entityanalytics_ad: add support for empty Active Directory groups#18235
Vale Linting Results
Summary: 4 warnings found
| File | Line | Rule | Message |
|---|---|---|---|
| packages/entityanalytics_ad/docs/README.md | 383 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'. |
| packages/entityanalytics_ad/docs/README.md | 385 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/entityanalytics_ad/docs/README.md | 409 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/entityanalytics_ad/docs/README.md | 410 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
The Vale linter checks documentation changes against the Elastic Docs style guide.
To use Vale locally or report issues, refer to Elastic style guide for Vale.
TL;DR: The Buildkite failure is from the Check go sources step detecting a dirty tree after
Remediation
Investigation details
Root Cause
That indicates source normalization/generation expected by
Evidence
Verification
Follow-up
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
chrisberkhout
left a comment
The commit description and the new group pipeline description both mention empty groups specifically.
I see the new option in the input config to include empty groups. Do we get information about non-empty groups? If so, is that existing data that's getting new support (pipeline and data stream) or is that data new?
Can you please rewrite the commit description and pipeline description to clarify the difference between existing and new support for groups, and empty vs non-empty groups?
Done. PTAL
Sorry for the close/reopen. I hit the wrong button.
Can you please rewrite the commit description and pipeline description to clarify the difference between existing and new support for groups, and empty vs non-empty groups?
Done. PTAL
Thanks! That's much clearer.
Another possibility would be to have the empty group docs in the user data stream, just without the user fields, so they line up with existing group data. But keeping them separate probably is better, and it's well explained in the README, etc.
It's separate from this change, but the LLM caught a point where the proposed commit message differs from the implementation. The proposed commit message says:
their names and SIDs appear within user and device entities via the user.group and device.group fields
However, for devices, they're put into user.group, and that's what we see in the existing pipeline test output.
Wire the include_empty_groups option from the beats input into the integration package. This adds a group ingest pipeline, a routing rule to direct group documents to a dedicated data stream, ECS and vendor field definitions for groups, and a new group data stream with its own manifest and field files. The entity pipeline dispatch is updated to recognise group documents (ctx.group.id != null) and the fallback entity pipeline condition now excludes them. Pipeline tags are corrected to distinguish user, device, and group dispatch.
Add a gldap-based LDAP mock server that serves synthetic user, device, and group entries for local and CI testing without a real Active Directory server. Add a script test (routed_data_streams.txt) that verifies documents are routed from the entity data stream to the user, device, and group destination data streams. This covers a gap in the standard system test runner which cannot assert on routed data streams. Also add a pipeline test for the group ingest pipeline and a system test config wired to the LDAP mock.
cc @efd6
Package entityanalytics_ad - 0.19.0 containing this change is available at https://epr.elastic.co/package/entityanalytics_ad/0.19.0/
Proposed commit message
The beats entity-analytics input already collects all Active Directory groups for membership enrichment; their names and SIDs appear within user and device entities via the user.group fields. Groups with no direct members are invisible to this process because they have no member links to follow. The include_empty_groups option (elastic/beats#49093) makes the input emit standalone documents for these otherwise-invisible groups so they appear in the asset inventory. This change adds the integration-side support: a group ingest pipeline, a routing rule to direct group documents to a dedicated data stream, and ECS and vendor field definitions. The entity pipeline dispatch is updated to recognise group documents (ctx.group.id != null) and the fallback entity pipeline condition now excludes them. Pipeline tags are corrected to distinguish user, device, and group dispatch.
Also adds system testing, including document routing tests (second commit).
Checklist
changelog.yml file.
Author's Checklist
How to test this PR locally
Related issues
Screenshots
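The dispatch and routing described in the proposed commit message, as an added illustration rather than the entityanalytics_ad package's own pipeline files: a simplified entity pipeline that hands group documents to a group pipeline, keeps them out of the fallback entity pipeline, and reroutes each entity kind to its own data stream. Pipeline ids, dataset names and the user/device conditions are assumptions; only the group condition comes from the PR. The null-safe `ctx.group?.id` form is used because `ctx.group.id` throws a NullPointerException in Painless when the document has no `group` object at all.

```yaml
---
# Added example, not the entityanalytics_ad package's own pipeline definition.
# Assumed: pipeline ids ("user", "device", "group", "entity"), dataset names,
# and the user/device dispatch conditions. Only the group condition is from the PR.
description: Dispatch Active Directory entity documents to the user, device or group pipeline
processors:
  # Group-only documents (emitted with include_empty_groups) carry group.id
  # and no user or device object, so they are recognised first.
  - pipeline:
      tag: dispatch_group
      if: ctx.group?.id != null
      name: '{{ IngestPipeline "group" }}'
  - pipeline:
      tag: dispatch_user
      if: ctx.group?.id == null && ctx.user?.id != null
      name: '{{ IngestPipeline "user" }}'
  - pipeline:
      tag: dispatch_device
      if: ctx.group?.id == null && ctx.device?.id != null
      name: '{{ IngestPipeline "device" }}'
  # Fallback entity pipeline: its condition now excludes group documents.
  - pipeline:
      tag: dispatch_entity_fallback
      if: ctx.group?.id == null && ctx.user?.id == null && ctx.device?.id == null
      name: '{{ IngestPipeline "entity" }}'
  # Route each document out of the entity data stream to its destination.
  # reroute ends processing in this pipeline, so the conditions must be exclusive.
  - reroute:
      tag: route_group
      if: ctx.group?.id != null
      dataset: entityanalytics_ad.group   # assumed dataset name
  - reroute:
      tag: route_user
      if: ctx.group?.id == null && ctx.user?.id != null
      dataset: entityanalytics_ad.user    # assumed dataset name
  - reroute:
      tag: route_device
      if: ctx.group?.id == null && ctx.device?.id != null
      dataset: entityanalytics_ad.device  # assumed dataset name
on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: '{{{ _ingest.on_failure_message }}}'
```

A pipeline test that feeds one user, one device and one empty-group document through this pipeline should see exactly one `dispatch_*` and one `route_*` tag hit per document, which is the check the routed_data_streams.txt script test performs against the real package.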