Entity Analytics Input

The entity-analytics input supports the following configuration options plus the Common options described later.

The identity provider. Must be one of: activedirectory, azure-ad or okta.

The following configuration options are supported by all inputs.

Use the enabled option to enable and disable inputs. By default, enabled is set to true.

A list of tags that Filebeat includes in the tags field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.

Example:

filebeat.inputs:
- type: entity-analytics
  . . .
  tags: ["json"]

Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a fields sub-dictionary in the output document. To store the custom fields as top-level fields, set the fields_under_root option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.

filebeat.inputs:
- type: entity-analytics
  . . .
  fields:
    app_id: query_engine_12

If this option is set to true, the custom fields are stored as top-level fields in the output document instead of being grouped under a fields sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.

A list of processors to apply to the input data.

See Processors for information about specifying processors in your config.

The ingest pipeline ID to set for the events generated by this input.

If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.

If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the raw_index field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use output.elasticsearch.index or a processor.

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".

By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.

The activedirectory provider allows the input to retrieve users, with group memberships, from Active Directory.

A user with appropriate permissions must be set up in the Active Directory Server Manager in order for the provider to function properly.

The Active Directory provider periodically queries the Active Directory server, retrieving updates for users and groups, updates its internal cache of user and group metadata and group membership information, and ships updated user metadata to Elasticsearch.

Fetching and shipping updates occurs in one of two processes: full synchronizations and incremental updates. Full synchronizations will send the entire list of users and group membership in state, along with write markers to indicate the start and end of the synchronization event. Incremental updates will only send data for changed users during that event. Changes on a user can come in many forms, whether it be a change to the user metadata, a user was added or modified, or group membership was changed.

During a full synchronization, all users and groups stored in state will be sent to the output, while incremental updates will only send users and group that have been updated. Full synchronizations will be bounded on either side by write marker documents, which will look something like this:

{
    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
    "event": {
        "action": "started",
        "start": "2022-11-04T09:57:19.786056-05:00"
    },
    "labels": {
        "identity_source": "activedirectory-1"
    }
}

User documents will show the current state of the user.

Example user document:

{
    "@timestamp": "2024-02-05T06:37:40.876026-05:00",
    "event": {
        "action": "user-discovered",
    },
    "activedirectory": {
        "id": "CN=Guest,CN=Users,DC=testserver,DC=local",
        "user": {
            "accountExpires": "2185-07-21T23:34:33.709551516Z",
            "badPasswordTime": "0",
            "badPwdCount": "0",
            "cn": "Guest",
            "codePage": "0",
            "countryCode": "0",
            "dSCorePropagationData": [
                "2024-01-22T06:37:40Z",
                "1601-01-01T00:00:01Z"
            ],
            "description": "Built-in account for guest access to the computer/domain",
            "distinguishedName": "CN=Guest,CN=Users,DC=testserver,DC=local",
            "instanceType": "4",
            "isCriticalSystemObject": true,
            "lastLogoff": "0",
            "lastLogon": "2185-07-21T23:34:33.709551616Z",
            "logonCount": "0",
            "memberOf": "CN=Guests,CN=Builtin,DC=testserver,DC=local",
            "name": "Guest",
            "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=testserver,DC=local",
            "objectClass": [
                "top",
                "person",
                "organizationalPerson",
                "user"
            ],
            "objectGUID": "hSt/40XJQU6cf+J2XoYMHw==",
            "objectSid": "AQUAAAAAAAUVAAAA0JU2Fq1k30YZ7UPx9QEAAA==",
            "primaryGroupID": "514",
            "pwdLastSet": "2185-07-21T23:34:33.709551616Z",
            "sAMAccountName": "Guest",
            "sAMAccountType": "805306368",
            "uSNChanged": "8197",
            "uSNCreated": "8197",
            "userAccountControl": "66082",
            "whenChanged": "2024-01-22T06:36:59Z",
            "whenCreated": "2024-01-22T06:36:59Z"
        },
        "whenChanged": "2024-01-22T06:36:59Z"
    },
    "user": {
        "id": "CN=Guest,CN=Users,DC=testserver,DC=local"
    },
    "labels": {
        "identity_source": "activedirectory-1"
    }
}

Example configuration:

filebeat.inputs:
- type: entity-analytics
  enabled: true
  id: activedirectory-1
  provider: activedirectory
  sync_interval: "12h"
  update_interval: "30m"
  ad_url: "ldaps://host.domain.tld"
  ad_base_dn: "CN=Users,DC=SERVER,DC=DOMAIN"
  ad_user: "USERNAME"
  ad_password: "PASSWORD"

The azure-ad provider supports the following configuration:

The Active Directory server URL. Field is required.

