
x-pack/filebeat/input/entityanalytics/provider/okta: collect enrolled devices for users#49813

Open
chemamartinez wants to merge 3 commits into elastic:main from chemamartinez:49780-entityanalytics_okta-get-enrolled-devices

Conversation

@chemamartinez chemamartinez commented Mar 31, 2026

Proposed commit message

x-pack/filebeat/input/entityanalytics/provider/okta: collect enrolled devices for users

Adds enrolled_devices as a new optional value for the enrich_with
configuration option in the Okta entity analytics provider. When enabled,
each user is enriched with the list of devices enrolled for that user via
the List User Devices[1] Okta API endpoint (GET /api/v1/users/{userId}/devices).

The enrichment is opt-in and excluded from the default configuration to avoid
the extra per-user API call that would increase Okta rate limit consumption.
The enrolled devices are published in the devices field of the user event,
following the same pattern as existing enrichments (groups, roles, factors).

[1]: https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userresources/other/listuserdevices

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Related issues
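The per-user device lookup the commit message describes, as an added Go example that is not the PR's or Filebeat's own code: it assumes SSWS API-token authentication, an assumed subset of the Okta device object's fields, and a constructed in-process stand-in for Okta with one user (00u123) that answers 401 on a wrong token and 404 for unknown users.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Device keeps the subset of an Okta device object used here (field names assumed, not from the PR).
type Device struct {
	ID      string                                 `json:"id"`
	Status  string                                 `json:"status"`
	Profile struct{ DisplayName, Platform string } `json:"profile"` // json matches keys case-insensitively
}

// getUserDevices is the one extra per-user request the PR describes (hypothetical client, SSWS token auth).
func getUserDevices(client *http.Client, base, token, userID string) ([]Device, error) {
	req, err := http.NewRequest(http.MethodGet, base+"/api/v1/users/"+url.PathEscape(userID)+"/devices", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "SSWS "+token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // a 429 here is the rate-limit cost the PR warns about
		return nil, fmt.Errorf("list devices for %s: HTTP %d", userID, resp.StatusCode)
	}
	var devices []Device
	return devices, json.NewDecoder(resp.Body).Decode(&devices)
}

// newFakeOkta is a constructed offline stand-in: one known user with two devices, 401 on a bad token, 404 otherwise.
func newFakeOkta() *httptest.Server {
	const body = `[{"id":"guo1","status":"ACTIVE","profile":{"displayName":"Laptop","platform":"MACOS"}},
	               {"id":"guo2","status":"SUSPENDED","profile":{"displayName":"Phone","platform":"IOS"}}]`
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.Header.Get("Authorization") != "SSWS test-token":
			w.WriteHeader(http.StatusUnauthorized)
		case r.URL.Path != "/api/v1/users/00u123/devices":
			w.WriteHeader(http.StatusNotFound)
		default:
			fmt.Fprint(w, body)
		}
	}))
}
```

Multiply the one call shown here by the number of users in the tenant to estimate the extra rate-limit consumption before enabling the option.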

@chemamartinez chemamartinez requested a review from efd6 March 31, 2026 14:44
@chemamartinez chemamartinez self-assigned this Mar 31, 2026
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Mar 31, 2026
@github-actions

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify

mergify bot commented Mar 31, 2026

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @chemamartinez? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@chemamartinez chemamartinez marked this pull request as ready for review March 31, 2026 14:51
@chemamartinez chemamartinez requested review from a team as code owners March 31, 2026 14:51
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@coderabbitai

coderabbitai bot commented Mar 31, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 999b700 and 843ddfe.

📒 Files selected for processing (4)
  • docs/reference/filebeat/filebeat-input-entity-analytics.md
  • x-pack/filebeat/input/entityanalytics/provider/okta/conf.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/okta.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go
✅ Files skipped from review due to trivial changes (1)
  • x-pack/filebeat/input/entityanalytics/provider/okta/conf.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go

📝 Walkthrough

Adds an optional devices/enrolled_devices enrichment to the Okta entity analytics provider in Filebeat. When enabled, the provider calls Okta’s "List User Devices" API per user and attaches the returned devices to each user record. Changes include a new GetUserDevices function, conditional enrichment and publishing of Devices, a devices field on the persisted User state, updated documentation and config comments to list devices as an allowed enrichment, and extended tests exercising the new enrichment. The option is disabled by default.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
  • Linked Issues check (Passed): PR implements all requirements from #49780: adds optional devices enrichment to Okta provider, calls List User Devices API per user, includes it in user data, and disables by default to avoid rate-limit impact.
  • Out of Scope Changes check (Passed): All changes align with linked issue scope: new GetUserDevices function, configuration updates, test coverage, state-store model extension, and documentation; no out-of-scope modifications detected.

Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms

The metadata to enrich users with. This is an array of values that may contain "groups", "roles" and "factors", or "none". If the array only contains "none", no metadata is collected for users. The default behavior is to collect "groups".
The metadata to enrich users with. This is an array of values that may contain "groups", "roles", "factors" and "enrolled_devices", or "none". If the array only contains "none", no metadata is collected for users. The default behavior is to collect "groups".

When "enrolled_devices" is included, each user is enriched with the list of devices enrolled for that user by calling the [List User Devices](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/userresources/other/listuserdevices) API. This requires one additional API request per user, so it is disabled by default to avoid hitting Okta rate limits.
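Review bot: the added paragraph documents the cost of the option but not where its output lands; the proposed commit message says the enrolled devices are published in the devices field of the user event, and the docs should name that field so users know what to query. Consider appending a sentence such as: "The enrolled devices are published in the devices field of the user event."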
Contributor

I think this Vale rule is an example of over-extension of the WCAG concerns and is related to elastic/vale-rules#116.

The rules above are another instance of #49805 (comment).

cc @theletterf

Member

+CC @jmikell821 (she's on it)

Contributor

@efd6 efd6 left a comment

Query only then LGTM

// EnrichWith specifies the additional data that
// will be used to enrich user data. It can include
// "groups", "roles" and "factors".
// "groups", "roles", "factors" and "enrolled_devices".
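Review bot: the updated comment only extends the list of accepted values; since "enrolled_devices" is the one value that costs an extra API request per user and is deliberately left out of the default, a short note in the config comment, matching what the docs hunk already says, would keep the config reference self-explanatory, e.g. `// "enrolled_devices" requires one additional API request per user.`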
Contributor

Why is this "enrolled_devices" rather than just "devices".

Contributor Author

Because for the same provider we already have a dataset called devices, and a setting called collect_device_details, so calling it just devices as well made me think it could cause confusion.

Contributor Author

@efd6 updated.

@chemamartinez chemamartinez added the backport-9.3 Automated backport to the 9.3 branch label Apr 1, 2026

Labels

backport-9.3 Automated backport to the 9.3 branch enhancement Filebeat Filebeat input:entityanalytics Team:Security-Service Integrations Security Service Integrations Team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

x-pack/filebeat/input/entityanalytics/provider/okta: add enrichment to obtain owns relationship

4 participants