diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 1c532e04cd74..f2f39edd0928 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -229,6 +229,7 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403]
 - [Journald] Fixes handling of `journalctl` restart. A known symptom was broken multiline messages when there was a restart of journalctl while aggregating the lines. {issue}41331[41331] {pull}42595[42595]
 - Fix entityanalytics activedirectory provider full sync use before initialization bug. {pull}42682[42682]
 - In the `http_endpoint` input, fix the check for a missing HMAC HTTP header. {pull}42756[42756]
+- Prevent computer details being returned for user queries by Activedirectory Entity Analytics provider. {issue}11818[11818] {pull}42796[42796]
 *Heartbeat*
diff --git a/x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go b/x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go
index b52af0b699d3..56a7d41060a4 100644
--- a/x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go
+++ b/x-pack/filebeat/input/entityanalytics/provider/activedirectory/internal/activedirectory/activedirectory.go
@@ -86,9 +86,9 @@ func GetDetails(url, user, pass string, base *ldap.DN, since time.Time, userAttr
 }
 // Get users in the directory...
- userFilter := "(objectClass=user)"
+ userFilter := "(&(objectCategory=person)(objectClass=user))"
 if sinceFmtd != "" {
- userFilter = "(&(objectClass=user)(whenChanged>=" + sinceFmtd + "))"
+ userFilter = "(&(objectCategory=person)(objectClass=user)(whenChanged>=" + sinceFmtd + "))"
 }
 usrs, err := search(conn, baseDN, userFilter, userAttrs, pagingSize)
 if err != nil {
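Review bot: The reason for adding `(objectCategory=person)` is not recorded next to either `userFilter` assignment, and the clause pair is now written out in three separate literals (both assignments here and `query` in the hunk at line 120). In Active Directory the computer class derives from user, so `(objectClass=user)` alone also matches machine accounts; a comment such as `// objectClass=user also matches computer accounts; objectCategory=person limits the result to people.` would keep a later edit from dropping the clause. A shared constant, e.g. `const personUserClause = "(objectCategory=person)(objectClass=user)"`, would keep the three filters from drifting apart. GetDetails starts and ends outside this hunk.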
@@ -120,7 +120,7 @@ func GetDetails(url, user, pass string, base *ldap.DN, since time.Time, userAttr
 for i, u := range modGrps {
 modGrps[i] = "(memberOf=" + u + ")"
 }
- query := "(&(objectClass=user)(|" + strings.Join(modGrps, "") + ")"
+ query := "(&(objectCategory=person)(objectClass=user)(|" + strings.Join(modGrps, "") + ")"
 usrs, err := search(conn, baseDN, query, userAttrs, pagingSize)
 if err != nil {
 errs = append(errs, fmt.Errorf("failed to collect users of changed groups%w: %w", ErrUsers, err))
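Review bot: The new `query` literal opens two groups, `(&` and `(|`, but the trailing `")"` closes only one, so the filter as shown looks unbalanced; the removed line had the same shape, so the commit carries the problem forward rather than introducing it. If that reading is right, the tail should be `+ "))"`. Separately, the context line `modGrps[i] = "(memberOf=" + u + ")"` places each group DN into the filter unescaped, so a DN containing `(`, `)`, `*` or `\` would alter or break the filter; assuming `ldap` here is go-ldap, `"(memberOf=" + ldap.EscapeFilter(u) + ")"` avoids that. The loop and the rest of GetDetails begin outside this hunk, so where `modGrps` is populated is not visible here.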