Entity Analytics Inputedit

This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

The Entity Analytics input collects identity assets, such as users, from external identity providers.

The following identity providers are supported:

Configuration optionsedit

The entity-analytics input supports the following configuration options plus the Common options described later.


The identity provider. Must be one of: azure-ad.

Common optionsedit

The following configuration options are supported by all inputs.


Use the enabled option to enable and disable inputs. By default, enabled is set to true.


A list of tags that Filebeat includes in the tags field of each published event. Tags make it easy to select specific events in Kibana or apply conditional filtering in Logstash. These tags will be appended to the list of tags specified in the general configuration.


- type: entity-analytics
  . . .
  tags: ["json"]

Optional fields that you can specify to add additional information to the output. For example, you might add fields that you can use for filtering log data. Fields can be scalar values, arrays, dictionaries, or any nested combination of these. By default, the fields that you specify here will be grouped under a fields sub-dictionary in the output document. To store the custom fields as top-level fields, set the fields_under_root option to true. If a duplicate field is declared in the general configuration, then its value will be overwritten by the value declared here.

- type: entity-analytics
  . . .
    app_id: query_engine_12

If this option is set to true, the custom fields are stored as top-level fields in the output document instead of being grouped under a fields sub-dictionary. If the custom field names conflict with other field names added by Filebeat, then the custom fields overwrite the other fields.


A list of processors to apply to the input data.

See Processors for information about specifying processors in your config.


The ingest pipeline ID to set for the events generated by this input.

The pipeline ID can also be configured in the Elasticsearch output, but this option usually results in simpler configuration files. If the pipeline is configured both in the input and output, the option from the input is used.


If this option is set to true, fields with null values will be published in the output document. By default, keep_null is set to false.


If present, this formatted string overrides the index for events from this input (for elasticsearch outputs), or sets the raw_index field of the event’s metadata (for other outputs). This string can only refer to the agent name and version and the event timestamp; for access to dynamic fields, use output.elasticsearch.index or a processor.

Example value: "%{[agent.name]}-myindex-%{+yyyy.MM.dd}" might expand to "filebeat-myindex-2019.11.01".


By default, all events contain host.name. This option can be set to true to disable the addition of this field to all events. The default value is false.


Azure Active Directory (azure-ad)edit

The azure-ad provider allows the input to retrieve users, with group memberships, from Azure Active Directory (AD).


The necessary API permissions need to be granted in Azure in order for the provider to function properly:

Permission Type





For a full guide on how to set up the necessary App Registration, permission granting, and secret configuration, follow this guide.

How It Worksedit


The Azure AD provider periodically contacts Azure Active Directory, retrieving updates for users and groups, updates its internal cache of user metadata and group membership information, and ships updated user metadata to Elasticsearch.

Fetching and shipping updates occurs in one of two processes: full synchronizations and incremental updates. Full synchronizations will send the entire list of users in state, along with write markers to indicate the start and end of the synchronization event. Incremental updates will only send data for changed users during that event. Changes on a user can come in many forms, whether it be a change to the user’s metadata, a user was added or deleted, or group membership was changed (either direct or transitive).

API Interactionsedit

The provider periodically retrieves changes to user and group metadata from the Microsoft Graph API for Azure Active Directory. This is done through calls to two API endpoints:

The /delta endpoint will provide changes that have occurred since the last call, with state being tracked through a delta token. If the /delta endpoint is called without a delta token, it will provide a full listing of users or groups, similar to the non-delta endpoint. Since many results may be returned, there is a paging mechanism that is used. In the response body, there are two fields that may appear, @odata.nextLink and @odata.deltaLink.

  • If a @odata.nextLink is returned, then there are more results to fetch, and the value of this field will contain the URL which should be immediately fetched.
  • If a @odata.deltaLink is returned, then there are currently no more results, and the value of this field (a URL) should be saved for the next time updates need to be fetched (the delta token).

The group metadata will be used to enrich users with group membership information. Direct memberships, along with transitive memberships, will provided on users.

Sending User Metadata to Elasticsearchedit

During a full synchronization, all users stored in state will be sent to the output, while incremental updates will only send users which have been updated. Full synchronizations will be bounded on either side by write marker documents, which will look something like this:

    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
    "event": {
        "action": "started",
        "start": "2022-11-04T09:57:19.786056-05:00"
    "labels": {
        "identity_source": "azure-1"

User documents will show the current state of the user.

Example user document:

    "@timestamp": "2022-11-04T09:57:19.786056-05:00",
    "event": {
        "action": "user-discovered",
    "azure_ad": {
        "userPrincipalName": "example.user@example.com",
        "mail": "example.user@example.com",
        "displayName": "Example User",
        "givenName": "Example",
        "surname": "User",
        "jobTitle": "Software Engineer",
        "mobilePhone": "123-555-1000",
        "businessPhones": ["123-555-0122"]
    "user": {
        "id": "5ebc6a0f-05b7-4f42-9c8a-682bbc75d0fc",
        "group": [
                "id": "331676df-b8fd-4492-82ed-02b927f8dd80",
                "name": "group1"
                "id": "d140978f-d641-4f01-802f-4ecc1acf8935",
                "name": "group2"
    "labels": {
        "identity_source": "azure-1"


Example configuration:

- type: entity-analytics
  enabled: true
  id: azure-1
  provider: azure-ad
  sync_interval: "12h"
  update_interval: "30m"
  client_id: "CLIENT_ID"
  tenant_id: "TENANT_ID"
  secret: "SECRET"

The azure-ad provider supports the following configuration:


The Tenant ID. Field is required.


The client/application ID. Used for authentication. Field is required.


The secret value, used for authentication. Field is required.


The interval in which full synchronizations should occur. The interval must be longer than the update interval (update_interval) Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to 24h (24 hours).


The interval in which incremental updates should occur. The interval must be shorter than the full synchronization interval (sync_interval). Expressed as a duration string (e.g., 1m, 3h, 24h). Defaults to 15m (15 minutes).


Override the default authentication login endpoint. Only change if directed to do so. Altering this value will also require a change to login_scopes.


Override the default authentication scopes. Only change if directed to do so.


This input exposes metrics under the HTTP monitoring endpoint. These metrics are exposed under the /inputs path. They can be used to observe the activity of the input.

Metric Description


The total number of full synchronizations.


The number of full synchronizations that failed due to an error.


Histogram of the elapsed full synchronizations times in nanoseconds (time of API contact to items sent to output).


The total number of incremental updates.


The number of incremental updates that failed due to an error.


Histogram of the elapsed incremental updates times in nanoseconds (time of API contact to items sent to output).

This input is experimental and is under active developement. Configuration options and behaviors may change without warning. Use with caution and do not use in production environments.