
x-pack/filebeat/input/entityanalytics/provider/activedirectory: add empty group reporting#49093

Merged
efd6 merged 2 commits into elastic:main from efd6:i16519-entityanalytics_ad on Mar 3, 2026

Conversation

@efd6

@efd6 efd6 commented Feb 25, 2026

Contributor

Proposed commit message

x-pack/filebeat/input/entityanalytics/provider/activedirectory: add empty group reporting

Add a configurable option (include_empty_groups, default false) to
report Active Directory groups that have no direct members. Each
empty group is published as a separate document with event.action
group-discovered/group-modified/group-deleted and its attributes
under activedirectory.group.

Groups are queried with (&(objectClass=group)(!(member=*))) and
state-tracked in a dedicated kvstore bucket so that groups gaining
members or being removed from AD are detected as deletions during
full sync, consistent with how user deletions work.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

@efd6 efd6 self-assigned this Feb 25, 2026
@efd6 efd6 added enhancement Filebeat Filebeat backport-skip Skip notification from the automated backport with mergify Team:Security-Service Integrations Security Service Integrations Team input:entityanalytics labels Feb 25, 2026
@botelastic botelastic Bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Feb 25, 2026
@github-actions

Contributor

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
@github-actions

github-actions Bot commented Feb 25, 2026

Contributor

Vale Linting Results

Summary: 1 suggestion found

💡 Suggestions (1)
File: docs/reference/filebeat/filebeat-input-entity-analytics.md
Line: 359
Rule: Elastic.WordChoice
Message: Consider using 'can, might' instead of 'may', unless the term is in the UI.

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@efd6 efd6 force-pushed the i16519-entityanalytics_ad branch from 2e4272d to 445b28b Compare February 25, 2026 03:38
@efd6 efd6 marked this pull request as ready for review February 25, 2026 05:33
@efd6 efd6 requested review from a team as code owners February 25, 2026 05:33
@elasticmachine

Contributor

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@vishaangelova vishaangelova left a comment

Member


Docs LGTM, just a tiny suggestion to add an applies_to for the new option.

Comment thread docs/reference/filebeat/filebeat-input-entity-analytics.md
Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com>

@chemamartinez chemamartinez left a comment

Contributor


LGTM

@efd6 efd6 enabled auto-merge (squash) March 3, 2026 19:32
@efd6 efd6 merged commit 74efc12 into elastic:main Mar 3, 2026
37 of 41 checks passed
efd6 added a commit to elastic/integrations that referenced this pull request May 22, 2026
The beats entity-analytics input already collects all Active Directory
groups for membership enrichment; their names and SIDs appear within
user and device entities via the user.group fields. Groups with no
direct members are invisible to this process because they have no
member links to follow.

The include_empty_groups option (elastic/beats#49093) makes the input
emit standalone documents for these otherwise-invisible groups so they
appear in the asset inventory. This change adds the integration-side
support: a group ingest pipeline, a routing rule to direct group
documents to a dedicated data stream, and ECS and vendor field
definitions.

The entity pipeline dispatch is updated to recognise group documents
(ctx.group.id != null) and the fallback entity pipeline condition
now excludes them. Pipeline tags are corrected to distinguish user,
device, and group dispatch.
tejasc-metron pushed a commit to metron-labs/Doppel-Elastic-Security-SIEM that referenced this pull request May 25, 2026
herrBez pushed a commit to herrBez/integrations that referenced this pull request Jun 1, 2026