
EntityAnalytics AD: add support for ECS entity fields #18337

Draft
chemamartinez wants to merge 8 commits into elastic:main from chemamartinez:18288-entityanalytics_ad-entity-fields

Conversation

@chemamartinez (Contributor) commented Apr 10, 2026

Proposed commit message

Adds ECS entity field support to the Entity Analytics
Active Directory integration for both users and devices.

Maps UAC flags, last logon timestamp, and DN-valued
attributes (`directReports`, `managedObjects`, `managedBy`)
to `user.entity.*` and `host.entity.*` fields covering MFA status,
domain management, last activity, and org relationships
(supervises, owns, administered_by).

DN values are parsed into structured `{id, name, domain}` arrays.
All three relationship attributes are collected by default,
but a note in the `User Attributes` setting warns that specifying
any value there switches the request to an explicit list, dropping
these attributes unless added manually.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

Related issues

@chemamartinez chemamartinez self-assigned this Apr 10, 2026
@chemamartinez chemamartinez added enhancement New feature or request Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:entityanalytics_ad Active Directory Entity Analytics labels Apr 10, 2026
@github-actions (Contributor)

Vale Linting Results

Summary: 2 warnings found

⚠️ Warnings (2)
| File | Line | Rule | Message |
| --- | --- | --- | --- |
| packages/entityanalytics_ad/docs/README.md | 350 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/entityanalytics_ad/docs/README.md | 351 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @chemamartinez

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Apr 10, 2026
```painless
int start = 0;
def dcParts = new ArrayList();
boolean cnFound = false;
while (start < dn.length()) {
```

🟢 Low packages/entityanalytics_ad/data_stream/entity/elasticsearch/ingest_pipeline/device.yml:265

The `parseDn` function in the `set_device_relationships` script splits Distinguished Names by searching for bare commas with `dn.indexOf(',', start)`. Active Directory DNs can contain escaped commas within values (e.g., `CN=Smith\, John,DC=example,DC=com`). When a DN contains an escaped comma, the parser incorrectly splits at the escaped comma, producing wrong `name` and `domain` values in `host.entity.relationships`.

```painless
}
return result;
}
def buildRel(def dns) {
```

🟢 Low packages/entityanalytics_ad/data_stream/entity/elasticsearch/ingest_pipeline/device.yml:286

In the `buildRel` function, when a DN lacks a `CN=` or `DC=` component, the corresponding `name` or `domain` entry is skipped entirely while `id` is still added. This produces arrays of mismatched lengths — for example, 3 IDs but only 2 names — making it impossible for consumers to correlate which name belongs to which ID by index. Consider restructuring to emit parallel arrays where each position corresponds across fields, such as an array of objects where each object contains the matched `id`, `name`, and `domain` for a single DN.
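Both review comments above concern the same DN handling: the split must honour RFC 4514 escapes, and the output should be one `{id, name, domain}` object per DN so the fields cannot go out of step. The following is an added Python rendering of that logic, not the PR's Painless script; the sample DNs, the function names and the choice to join the DC values with dots are assumptions made here.

```python
import re

# Constructed sample DNs (not from the PR): #2 has an escaped comma, #3 no CN.
SAMPLE_DNS = [
    "CN=WS-ADMIN01,OU=Workstations,DC=example,DC=com",
    r"CN=Smith\, John,OU=Users,DC=example,DC=com",
    "OU=Servers,DC=corp,DC=example,DC=com",
]

# One RDN token: a hex-pair escape (\2C), a single-char escape (\,) or a plain char.
TOKEN = re.compile(r"\\[0-9A-Fa-f]{2}|\\.|[^\\]")

def split_dn(dn):
    """Split a DN on unescaped commas only; escape pairs stay inside their value."""
    parts, buf = [], []
    for tok in TOKEN.findall(dn):
        if tok == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(tok)
    parts.append("".join(buf))
    return parts

def unescape_rdn_value(value):
    """Decode RFC 4514 escapes: '\\,' -> ',' and '\\2C' -> ','."""
    out = bytearray()
    for tok in TOKEN.findall(value):
        if len(tok) == 3:                  # \XX: one hex-encoded byte
            out.append(int(tok[1:], 16))
        elif len(tok) == 2:                # \c: the literal character c
            out.extend(tok[1].encode())
        else:
            out.extend(tok.encode())
    return out.decode("utf-8", errors="replace")

def parse_dn(dn):
    """Return one {id, name, domain} object for a DN: name is the first CN value,
    domain joins the DC values with dots (an assumption made here). Missing
    components become None rather than being skipped."""
    cn, dcs = None, []
    for rdn in split_dn(dn):
        attr, _, raw = rdn.strip().partition("=")
        if attr.upper() == "CN" and cn is None:
            cn = unescape_rdn_value(raw)
        elif attr.upper() == "DC":
            dcs.append(unescape_rdn_value(raw))
    return {"id": dn, "name": cn, "domain": ".".join(dcs) if dcs else None}

def build_relationships(dns):
    """One object per DN, so id, name and domain never drift out of step."""
    return [parse_dn(dn) for dn in dns]
```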


Development

Successfully merging this pull request may close these issues.

Entity Analytics Active Directory: add support for entity fields