The Active Directory Base Distinguished Name. Field is required.

The client user name. Used for authentication. The user must have Active Directory read access. Field is required.

The client’s password, used for authentication. Field is required.

The interval in which full synchronizations should occur. The interval must be longer than the update interval (update_interval) Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to 24h (24 hours).

The interval in which incremental updates should occur. The interval must be shorter than the full synchronization interval (sync_interval). Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to 15m (15 minutes).

The azure-ad provider allows the input to retrieve users, with group memberships, from Azure Active Directory (AD).

The necessary API permissions need to be granted in Azure in order for the provider to function properly:

For a full guide on how to set up the necessary App Registration, permission granting, and secret configuration, follow this guide.

The Azure AD provider periodically contacts Azure Active Directory, retrieving updates for users, devices and groups, updates its internal cache of user and device metadata and group membership information, and ships updated user metadata to Elasticsearch.

Fetching and shipping updates occurs in one of two processes: full synchronizations and incremental updates. Full synchronizations will send the entire list of users and devices in state, along with write markers to indicate the start and end of the synchronization event. Incremental updates will only send data for changed users and devices during that event. Changes on a user or device can come in many forms, whether it be a change to the user or device metadata, a user/device was added or deleted, or group membership was changed (either direct or transitive).

The provider periodically retrieves changes to user, device and group metadata from the Microsoft Graph API for Azure Active Directory. This is done through calls to three API endpoints:

The /delta endpoint will provide changes that have occurred since the last call, with state being tracked through a delta token. If the /delta endpoint is called without a delta token, it will provide a full listing of users, devices or groups, similar to the non-delta endpoint. Since many results may be returned, there is a paging mechanism that is used. In the response body, there are two fields that may appear, @odata.nextLink and @odata.deltaLink.

The group metadata will be used to enrich users and devices with group membership information. Direct memberships, along with transitive memberships, will be provided for users and devices.

During a full synchronization, all users and devices stored in state will be sent to the output, while incremental updates will only send users which have been updated. Full synchronizations will be bounded on either side by write marker documents, which will look something like this:

{
    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
    "event": {
        "action": "started",
        "start": "2022-11-04T09:57:19.786056-05:00"
    },
    "labels": {
        "identity_source": "azure-1"
    }
}

User documents will show the current state of the user.

Example user document:

{
    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
    "event": {
        "action": "user-discovered",
    },
    "azure_ad": {
        "userPrincipalName": "[email protected]",
        "mail": "[email protected]",
        "displayName": "Example User",
        "givenName": "Example",
        "surname": "User",
        "jobTitle": "Software Engineer",
        "mobilePhone": "123-555-1000",
        "businessPhones": ["123-555-0122"]
    },
    "user": {
        "id": "5ebc6a0f-05b7-4f42-9c8a-682bbc75d0fc",
        "group": [
            {
                "id": "331676df-b8fd-4492-82ed-02b927f8dd80",
                "name": "group1"
            },
            {
                "id": "d140978f-d641-4f01-802f-4ecc1acf8935",
                "name": "group2"
            }
        ]
    },
    "labels": {
        "identity_source": "azure-1"
    }
}

Device documents will show the current state of the device.

Example device document:

{
    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
    "event": {
        "action": "device-discovered",
    },
    "azure_ad": {
        "accountEnabled": true,
        "deviceId": "2fbbb8f9-ff67-4a21-b867-a344d18a4198",
        "displayName": "DESKTOP-LETW452G",
        "operatingSystem": "Windows",
        "operatingSystemVersion": "10.0.19043.1337",
        "physicalIds": {
            "extensionAttributes": {
                "extensionAttribute1": "BYOD-Device"
            }
        },
        "alternativeSecurityIds": [
            {
                "type": 2,
                "identityProvider": null,
                "key": "DGFSGHSGGTH345A...35DSFH0A"
            },
        ]
    },
    "device": {
        "id": "adbbe40a-0627-4328-89f1-88cac84dbc7f",
        "group": [
            {
                "id": "331676df-b8fd-4492-82ed-02b927f8dd80",
                "name": "group1"
            }
        ]
        "registered_owners": [
            {
                "id": "5ebc6a0f-05b7-4f42-9c8a-682bbc75d0fc",
                "userPrincipalName": "[email protected]",
                "mail": "[email protected]",
                "displayName": "Example User",
                "givenName": "Example",
                "surname": "User",
                "jobTitle": "Software Engineer",
                "mobilePhone": "123-555-1000",
                "businessPhones": ["123-555-0122"]
            },
        ],
        "registered_users": [
            {
                "id": "5ebc6a0f-05b7-4f42-9c8a-682bbc75d0fc",
                "userPrincipalName": "[email protected]",
                "mail": "[email protected]",
                "displayName": "Example User",
                "givenName": "Example",
                "surname": "User",
                "jobTitle": "Software Engineer",
                "mobilePhone": "123-555-1000",
                "businessPhones": ["123-555-0122"]
            },
        ],
    },
    "labels": {
        "identity_source": "azure-1"
    }
}

