
Commit b03d358

authored
entityanalytics_ad: improve field mappings for device entities (#15642)
Test sample provided by user with sanitisation.
1 parent 532c964 commit b03d358

9 files changed

+826
-238
lines changed


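--- a/packages/entityanalytics_ad/changelog.yml
+++ b/packages/entityanalytics_ad/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.17.0"
+  changes:
+    - description: Improve field mappings for device entities.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15642
 - version: "0.16.0"
   changes:
     - description: Add support for collection device entities.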
Lines changed: 138 additions & 0 deletions
@@ -0,0 +1,138 @@
1+
{
2+
"events": [
3+
{
4+
"@timestamp": "2025-10-09T21:34:29.084Z",
5+
"activedirectory": {
6+
"device": {
7+
"account_expires": "9223372036854775807",
8+
"account_never_expires": true,
9+
"bad_password_time": "133251039041149826",
10+
"bad_pwd_count": "0",
11+
"cn": "TEST12009",
12+
"dNSHostName": "TEST12009.org.test.local",
13+
"description": "Kretts, Topsy",
14+
"distinguished_name": "CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local",
15+
"instance_type": "4",
16+
"is_critical_system_object": false,
17+
"last_logon": "2025-10-07T13:39:18.7867226Z",
18+
"last_logon_timestamp": "2025-09-30T14:42:35.7840088Z",
19+
"logon_count": "2275",
20+
"member_of": [
21+
"CN=GPOD Office Updates,OU=User Groups,DC=org,DC=test,DC=local",
22+
"CN=GPOD Test Defender for Endpoint,OU=User Groups,DC=org,DC=test,DC=local",
23+
"CN=GPOD Windows 11,OU=User Groups,DC=org,DC=test,DC=local",
24+
"CN=GPOD Applocker Enforce,OU=User Groups,DC=org,DC=test,DC=local",
25+
"CN=GPOD Office 365 & OneDrive,OU=User Groups,DC=org,DC=test,DC=local",
26+
"CN=GPOD Remote Desktop,OU=User Groups,DC=org,DC=test,DC=local"
27+
],
28+
"name": "TEST12009",
29+
"object_class": [
30+
"top",
31+
"person",
32+
"organizationalPerson",
33+
"user",
34+
"computer"
35+
],
36+
"object_guid": "5d02cebc-ffd5-4903-ad8e-d9ef36cd6cbb",
37+
"object_sid": "S-1-5-21-1133191089-1850170202-1535859923-274531",
38+
"operatingSystem": "Windows 11 Enterprise",
39+
"operatingSystemVersion": "10.0 (26100)",
40+
"privileged_group_member": false,
41+
"pwd_last_set": "2025-09-10T13:45:36.9983472Z",
42+
"sam_account_name": "TEST12009$",
43+
"service_principal_name": [
44+
"WSMAN/TEST12009",
45+
"WSMAN/TEST12009.org.test.local",
46+
"TERMSRV/TEST12009",
47+
"TERMSRV/TEST12009.org.test.local",
48+
"RestrictedKrbHost/TEST12009",
49+
"HOST/TEST12009",
50+
"RestrictedKrbHost/TEST12009.org.test.local",
51+
"HOST/TEST12009.org.test.local"
52+
],
53+
"when_changed": "2025-09-30T14:42:41Z",
54+
"when_created": "2022-03-02T21:14:42Z"
55+
},
56+
"groups": [
57+
{
58+
"distinguished_name": "CN=GPOD Office Updates,OU=User Groups,DC=org,DC=test,DC=local",
59+
"name": "GPOD Office Updates",
60+
"object_class": [
61+
"top",
62+
"group"
63+
],
64+
"object_guid": "36ef7eb9-0dac-4c83-8e7d-990dd25b1369",
65+
"sam_account_name": "GPOD Office Updates",
66+
"when_changed": "2025-10-09T14:02:02Z"
67+
},
68+
{
69+
"distinguished_name": "CN=GPOD Test Defender for Endpoint,OU=User Groups,DC=org,DC=test,DC=local",
70+
"name": "GPOD Test Defender for Endpoint",
71+
"object_class": [
72+
"top",
73+
"group"
74+
],
75+
"object_guid": "894d8230-aa33-4344-9d96-da049c82e9cf",
76+
"sam_account_name": "GPOD Test Defender for Endpoint",
77+
"when_changed": "2022-09-14T02:04:25Z"
78+
},
79+
{
80+
"distinguished_name": "CN=GPOD Windows 11,OU=User Groups,DC=org,DC=test,DC=local",
81+
"name": "GPOD Windows 11",
82+
"object_class": [
83+
"top",
84+
"group"
85+
],
86+
"object_guid": "f6533b99-a816-4408-a5a5-493ef2a22381",
87+
"sam_account_name": "GPOD Windows 11",
88+
"when_changed": "2025-10-09T21:11:28Z"
89+
},
90+
{
91+
"distinguished_name": "CN=GPOD Applocker Enforce,OU=User Groups,DC=org,DC=test,DC=local",
92+
"name": "GPOD Applocker Enforce",
93+
"object_class": [
94+
"top",
95+
"group"
96+
],
97+
"object_guid": "d4ae2b30-7032-4fc2-b9c1-a369ff12f6d9",
98+
"sam_account_name": "GPOD Applocker Enforce",
99+
"when_changed": "2025-07-14T15:14:38Z"
100+
},
101+
{
102+
"distinguished_name": "CN=GPOD Office 365 & OneDrive,OU=User Groups,DC=org,DC=test,DC=local",
103+
"name": "GPOD Office 365 & OneDrive",
104+
"object_class": [
105+
"top",
106+
"group"
107+
],
108+
"object_guid": "2c526d70-2f92-41bb-bbd9-67a614ca09a6",
109+
"sam_account_name": "GPOD Office 365 & OneDrive",
110+
"when_changed": "2025-10-09T21:11:28Z"
111+
},
112+
{
113+
"distinguished_name": "CN=GPOD Remote Desktop,OU=User Groups,DC=org,DC=test,DC=local",
114+
"name": "GPOD Remote Desktop",
115+
"object_class": [
116+
"top",
117+
"group"
118+
],
119+
"object_guid": "d7798c2b-9b53-498a-b65e-57f0653fc669",
120+
"sam_account_name": "GPOD Remote Desktop",
121+
"when_changed": "2025-10-09T18:45:27Z"
122+
}
123+
],
124+
"id": "CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local",
125+
"when_changed": "2025-10-09T21:11:28Z"
126+
},
127+
"event": {
128+
"action": "device-discovered"
129+
},
130+
"labels": {
131+
"identity_source": "entity-analytics-entityanalytics_ad.device-8c3c1f67-428d-4a95-a6de-69a2b8f952c3"
132+
},
133+
"device": {
134+
"id": "CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local"
135+
}
136+
}
137+
]
138+
}
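Review bot: The `description` value `"Kretts, Topsy"` on the device record (line 13 of this fixture) reads like a person's surname and given name, even though the commit message says the user-provided sample was sanitised; it is presumably an owner annotation copied from the source directory, so please confirm it is synthetic before it lands in a public repository. The `object_sid`, `object_guid` and the six group GUIDs are well-formed, which is fine for a fixture provided they are likewise not real identifiers from the contributor's domain. The file has no path header in this view, so the fixture's location could not be checked against the expected-output file that follows.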
Lines changed: 198 additions & 0 deletions
@@ -0,0 +1,198 @@
1+
{
2+
"expected": [
3+
{
4+
"@timestamp": "2025-10-09T21:34:29.084Z",
5+
"asset": {
6+
"category": "entity",
7+
"create_date": "2022-03-02T21:14:42.000Z",
8+
"id": "S-1-5-21-1133191089-1850170202-1535859923-274531",
9+
"last_updated": "2025-09-30T14:42:41.000Z",
10+
"name": "test12009.org.test.local",
11+
"type": "activedirectory_user"
12+
},
13+
"data_stream": {
14+
"dataset": "entityanalytics_ad.device",
15+
"namespace": "default",
16+
"type": "logs"
17+
},
18+
"device": {
19+
"id": "S-1-5-21-1133191089-1850170202-1535859923-274531"
20+
},
21+
"ecs": {
22+
"version": "8.11.0"
23+
},
24+
"entityanalytics_ad": {
25+
"device": {
26+
"account_expires": "9223372036854775807",
27+
"account_never_expires": true,
28+
"bad_password_time": "133251039041149826",
29+
"bad_pwd_count": "0",
30+
"cn": "TEST12009",
31+
"description": "Kretts, Topsy",
32+
"distinguished_name": "CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local",
33+
"dns_host_name": "TEST12009.org.test.local",
34+
"instance_type": "4",
35+
"is_critical_system_object": false,
36+
"last_logon": "2025-10-07T13:39:18.7867226Z",
37+
"last_logon_timestamp": "2025-09-30T14:42:35.7840088Z",
38+
"logon_count": "2275",
39+
"member_of": [
40+
"CN=GPOD Office Updates,OU=User Groups,DC=org,DC=test,DC=local",
41+
"CN=GPOD Test Defender for Endpoint,OU=User Groups,DC=org,DC=test,DC=local",
42+
"CN=GPOD Windows 11,OU=User Groups,DC=org,DC=test,DC=local",
43+
"CN=GPOD Applocker Enforce,OU=User Groups,DC=org,DC=test,DC=local",
44+
"CN=GPOD Office 365 & OneDrive,OU=User Groups,DC=org,DC=test,DC=local",
45+
"CN=GPOD Remote Desktop,OU=User Groups,DC=org,DC=test,DC=local"
46+
],
47+
"name": "TEST12009",
48+
"object_class": [
49+
"top",
50+
"person",
51+
"organizationalPerson",
52+
"user",
53+
"computer"
54+
],
55+
"object_dn": "CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local",
56+
"object_guid": "5d02cebc-ffd5-4903-ad8e-d9ef36cd6cbb",
57+
"object_sid": "S-1-5-21-1133191089-1850170202-1535859923-274531",
58+
"operating_system": "Windows 11 Enterprise",
59+
"operating_system_version": "10.0 (26100)",
60+
"privileged_group_member": false,
61+
"pwd_last_set": "2025-09-10T13:45:36.9983472Z",
62+
"sam_account_name": "TEST12009$",
63+
"service_principal_name": [
64+
"WSMAN/TEST12009",
65+
"WSMAN/TEST12009.org.test.local",
66+
"TERMSRV/TEST12009",
67+
"TERMSRV/TEST12009.org.test.local",
68+
"RestrictedKrbHost/TEST12009",
69+
"HOST/TEST12009",
70+
"RestrictedKrbHost/TEST12009.org.test.local",
71+
"HOST/TEST12009.org.test.local"
72+
],
73+
"when_changed": "2025-09-30T14:42:41Z",
74+
"when_created": "2022-03-02T21:14:42Z"
75+
},
76+
"groups": [
77+
{
78+
"distinguished_name": "CN=GPOD Office Updates,OU=User Groups,DC=org,DC=test,DC=local",
79+
"name": "GPOD Office Updates",
80+
"object_class": [
81+
"top",
82+
"group"
83+
],
84+
"object_guid": "36ef7eb9-0dac-4c83-8e7d-990dd25b1369",
85+
"sam_account_name": "GPOD Office Updates",
86+
"when_changed": "2025-10-09T14:02:02Z"
87+
},
88+
{
89+
"distinguished_name": "CN=GPOD Test Defender for Endpoint,OU=User Groups,DC=org,DC=test,DC=local",
90+
"name": "GPOD Test Defender for Endpoint",
91+
"object_class": [
92+
"top",
93+
"group"
94+
],
95+
"object_guid": "894d8230-aa33-4344-9d96-da049c82e9cf",
96+
"sam_account_name": "GPOD Test Defender for Endpoint",
97+
"when_changed": "2022-09-14T02:04:25Z"
98+
},
99+
{
100+
"distinguished_name": "CN=GPOD Windows 11,OU=User Groups,DC=org,DC=test,DC=local",
101+
"name": "GPOD Windows 11",
102+
"object_class": [
103+
"top",
104+
"group"
105+
],
106+
"object_guid": "f6533b99-a816-4408-a5a5-493ef2a22381",
107+
"sam_account_name": "GPOD Windows 11",
108+
"when_changed": "2025-10-09T21:11:28Z"
109+
},
110+
{
111+
"distinguished_name": "CN=GPOD Applocker Enforce,OU=User Groups,DC=org,DC=test,DC=local",
112+
"name": "GPOD Applocker Enforce",
113+
"object_class": [
114+
"top",
115+
"group"
116+
],
117+
"object_guid": "d4ae2b30-7032-4fc2-b9c1-a369ff12f6d9",
118+
"sam_account_name": "GPOD Applocker Enforce",
119+
"when_changed": "2025-07-14T15:14:38Z"
120+
},
121+
{
122+
"distinguished_name": "CN=GPOD Office 365 & OneDrive,OU=User Groups,DC=org,DC=test,DC=local",
123+
"name": "GPOD Office 365 & OneDrive",
124+
"object_class": [
125+
"top",
126+
"group"
127+
],
128+
"object_guid": "2c526d70-2f92-41bb-bbd9-67a614ca09a6",
129+
"sam_account_name": "GPOD Office 365 & OneDrive",
130+
"when_changed": "2025-10-09T21:11:28Z"
131+
},
132+
{
133+
"distinguished_name": "CN=GPOD Remote Desktop,OU=User Groups,DC=org,DC=test,DC=local",
134+
"name": "GPOD Remote Desktop",
135+
"object_class": [
136+
"top",
137+
"group"
138+
],
139+
"object_guid": "d7798c2b-9b53-498a-b65e-57f0653fc669",
140+
"sam_account_name": "GPOD Remote Desktop",
141+
"when_changed": "2025-10-09T18:45:27Z"
142+
}
143+
],
144+
"when_changed": "2025-10-09T21:11:28Z"
145+
},
146+
"event": {
147+
"category": [
148+
"iam"
149+
],
150+
"kind": "asset",
151+
"type": [
152+
"info"
153+
]
154+
},
155+
"host": {
156+
"domain": "org.test.local",
157+
"hostname": "TEST12009",
158+
"name": "test12009.org.test.local",
159+
"os": {
160+
"full": "Windows 11 Enterprise",
161+
"version": "10.0 (26100)"
162+
}
163+
},
164+
"labels": {
165+
"identity_source": "entity-analytics-entityanalytics_ad.device-8c3c1f67-428d-4a95-a6de-69a2b8f952c3"
166+
},
167+
"related": {
168+
"hosts": [
169+
"test12009.org.test.local",
170+
"CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local",
171+
"5d02cebc-ffd5-4903-ad8e-d9ef36cd6cbb"
172+
],
173+
"user": [
174+
"TEST12009$"
175+
]
176+
},
177+
"tags": [
178+
"preserve_duplicate_custom_fields"
179+
],
180+
"user": {
181+
"account": {
182+
"password_change_date": "2025-09-10T13:45:36.998Z"
183+
},
184+
"group": {
185+
"name": [
186+
"GPOD Applocker Enforce",
187+
"GPOD Office 365 & OneDrive",
188+
"GPOD Test Defender for Endpoint",
189+
"GPOD Remote Desktop",
190+
"GPOD Office Updates",
191+
"GPOD Windows 11"
192+
]
193+
},
194+
"name": "TEST12009$"
195+
}
196+
}
197+
]
198+
}
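Review bot: The expected document pins `"type": "activedirectory_user"` under `asset` (line 11 of this file) for a computer object whose `data_stream.dataset` is `entityanalytics_ad.device`; if the pipeline derives the asset type from `object_class` (which here contains `user`) rather than from the dataset, every device will be classified as a user asset and land in user-oriented dashboards and rules. If that is deliberate for computer accounts it needs a comment in the pipeline; otherwise this expectation should be a device-specific type and the pipeline corrected. Two smaller points: `related.hosts` (lines 168–172) carries the full distinguished name and the object GUID next to the FQDN, and neither is a host name, so correlation on that field will pick up noise; and `bad_password_time` (line 28) is still the raw FILETIME string `"133251039041149826"` while its sibling timestamps such as `last_logon` are RFC 3339, so either convert it or document that it is intentionally left raw. `host.name` is lowercased but `host.hostname` keeps `"TEST12009"`, which is worth a one-line comment in the pipeline if the asymmetry is intended.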

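--- a/packages/entityanalytics_ad/data_stream/entity/_dev/test/pipeline/test-user.json
+++ b/packages/entityanalytics_ad/data_stream/entity/_dev/test/pipeline/test-user.json
@@ -365,4 +365,4 @@
 }
 }
 ]
-}
+}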
