Get user.name from user.id in Entity Analytics Azure Entra ID dataset

willemdh · May 8, 2024, 6:46am

Hello,

So now we have the entity analytics, is it on Elastic's to do to enrich certain datasets with the real user.name from the user.id ?

For example in the Azure Graph API logs only a user.id field is known. The username could be added from the entity analytics entra id dataset.

Because we need to use the Elastic Integration Logstash filter, we cannot use enrich processor, as that is unsupported. So is the only way to achieve this, by doing it in Logstash with the Elasticsearch filter plugin then?

Elasticsearch filter plugin | Logstash Reference [8.13] | Elastic

Willem

strawgate · May 8, 2024, 8:20pm

Hi!

Have you explored doing the enrichment via an elasticsearch Ingest pipeline: Enrich processor | Elasticsearch Guide [8.13] | Elastic

You could also do this enrichment at query time if you're working with ES|QL: Data enrichment | Elasticsearch Guide [8.13] | Elastic

willemdh · May 20, 2024, 3:03pm

Hey,

Tried

PUT /_enrich/policy/microsoft-azure-entra-id-users-policy
{
  "match": {
    "indices": "logs-entityanalytics_entra_id.user-default",
    "match_field": "user.id",
    "enrich_fields": ["user.full_name", "user.name", "user.email"]
  }
}

But I get:

{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index [logs-entityanalytics_entra_id.user-default]",
        "index_uuid": "_na_",
        "resource.type": "index_or_alias",
        "excluded_ds": "true",
        "resource.id": "logs-entityanalytics_entra_id.user-default",
        "index": "logs-entityanalytics_entra_id.user-default"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index [logs-entityanalytics_entra_id.user-default]",
    "index_uuid": "_na_",
    "resource.type": "index_or_alias",
    "excluded_ds": "true",
    "resource.id": "logs-entityanalytics_entra_id.user-default",
    "index": "logs-entityanalytics_entra_id.user-default"
  },
  "status": 404
}

I guess it doesnt work on datastreams. Is there a builtin way to schedule it? So that it contains the most recent entra id user info?

Willem

strawgate · May 22, 2024, 9:26pm

I guess it doesnt work on datastreams. Is there a builtin way to schedule it? So that it contains the most recent entra id user info?

I'm not exactly sure but I would probably start by looking at making a transform on your data stream to a summarized index and then using that summarized index as the source for your enrich policy

erikg · May 30, 2024, 7:48pm

Hey @willemdh

Enrich policies do work on datastreams
In your example:

"indices": "logs-entityanalytics_entra_id.user-default"

you to update like this:
"indices": "logs-entityanalytics_entra_id.user-default-*"

tokcum · June 19, 2024, 7:25pm

Thank you @erikg . That worked for me.

system · July 17, 2024, 7:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.