[Entity Analytics] Active Directory #8559

Closed · 4 of 19 tasks
jamiehynds opened this issue Nov 22, 2023 · 3 comments · Fixed by #9485

Labels: 8.13 candidate; Category: Security Initiatives (used for SI planning); Epic; New Integration (Issue or pull request for creating a new integration package); Team:Security-Service Integrations (Security Service Integrations Team [elastic/security-service-integrations]); v8.13.0

jamiehynds commented Nov 22, 2023

Description

Now that we have integrations to ingest contextual information relating to user/group/device data from Azure EntraID (formerly AzureAD), we need to ensure that users who have now moved to EntraID and are still running Active Directory on-premises have the ability to ingest the same user/group/device data.

Our Active Directory Entity Analytics integration should have the ability to connect to Active Directory (presumably via LDAP) and ingest data such as usernames, department, title, group membership, last login, locked out status, last password change date and more. We can explore the full set of fields once we've figured out the LDAP connection and what fields are available to us.

As a user of the Security Solution I want to continuously sync user metadata from an Okta organization into Elasticsearch. Data is produced in accordance with RFC 2022-09-07-user-host-entity-ingestion.

Acceptance Criteria

  • Collect user data from Active Directory via a new provider in the entity_analytics Filebeat input.
  • Generate one document per user that includes group membership data
  • Periodically get a list of users that were modified or deprovisioned and generate new documents
  • Persist data to disk that allows the input to resume from previous state

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

  • Change follows the contributing guidelines
  • Supported versions of the monitoring target are documented
  • Supported operating systems are documented (if applicable)
  • Integration or System tests exist
  • Documentation exists
  • Fields follow ECS and naming conventions
  • At least a manual test with ES / Kibana / Agent has been performed.
  • Required Kibana version set to: v8.13.0

New Package

  • Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

  • Dashboards exist
  • Screenshots added or updated
  • Datastream filters added to visualizations

Log dataset changes

  • Pipeline tests exist (if applicable)
  • Generated output for at least 1 log file exists
  • Sample event (sample_event.json) exists
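The attribute-to-document mapping and incremental sync sketched in the description and acceptance criteria (one document per user with group membership, periodic pickup of modified users, a resumable watermark), as an added Python example that is not code from this issue or from the Filebeat entity_analytics input. It assumes LDAP results arrive as string-valued dictionaries and uses standard AD attributes (sAMAccountName, memberOf, pwdLastSet, lockoutTime, lastLogonTimestamp, userAccountControl, whenChanged); the `ad.*` field names and the sample entries are the example's own.

```python
from datetime import datetime, timedelta, timezone
# Windows FILETIME: 100-ns ticks since 1601-01-01 UTC (pwdLastSet, lockoutTime, lastLogonTimestamp).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_iso(value):
    """AD FILETIME string to ISO-8601; 0 and the int64 max both mean 'not set'."""
    ticks = int(value)
    if ticks <= 0 or ticks == 0x7FFFFFFFFFFFFFFF:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()

def generalized_time(value):
    """whenChanged is LDAP GeneralizedTime, e.g. 20231122101530.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

def user_document(entry):
    """One document per user; group names come from the CN of each memberOf DN."""
    groups = [dn.split(",", 1)[0].split("=", 1)[1] for dn in entry.get("memberOf", [])]
    return {
        "user": {"name": entry["sAMAccountName"], "full_name": entry.get("displayName"),
                 "group": {"name": groups}},  # ECS user.* fields
        "ad": {  # sub-field names here are this example's own, not the integration's
            "title": entry.get("title"), "department": entry.get("department"),
            "last_logon": filetime_to_iso(entry.get("lastLogonTimestamp", "0")),
            "password_last_set": filetime_to_iso(entry.get("pwdLastSet", "0")),
            # lockoutTime is only reset on the next successful logon, so this is "last locked
            # out at", not proof that the account is locked right now.
            "locked_out_at": filetime_to_iso(entry.get("lockoutTime", "0")),
            "disabled": bool(int(entry.get("userAccountControl", "0")) & 0x2),  # ACCOUNTDISABLE
        },
    }

def sync(entries, state):
    """Emit documents for users changed strictly after the persisted watermark; return new state.
    Strict '>' can miss a change made in the same second as the watermark; '>=' would re-emit."""
    mark = state.get("when_changed")
    docs = []
    for e in entries:
        if mark is None or generalized_time(e["whenChanged"]) > generalized_time(mark):
            docs.append(user_document(e))
    changed = [e["whenChanged"] for e in entries] + ([mark] if mark else [])
    newest = max(changed, key=generalized_time) if changed else None
    return docs, {"when_changed": newest}  # caller persists this to disk between runs

# Constructed sample entries (not real directory data), shaped like a string-valued LDAP result.
SAMPLE = [
    {"sAMAccountName": "jdoe", "displayName": "Jane Doe", "title": "Analyst", "department": "SOC",
     "memberOf": ["CN=SOC Analysts,OU=Groups,DC=example,DC=test", "CN=VPN Users,OU=Groups,DC=example,DC=test"],
     "pwdLastSet": "133448736000000000", "lockoutTime": "0", "lastLogonTimestamp": "133449600000000000",
     "userAccountControl": "512", "whenChanged": "20231122101530.0Z"},
    {"sAMAccountName": "svc_old", "memberOf": [], "pwdLastSet": "0", "lockoutTime": "133449000000000000",
     "lastLogonTimestamp": "0", "userAccountControl": "514", "whenChanged": "20231001080000.0Z"},
]
```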

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds jamiehynds added the New Integration Issue or pull request for creating a new integration package. label Nov 22, 2023
@jamiehynds (Author)

Related issue: #4278

@SourinPaul

@jamiehynds this issue is currently not in the security-teams repo. Hence, I could not assign the v8.13.0 label to this issue.

Can you please update this label? Thanks!