Example configuration:

filebeat.inputs:
- type: entity-analytics
  enabled: true
  id: azure-1
  provider: azure-ad
  dataset: "all"
  sync_interval: "12h"
  update_interval: "30m"
  client_id: "CLIENT_ID"
  tenant_id: "TENANT_ID"
  secret: "SECRET"

The azure-ad provider supports the following configuration:

The Tenant ID. Field is required.

The client/application ID. Used for authentication. Field is required.

The secret value, used for authentication. Field is required.

The datasets to collect from the API. This can be one of "all", "users" or "devices", or may be left empty for the default behavior which is to collect all entities. When the dataset is set to "devices", some user entity data is collected in order to populate the registered users and registered owner fields for each device.

The interval in which full synchronizations should occur. The interval must be longer than the update interval (update_interval) Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to 24h (24 hours).

The interval in which incremental updates should occur. The interval must be shorter than the full synchronization interval (sync_interval). Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to 15m (15 minutes).

Override the default authentication login endpoint. Only change if directed to do so. Altering this value will also require a change to login_scopes.

Override the default authentication scopes. Only change if directed to do so.

Override the default user query selections. This is a list of optional query parameters. The default is ["accountEnabled", "userPrincipalName", "mail", "displayName", "givenName", "surname", "jobTitle", "officeLocation", "mobilePhone", "businessPhones"].

Override the default group query selections. This is a list of optional query parameters. The default is ["displayName", "members"].

Override the default device query selections. This is a list of optional query parameters. The default is ["accountEnabled", "deviceId", "displayName", "operatingSystem", "operatingSystemVersion", "physicalIds", "extensionAttributes", "alternativeSecurityIds"].

It is possible to log HTTP requests and responses to the EntraID API to a local file-system for debugging configurations. This option is enabled by setting tracer.enabled to true and setting the tracer.filename value. Additional options are available to tune log rotation behavior. To delete existing logs, set tracer.enabled to false without unsetting the filename option.

Enabling this option compromises security and should only be used for debugging.

To differentiate the trace files generated from different input instances, a placeholder * can be added to the filename and will be replaced with the input instance id. For Example, http-request-trace-*.ndjson.

The jamf provider allows the input to retrieve computer records from the Jamf API.

The Jamf provider periodically contacts the Jamf API, retrieving updates for computers, updates its internal cache of managed computer metadata, and ships updated metadata to Elasticsearch.

Fetching and shipping updates occurs in one of two processes: full synchronizations and incremental updates. Full synchronizations will send the entire list of computers in state, along with write markers to indicate the start and end of the synchronization event. Incremental updates will only send data for changed computers records during that event. Changes on a user or device can come in many forms, whether it be a change to the user’s metadata, or a user was added or deleted.

The provider periodically retrieves changes to user/device metadata from the Jamf computers-preview API. This is done through calls to:

Updates are tracked by the provider by retaining a record of the time of the last noted update in the returned user list. During provider updates the Jamf provider makes use of the Jamf API’s query filtering to only request records updated at or since the provider’s recorded last update.

During a full synchronization, all users/devices stored in state will be sent to the output, while incremental updates will only send users and devices that have been updated. Full synchronizations will be bounded on either side by write marker documents, which will look something like this:

{
    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
    "event": {
        "action": "started",
        "start": "2022-11-04T09:57:19.786056-05:00"
    },
    "labels": {
        "identity_source": "jamf-1"
    }
}

Documents will show the current state of the computer record.

