x-pack/filebeat/input/entityanalytics/provider/activedirectory: add empty group reporting#49093
Merged
…mpty group reporting Add a configurable option (include_empty_groups, default false) to report Active Directory groups that have no direct members. Each empty group is published as a separate document with event.action group-discovered/group-modified/group-deleted and its attributes under activedirectory.group. Groups are queried with (&(objectClass=group)(!(member=*))) and state-tracked in a dedicated kvstore bucket so that groups gaining members or being removed from AD are detected as deletions during full sync, consistent with how user deletions work.
2e4272d to 445b28b
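The full-sync comparison that the commit message above describes, written out as an added Go example (not the input's own code): the dedicated kvstore bucket is modelled as a map keyed by group DN, the result of the (&(objectClass=group)(!(member=*))) search as a slice, and any stored group that no longer appears in that result is published as group-deleted whether it gained members or was removed from AD. The type and field names, and the use of AD's whenChanged string to detect group-modified, are assumptions of this example.

```go
package main

import "sort"

// EmptyGroup is what this added example keeps per group returned by the
// (&(objectClass=group)(!(member=*))) search; field names are assumptions.
// WhenChanged is the AD generalizedTime string (fixed width, so > orders it).
type EmptyGroup struct{ DN, SID, WhenChanged string }

// GroupEvent is one document to publish: event.action plus the group whose
// attributes go under activedirectory.group.
type GroupEvent struct {
	Action string // group-discovered, group-modified or group-deleted
	Group  EmptyGroup
}

// State stands in for the dedicated kvstore bucket, keyed by group DN.
type State map[string]EmptyGroup

// FullSync diffs current search results against stored state and returns the
// events to publish plus the state to persist. A stored group missing from the
// results, whether it gained members (so no longer matches the filter) or was
// removed from AD, is reported as deleted, the same rule used for users.
func FullSync(prev State, current []EmptyGroup) ([]GroupEvent, State) {
	next := make(State, len(current))
	var events []GroupEvent
	for _, g := range current {
		next[g.DN] = g
		old, seen := prev[g.DN]
		switch {
		case !seen:
			events = append(events, GroupEvent{"group-discovered", g})
		case g.WhenChanged > old.WhenChanged:
			events = append(events, GroupEvent{"group-modified", g})
		}
	}
	var gone []string // sorted so deletion order is stable across runs
	for dn := range prev {
		if _, ok := next[dn]; !ok {
			gone = append(gone, dn)
		}
	}
	sort.Strings(gone)
	for _, dn := range gone {
		events = append(events, GroupEvent{"group-deleted", prev[dn]})
	}
	return events, next
}
```

A second sync over unchanged results publishes nothing, since every group is already in the persisted state with the same whenChanged value.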
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
vishaangelova approved these changes Feb 26, 2026
Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com>
vishaangelova approved these changes Feb 26, 2026
efd6 added a commit to elastic/integrations that referenced this pull request May 22, 2026
The beats entity-analytics input already collects all Active Directory groups for membership enrichment; their names and SIDs appear within user and device entities via the user.group fields. Groups with no direct members are invisible to this process because they have no member links to follow. The include_empty_groups option (elastic/beats#49093) makes the input emit standalone documents for these otherwise-invisible groups so they appear in the asset inventory. This change adds the integration-side support: a group ingest pipeline, a routing rule to direct group documents to a dedicated data stream, and ECS and vendor field definitions. The entity pipeline dispatch is updated to recognise group documents (ctx.group.id != null) and the fallback entity pipeline condition now excludes them. Pipeline tags are corrected to distinguish user, device, and group dispatch.
tejasc-metron pushed a commit to metron-labs/Doppel-Elastic-Security-SIEM that referenced this pull request May 25, 2026
herrBez pushed a commit to herrBez/integrations that referenced this pull request Jun 1, 2026