@efd6 efd6 commented Oct 14, 2025

Proposed commit message

entityanalytics_ad: improve field mappings for device entities

Test sample provided by user with sanitisation.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

@efd6 efd6 self-assigned this Oct 14, 2025
@efd6 efd6 added the enhancement (New feature or request), Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]) and Integration:entityanalytics_ad (Active Directory Entity Analytics) labels Oct 14, 2025
@efd6 efd6 force-pushed the 15150-entityanalytics_ad branch from c5ae185 to 5778c3e Compare October 14, 2025 01:56

elastic-vault-github-plugin-prod bot commented Oct 14, 2025

🚀 Benchmarks report

Package entityanalytics_ad 👍(0) 💚(0) 💔(1)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
| --- | --- | --- | --- | --- |
| entity | 1418.44 | 909.92 | -508.52 (-35.85%) | 💔 |

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review October 14, 2025 02:23
@efd6 efd6 requested a review from a team as a code owner October 14, 2025 02:23
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 force-pushed the 15150-entityanalytics_ad branch from 7c55810 to 5778c3e Compare October 14, 2025 03:39
- script:
lang: painless
ignore_failure: false
tag: Set User Account Control
Contributor

Suggested change
tag: Set User Account Control
tag: script_set_user_account_control

Following the convention used inside this pipeline already.

},
"related": {
"hosts": [
"CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local",
Contributor

Not sure if related.hosts is a good place for adding distinguished names. WDYT?

Contributor

@kcreddy kcreddy Oct 21, 2025

Copying from host.name (ex: test12009.org.test.local) might be a better fit.

Contributor Author

Yeah, host.name should be in there. I'm wondering though if the DN is not an "alias" per the documentation (yes, this is tenuous). We could do both.

Contributor

Sounds good

@elasticmachine

💚 Build Succeeded

cc @efd6

@efd6 efd6 requested a review from kcreddy October 22, 2025 00:33
@efd6 efd6 merged commit b03d358 into elastic:main Oct 22, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package entityanalytics_ad - 0.17.0 containing this change is available at https://epr.elastic.co/package/entityanalytics_ad/0.17.0/

Development

Successfully merging this pull request may close these issues.

entityanalytics_ad: improve ecs mappings