packages/ti_abusech/data_stream/ja3_fingerprints/_dev/test/system/test-default-config.yml
@@ -5,6 +5,7 @@ data_stream:
     url: http://{{Hostname}}:{{Port}}/blacklist/ja3_fingerprints.csv
     preserve_original_event: true
 vars:
+  auth_key: test_auth_key
   enable_request_tracer: true
 assert:
   hit_count: 10
diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/system/test-default-config.yml b/packages/ti_opencti/data_stream/indicator/_dev/test/system/test-default-config.yml
index e6cb8e93573..709e823bbb9 100644
--- a/packages/ti_opencti/data_stream/indicator/_dev/test/system/test-default-config.yml
+++ b/packages/ti_opencti/data_stream/indicator/_dev/test/system/test-default-config.yml
@@ -9,6 +9,8 @@ data_stream:
     page_size: 3
     preserve_original_event: true
     enable_request_tracer: true
-    revoked: "false"
+
+    # Setting not supported here, see https://github.com/elastic/kibana/issues/255976
+    # revoked: "false"
 assert:
   hit_count: 9

From 00dd715f6ed52a33e40419aa6c3151feb41b095c Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor <jsorianopastor@gmail.com>
Date: Wed, 4 Mar 2026 18:42:06 +0100
Subject: [PATCH 2/2] Force use of legacy API

---
 .../indicator/_dev/test/system/test-default-config.yml   | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/packages/ti_opencti/data_stream/indicator/_dev/test/system/test-default-config.yml b/packages/ti_opencti/data_stream/indicator/_dev/test/system/test-default-config.yml
index 709e823bbb9..77463d1e43e 100644
--- a/packages/ti_opencti/data_stream/indicator/_dev/test/system/test-default-config.yml
+++ b/packages/ti_opencti/data_stream/indicator/_dev/test/system/test-default-config.yml
@@ -1,5 +1,10 @@
 input: cel
 service: opencti_stub
+# The simplified Fleet API coerces string "false"/"true" to booleans before
+# reaching the select-type validation, so "false" fails include() against the
+# string options. Force the legacy API until Fleet fixes the schema ordering.
+# See https://github.com/elastic/kibana/issues/255976
+policy_api_format: legacy
 vars:
   url: http://{{Hostname}}:{{Port}}
   api_key: test_api_key
@@ -9,8 +14,6 @@ data_stream:
     page_size: 3
     preserve_original_event: true
     enable_request_tracer: true
-
-    # Setting not supported here, see https://github.com/elastic/kibana/issues/255976
-    # revoked: "false"
+    revoked: "false"
 assert:
   hit_count: 9