Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

entityanalytics_ad: new package for Active Directory user collection #9485

Merged
merged 3 commits into from
Apr 26, 2024

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Apr 2, 2024

Proposed commit message

See title.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

System testing requires an external Active Directory server to collect the user details from. Set this up or get access to an existing server.

This testing depends on 8.14.0-SHAPSHOT including f871b5c5f76b45c5724599d49bd0b0909959783d. The current DRA does not. It is possible to get around this by bringing up the stack as normal with elastic-package and inserting a copy of the relevant filebeat into the docker agent filesystem. First start an 8.13.0 stack.

In the x-pack/filebeat directory:

PACKAGES=tar.gz PLATFORMS=linux/amd64 DEV=true SNAPSHOT=true mage -v package
tar zxvf build/distributions/filebeat-8.14.0-SNAPSHOT-linux-x86_64.tar.gz filebeat-8.14.0-SNAPSHOT-linux-x86_64/filebeat
elastic-package stack up -v -d --version=8.13.0
docker cp filebeat-8.14.0-SNAPSHOT-linux-x86_64/filebeat <container ID>:/usr/share/elastic-agent/data/elastic-agent-1eb18c/components

Then in the integrations repo in the entityanalytics_ad package directory:

AD_ADDR=<ldap host url> # e.g. ldap://localhost
AD_USER=<ldap user> # e.g. CN=Administrator,CN=Users,DC=testserver,DC=local
AD_PASS=<password>
AD_BASE_DN=<base dn> # e.g. CN=Users,DC=testserver,DC=local
sed -i -r "\
    s|ldapurl|${AD_ADDR}|; \
    s/ldapbasedn/${AD_BASE_DN}/; \
    s/ldapuser/${AD_USER}/; \
    s/ldappassword/${AD_PASS}/; \
" data_stream/user/_dev/test/system/test-default-config.yml
elastic-package stack up -v -d --version=8.14.0-SNAPSHOT # See note above about stack version; do not run this if the filebeat build was required.
eval "$(elastic-package stack shellinit)"
elastic-package test system

(assumes GNU sed; if on another OS, install and use gsed)

Related issues

Screenshots

Front page

Config UI

@efd6 efd6 added enhancement New feature or request Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Apr 2, 2024
@efd6 efd6 self-assigned this Apr 2, 2024
@efd6 efd6 force-pushed the 8559-activedirectory branch 2 times, most recently from ea9362e to 8cc3eb1 Compare April 2, 2024 03:03
@efd6 efd6 force-pushed the 8559-activedirectory branch from 8cc3eb1 to 092b4e3 Compare April 2, 2024 03:04
@jaredburgettelastic
Copy link

Unfortunately, I am unable to run an active directory server on my M2 mac. Only testbuild versions of VirtualBox are available for ARM-based chips, and when I try to boot up a Windows 2022 ISO on that testbuild VirtualBox, it runs into a critical error.
So with that said, right now I can only provide feedback based on the information in the PR and the active directory specs. Hope some of this is helpful:

  • In the ingest pipeline, I see a single field being mapped to user.account.* , specifically password_change_date . Is there any reason for only that field? I see a couple others that seem like they would map directly to the "exported fields", such as user.account.change_date and user.account.create_date mapping to when_changed and when_created, respectively. I also don't see user.account.* defined in ECS today, is this something that is planned to be added to ECS? https://www.elastic.co/guide/en/ecs/8.13/ecs-user.html#ecs-user-nestings
  • Each entityanalytics_ad record has a groups field and a user field. My assumption is that they correspond to one another (i.e., "this user belongs to these groups"). If that is true, we should be able to provide a mapping to the ECS user.group.* field. Here is where ECS defines that nested mapping for user.group.* , and here is where ECS defines what groups can contain.
  • Lastly, I don't see anything regarding email addresses being mapped, but it's also not in any of the sample data. It would be great if I could have gotten an AD server set up to see if it indeed allows for/provides email data, but at the very least I see a few attributes in the AD spec that should corresponding to it (here and here). If we have this data, it would be mapped to user.email .

