-
Notifications
You must be signed in to change notification settings - Fork 456
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
entityanalytics_ad: new package for Active Directory user collection #9485
Conversation
ea9362e
to
8cc3eb1
Compare
8cc3eb1
to
092b4e3
Compare
Unfortunately, I am unable to run an active directory server on my M2 mac. Only testbuild versions of VirtualBox are available for ARM-based chips, and when I try to boot up a Windows 2022 ISO on that testbuild VirtualBox, it runs into a critical error.
|
@jaredburgettelastic Thanks. The field use here reflect the use in the Okta EA package. The fields that are mapped are the ones that were available for me to identify absent any documentation for the expected fields in the AD LDAP schema. From what you've raised, given the use in the Okta package, I think that this is likely OK to merge from the schema perspective with the anticipation that additional fields will be identified in future that will direct further ECS mappings being added. Does that sound reasonable to you? |
These were included for imformational purposes during early review and are kept in the PR history for future reference.
🚀 Benchmarks reportTo see the full report comment with |
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
@efd6 Sure thing, we can take an iterative approach. Thank you! |
packages/entityanalytics_ad/data_stream/user/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/entityanalytics_ad/data_stream/user/elasticsearch/ingest_pipeline/entity.yml
Show resolved
Hide resolved
💚 Build Succeeded
History
cc @efd6 |
Quality Gate passedIssues Measures |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Package entityanalytics_ad - 0.0.1 containing this change is available at https://epr.elastic.co/search?package=entityanalytics_ad |
commit e2a688fbb1c8712ba0cad243713146867ac2f986 Author: milan-elastic <[email protected]> Date: Wed May 1 15:43:52 2024 +0530 Squashed commit of the following: commit a17de73aa84608f67a1baca4c094819b562e42e0 Author: milan-elastic <“[email protected]”> Date: Wed May 1 15:29:41 2024 +0530 Squashed commit of the following: commit fccdb1f83f0048b07df6ee82fbd91ca432c799b9 Author: milan-elastic <[email protected]> Date: Wed May 1 14:58:41 2024 +0530 add global filter on dashboard level for hadoop commit 686e49be78dc980b2f12d365580cb800fd7cf330 Merge: 024d864b4 01201a7 Author: “milan-elastic” <“[email protected]”> Date: Wed May 1 11:38:59 2024 +0530 Merge branch 'main' of github.com:milan-elastic/integrations into mongodb-atlas-database-logs commit 01201a7 Author: Eric Forte <[email protected]> Date: Tue Apr 30 10:46:55 2024 -0400 [Security Rules] Update security rules package to v8.13.5 (elastic#9762) * [Security Rules] Update security rules package to v8.13.5 * Add changelog entry for 8.13.5 --------- Co-authored-by: protectionsmachine <[email protected]> commit c9d1f1b Author: Eric Forte <[email protected]> Date: Tue Apr 30 09:30:30 2024 -0400 [Security Rules] Update security rules package to v8.13.5-beta.1 (elastic#9758) * [Security Rules] Update security rules package to v8.13.5-beta.1 * Add changelog entry for 8.13.5-beta.1 --------- Co-authored-by: protectionsmachine <[email protected]> commit a79f813 Author: Tetiana Kravchenko <[email protected]> Date: Tue Apr 30 11:32:37 2024 +0200 [kubernetes] Remove deprecated fields, add missing status.last_terminated_reason metric (elastic#9736) * remove deprecated fields Signed-off-by: Tetiana Kravchenko <[email protected]> * Update changelog.yml * add missing metric: last_terminated_reason; update description of the status.reason field Signed-off-by: Tetiana Kravchenko <[email protected]> --------- Signed-off-by: Tetiana Kravchenko <[email protected]> commit b1627a3 Author: ShourieG <[email protected]> Date: Tue Apr 30 13:03:29 2024 +0530 [integrations][http_endpoint] - Converted HTTP Endpoint Integration to input type (elastic#9732) * converted http_endpoint to input package type * updated changelog * updated original event in sample event commit 3a9b508 Author: Lalit Satapathy <[email protected]> Date: Tue Apr 30 11:49:09 2024 +0530 Remove separate codeowners for system package kibana paths. (elastic#9731) commit c90e817 Author: Krishna Chaitanya Reddy Burri <[email protected]> Date: Tue Apr 30 11:32:17 2024 +0530 [Crowdstrike,Azure] Fix flaky tests with ECS fields (elastic#9738) * Fix flaky pipeline tests. * `azure.graphactivitylogs`: Add missing ECS field definitions. * `crowdstrike.falcon`: Update `geoip` processor to `destination` instead of `source`. commit ace8fb4 Author: Aliabbas Attarwala <[email protected]> Date: Mon Apr 29 16:37:23 2024 +0530 [O11y][AWS] Rally benchmark `aws.cloudtrail` (elastic#9448) commit d4e4aa4 Author: niraj-elastic <[email protected]> Date: Mon Apr 29 14:45:46 2024 +0530 [Apache] Update grok pattern for accepting user-identity (elastic#9632) * update grok pattern * update changelog * address review comments * address review comments Co-authored-by: muthu-mps <[email protected]> * address review comments * address review comment --------- Co-authored-by: muthu-mps <[email protected]> commit dce5699 Author: Mario Rodriguez Molins <[email