Example document:

{
    "device": {
        "id": "5982CE36-4526-580B-B4B9-ECC6782535BC"
    },
    "event": {
        "action": "device-discovered"
    },
    "jamf": {
        "location": {
            "username": "john.doe",
            "position": "Unknown Developer"
        },
        "site": null,
        "name": "acme-C07DM3AZQ6NV",
        "udid": "5982CE36-4526-580B-B4B9-ECC6782535BC",
        "serialNumber": "C07DM3AZQ6NV",
        "operatingSystemVersion": "14.0",
        "operatingSystemBuild": "23A344",
        "operatingSystemSupplementalBuildVersion": null,
        "operatingSystemRapidSecurityResponse": null,
        "macAddress": "64:0B:D7:AA:E4:B2",
        "assetTag": null,
        "modelIdentifier": "Macmini9,1",
        "mdmAccessRights": 0,
        "lastContactDate": "2024-04-18T14:26:51.514Z",
        "lastReportDate": "2024-06-19T15:54:37.692Z",
        "lastEnrolledDate": "2023-02-22T10:46:17.199Z",
        "ipAddress": null,
        "managementId": "1a59c510-b3a9-41cb-8afa-3d4187ac60d0",
        "isManaged": true
    },
    "labels": {
        "identity_source": "jamf-1"
    }
}

Example configuration:

filebeat.inputs:
- type: entity-analytics
  enabled: true
  id: jamf-1
  provider: jamf
  dataset: "all"
  sync_interval: "12h"
  update_interval: "30m"
  jamf_tenant: "JAMF_TENANT"
  jamf_username: "JAMF_USERNAME"
  jamf_password: "JAMF_PASSWORD"

The jamf provider supports the following configuration:

The Jamf tenant host. Field is required.

The Jamf username, used for authentication. Field is required.

The Jamf user password, used for authentication. Field is required.

The number of computer records to collect with each API request. Defaults to API default.

The interval in which full synchronizations should occur. The interval must be longer than the update interval (update_interval) Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to 24h (24 hours).

The interval in which incremental updates should occur. The interval must be shorter than the full synchronization interval (sync_interval). Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to 15m (15 minutes).

+==== tracer.enabled

It is possible to log HTTP requests and responses to the Jamf API to a local file-system for debugging configurations. This option is enabled by setting tracer.enabled to true and setting the tracer.filename value. Additional options are available to tune log rotation behavior. To delete existing logs, set tracer.enabled to false without unsetting the filename option.

Enabling this option compromises security and should only be used for debugging.

To differentiate the trace files generated from different input instances, a placeholder * can be added to the filename and will be replaced with the input instance id. For Example, http-request-trace-*.ndjson.

The okta provider allows the input to retrieve users and devices from the Okta user API.

The necessary API permissions need to be granted in Okta in order for the provider to function properly. In the administration dashboard for your Okta account, navigate to Security>API and in the Tokens tab click the "Create token" button to create a new token. Copy the token value and retain this to configure the provider. Note that the token will not be presented again, so it must be copied now. This value will use given to the provider via the okta_token configuration field.

Devices API access needs to be activated by Okta support.

The Okta provider periodically contacts the Okta API, retrieving updates for users and devices, updates its internal cache of user metadata, and ships updated user/device metadata to Elasticsearch.

Fetching and shipping updates occurs in one of two processes: full synchronizations and incremental updates. Full synchronizations will send the entire list of users and devices in state, along with write markers to indicate the start and end of the synchronization event. Incremental updates will only send data for changed users and devices during that event. Changes on a user or device can come in many forms, whether it be a change to the user’s metadata, or a user was added or deleted.

The provider periodically retrieves changes to user/device metadata from the Okta User and Device APIs. This is done through calls to:

Updates are tracked by the provider by retaining a record of the time of the last noted update in the returned user list. During provider updates the Okta provider makes use of the Okta API’s query filtering to only request records updated at or since the provider’s recorded last update.

During a full synchronization, all users/devices stored in state will be sent to the output, while incremental updates will only send users and devices that have been updated. Full synchronizations will be bounded on either side by write marker documents, which will look something like this:

{
    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
    "event": {
        "action": "started",
        "start": "2022-11-04T09:57:19.786056-05:00"
    },
    "labels": {
        "identity_source": "okta-1"
    }
}

User documents will show the current state of the user.

Example user document:

{
    "@timestamp": "2023-07-04T09:57:19.786056-05:00",
    "event": {
        "action": "user-discovered",
    },
    "okta": {
        "id": "userid",
        "status": "RECOVERY",
        "created": "2023-06-02T09:33:00.189752+09:30",
        "activated": "0001-01-01T00:00:00Z",
        "statusChanged": "2023-06-02T09:33:00.189752+09:30",
        "lastLogin": "2023-06-02T09:33:00.189752+09:30",
        "lastUpdated": "2023-06-02T09:33:00.189753+09:30",
        "passwordChanged": "2023-06-02T09:33:00.189753+09:30",
        "type": {
            "id": "typeid"
        },
        "profile": {
            "login": "[email protected]",
            "email": "[email protected]",
            "firstName": "name",
            "lastName": "surname"
        },
        "credentials": {
            "password": {},
            "provider": {
                "type": "OKTA",
                "name": "OKTA"
            }
        },
        "_links": {
            "self": {
                "href": "https://localhost/api/v1/users/userid"
            }
        }
    },
    "user": {
        "id": "userid",
    },
    "labels": {
        "identity_source": "okta-1"
    }
}

Device documents will show the current state of the device, including any associated users.

