
entityanalytics_ad: add support for empty Active Directory groups#18235

Merged
efd6 merged 2 commits into
elastic:mainfrom
efd6:16519-entityanalitics_ad
May 22, 2026

Conversation

@efd6

@efd6 efd6 commented Apr 7, 2026


Proposed commit message

entityanalytics_ad: add group data stream and pipeline

The beats entity-analytics input already collects all Active Directory
groups for membership enrichment; their names and SIDs appear within
user and device entities via the user.group fields. Groups with no
direct members are invisible to this process because they have no
member links to follow.

The include_empty_groups option (elastic/beats#49093) makes the input
emit standalone documents for these otherwise-invisible groups so they
appear in the asset inventory. This change adds the integration-side
support: a group ingest pipeline, a routing rule to direct group
documents to a dedicated data stream, and ECS and vendor field
definitions.

The entity pipeline dispatch is updated to recognise group documents
(ctx.group.id != null) and the fallback entity pipeline condition
now excludes them. Pipeline tags are corrected to distinguish user,
device, and group dispatch.

Also adds system testing, including document routing tests (second commit).

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

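The dispatch described in the proposed commit message, written out as an added, hypothetical ingest pipeline fragment (not the package's own pipeline file): each entity kind is dispatched on its id field, the fallback only fires when none of the three ids is present, and group documents are rerouted to a dedicated data stream. Pipeline names, tags and the `entityanalytics_ad.group` dataset name are assumptions.

```yaml
# Added, hypothetical example of the entity dispatch pipeline (not the
# package's own file). Pipeline names, tags and the dataset are assumptions.
description: Dispatch Active Directory entity documents by entity kind
processors:
  # Users and devices are recognised by their id fields. Membership
  # enrichment lives under user.group, so a user document that lists
  # groups does not match the group dispatch below.
  - pipeline:
      tag: dispatch_user
      name: '{{ IngestPipeline "user" }}'
      if: ctx.user?.id != null
  - pipeline:
      tag: dispatch_device
      name: '{{ IngestPipeline "device" }}'
      if: ctx.device?.id != null
  # Standalone group documents emitted with include_empty_groups carry
  # group.id and no user or device id.
  - pipeline:
      tag: dispatch_group
      name: '{{ IngestPipeline "group" }}'
      if: ctx.group?.id != null
  # Fallback for documents that are none of the above. Without the
  # group.id clause an empty-group document would also run through here.
  - pipeline:
      tag: dispatch_entity
      name: '{{ IngestPipeline "entity" }}'
      if: ctx.user?.id == null && ctx.device?.id == null && ctx.group?.id == null
  # Route group documents to their own data stream; kept last so the
  # group pipeline above has already run.
  - reroute:
      tag: route_group
      if: ctx.group?.id != null
      dataset: entityanalytics_ad.group
```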
@efd6 efd6 self-assigned this Apr 7, 2026
@efd6 efd6 added enhancement New feature or request Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:entityanalytics_ad Active Directory Entity Analytics labels Apr 7, 2026
@efd6 efd6 force-pushed the 16519-entityanalitics_ad branch from 0719417 to 470489a Compare April 7, 2026 04:30
@github-actions

github-actions Bot commented Apr 7, 2026


Vale Linting Results

Summary: 4 warnings found

⚠️ Warnings (4)
File Line Rule Message
packages/entityanalytics_ad/docs/README.md 383 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/entityanalytics_ad/docs/README.md 385 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/entityanalytics_ad/docs/README.md 409 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/entityanalytics_ad/docs/README.md 410 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@efd6 efd6 force-pushed the 16519-entityanalitics_ad branch from 470489a to 0ef99ef Compare April 7, 2026 04:39
@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Apr 7, 2026
@efd6 efd6 force-pushed the 16519-entityanalitics_ad branch from 0ef99ef to d163448 Compare May 6, 2026 02:08
@github-actions

github-actions Bot commented May 6, 2026


TL;DR

The Buildkite failure is from the Check go sources step detecting a dirty tree after mage check; specifically packages/entityanalytics_ad/_dev/deploy/docker/ldap-mock-service/main.go is rewritten during CI but that update was not committed.

Remediation

  • From the PR branch, run mage check at repo root and commit any resulting changes (at minimum packages/entityanalytics_ad/_dev/deploy/docker/ldap-mock-service/main.go).
  • Re-run the same CI check (.buildkite/scripts/check_sources.sh) or push the commit and confirm the Check go sources step is clean.
Investigation details

Root Cause

check_sources.sh runs mage -v check and then enforces a clean working tree via check_git_diff (.buildkite/scripts/check_sources.sh#L11-L14). In this build, that post-check diff check fails because the repository becomes dirty with:

  • packages/entityanalytics_ad/_dev/deploy/docker/ldap-mock-service/main.go: needs update

That indicates source normalization/generation expected by mage check was not fully committed in the PR.

Evidence

--- Check if any files modified
git update-index
packages/entityanalytics_ad/_dev/deploy/docker/ldap-mock-service/main.go: needs update
🚨 Error: The command exited with status 1

Verification

  • Not run locally in this workflow (read-only detective pass); conclusion is based on Buildkite logs and repository check script behavior.

Follow-up

If mage check produces unexpected edits repeatedly, capture git diff -- packages/entityanalytics_ad/_dev/deploy/docker/ldap-mock-service/main.go from the PR branch and include it in the next CI run for pinpointing the exact formatter/generator rule.

Note

🔒 Integrity filter blocked 3 items

The following items were blocked because they don't meet the GitHub integrity level.

  • entityanalytics_ad: add support for empty Active Directory groups #18235 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #18235 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #18235 search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: PR Buildkite Detective

@efd6 efd6 force-pushed the 16519-entityanalitics_ad branch 2 times, most recently from 326ee8f to 322c534 Compare May 6, 2026 06:23
@elastic-vault-github-plugin-prod


🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review May 6, 2026 06:57
@efd6 efd6 requested a review from a team as a code owner May 6, 2026 06:57
@infra-vault-gh-plugin-prod


Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@chrisberkhout chrisberkhout left a comment


The commit description and the new group pipeline description both mention empty groups specifically.

I see the new option in the input config to include empty groups. Do we get information about non-empty groups? If so, is that existing data that's getting new support (pipeline and data stream) or is that data new?

Can you please rewrite the commit description and pipeline description to clarify the difference between existing and new support for groups, and empty vs non-empty groups.

@efd6 efd6 force-pushed the 16519-entityanalitics_ad branch from 322c534 to feef661 Compare May 20, 2026 21:58
@efd6 efd6 requested a review from a team as a code owner May 20, 2026 21:58
@efd6

efd6 commented May 20, 2026


Can you please rewrite the commit description and pipeline description to clarify the difference between existing and new support for groups, and empty vs non-empty groups.

Done. PTAL

@efd6 efd6 requested a review from chrisberkhout May 20, 2026 21:58
@chrisberkhout chrisberkhout reopened this May 21, 2026
@chrisberkhout


Sorry for the close/reopen. I hit the wrong button.

@chrisberkhout chrisberkhout left a comment


Can you please rewrite the commit description and pipeline description to clarify the difference between existing and new support for groups, and empty vs non-empty groups.

Done. PTAL

Thanks! That's much clearer.

Another possibility would be to have the empty group docs in the user data stream, just without the user fields, so they line up with existing group data. But keeping them separate probably is better, and it's well explained in the README, etc.


It's separate from this change, but the LLM caught a point where the proposed commit message differs from the implementation. The proposed commit message says:

their names and SIDs appear within user and device entities via the user.group and device.group fields

However, for devices, they're put into user.group, and that's what we see in the existing pipeline test output.

Comment thread packages/entityanalytics_ad/data_stream/group/fields/beats.yml
Comment thread packages/entityanalytics_ad/data_stream/group/manifest.yml Outdated
efd6 added 2 commits May 22, 2026 07:58
Wire the include_empty_groups option from the beats input into the
integration package. This adds a group ingest pipeline, a routing
rule to direct group documents to a dedicated data stream, ECS and
vendor field definitions for groups, and a new group data stream
with its own manifest and field files.

The entity pipeline dispatch is updated to recognise group documents
(ctx.group.id != null) and the fallback entity pipeline condition
now excludes them. Pipeline tags are corrected to distinguish user,
device, and group dispatch.
Add a gldap-based LDAP mock server that serves synthetic user, device,
and group entries for local and CI testing without a real Active
Directory server.

Add a script test (routed_data_streams.txt) that verifies documents
are routed from the entity data stream to the user, device, and group
destination data streams. This covers a gap in the standard system
test runner which cannot assert on routed data streams.

Also add a pipeline test for the group ingest pipeline and a system
test config wired to the LDAP mock.
@efd6 efd6 force-pushed the 16519-entityanalitics_ad branch from feef661 to d2027b1 Compare May 21, 2026 22:33
@efd6 efd6 requested a review from chrisberkhout May 21, 2026 22:33
@elasticmachine


💚 Build Succeeded

History

cc @efd6

@efd6 efd6 merged commit f7d9727 into elastic:main May 22, 2026
11 checks passed
@elastic-vault-github-plugin-prod


Package entityanalytics_ad - 0.19.0 containing this change is available at https://epr.elastic.co/package/entityanalytics_ad/0.19.0/

tejasc-metron pushed a commit to metron-labs/Doppel-Elastic-Security-SIEM that referenced this pull request May 25, 2026
herrBez pushed a commit to herrBez/integrations that referenced this pull request Jun 1, 2026