elastic · efd6 · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025 · kcreddy
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.17.0"
+  changes:
+    - description: Improve field mappings for device entities.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15642
 - version: "0.16.0"
   changes:
     - description: Add support for collection device entities.

@@ -0,0 +1,138 @@
+{
+    "events": [
+        {
+            "@timestamp": "2025-10-09T21:34:29.084Z",
+            "activedirectory": {
+                "device": {
+                    "account_expires": "9223372036854775807",
+                    "account_never_expires": true,
+                    "bad_password_time": "133251039041149826",
+                    "bad_pwd_count": "0",
+                    "cn": "TEST12009",
+                    "dNSHostName": "TEST12009.org.test.local",
+                    "description": "Kretts, Topsy",
+                    "distinguished_name": "CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local",
+                    "instance_type": "4",
+                    "is_critical_system_object": false,
+                    "last_logon": "2025-10-07T13:39:18.7867226Z",
+                    "last_logon_timestamp": "2025-09-30T14:42:35.7840088Z",
+                    "logon_count": "2275",
+                    "member_of": [
+                        "CN=GPOD Office Updates,OU=User Groups,DC=org,DC=test,DC=local",
+                        "CN=GPOD Test Defender for Endpoint,OU=User Groups,DC=org,DC=test,DC=local",
+                        "CN=GPOD Windows 11,OU=User Groups,DC=org,DC=test,DC=local",
+                        "CN=GPOD Applocker Enforce,OU=User Groups,DC=org,DC=test,DC=local",
+                        "CN=GPOD Office 365 & OneDrive,OU=User Groups,DC=org,DC=test,DC=local",
+                        "CN=GPOD Remote Desktop,OU=User Groups,DC=org,DC=test,DC=local"
+                    ],
+                    "name": "TEST12009",
+                    "object_class": [
+                        "top",
+                        "person",
+                        "organizationalPerson",
+                        "user",
+                        "computer"
+                    ],
+                    "object_guid": "5d02cebc-ffd5-4903-ad8e-d9ef36cd6cbb",
+                    "object_sid": "S-1-5-21-1133191089-1850170202-1535859923-274531",
+                    "operatingSystem": "Windows 11 Enterprise",
+                    "operatingSystemVersion": "10.0 (26100)",
+                    "privileged_group_member": false,
+                    "pwd_last_set": "2025-09-10T13:45:36.9983472Z",
+                    "sam_account_name": "TEST12009$",
+                    "service_principal_name": [
+                        "WSMAN/TEST12009",
+                        "WSMAN/TEST12009.org.test.local",
+                        "TERMSRV/TEST12009",
+                        "TERMSRV/TEST12009.org.test.local",
+                        "RestrictedKrbHost/TEST12009",
+                        "HOST/TEST12009",
+                        "RestrictedKrbHost/TEST12009.org.test.local",
+                        "HOST/TEST12009.org.test.local"
+                    ],
+                    "when_changed": "2025-09-30T14:42:41Z",
+                    "when_created": "2022-03-02T21:14:42Z"
+                },
+                "groups": [
+                    {
+                        "distinguished_name": "CN=GPOD Office Updates,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Office Updates",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "36ef7eb9-0dac-4c83-8e7d-990dd25b1369",
+                        "sam_account_name": "GPOD Office Updates",
+                        "when_changed": "2025-10-09T14:02:02Z"
+                    },
+                    {
+                        "distinguished_name": "CN=GPOD Test Defender for Endpoint,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Test Defender for Endpoint",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "894d8230-aa33-4344-9d96-da049c82e9cf",
+                        "sam_account_name": "GPOD Test Defender for Endpoint",
+                        "when_changed": "2022-09-14T02:04:25Z"
+                    },
+                    {
+                        "distinguished_name": "CN=GPOD Windows 11,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Windows 11",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "f6533b99-a816-4408-a5a5-493ef2a22381",
+                        "sam_account_name": "GPOD Windows 11",
+                        "when_changed": "2025-10-09T21:11:28Z"
+                    },
+                    {
+                        "distinguished_name": "CN=GPOD Applocker Enforce,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Applocker Enforce",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "d4ae2b30-7032-4fc2-b9c1-a369ff12f6d9",
+                        "sam_account_name": "GPOD Applocker Enforce",
+                        "when_changed": "2025-07-14T15:14:38Z"