protected]> Date: Mon Apr 29 10:33:19 2024 +0200 Enable publishing packages from integrations-publish pipeline (elastic#9712) Enable publishing packages from integrations-publish pipeline, and remove corresponding step from the main pipeline. commit c7bc530 Author: Chema Martínez <[email protected]> Date: Sat Apr 27 08:57:55 2024 +0200 [zscaler_zia] Fix mapping of source.ip and source.nat.ip (elastic#9727) * Fix mapping of source.ip and source.nat.ip * Update changelog * updated web datastream pipeline tests --------- Co-authored-by: Shourie Ganguly <[email protected]> commit 4750ea8 Author: Mario Rodriguez Molins <[email protected]> Date: Fri Apr 26 13:09:53 2024 +0200 [nginx] Update nginx config to listen in ipv6 too (elastic#9720) commit 25b0988 Author: Mario Rodriguez Molins <[email protected]> Date: Fri Apr 26 10:45:03 2024 +0200 [Buildkite] Update filter to use api source (elastic#9717) commit 45327cf Author: Mario Rodriguez Molins <[email protected]> Date: Fri Apr 26 10:13:22 2024 +0200 [Buildkite] Update filter condition to allow just from webhook source (elastic#9714) commit 024d864b49f1dd333529f96e06de6dec15aac703 Author: milan-elastic <[email protected]> Date: Fri Apr 26 13:00:47 2024 +0530 add dashboard level filter for apache tomcat commit 1cb5fad Author: Dan Kortschak <[email protected]> Date: Fri Apr 26 16:23:35 2024 +0930 entityanalytics_ad: new package for Active Directory user collection (elastic#9485) commit 37c598f Author: CarsonHrusovsky <[email protected]> Date: Thu Apr 25 18:13:26 2024 -0500 [BBOT] New integration for Black Lantern Security scanner (elastic#9651) commit d13e474 Author: Mario Rodriguez Molins <[email protected]> Date: Thu Apr 25 11:55:39 2024 +0200 [Buildkite] Skip install package command in serverless builds for some packages (elastic#9686) commit 0c2198b Author: Mario Rodriguez Molins <[email protected]> Date: Thu Apr 25 11:41:42 2024 +0200 [Buildkite] Add retry suffix for logs (elastic#9703) commit d932e79 Author: Simon Kötting <[email protected]> Date: Thu Apr 25 07:35:45 2024 +0200 [Exchange Server] GA of Integration, Add Dashbord Panel Titles & System Tests (elastic#9560) * Add Dashboard Titles * Add Dashboard Titles * Change Version to GA * adjust PR in Changelog * Add System Tests to all datstreams * fix imap system test config * remove Folder structure out of system tests sample logs * Fix mapping * Add convert for inode field * specify numeric_keyword_fields in system tests commit dba2901 Author: Dan Kortschak <[email protected]> Date: Thu Apr 25 10:21:30 2024 +0930 rapid7_insightvm: canonicalize host.name to lower case and map subdomain to host.hostname (elastic#9665) commit 4284262 Author: Panos Koutsovasilis <[email protected]> Date: Wed Apr 24 20:34:13 2024 +0300 fix(fim): add auto option for backend and make it the default one (elastic#9702) commit c563bb3 Author: Panos Koutsovasilis <[email protected]> Date: Wed Apr 24 19:40:04 2024 +0300 [juniper_netscreen]: include log.file.device_id and log.file.inode in base-fields (elastic#9658) * fix(juniper_netscreen): include log.file.device_id and log.file.inode in base-fields.yml * fix(juniper_netscreen): update README.md commit f187d0d Author: Panos Koutsovasilis <[email protected]> Date: Wed Apr 24 19:11:28 2024 +0300 [juniper_junos]: include log.file.device_id and log.file.inode in base-fields (elastic#9657) * fix(juniper_junos): include log.file.device_id and log.file.inode in base-fields.yml * fix(juniper_junos): update README.md
@mbudge yep, it's available. 8.14 is the minimum required Kibana version though, so won't appear until you're running 8.14. Also check to make sure the 'Display beta integrations' toggle is enabled (under the categories in Fleet). That often catches folks out when integrations are in beta/tech preview. |
When testing the work of the Entity_AD integration, I found that the settings of the integration itself are limited to the directory "CN=Users" at the program level. For example, most of our users do not find "CN=Users" in the directory, and in the settings I cannot set a user path that does not include "CN=Users" for "Active Directory User", because I get an error in the logs, too refers to the "Active Directory Base DN" setting, it is not possible to specify the root "Base DN" to read the assets of all users in Active Directory. If this is not done, the integration will be inferior to use and will have limited functionality. |
Proposed commit message
See title.
Checklist
changelog.yml
file.Author's Checklist
How to test this PR locally
System testing requires an external Active Directory server to collect the user details from. Set this up or get access to an existing server.
This testing depends on 8.14.0-SHAPSHOT including f871b5c5f76b45c5724599d49bd0b0909959783d. The current DRA does not. It is possible to get around this by bringing up the stack as normal with
elastic-package
and inserting a copy of the relevant filebeat into the docker agent filesystem. First start an 8.13.0 stack.In the x-pack/filebeat directory:
Then in the integrations repo in the entityanalytics_ad package directory:
(assumes GNU
sed
; if on another OS, install and usegsed
)Related issues
Screenshots