@efd6
Copy link
Contributor Author

efd6 commented Apr 13, 2024

@jaredburgettelastic Thanks.

The field use here reflect the use in the Okta EA package. The fields that are mapped are the ones that were available for me to identify absent any documentation for the expected fields in the AD LDAP schema.

From what you've raised, given the use in the Okta package, I think that this is likely OK to merge from the schema perspective with the anticipation that additional fields will be identified in future that will direct further ECS mappings being added. Does that sound reasonable to you?

These were included for imformational purposes during early review and
are kept in the PR history for future reference.
@elasticmachine
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review April 14, 2024 21:34
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 requested a review from a team April 14, 2024 21:34
@jaredburgettelastic
Copy link

@efd6 Sure thing, we can take an iterative approach. Thank you!

@efd6 efd6 changed the title entitiyanalytics_ad: new package for Active Directory user collection entityanalytics_ad: new package for Active Directory user collection Apr 16, 2024
@efd6 efd6 requested a review from chemamartinez April 25, 2024 22:17
@elasticmachine
Copy link

💚 Build Succeeded

History

cc @efd6

Copy link
Contributor

@chemamartinez chemamartinez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@efd6 efd6 merged commit 1cb5fad into elastic:main Apr 26, 2024
5 checks passed
@elasticmachine
Copy link

Package entityanalytics_ad - 0.0.1 containing this change is available at https://epr.elastic.co/search?package=entityanalytics_ad

milan-elastic added a commit to milan-elastic/integrations that referenced this pull request May 1, 2024
commit e2a688fbb1c8712ba0cad243713146867ac2f986
Author: milan-elastic <[email protected]>
Date:   Wed May 1 15:43:52 2024 +0530

    Squashed commit of the following:

    commit a17de73aa84608f67a1baca4c094819b562e42e0
    Author: milan-elastic <“[email protected]”>
    Date:   Wed May 1 15:29:41 2024 +0530

        Squashed commit of the following:

        commit fccdb1f83f0048b07df6ee82fbd91ca432c799b9
        Author: milan-elastic <[email protected]>
        Date:   Wed May 1 14:58:41 2024 +0530

            add global filter on dashboard level for hadoop

        commit 686e49be78dc980b2f12d365580cb800fd7cf330
        Merge: 024d864b4 01201a7
        Author: “milan-elastic” <“[email protected]”>
        Date:   Wed May 1 11:38:59 2024 +0530

            Merge branch 'main' of github.com:milan-elastic/integrations into mongodb-atlas-database-logs

        commit 01201a7
        Author: Eric Forte <[email protected]>
        Date:   Tue Apr 30 10:46:55 2024 -0400

            [Security Rules] Update security rules package to v8.13.5 (elastic#9762)

            * [Security Rules] Update security rules package to v8.13.5

            * Add changelog entry for 8.13.5

            ---------

            Co-authored-by: protectionsmachine <[email protected]>

        commit c9d1f1b
        Author: Eric Forte <[email protected]>
        Date:   Tue Apr 30 09:30:30 2024 -0400

            [Security Rules] Update security rules package to v8.13.5-beta.1 (elastic#9758)

            * [Security Rules] Update security rules package to v8.13.5-beta.1

            * Add changelog entry for 8.13.5-beta.1

            ---------

            Co-authored-by: protectionsmachine <[email protected]>

        commit a79f813
        Author: Tetiana Kravchenko <[email protected]>
        Date:   Tue Apr 30 11:32:37 2024 +0200

            [kubernetes] Remove deprecated fields, add missing status.last_terminated_reason metric (elastic#9736)

            * remove deprecated fields

            Signed-off-by: Tetiana Kravchenko <[email protected]>

            * Update changelog.yml

            * add missing metric: last_terminated_reason; update description of the status.reason field

            Signed-off-by: Tetiana Kravchenko <[email protected]>

            ---------

            Signed-off-by: Tetiana Kravchenko <[email protected]>

        commit b1627a3
        Author: ShourieG <[email protected]>
        Date:   Tue Apr 30 13:03:29 2024 +0530

            [integrations][http_endpoint] - Converted HTTP Endpoint Integration to input type (elastic#9732)