+                    },
+                    {
+                        "distinguished_name": "CN=GPOD Office 365 & OneDrive,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Office 365 & OneDrive",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "2c526d70-2f92-41bb-bbd9-67a614ca09a6",
+                        "sam_account_name": "GPOD Office 365 & OneDrive",
+                        "when_changed": "2025-10-09T21:11:28Z"
+                    },
+                    {
+                        "distinguished_name": "CN=GPOD Remote Desktop,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Remote Desktop",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "d7798c2b-9b53-498a-b65e-57f0653fc669",
+                        "sam_account_name": "GPOD Remote Desktop",
+                        "when_changed": "2025-10-09T18:45:27Z"
+                    }
+                ],
+                "id": "CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local",
+                "when_changed": "2025-10-09T21:11:28Z"
+            },
+            "event": {
+                "action": "device-discovered"
+            },
+            "labels": {
+                "identity_source": "entity-analytics-entityanalytics_ad.device-8c3c1f67-428d-4a95-a6de-69a2b8f952c3"
+            },
+            "device": {
+                "id": "CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local"
+            }
+        }
+    ]
+}
@@ -0,0 +1,197 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-10-09T21:34:29.084Z",
+            "asset": {
+                "category": "entity",
+                "create_date": "2022-03-02T21:14:42.000Z",
+                "id": "S-1-5-21-1133191089-1850170202-1535859923-274531",
+                "last_updated": "2025-09-30T14:42:41.000Z",
+                "name": "test12009.org.test.local",
+                "type": "activedirectory_user"
+            },
+            "data_stream": {
+                "dataset": "entityanalytics_ad.device",
+                "namespace": "default",
+                "type": "logs"
+            },
+            "device": {
+                "id": "S-1-5-21-1133191089-1850170202-1535859923-274531"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "entityanalytics_ad": {
+                "device": {
+                    "account_expires": "9223372036854775807",
+                    "account_never_expires": true,
+                    "bad_password_time": "133251039041149826",
+                    "bad_pwd_count": "0",
+                    "cn": "TEST12009",
+                    "description": "Kretts, Topsy",
+                    "distinguished_name": "CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local",
+                    "dns_host_name": "TEST12009.org.test.local",
+                    "instance_type": "4",
+                    "is_critical_system_object": false,
+                    "last_logon": "2025-10-07T13:39:18.7867226Z",
+                    "last_logon_timestamp": "2025-09-30T14:42:35.7840088Z",
+                    "logon_count": "2275",
+                    "member_of": [
+                        "CN=GPOD Office Updates,OU=User Groups,DC=org,DC=test,DC=local",
+                        "CN=GPOD Test Defender for Endpoint,OU=User Groups,DC=org,DC=test,DC=local",
+                        "CN=GPOD Windows 11,OU=User Groups,DC=org,DC=test,DC=local",
+                        "CN=GPOD Applocker Enforce,OU=User Groups,DC=org,DC=test,DC=local",
+                        "CN=GPOD Office 365 & OneDrive,OU=User Groups,DC=org,DC=test,DC=local",
+                        "CN=GPOD Remote Desktop,OU=User Groups,DC=org,DC=test,DC=local"
+                    ],
+                    "name": "TEST12009",
+                    "object_class": [
+                        "top",
+                        "person",
+                        "organizationalPerson",
+                        "user",
+                        "computer"
+                    ],
+                    "object_dn": "CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local",
+                    "object_guid": "5d02cebc-ffd5-4903-ad8e-d9ef36cd6cbb",
+                    "object_sid": "S-1-5-21-1133191089-1850170202-1535859923-274531",
+                    "operating_system": "Windows 11 Enterprise",
+                    "operating_system_version": "10.0 (26100)",
+                    "privileged_group_member": false,
+                    "pwd_last_set": "2025-09-10T13:45:36.9983472Z",
+                    "sam_account_name": "TEST12009$",
+                    "service_principal_name": [
+                        "WSMAN/TEST12009",
+                        "WSMAN/TEST12009.org.test.local",
+                        "TERMSRV/TEST12009",
+                        "TERMSRV/TEST12009.org.test.local",
+                        "RestrictedKrbHost/TEST12009",
+                        "HOST/TEST12009",
+                        "RestrictedKrbHost/TEST12009.org.test.local",
