entityanalytics_entra_id: ingest extra fields selected via select in Custom Options (#14433)

This change updates the ingest pipeline to preserve extra fields selected 
through custom options. Previously, it only mapped the default fields
and removed remaining fields under the azure_ad field. Now, it
automatically maps the extra fields to the appropriate location
under the entityanalytics_entra_id field.

Author: navnit-elastic

packages/entityanalytics_entra_id/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.8.1"
+  changes:
+    - description: Fix pipeline to ingest extra fields selected via `select` configuration in `Custom Options`.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14433
 - version: "1.8.0"
   changes:
     - description: Remove redundant installation instructions.

packages/entityanalytics_entra_id/data_stream/entity/_dev/test/pipeline/test-users.json

@@ -1,5 +1,43 @@
 {
     "events": [
+        {
+            "@timestamp": "2023-03-06T10:07:13.883Z",
+            "azure_ad": {
+                "userPrincipalName": "[email protected]",
+                "mail": "[email protected]",
+                "displayName": "First21480 Last11836",
+                "givenName": "First21480",
+                "surname": "Last11836",
+                "jobTitle": "Manager",
+                "officeLocation": "608 St N, Somewhere, ABC, XYZ",
+                "mobilePhone": "231-482-2649",
+                "businessPhones": [
+                    "55-692-8856",
+                    "552-265-6614"
+                ],
+                "accountEnabled": true,
+                "department": "Security"
+            },
+            "event": {
+                "action": "user-discovered"
+            },
+            "labels": {
+                "identity_source": "entra_id-1"
+            },
+            "user": {
+                "id": "aa534e49-edfd-4541-8256-8bbf34f122b4",
+                "group": [
+                    {
+                        "id": "e7089e3a-2c83-4f08-8280-7530ed39b6ca",
+                        "name": "Group 5202"
+                    },
+                    {
+                        "id": "526588ce-2828-4cb1-9c9b-e57026e94b82",
+                        "name": "Group 16739"
+                    }
+                ]
+            }
+        },
         {
             "@timestamp": "2023-03-06T10:07:13.883Z",
             "azure_ad": {

packages/entityanalytics_entra_id/data_stream/entity/_dev/test/pipeline/test-users.json-expected.json

@@ -1,5 +1,114 @@
 {
     "expected": [
+        {
+            "@timestamp": "2023-03-06T10:07:13.883Z",
+            "asset": {
+                "category": "entity",
+                "group": [
+                    {
+                        "id": "e7089e3a-2c83-4f08-8280-7530ed39b6ca",
+                        "name": "Group 5202"
+                    },
+                    {
+                        "id": "526588ce-2828-4cb1-9c9b-e57026e94b82",
+                        "name": "Group 16739"
+                    }
+                ],
+                "id": "aa534e49-edfd-4541-8256-8bbf34f122b4",
+                "type": "microsoft_entra_id_user"
+            },
+            "data_stream": {
+                "dataset": "entityanalytics_entra_id.user",
+                "namespace": "default",
+                "type": "logs"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "entityanalytics_entra_id": {
+                "user": {
+                    "account_enabled": true,
+                    "business_phones": [
+                        "55-692-8856",
+                        "552-265-6614"
+                    ],
+                    "department": "Security",
+                    "display_name": "First21480 Last11836",
+                    "given_name": "First21480",
+                    "group": [
+                        {
+                            "id": "e7089e3a-2c83-4f08-8280-7530ed39b6ca",
+                            "name": "Group 5202"
+                        },
+                        {
+                            "id": "526588ce-2828-4cb1-9c9b-e57026e94b82",
+                            "name": "Group 16739"
+                        }
+                    ],
+                    "id": "aa534e49-edfd-4541-8256-8bbf34f122b4",
+                    "job_title": "Manager",
+                    "mail": "[email protected]",
+                    "mobile_phone": "231-482-2649",
+                    "office_location": "608 St N, Somewhere, ABC, XYZ",
+                    "surname": "Last11836",
+                    "user_principal_name": "[email protected]"
+                }
+            },
+            "event": {
+                "category": [
+                    "iam"
+                ],
+                "kind": "asset",
+                "original": "{\"@timestamp\":\"2023-03-06T10:07:13.883Z\",\"azure_ad\":{\"businessPhones\":[\"55-692-8856\",\"552-265-6614\"],\"mail\":\"[email protected]\",\"mobilePhone\":\"231-482-2649\",\"officeLocation\":\"608 St N, Somewhere, ABC, XYZ\",\"displayName\":\"First21480 Last11836\",\"surname\":\"Last11836\",\"givenName\":\"First21480\",\"jobTitle\":\"Manager\",\"department\":\"Security\",\"accountEnabled\":true,\"userPrincipalName\":\"[email protected]\"},\"ecs\":{\"version\":\"8.11.0\"},\"event\":{\"action\":\"user-discovered\"},\"user\":{\"id\":\"aa534e49-edfd-4541-8256-8bbf34f122b4\",\"group\":[{\"name\":\"Group 5202\",\"id\":\"e7089e3a-2c83-4f08-8280-7530ed39b6ca\"},{\"name\":\"Group 16739\",\"id\":\"526588ce-2828-4cb1-9c9b-e57026e94b82\"}]},\"labels\":{\"identity_source\":\"entra_id-1\"},\"tags\":[\"preserve_original_event\",\"preserve_duplicate_custom_fields\"],\"_index\":\"logs-entityanalytics_entra_id.entity-default\",\"_id\":\"_id\",\"_version\":-3}",
+                "type": [
+                    "user",
+                    "info"
+                ]
+            },
+            "labels": {
+                "identity_source": "entra_id-1"
+            },
+            "related": {
+                "user": [
+                    "[email protected]",
+                    "[email protected]",
+                    "First21480 Last11836",
+                    "aa534e49-edfd-4541-8256-8bbf34f122b4"
+                ]
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ],
+            "user": {
+                "email": "[email protected]",
+                "enabled": true,
+                "first_name": "First21480",
+                "full_name": "First21480 Last11836",
+                "group": [
+                    {
+                        "id": "e7089e3a-2c83-4f08-8280-7530ed39b6ca",
+                        "name": "Group 5202"
+                    },
+                    {
+                        "id": "526588ce-2828-4cb1-9c9b-e57026e94b82",
+                        "name": "Group 16739"
+                    }
+                ],
+                "id": "aa534e49-edfd-4541-8256-8bbf34f122b4",
+                "job_title": "Manager",
+                "last_name": "Last11836",
+                "name": "[email protected]",
+                "phone": [
+                    "231-482-2649",
+                    "55-692-8856",
+                    "552-265-6614"
+                ],
+                "work": {
+                    "location_name": "608 St N, Somewhere, ABC, XYZ"
+                }
+            }
+        },
         {
             "@timestamp": "2023-03-06T10:07:13.883Z",
             "asset": {

packages/entityanalytics_entra_id/data_stream/entity/elasticsearch/ingest_pipeline/default.yml

@@ -46,11 +46,6 @@ processors:
       tag: pipeline_to_user
       if: ctx.user?.id != null
 
-  - remove:
-      field:
-        - azure_ad
-      tag: remove_azure_ad
-      ignore_missing: true
   - remove:
       field:
         - entityanalytics_entra_id.user.account_enabled