elastic · efd6 · Jun 16, 2025
@@ -2,11 +2,18 @@
 
 This Active Directory Entity Analytics integration allows users to securely stream User Entities data to Elastic Security via the Active Directory LDAP look-ups. When integrated with Elastic Security, this valuable data can be leveraged within Elastic for risk-scoring scenarios (e.g., context enrichments) and detecting advanced analytics (UBA) use cases.
 
+## Upgrading to v0.15.0 from v0.14 and lower of the integration
+
+In v0.15.0 of the integration the user and device data was split into separate data streams. The data ingested into your index will be the same but you may need to update device searches if you were using them.
+
+**NOTE**: When you upgrade from v1 you will need to reconfigure the integration and enable it due to internal changes in the package. See [Resolve conflicts](https://www.elastic.co/guide/en/fleet/current/upgrade-integration.html#resolve-conflicts) in the Fleet documentation for details.
+
 ## Data streams
 
 The Active Directory Entity Analytics integration collects one type of data: user.
 
 - **User** is used to retrieve all user entries available from an Active Directory server.
+- **Device** is used to retrieve all device logs available from an Active Directory server.
 
 ## Requirements
 
@@ -33,14 +40,78 @@ The Active Directory provider periodically contacts the server, retrieving updat
 
 Fetching and shipping updates occurs in one of two processes: **full synchronizations** and **incremental updates**. Full synchronizations will send the entire list of users in state, along with write markers to indicate the start and end of the synchronization event. Incremental updates will only send data for changed users during that event. Changes on a user can come in many forms, whether it be a change to the user’s metadata, or a user was added or deleted. By default, full synchronizations occur every 24 hours and incremental updates occur every 15 minutes. These intervals may be customized to suit your use case.
 
+## Sample Events
+
+A user document:
+
+```json
+{
+    "@timestamp": "2024-02-05T06:37:40.876026-05:00",
+    "event": {
+        "action": "user-discovered",
+    },
+    "activedirectory": {
+        "id": "CN=Guest,CN=Users,DC=testserver,DC=local",
+        "user": {
+            "accountExpires": "2185-07-21T23:34:33.709551516Z",
+            "badPasswordTime": "0",
+            "badPwdCount": "0",
+            "cn": "Guest",
+            "codePage": "0",
+            "countryCode": "0",
+            "dSCorePropagationData": [
+                "2024-01-22T06:37:40Z",
+                "1601-01-01T00:00:01Z"
+            ],
+            "description": "Built-in account for guest access to the computer/domain",
+            "distinguishedName": "CN=Guest,CN=Users,DC=testserver,DC=local",
+            "instanceType": "4",
+            "isCriticalSystemObject": true,
+            "lastLogoff": "0",
+            "lastLogon": "2185-07-21T23:34:33.709551616Z",
+            "logonCount": "0",
+            "memberOf": "CN=Guests,CN=Builtin,DC=testserver,DC=local",
+            "name": "Guest",
+            "objectCategory": "CN=Person,CN=Schema,CN=Configuration,DC=testserver,DC=local",
+            "objectClass": [
+                "top",
+                "person",
+                "organizationalPerson",
+                "user"
+            ],
+            "objectGUID": "hSt/40XJQU6cf+J2XoYMHw==",
+            "objectSid": "AQUAAAAAAAUVAAAA0JU2Fq1k30YZ7UPx9QEAAA==",
+            "primaryGroupID": "514",
+            "pwdLastSet": "2185-07-21T23:34:33.709551616Z",
+            "sAMAccountName": "Guest",
+            "sAMAccountType": "805306368",
+            "uSNChanged": "8197",
+            "uSNCreated": "8197",
+            "userAccountControl": "66082",
+            "whenChanged": "2024-01-22T06:36:59Z",
+            "whenCreated": "2024-01-22T06:36:59Z"
+        },
+        "whenChanged": "2024-01-22T06:36:59Z"
+    },
+    "user": {
+        "id": "CN=Guest,CN=Users,DC=testserver,DC=local"
+    },
+    "labels": {
+        "identity_source": "activedirectory-1"
+    }
+}
+```
+
 ## Logs reference
 
 ### User
 
 This is the `User` dataset.
 
-#### Example
+{{fields "user"}}
 
-{{event "user"}}
+### Device
 
-{{fields "user"}}
+This is the `Device` dataset.
+
+{{fields "device"}}
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "0.16.0"
+  changes:
+    - description: Add support for collection device entities.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14223
+    - description: Split data stream by entity type.
+      type: breaking
+      link: https://github.com/elastic/integrations/pull/14223
 - version: "0.15.0"
   changes:
     - description: ECS version updated to 8.17.0.

@@ -0,0 +1,20 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module.
+  value: entityanalytics_ad
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset.
+  value: entityanalytics_ad.device
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.
@@ -0,0 +1,3 @@
+- name: input.type
+  type: keyword
+  description: Type of filebeat input.
@@ -0,0 +1,104 @@
+- name: asset
+  type: group
+  fields:
+    - name: category
+      type: keyword
+    - name: costCenter
+      type: keyword
+    - name: create_date
+      type: date
+    - name: id
+      type: keyword
+    - name: last_seen
+      type: date
+    - name: last_status_change_date
+      type: date
+    - name: last_updated
+      type: date
+    - name: name
+      type: keyword
+    - name: status
+      type: keyword
+    - name: type
+      type: keyword
+    - name: vendor
+      type: keyword
+- name: labels
+  type: group
+  fields:
+    - name: identity_source
+      type: keyword
+- name: user
+  type: group
+  fields:
+    - name: account
+      type: group
+      fields:
+        - name: activated_date
+          type: date
+        - name: change_date
+          type: date
+        - name: create_date
+          type: date
+        - name: password_change_date
+          type: date
+        - name: status
+          type: group
+          fields:
+            - name: deprovisioned
+              type: boolean
+            - name: locked_out
+              type: boolean
+            - name: password_expired
+              type: boolean
+            - name: recovery
+              type: boolean
+            - name: suspended
+              type: boolean
+    - name: geo
+      type: group
+      fields:
+        - name: city_name
+          type: keyword
+        - name: country_iso_code
+          type: keyword
+        - name: name
+          type: keyword
+        - name: postal_code
+          type: keyword
+        - name: region_name
+          type: keyword
+        - name: timezone
+          type: keyword
+    - name: organization
+      type: group
+      fields:
+        - name: name
+          type: keyword
+    - name: profile
+      type: group
+      fields:
+        - name: department
+          type: keyword
+        - name: first_name
+          type: keyword
+        - name: id
+          type: keyword
+        - name: job_title
+          type: keyword
+        - name: last_name
+          type: keyword
+        - name: manager
+          type: keyword
+        - name: mobile_phone
+          type: keyword
+        - name: other_identities
+          type: keyword
+        - name: primaryPhone
+          type: keyword
+        - name: secondEmail
+          type: keyword
+        - name: status
+          type: keyword
+        - name: type
+          type: keyword