x-pack/filebeat/input/entityanalytics/provider/okta: collect supervised users#49825

Open
chemamartinez wants to merge 2 commits into elastic:main from chemamartinez:49781-entityanalytics_okta-supervises-enrichment

@chemamartinez chemamartinez commented Mar 31, 2026

Proposed commit message

x-pack/filebeat/input/entityanalytics/provider/okta: collect supervised users

Add a new "supervises" value to the enrich_with option
of the Okta entity analytics provider. When enabled,
each user document is enriched with a supervises
field containing the list of users they manage.

Each entry includes the managed user's id, profile.email,
and profile.login (the Okta username). The list is derived
by querying the Okta API for users whose profile.managerId
matches the manager's user ID. The option is disabled by
default because it requires one additional API call per user,
which may exceed Okta rate limits in large deployments.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Related issues

@chemamartinez chemamartinez requested a review from efd6 March 31, 2026 17:33
@chemamartinez chemamartinez self-assigned this Mar 31, 2026
@botelastic botelastic bot added needs_team (Indicates that the issue/PR needs a Team:* label) and removed needs_team (Indicates that the issue/PR needs a Team:* label) labels Mar 31, 2026
@github-actions
Contributor

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@chemamartinez chemamartinez marked this pull request as ready for review March 31, 2026 17:40
@chemamartinez chemamartinez requested review from a team as code owners March 31, 2026 17:40
@elasticmachine
Contributor

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@coderabbitai

coderabbitai bot commented Mar 31, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: deb7c5f8-75fb-4997-bbd6-1e7461fa5a1c

📥 Commits

Reviewing files that changed from the base of the PR and between 1278cb1 and 24b7521.

📒 Files selected for processing (2)
  • x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/statestore.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • x-pack/filebeat/input/entityanalytics/provider/okta/statestore.go

📝 Walkthrough

This pull request adds a supervises enrichment option to the Okta entity analytics provider in Filebeat. It introduces GetUserSupervises to query /api/v1/users with search=profile.managerId eq "userID", new types SupervisedUser and SupervisedProfile, and extends the entity constraint to include SupervisedUser. Code updates wire the enrichment into user metadata publishing, persist supervises in the state store, add tests, and update docs and changelog. The option is disabled by default.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Linked Issues check | ✅ Passed | The pull request fully implements issue #49781: adds 'supervises' enrichment to Okta provider, populates user documents with managed users' id/email/login, makes it optional and disabled by default, and handles the per-user API call requirement. |
| Out of Scope Changes check | ✅ Passed | All changes directly support the supervises enrichment objective: configuration, API integration, data structures, publishing logic, tests, state persistence, and changelog—no unrelated modifications present. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta.go`:
- Around line 297-309: GetUserSupervises currently only returns the first page
from the "/api/v1/users" search and can drop supervised users; change the
implementation around the call to getDetails[SupervisedUser] so it paginates
like GetUserDetails/GetDeviceDetails: perform the initial request to the
constructed URL, decode and append results into a slice of SupervisedUser, then
follow subsequent pages by using okta.Next(h) in a loop (checking headers `h`
from the response) until there are no more pages, aggregating all pages before
returning; ensure you reuse the same query/endpoint construction (endpoint,
query, u) and preserve existing parameters (key, OmitNone, lim, log) while
returning the combined list.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7304ae79-4850-4613-b756-efa4d627343d

📥 Commits

Reviewing files that changed from the base of the PR and between 96df70e and 1278cb1.

📒 Files selected for processing (7)
  • changelog/fragments/1774978179-okta-supervises-enrichment.yaml
  • docs/reference/filebeat/filebeat-input-entity-analytics.md
  • x-pack/filebeat/input/entityanalytics/provider/okta/conf.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/okta.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go
  • x-pack/filebeat/input/entityanalytics/provider/okta/statestore.go
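
The pagination gap raised in the review above, as an added Go example that is not code from this PR or from the beats repository: it follows `rel="next"` Link headers until none remains and aggregates every page of the `profile.managerId` search. The name `fetchSupervised`, the `after` cursor parameter and the two-page test server are assumptions constructed for illustration; the endpoint and search expression are the ones named in the walkthrough.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// SupervisedUser holds the per-entry fields named in the PR description.
type SupervisedUser struct{ ID string; Profile struct{ Email, Login string } }

// fetchSupervised (hypothetical name) aggregates every page of the managerId search.
func fetchSupervised(cli *http.Client, base, managerID string) (all []SupervisedUser, err error) {
	q := url.Values{"search": {fmt.Sprintf("profile.managerId eq %q", managerID)}}
	for next := base + "/api/v1/users?" + q.Encode(); next != ""; {
		resp, err := cli.Get(next)
		if err != nil {
			return nil, err
		}
		var page []SupervisedUser
		err = json.NewDecoder(resp.Body).Decode(&page)
		resp.Body.Close()
		if err != nil {
			return nil, fmt.Errorf("%s: %w", resp.Status, err)
		}
		all, next = append(all, page...), "" // stop unless a rel="next" link follows
		for _, v := range resp.Header.Values("Link") { // assumes one link per header value
			if target, params, _ := strings.Cut(v, ";"); strings.Contains(params, `rel="next"`) {
				next = strings.Trim(strings.TrimSpace(target), "<>")
			}
		}
	}
	return all, nil
}

func main() { // constructed two-page server standing in for the Okta API
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body := `[{"id":"u3"}]` // last page: no Link header
		if r.URL.Query().Get("after") == "" {
			w.Header().Add("Link", fmt.Sprintf(`<http://%s%s&after=u2>; rel="next"`, r.Host, r.URL))
			body = `[{"id":"u1"},{"id":"u2"}]`
		}
		fmt.Fprint(w, body)
	}))
	defer srv.Close()
	fmt.Println(fetchSupervised(srv.Client(), srv.URL, "m1"))
}
```

A client that stops after the first response would report two supervised users for this server instead of three, which is the silent truncation the review comment describes.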

@mergify
Contributor

mergify bot commented Mar 31, 2026

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @chemamartinez? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@github-actions
Contributor

TL;DR

Buildkite failed in x-pack/filebeat: Run check/update because check-no-changes detected unformatted generated changes in two Okta provider files. Re-run formatting/update and commit the resulting diffs.

Remediation

  • Run gofmt -w x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go x-pack/filebeat/input/entityanalytics/provider/okta/statestore.go (or make -C x-pack/filebeat update) and commit.
  • Validate with make -C x-pack/filebeat check-no-changes (or full make -C x-pack/filebeat check update) before re-running CI.
Investigation details

Root Cause

check-no-changes failed because Go formatting drift exists in the PR commit for:

  • x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go (const-block alignment around L57-L65)
  • x-pack/filebeat/input/entityanalytics/provider/okta/statestore.go (struct-field alignment around L38-L45)

This is a configuration/formatting gate failure, not a logic/test regression.

Evidence

Error: some files are not up-to-date. Run 'make update' then review and commit the changes.
Modified: [x-pack/filebeat/input/entityanalytics/provider/okta/okta_test.go x-pack/filebeat/input/entityanalytics/provider/okta/statestore.go]

Local reproduction on PR head (1278cb18f55b0828d83fc087e429632a7ed7f33f) with gofmt -d shows only spacing/alignment edits in those exact files.

Verification

  • Reproduced the same file-level drift with gofmt -d on PR head.
  • Full make -C x-pack/filebeat check update was not fully verifiable in this runner due to a local Python toolchain mismatch (autopep8/lib2to3) unrelated to the Buildkite failure signal.

Follow-up

After committing formatting fixes, rerun Buildkite for this PR. If it still fails, share the new failed-step log and I’ll re-trace.

Note

🔒 Integrity filtering filtered 2 items

Integrity filtering activated and filtered the following items during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.


Comment on lines +1234 to +1236
The metadata to enrich users with. This is an array of values that may contain "groups", "roles", "factors", "supervises", or "none". If the array only contains "none", no metadata is collected for users. The default behavior is to collect "groups".

The "supervises" option populates the `supervises` field with a list of user IDs managed by each user. It works by searching for users whose `profile.managerId` matches the manager's user ID. Because this requires one additional API call per user, it is disabled by default to avoid hitting Okta rate limits.
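
Review bot: the second paragraph describes the `supervises` field as "a list of user IDs", but the proposed commit message for this PR says each entry includes the managed user's id, profile.email, and profile.login. Suggest describing the entries as objects carrying those three fields so the documentation matches what is published.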

Invalid Vale complaints.

@chemamartinez chemamartinez added the backport-9.3 (Automated backport to the 9.3 branch) label Apr 1, 2026
Labels

backport-9.3 Automated backport to the 9.3 branch enhancement Filebeat Filebeat input:entityanalytics Team:Security-Service Integrations Security Service Integrations Team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

x-pack/filebeat/input/entityanalytics/provider/okta: add enrichment to obtain supervises relationship

4 participants