+                        "HOST/TEST12009.org.test.local"
+                    ],
+                    "when_changed": "2025-09-30T14:42:41Z",
+                    "when_created": "2022-03-02T21:14:42Z"
+                },
+                "groups": [
+                    {
+                        "distinguished_name": "CN=GPOD Office Updates,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Office Updates",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "36ef7eb9-0dac-4c83-8e7d-990dd25b1369",
+                        "sam_account_name": "GPOD Office Updates",
+                        "when_changed": "2025-10-09T14:02:02Z"
+                    },
+                    {
+                        "distinguished_name": "CN=GPOD Test Defender for Endpoint,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Test Defender for Endpoint",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "894d8230-aa33-4344-9d96-da049c82e9cf",
+                        "sam_account_name": "GPOD Test Defender for Endpoint",
+                        "when_changed": "2022-09-14T02:04:25Z"
+                    },
+                    {
+                        "distinguished_name": "CN=GPOD Windows 11,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Windows 11",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "f6533b99-a816-4408-a5a5-493ef2a22381",
+                        "sam_account_name": "GPOD Windows 11",
+                        "when_changed": "2025-10-09T21:11:28Z"
+                    },
+                    {
+                        "distinguished_name": "CN=GPOD Applocker Enforce,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Applocker Enforce",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "d4ae2b30-7032-4fc2-b9c1-a369ff12f6d9",
+                        "sam_account_name": "GPOD Applocker Enforce",
+                        "when_changed": "2025-07-14T15:14:38Z"
+                    },
+                    {
+                        "distinguished_name": "CN=GPOD Office 365 & OneDrive,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Office 365 & OneDrive",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "2c526d70-2f92-41bb-bbd9-67a614ca09a6",
+                        "sam_account_name": "GPOD Office 365 & OneDrive",
+                        "when_changed": "2025-10-09T21:11:28Z"
+                    },
+                    {
+                        "distinguished_name": "CN=GPOD Remote Desktop,OU=User Groups,DC=org,DC=test,DC=local",
+                        "name": "GPOD Remote Desktop",
+                        "object_class": [
+                            "top",
+                            "group"
+                        ],
+                        "object_guid": "d7798c2b-9b53-498a-b65e-57f0653fc669",
+                        "sam_account_name": "GPOD Remote Desktop",
+                        "when_changed": "2025-10-09T18:45:27Z"
+                    }
+                ],
+                "when_changed": "2025-10-09T21:11:28Z"
+            },
+            "event": {
+                "category": [
+                    "iam"
+                ],
+                "kind": "asset",
+                "type": [
+                    "info"
+                ]
+            },
+            "host": {
+                "domain": "org.test.local",
+                "hostname": "TEST12009",
+                "name": "test12009.org.test.local",
+                "os": {
+                    "full": "Windows 11 Enterprise",
+                    "version": "10.0 (26100)"
+                }
+            },
+            "labels": {
+                "identity_source": "entity-analytics-entityanalytics_ad.device-8c3c1f67-428d-4a95-a6de-69a2b8f952c3"
+            },
+            "related": {
+                "hosts": [
+                    "CN=TEST12009,OU=Policy Exception 3,OU=Computers,OU=Information Technology Services,OU=Executive,OU=Users and Computers,DC=org,DC=test,DC=local",
+                    "5d02cebc-ffd5-4903-ad8e-d9ef36cd6cbb"
+                ],
+                "user": [
+                    "TEST12009$"
+                ]
+            },
+            "tags": [
+                "preserve_duplicate_custom_fields"
+            ],
+            "user": {
+                "account": {
+                    "password_change_date": "2025-09-10T13:45:36.998Z"
+                },
+                "group": {
+                    "name": [
+                        "GPOD Applocker Enforce",
+                        "GPOD Office 365 & OneDrive",
+                        "GPOD Test Defender for Endpoint",
+                        "GPOD Remote Desktop",
+                        "GPOD Office Updates",
+                        "GPOD Windows 11"
+                    ]
+                },
+                "name": "TEST12009$"
+            }
+        }
+    ]
+}
@@ -365,4 +365,4 @@
             }
         }
     ]
-}
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -365,4 +365,4 @@ @@
                 }
             }
         ]
-    }
+    }