elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Filebeat][entity-analytics] Getting invalid error logging while running azure-ad provider #36447

Open brijesh-elastic opened 1 year ago

brijesh-elastic commented 1 year ago

While running the input, we see an error being logged, which is unnecessary.

Error {"log.level":"error","@timestamp":"2023-08-24T11:33:34.809+0530","log.logger":"input.entity-analytics-azure-ad","log.origin":{"file.name":"azuread/azure.go","file.line":358},"message":"Unable to find user \"abcdefgh-3e30-1234-aaaa-fcacececva\" in state","service.name":"filebeat","id":"azure-1","tenant_id":"abcdefgh-8e61-124-a06d-abcdefghijk","provider":"azure-ad","ecs.version":"1.6.0"}

On looking further, it looks like we've deleted that user in our tenant. That deleted user is fetched by the provider using the /users/delta endpoint (reference: https://learn.microsoft.com/en-us/graph/delta-query-overview#resource-representation-in-the-delta-query-response), and after that, it resulted in error logging by the provider code logic.
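
The situation reported above, as an added example that is not part of the original report and is not the Filebeat provider's code: Microsoft Graph delta responses represent a removed user as an `id` plus an `@removed` annotation, so a consumer can receive a tombstone for a user it never stored. The names `deltaUser`, `applyDelta` and the map-based state are hypothetical, and the sample page is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// deltaUser is one entry of a /users/delta page. A removed object carries
// "@removed" (reason "changed" or "deleted") instead of its properties.
type deltaUser struct {
	ID      string                   `json:"id"`
	Name    string                   `json:"displayName"`
	Removed *struct{ Reason string } `json:"@removed"`
}

// applyDelta merges one delta page into state (user ID -> display name).
// A tombstone for an ID that is not in state is counted and skipped, not
// treated as an error, because there is nothing to remove locally.
func applyDelta(state map[string]string, page []byte) (upserted, removed, skipped int, err error) {
	var body struct {
		Value []deltaUser `json:"value"`
	}
	if err = json.Unmarshal(page, &body); err != nil {
		return 0, 0, 0, fmt.Errorf("decoding delta page: %w", err)
	}
	for _, u := range body.Value {
		_, known := state[u.ID]
		switch {
		case u.Removed == nil:
			state[u.ID] = u.Name
			upserted++
		case known:
			delete(state, u.ID)
			removed++
		default:
			skipped++ // unknown user already gone: worth a debug line at most
		}
	}
	return upserted, removed, skipped, nil
}

// samplePage is constructed for this example; the IDs are placeholders.
const samplePage = `{"value":[{"id":"user-a","displayName":"Alice"},
 {"id":"user-b","@removed":{"reason":"changed"}},
 {"id":"user-c","@removed":{"reason":"deleted"}}]}`

func main() {
	fmt.Println(applyDelta(map[string]string{"user-b": "Bob"}, []byte(samplePage)))
}
```

Counting skipped tombstones keeps the event observable as a metric or debug log without raising an error for a state that is already consistent.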

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

elasticmachine commented 8 months ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)