x-pack/filebeat/input/entityanalytics/activedirectory: fix nested group membership by efd6 · Pull Request #48815 · elastic/beats

efd6 · 2026-02-11T22:26:12Z

Proposed commit message

x-pack/filebeat/input/entityanalytics/activedirectory: fix nested group membership

Use the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID
1.2.840.113556.1.4.1941) in memberOf filters so that nested
group membership is resolved server-side at query time. The
previous plain memberOf filters only matched direct members.

Also escape DN values with ldap.EscapeFilter in the
changed-groups filter path, which was missing this safeguard
and could produce malformed queries when group names contain
LDAP filter metacharacters such as parentheses.

Note

Identified by inspection during other work.

Checklist

My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
I have made corresponding change to the default configuration files
I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

Author's Checklist

[ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

github-actions · 2026-02-11T22:26:21Z

🤖 GitHub comments

Just comment with:

run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

…up membership Use the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) in memberOf filters so that nested group membership is resolved server-side at query time. The previous plain memberOf filters only matched direct members. Also escape DN values with ldap.EscapeFilter in the changed-groups filter path, which was missing this safeguard and could produce malformed queries when group names contain LDAP filter metacharacters such as parentheses.

elasticmachine · 2026-02-11T22:56:31Z

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

…up membership (#48815) Use the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) in memberOf filters so that nested group membership is resolved server-side at query time. The previous plain memberOf filters only matched direct members. Also escape DN values with ldap.EscapeFilter in the changed-groups filter path, which was missing this safeguard and could produce malformed queries when group names contain LDAP filter metacharacters such as parentheses. (cherry picked from commit b0a0446)

…sted group membership (elastic#48815)" This reverts commit b0a0446.

…up membership (#48815) (#48898) Use the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) in memberOf filters so that nested group membership is resolved server-side at query time. The previous plain memberOf filters only matched direct members. Also escape DN values with ldap.EscapeFilter in the changed-groups filter path, which was missing this safeguard and could produce malformed queries when group names contain LDAP filter metacharacters such as parentheses. (cherry picked from commit b0a0446) Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co> Co-authored-by: Denis <denis.rechkunov@elastic.co>

…up membership (#48815) (#48897) Use the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) in memberOf filters so that nested group membership is resolved server-side at query time. The previous plain memberOf filters only matched direct members. Also escape DN values with ldap.EscapeFilter in the changed-groups filter path, which was missing this safeguard and could produce malformed queries when group names contain LDAP filter metacharacters such as parentheses. (cherry picked from commit b0a0446) Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co> Co-authored-by: Denis <denis.rechkunov@elastic.co>

…up membership (#48815) (#48896) Use the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) in memberOf filters so that nested group membership is resolved server-side at query time. The previous plain memberOf filters only matched direct members. Also escape DN values with ldap.EscapeFilter in the changed-groups filter path, which was missing this safeguard and could produce malformed queries when group names contain LDAP filter metacharacters such as parentheses. (cherry picked from commit b0a0446) Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co> Co-authored-by: Denis <denis.rechkunov@elastic.co>

efd6 self-assigned this Feb 11, 2026

efd6 added Filebeat Filebeat bugfix Team:Security-Service Integrations Security Service Integrations Team backport-8.19 Automated backport to the 8.19 branch backport-9.2 Automated backport to the 9.2 branch backport-9.3 Automated backport to the 9.3 branch labels Feb 11, 2026

botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Feb 11, 2026

efd6 force-pushed the entityanalytics_ad_groups_lookup branch from 1c419fe to 5db91fd Compare February 11, 2026 22:30

efd6 changed the title ~~x-pack/filebeat/input/entityanalytics/ad: fix nested group membership~~ Feb 11, 2026

efd6 marked this pull request as ready for review February 11, 2026 22:56

efd6 requested a review from a team as a code owner February 11, 2026 22:56

chemamartinez approved these changes Feb 17, 2026

View reviewed changes

efd6 merged commit b0a0446 into elastic:main Feb 17, 2026
12 of 17 checks passed

mergify bot mentioned this pull request Feb 17, 2026

[8.19](backport #48815) x-pack/filebeat/input/entityanalytics/activedirectory: fix nested group membership #48896

Merged

6 tasks

mergify bot mentioned this pull request Feb 17, 2026

[9.2](backport #48815) x-pack/filebeat/input/entityanalytics/activedirectory: fix nested group membership #48897

Merged

6 tasks

mergify bot mentioned this pull request Feb 17, 2026

[9.3](backport #48815) x-pack/filebeat/input/entityanalytics/activedirectory: fix nested group membership #48898

Merged

6 tasks

belimawr added a commit to belimawr/beats that referenced this pull request Feb 18, 2026

Revert "x-pack/filebeat/input/entityanalytics/activedirectory: fix ne…

18add83

…sted group membership (elastic#48815)" This reverts commit b0a0446.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x-pack/filebeat/input/entityanalytics/activedirectory: fix nested group membership#48815

x-pack/filebeat/input/entityanalytics/activedirectory: fix nested group membership#48815
efd6 merged 1 commit intoelastic:mainfrom
efd6:entityanalytics_ad_groups_lookup

efd6 commented Feb 11, 2026 •

edited

Loading

github-actions bot commented Feb 11, 2026

elasticmachine commented Feb 11, 2026

Uh oh!

Labels

3 participants

Conversation

efd6 commented Feb 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Proposed commit message

Checklist

Disruptive User Impact

Author's Checklist

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

github-actions bot commented Feb 11, 2026

🤖 GitHub comments

elasticmachine commented Feb 11, 2026

Uh oh!

Labels

3 participants

efd6 commented Feb 11, 2026 •

edited

Loading