            * converted http_endpoint to input package type

            * updated changelog

            * updated original event in sample event

        commit 3a9b508
        Author: Lalit Satapathy <[email protected]>
        Date:   Tue Apr 30 11:49:09 2024 +0530

            Remove separate codeowners for system package kibana paths. (elastic#9731)

        commit c90e817
        Author: Krishna Chaitanya Reddy Burri <[email protected]>
        Date:   Tue Apr 30 11:32:17 2024 +0530

            [Crowdstrike,Azure] Fix flaky tests with ECS fields (elastic#9738)

            * Fix flaky pipeline tests.

               * `azure.graphactivitylogs`: Add missing ECS field definitions.

               * `crowdstrike.falcon`: Update `geoip` processor to `destination` instead of `source`.

        commit ace8fb4
        Author: Aliabbas Attarwala <[email protected]>
        Date:   Mon Apr 29 16:37:23 2024 +0530

            [O11y][AWS] Rally benchmark `aws.cloudtrail` (elastic#9448)

        commit d4e4aa4
        Author: niraj-elastic <[email protected]>
        Date:   Mon Apr 29 14:45:46 2024 +0530

            [Apache] Update grok pattern for accepting user-identity (elastic#9632)

            * update grok pattern

            * update changelog

            * address review comments

            * address review comments

            Co-authored-by: muthu-mps <[email protected]>

            * address review comments

            * address review comment

            ---------

            Co-authored-by: muthu-mps <[email protected]>

        commit dce5699
        Author: Mario Rodriguez Molins <[email protected]>
        Date:   Mon Apr 29 10:33:19 2024 +0200

            Enable publishing packages from integrations-publish pipeline (elastic#9712)

            Enable publishing packages from integrations-publish pipeline,
            and remove corresponding step from the main pipeline.

        commit c7bc530
        Author: Chema Martínez <[email protected]>
        Date:   Sat Apr 27 08:57:55 2024 +0200

            [zscaler_zia] Fix mapping of source.ip and source.nat.ip (elastic#9727)

            * Fix mapping of source.ip and source.nat.ip

            * Update changelog

            * updated web datastream pipeline tests

            ---------

            Co-authored-by: Shourie Ganguly <[email protected]>

        commit 4750ea8
        Author: Mario Rodriguez Molins <[email protected]>
        Date:   Fri Apr 26 13:09:53 2024 +0200

            [nginx] Update nginx config to listen in ipv6 too (elastic#9720)

        commit 25b0988
        Author: Mario Rodriguez Molins <[email protected]>
        Date:   Fri Apr 26 10:45:03 2024 +0200

            [Buildkite] Update filter to use api source (elastic#9717)

        commit 45327cf
        Author: Mario Rodriguez Molins <[email protected]>
        Date:   Fri Apr 26 10:13:22 2024 +0200

            [Buildkite] Update filter condition to allow just from webhook source (elastic#9714)

        commit 024d864b49f1dd333529f96e06de6dec15aac703
        Author: milan-elastic <[email protected]>
        Date:   Fri Apr 26 13:00:47 2024 +0530

            add dashboard level filter for apache tomcat

        commit 1cb5fad
        Author: Dan Kortschak <[email protected]>
        Date:   Fri Apr 26 16:23:35 2024 +0930

            entityanalytics_ad: new package for Active Directory user collection (elastic#9485)

        commit 37c598f
        Author: CarsonHrusovsky <[email protected]>
        Date:   Thu Apr 25 18:13:26 2024 -0500

            [BBOT] New integration for Black Lantern Security scanner (elastic#9651)

        commit d13e474
        Author: Mario Rodriguez Molins <[email protected]>
        Date:   Thu Apr 25 11:55:39 2024 +0200

            [Buildkite] Skip install package command in serverless builds for some packages (elastic#9686)

        commit 0c2198b
        Author: Mario Rodriguez Molins <[email protected]>
        Date:   Thu Apr 25 11:41:42 2024 +0200

