
x-pack/filebeat/input/entityanalytics/provider/azuread/fetcher: add device handling #35807

Merged
merged 4 commits into from Jun 21, 2023

Conversation


@efd6 efd6 commented Jun 19, 2023

What does this PR do?

Adds device support to the Azure AD entity analytics input provider.

Why is it important?

Milestone task needed for security solution.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

@efd6 efd6 added enhancement Filebeat Filebeat Team:Security-External Integrations backport-skip Skip notification from the automated backport with mergify 8.9-candidate labels Jun 19, 2023
@efd6 efd6 self-assigned this Jun 19, 2023
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jun 19, 2023
@efd6 efd6 force-pushed the st5940-azure-device branch 2 times, most recently from 71e0e07 to 9d1adf7 Compare June 19, 2023 02:10

elasticmachine commented Jun 19, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-06-21T21:27:18.235+0000

  • Duration: 71 min 49 sec

Test stats 🧪

Test Results
  • Failed: 0
  • Passed: 3048
  • Skipped: 178
  • Total: 3226

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@efd6 efd6 marked this pull request as ready for review June 19, 2023 03:21
@efd6 efd6 requested a review from a team as a code owner June 19, 2023 03:21
elasticmachine (Collaborator) commented:

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@bhapas bhapas left a comment


Looks Good.

Just a thought, though: there are instances where a lot of code is duplicated between users, groups and devices. Not sure if we can think of a solution that helps to add more entities in future in a simple way?

"github.com/elastic/elastic-agent-libs/mapstr"
)

// TODO: Implement fetchers for the registered owners and users
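Review bot: the `// TODO: Implement fetchers for the registered owners and users` comment should reference a tracking issue so the gap stays discoverable after merge, and the device documents emitted by this change will not include registered owners or users until that work lands; suggest `// TODO(<issue link>): implement fetchers for the registered owners and users` with the link filled in.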
Contributor:

A github issue link to the TODO ?


mergify bot commented Jun 20, 2023

This pull request is now in conflict. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b st5940-azure-device upstream/st5940-azure-device
git merge upstream/main
git push upstream st5940-azure-device

@@ -165,6 +165,21 @@ func (p *azure) runFullSync(inputCtx v2.Context, store *kvstore.Store, client be
tracker.Wait()
}

if len(state.devices) != 0 {
tracker := kvstore.NewTxTracker(ctx)
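Review bot: the `if len(state.devices) != 0 { tracker := kvstore.NewTxTracker(ctx)` block starts a second tracker right after the users' `tracker.Wait()`, so a full sync emits one write-marker pair for users and a separate pair for devices, and the inner `tracker` shadows the outer variable of the same name. If consumers are meant to read users and devices as one sync, reuse the outer tracker for the device writes and call `Wait()` once after both loops; if the two pairs are intentional, the markers need a field saying which entity kind each one bounds, otherwise a reader of the store cannot tell them apart.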

Contributor:

I'm wondering, do we want a single set of writer markers to bound both users and devices? If we want them separate, do we want to attach any sort of field to indicate what the write markers are associated with? (device or user).

Thoughts, @andrewkroh?

Member:

Good point, either is acceptable to me. If it is two separate marks then someone who is querying would need to know whether it was associated with the users or the devices.

Contributor Author:

ISTM a single set makes more sense. Devices and users are really pretty much the same kind of entity (at the moment more so, with the TODO additions less so).
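To make the write-marker question above concrete, here is an added, self-contained Go sketch that is not code from this PR or from the beats `kvstore` package: the `txTracker`, `Event` and `fullSync` names are hypothetical stand-ins, and the user and device IDs are constructed sample values. It runs the same sync twice, once with a single tracker bounding both users and devices and once with a separate tracker for devices, and shows what a consumer querying the store sees in each case: one start/end marker pair that covers everything, or two pairs that carry no indication of which entity kind each one bounds.

```go
package main

import "fmt"

// Event is a constructed stand-in for one document the input publishes:
// either an entity (Kind "user" or "device") or a write marker.
type Event struct {
	Kind string // "user", "device" or "marker"
	ID   string // entity ID; empty for markers
	Mark string // for markers only: "start" or "end"
}

// txTracker is a hypothetical tracker, not beats' kvstore.TxTracker: it emits
// a start marker on creation, counts published events, and emits the end
// marker from wait once everything published under it has been acked.
type txTracker struct {
	out     *[]Event
	pending int
}

func newTxTracker(out *[]Event) *txTracker {
	*out = append(*out, Event{Kind: "marker", Mark: "start"})
	return &txTracker{out: out}
}

// publish records an entity write that the tracker must wait for.
func (t *txTracker) publish(kind, id string) {
	t.pending++
	*t.out = append(*t.out, Event{Kind: kind, ID: id})
}

// wait simulates the output acking every pending write, then closes the
// transaction with an end marker.
func (t *txTracker) wait() {
	t.pending = 0
	*t.out = append(*t.out, Event{Kind: "marker", Mark: "end"})
}

// fullSync publishes users and then devices. With separate=false a single
// tracker bounds both entity kinds, so one start/end pair covers the sync;
// with separate=true devices get their own tracker (skipped when there are
// no devices, mirroring the len(state.devices) != 0 guard in the hunk).
func fullSync(users, devices []string, separate bool) []Event {
	var out []Event
	tracker := newTxTracker(&out)
	for _, u := range users {
		tracker.publish("user", u)
	}
	if !separate {
		for _, d := range devices {
			tracker.publish("device", d)
		}
		tracker.wait()
		return out
	}
	tracker.wait()
	if len(devices) == 0 {
		return out
	}
	tracker = newTxTracker(&out)
	for _, d := range devices {
		tracker.publish("device", d)
	}
	tracker.wait()
	return out
}

// markerSpans returns, per start/end marker pair, the kinds of entity written
// between the markers. A consumer asking for "the latest complete sync" has
// to know how many pairs to expect and what each of them bounds.
func markerSpans(events []Event) [][]string {
	var spans [][]string
	var cur []string
	for _, e := range events {
		switch {
		case e.Kind == "marker" && e.Mark == "start":
			cur = []string{}
		case e.Kind == "marker" && e.Mark == "end":
			spans = append(spans, cur)
			cur = nil
		default:
			cur = append(cur, e.Kind)
		}
	}
	return spans
}

func main() {
	users := []string{"u-1", "u-2"} // constructed sample IDs
	devices := []string{"d-1"}
	fmt.Println("single tracker:   ", markerSpans(fullSync(users, devices, false)))
	fmt.Println("separate trackers:", markerSpans(fullSync(users, devices, true)))
}
```

With the single tracker the store holds exactly one `[user user device]` span per sync, which is what a query for the most recent completed sync can key on; with separate trackers the second span looks identical in shape to a users-only sync unless the marker itself records the entity kind, which is the field the reviewers were asking about.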


return nil
}); err != nil && !errIsItemNotFound(err) {
return nil, fmt.Errorf("unable to get users from state: %w", err)
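Review bot: the error returned on the devices path reads `unable to get users from state`, so a failure here would be attributed to users in logs and hide which entity load actually broke; change it to `unable to get devices from state: %w`. The `!errIsItemNotFound(err)` guard is right to treat a missing entry as a first run rather than a failure.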
Contributor:

s/users/devices


mergify bot commented Jun 21, 2023

This pull request is now in conflict. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b st5940-azure-device upstream/st5940-azure-device
git merge upstream/main
git push upstream st5940-azure-device

efd6 added 4 commits June 22, 2023 06:56
Wrap update and sync publication of users and devices together into single
tracker/write marker operations.
@efd6 efd6 added backport-v8.9.0 Automated backport with mergify and removed backport-skip Skip notification from the automated backport with mergify labels Jun 21, 2023
@efd6 efd6 merged commit a98c576 into elastic:main Jun 21, 2023
21 checks passed
mergify bot pushed a commit that referenced this pull request Jun 21, 2023
efd6 added a commit that referenced this pull request Jun 22, 2023
…evice handling (#35807) (#35878)

(cherry picked from commit a98c576)

Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
Labels
8.9-candidate backport-v8.9.0 Automated backport with mergify enhancement Filebeat Filebeat