x-pack/filebeat/input/entityanalytics/provider/okta: collect enrolled devices for users #49813

Merged
chemamartinez merged 5 commits into elastic:main from chemamartinez:49780-entityanalytics_okta-get-enrolled-devices
Apr 6, 2026

@chemamartinez chemamartinez commented Mar 31, 2026

Proposed commit message

x-pack/filebeat/input/entityanalytics/provider/okta: collect enrolled devices for users

Adds enrolled_devices as a new optional value for the enrich_with
configuration option in the Okta entity analytics provider. When enabled,
each user is enriched with the list of devices enrolled for that user via
the List User Devices[1] Okta API endpoint (GET /api/v1/users/{userId}/devices).

The enrichment is opt-in and excluded from the default configuration to avoid
the extra per-user API call that would increase Okta rate limit consumption.
The enrolled devices are published in the devices field of the user event,
following the same pattern as existing enrichments (groups, roles, factors).

[1]: https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userresources/other/listuserdevices

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Related issues

@chemamartinez chemamartinez requested a review from efd6 March 31, 2026 14:44
@chemamartinez chemamartinez self-assigned this Mar 31, 2026
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Mar 31, 2026
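
The opt-in behaviour described in the proposed commit message, sketched as an added example that is not code from this PR or from Beats. The names `enrich` and `demo`, the user IDs and the response body are constructed, and the HTTP client is assumed to attach the Okta credential itself.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"slices"
)

// enrich returns each user's devices and the number of API calls spent: one
// GET /api/v1/users/{userId}/devices per user, and only when enrichWith opts in.
// Assumption: c's transport already attaches the Okta credential.
func enrich(c *http.Client, base string, ids, enrichWith []string) (map[string][]map[string]any, int, error) {
	devs := map[string][]map[string]any{}
	if !slices.Contains(enrichWith, "enrolled_devices") {
		return devs, 0, nil // default configuration: no extra requests
	}
	for n, id := range ids {
		resp, err := c.Get(base + "/api/v1/users/" + url.PathEscape(id) + "/devices")
		if err != nil {
			return devs, n + 1, err
		}
		var list []map[string]any // decoded generically: the page does not show the schema
		if resp.StatusCode == http.StatusOK {
			err = json.NewDecoder(resp.Body).Decode(&list)
		} else {
			err = fmt.Errorf("user %s: %s", id, resp.Status) // e.g. 429 when rate limited
		}
		resp.Body.Close()
		if err != nil {
			return devs, n + 1, err
		}
		devs[id] = list
	}
	return devs, len(ids), nil
}

// demo runs enrich for two constructed users against a local stand-in for the Okta API.
func demo(enrichWith []string) (map[string][]map[string]any, int, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `[{"device":{"id":"constructed-device-1","status":"ACTIVE"}}]`) // constructed body
	}))
	defer srv.Close()
	return enrich(srv.Client(), srv.URL, []string{"u1", "u2"}, enrichWith)
}

func main() { fmt.Println(demo([]string{"groups", "enrolled_devices"})) }
```

The second return value is the request count the enrichment adds per sync, which grows linearly with the number of users.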
@github-actions

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

mergify bot commented Mar 31, 2026

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @chemamartinez? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@chemamartinez chemamartinez marked this pull request as ready for review March 31, 2026 14:51
@chemamartinez chemamartinez requested review from a team as code owners March 31, 2026 14:51
@elasticmachine
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

coderabbitai bot commented Mar 31, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 4f02c27 and 17be832.

📒 Files selected for processing (5)
  • docs/reference/filebeat/filebeat-input-entity-analytics.md
  • x-pack/filebeat/input/entityanalytics/provider/okta/conf.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/okta.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go
🚧 Files skipped from review as they are similar to previous changes (3)
  • x-pack/filebeat/input/entityanalytics/provider/okta/okta.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/conf.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go

📝 Walkthrough

Introduces an opt-in devices enrichment (alias enrolled_devices) for the Okta entity analytics provider. When enabled, Filebeat calls Okta’s List User Devices API per user and attaches returned devices to each user record. Adds GetUserDevices, persists a Devices []okta.Device field in the user state-store, includes devices in published user documents, updates config/docs/comments to list devices, extends tests, and adds a changelog fragment. The enrichment is disabled by default.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Linked Issues check | ✅ Passed | PR successfully implements all objectives from #49780: adds optional device enrichment via Okta's List User Devices API endpoint, excludes from defaults to avoid rate-limit pressure, and follows existing enrichment patterns. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to device enrichment feature: documentation updates, configuration field updates, API wrapper function, enrichment logic, state persistence, and tests. |

@efd6 efd6 left a comment

Query only then LGTM

@chemamartinez chemamartinez added the backport-9.3 Automated backport to the 9.3 branch label Apr 1, 2026
@chemamartinez chemamartinez removed the backport-9.3 Automated backport to the 9.3 branch label Apr 3, 2026

mergify bot commented Apr 3, 2026

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @chemamartinez? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

mergify bot commented Apr 6, 2026

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 49780-entityanalytics_okta-get-enrolled-devices upstream/49780-entityanalytics_okta-get-enrolled-devices
git merge upstream/main
git push upstream 49780-entityanalytics_okta-get-enrolled-devices

@chemamartinez chemamartinez merged commit 771c572 into elastic:main Apr 6, 2026
33 of 36 checks passed

Development

Successfully merging this pull request may close these issues.

x-pack/filebeat/input/entityanalytics/provider/okta: add enrichment to obtain owns relationship

4 participants