
Build new input for ingesting user and group metadata from Azure AD #33866

Closed
14 tasks done
taylor-swanson opened this issue Nov 29, 2022 · 1 comment · Fixed by #34305
Comments

taylor-swanson commented Nov 29, 2022

Follow up issue to fully implement the proof of concept developed in: https://github.com/elastic/security-team/issues/5088

This input will support an integration that will produce user entity data that is locally enriched with the user's groups from Azure Active Directory (Azure AD). Data is produced in accordance with RFC 2022-09-07-user-host-entity-ingestion.

Discussions have also occurred around whether this input should be added to filebeat or if a new beat should be created. We are leaning towards adding to filebeat, since the new V2 architecture for agent inputs intends for filebeat and other beats to be obsoleted.

Regardless of whether a new beat is created or filebeat is used, we may also need to create a new persistence mechanism to store user and group metadata. The existing registry may work for small directories with few users and groups, but it will likely not scale into larger environments with thousands of users and groups.

Acceptance Criteria

  • Collect user data from Azure AD API
  • Collect group membership data from Azure AD API
  • Generate one document per user that includes group membership data
  • Periodically get a list of users that were modified or deleted and generate new documents
  • Persist data to disk that allows the input to resume from previous state

Test Criteria

  • Verify users are synced.
  • Verify documents contain group membership info.
  • Update a user in Azure AD, verify the change is reflected in Elasticsearch as a new document.
  • Delete a user in Azure AD, verify the change is reflected in Elasticsearch as a new document that indicates a deleted status.
  • Create a new user in Azure AD, verify the new user is reflected in Elasticsearch.
  • Verify that the data stream contains a "full sync marker" document with event.action: started when a new sync starts.
  • Verify that the data stream contains a "full sync marker" document with event.action: completed when a new sync completes.
  • Documentation exists that explains how the input works (what APIs it utilizes, how it persists information, etc.).
  • Documentation exists that explains how to authenticate and authorize the input with least privileges.

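The sync flow described in the acceptance and test criteria above, as an added illustration in Go (filebeat's language) that is not part of this issue or of the implementation in #34305: the membership map, the document field names and the event.action values for per-user documents are constructed assumptions; only the started/completed full-sync markers and the one-document-per-user, delta-with-deletions behaviour come from the issue.

```go
package main

import "sort"

// User is a constructed minimal model, not the Azure AD schema; Deleted marks a removed user.
type User struct {
	ID      string
	Deleted bool
}
// Doc is one emitted document; field names here are assumptions, not the integration's schema.
type Doc struct {
	EventAction string   // "started"/"completed" for markers, else "user-modified"/"user-deleted"
	UserID      string
	Groups      []string // group IDs the user belongs to, enriched locally from membership
}

// invert turns groupID -> member user IDs into userID -> sorted group IDs once, so enrichment
// is a map lookup per user rather than a scan of every group (thousands of users and groups).
func invert(membership map[string][]string) map[string][]string {
	idx := map[string][]string{}
	for gid, members := range membership {
		for _, m := range members {
			idx[m] = append(idx[m], gid)
		}
	}
	for _, gids := range idx {
		sort.Strings(gids) // deterministic order for diffing and tests
	}
	return idx
}
// Sync emits one document per user. A full sync (every directory user) is bracketed by the started
// and completed markers; a delta run (only users modified or deleted since the last run) has none.
// Deleted users still get a document, flagged by EventAction rather than being silently dropped.
func Sync(membership map[string][]string, users []User, full bool) []Doc {
	groups := invert(membership)
	var docs []Doc
	if full {
		docs = append(docs, Doc{EventAction: "started"})
	}
	for _, u := range users {
		action := "user-modified"
		if u.Deleted {
			action = "user-deleted"
		}
		docs = append(docs, Doc{EventAction: action, UserID: u.ID, Groups: groups[u.ID]})
	}
	if full {
		docs = append(docs, Doc{EventAction: "completed"})
	}
	return docs
}
```

A consumer can treat the started/completed pair as the boundary of a consistent snapshot and anything between two full syncs as incremental changes.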
@elasticmachine (Collaborator) commented:

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