            [Buildkite] Add retry suffix for logs (elastic#9703)

        commit d932e79
        Author: Simon Kötting <[email protected]>
        Date:   Thu Apr 25 07:35:45 2024 +0200

            [Exchange Server] GA of Integration, Add Dashbord Panel Titles & System Tests (elastic#9560)

            * Add Dashboard Titles

            * Add Dashboard Titles

            * Change Version to GA

            * adjust PR in Changelog

            * Add System Tests to all datstreams

            * fix imap system test config

            * remove Folder structure out of system tests sample logs

            * Fix mapping

            * Add convert for inode field

            * specify numeric_keyword_fields in system tests

        commit dba2901
        Author: Dan Kortschak <[email protected]>
        Date:   Thu Apr 25 10:21:30 2024 +0930

            rapid7_insightvm: canonicalize host.name to lower case and map subdomain to host.hostname (elastic#9665)

        commit 4284262
        Author: Panos Koutsovasilis <[email protected]>
        Date:   Wed Apr 24 20:34:13 2024 +0300

            fix(fim): add auto option for backend and make it the default one (elastic#9702)

        commit c563bb3
        Author: Panos Koutsovasilis <[email protected]>
        Date:   Wed Apr 24 19:40:04 2024 +0300

            [juniper_netscreen]: include log.file.device_id and log.file.inode in base-fields (elastic#9658)

            * fix(juniper_netscreen): include log.file.device_id and log.file.inode in base-fields.yml

            * fix(juniper_netscreen): update README.md

        commit f187d0d
        Author: Panos Koutsovasilis <[email protected]>
        Date:   Wed Apr 24 19:11:28 2024 +0300

            [juniper_junos]: include log.file.device_id and log.file.inode in base-fields (elastic#9657)

            * fix(juniper_junos): include log.file.device_id and log.file.inode in base-fields.yml

            * fix(juniper_junos): update README.md
@mbudge
Copy link

mbudge commented Jun 19, 2024

Is this integration available yet?

I can't see it on the available integrations.

Thanks

Screenshot 2024-06-19 at 16 27 22

@jamiehynds
Copy link

@mbudge yep, it's available. 8.14 is the minimum required Kibana version though, so won't appear until you're running 8.14.

Also check to make sure the 'Display beta integrations' toggle is enabled (under the categories in Fleet). That often catches folks out when integrations are in beta/tech preview.

@Gelios7
Copy link

Gelios7 commented Jun 28, 2024

When testing the work of the Entity_AD integration, I found that the settings of the integration itself are limited to the directory "CN=Users" at the program level. For example, most of our users do not find "CN=Users" in the directory, and in the settings I cannot set a user path that does not include "CN=Users" for "Active Directory User", because I get an error in the logs, too refers to the "Active Directory Base DN" setting, it is not possible to specify the root "Base DN" to read the assets of all users in Active Directory.
For example, our users are on different paths:
CN=test_user,OU=technical_account,OU=Admins,DC=test,DC=doman,DC=int
That is, you need to be able to specify the "Active Directory Base DN" or the root path: DC=test,DC=doman,DC=int or specify several paths where users are located:
OU=technical_account,OU=Admins,DC=test,DC=doman,DC=int
OU=Administrator_users ,OU=Admins,DC=test,DC=doman,DC=int
OU=Main_Office_Users ,DC=test,DC=domain,DC=int
The first option, in my opinion, will be correct, because the connector will see all users in the domain.
This also applies to the "Active Directory User" setting, it is necessary to be able to specify the path to any user, not only those included in the path "CN=Users", for example:
CN=test_user,OU=technical_account,OU=Admins,DC=test,DC=doman,DC=int

If this is not done, the integration will be inferior to use and will have limited functionality.
I can assume that the same situation can be for "device" assets.

@andrewkroh andrewkroh added the Integration:entityanalytics_ad Active Directory Entity Analytics label Jul 22, 2024
@andrewkroh andrewkroh added the New Integration Issue or pull request for creating a new integration package. label Aug 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request Integration:entityanalytics_ad Active Directory Entity Analytics New Integration Issue or pull request for creating a new integration package. Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Entity Analytics] Active Directory
8 participants