Example device document:

{
    "@timestamp": "2023-07-04T09:57:19.786056-05:00",
    "event": {
        "action": "device-discovered",
    },
    "okta": {
        "created": "2019-10-02T18:03:07Z",
        "id": "deviceid",
        "lastUpdated": "2019-10-02T18:03:07Z",
        "profile": {
            "diskEncryptionType": "ALL_INTERNAL_VOLUMES",
            "displayName": "Example Device name 1",
            "platform": "WINDOWS",
            "registered": true,
            "secureHardwarePresent": false,
            "serialNumber": "XXDDRFCFRGF3M8MD6D",
            "sid": "S-1-11-111"
        },
        "resourceAlternateID": "",
        "resourceDisplayName": {
            "sensitive": false,
            "value": "Example Device name 1"
        },
        "resourceID": "deviceid",
        "resourceType": "UDDevice",
        "status": "ACTIVE",
        "_links": {
            "activate": {
                "hints": {
                    "allow": [
                        "POST"
                    ]
                },
                "href": "https://localhost/api/v1/devices/deviceid/lifecycle/activate"
            },
            "self": {
                "hints": {
                    "allow": [
                        "GET",
                        "PATCH",
                        "PUT"
                    ]
                },
                "href": "https://localhost/api/v1/devices/deviceid"
            },
            "users": {
                "hints": {
                    "allow": [
                        "GET"
                    ]
                },
                "href": "https://localhost/api/v1/devices/deviceid/users"
            }
        },
        "users": [
            {
                "id": "userid",
                "status": "RECOVERY",
                "created": "2023-05-14T13:37:20Z",
                "activated": "0001-01-01T00:00:00Z",
                "statusChanged": "2023-05-15T01:50:30Z",
                "lastLogin": "2023-05-15T01:59:20Z",
                "lastUpdated": "2023-05-15T01:50:32Z",
                "passwordChanged": "2023-05-15T01:50:32Z",
                "type": {
                    "id": "typeid"
                },
                "profile": {
                    "login": "[email protected]",
                    "email": "[email protected]",
                    "firstName": "name",
                    "lastName": "surname"
                },
                "credentials": {
                    "password": {},
                    "provider": {
                        "type": "OKTA",
                        "name": "OKTA"
                    }
                },
                "_links": {
                    "self": {
                        "href": "https://localhost/api/v1/users/userid"
                    }
                }
            }
        ]
    },
    "device": {
        "id": "deviceid",
    },
    "labels": {
        "identity_source": "okta-1"
    }
}

Example configuration:

filebeat.inputs:
- type: entity-analytics
  enabled: true
  id: okta-1
  provider: okta
  dataset: "all"
  sync_interval: "12h"
  update_interval: "30m"
  okta_domain: "OKTA_DOMAIN"
  okta_token: "OKTA_TOKEN"

The okta provider supports the following configuration:

The Okta domain. Field is required.

The Okta secret token, used for authentication. Field is required.

Whether the input should collect device and device-associated user details from the Okta API. Device details must be activated on the Okta account for this option.

The datasets to collect from the API. This can be one of "all", "users" or "devices", or may be left empty for the default behavior which is to collect all entities. When the dataset is set to "devices", some user entity data is collected in order to populate the registered users and registered owner fields for each device.

The interval in which full synchronizations should occur. The interval must be longer than the update interval (update_interval) Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to 24h (24 hours).

The interval in which incremental updates should occur. The interval must be shorter than the full synchronization interval (sync_interval). Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to 15m (15 minutes).

It is possible to log HTTP requests and responses to the Okta API to a local file-system for debugging configurations. This option is enabled by setting tracer.enabled to true and setting the tracer.filename value. Additional options are available to tune log rotation behavior. To delete existing logs, set tracer.enabled to false without unsetting the filename option.

Enabling this option compromises security and should only be used for debugging.

To differentiate the trace files generated from different input instances, a placeholder * can be added to the filename and will be replaced with the input instance id. For Example, http-request-trace-*.ndjson.

This input exposes metrics under the HTTP monitoring endpoint. These metrics are exposed under the /inputs path. They can be used to observe the activity of the input.