x-pack/filebeat/input/entityanalytics: add minimal-state mode for agentless environments

[efd6]

The entity-analytics input stores state in a local bbolt database (one file per input at <data_dir>/kvstore/<input_id>.db). Agentless environments don't provide persistent local storage, so the input can't run there.

This issue tracks adding a minimal-state mode that stores only checkpoint data (continuation tokens, timestamps, entity ID sets) in the Elasticsearch state store — the same mechanism CEL and httpjson inputs already use in agentless deployments. The minimal-state mode coexists with the existing implementation behind a config option.

Approach

The current implementation stores full entity data (users, devices, groups) locally for deletion detection and, in EntraID's case, transitive group membership computation. All four providers can operate with just checkpoint state:

Provider	Current persistent state	Minimal state
EntraID	Users, devices, groups, relationship tree, delta URLs	User delta URL only
Active Directory	Users, devices, whenChanged timestamp	whenChanged timestamp + entity ID set
Okta	Users, devices, timestamps, pagination cursors	lastUpdated timestamp + entity ID set
Jamf	Computers, timestamps	Page cursor + entity ID set

EntraID achieves minimal state by fetching all groups with members on each sync and computing transitive membership in working storage rather than persisting the full entity graph between syncs.

For AD, Okta, and Jamf, deletion detection stores the previous sync's entity ID set in the ES state store.

A config option selects the implementation. Both modes produce identical output documents, so the legacy implementation remains available as a fallback during validation. The option will be hidden in agentless mode where minimal-state is required.

Implementation runtime

The minimal-state approach applies regardless of implementation runtime. Two paths are available:

1. Beats input: Add a minimal-state mode to the existing entity-analytics input. Requires refactoring to accept statestore.States (x-pack/filebeat/input/entityanalytics: refactor input to accept statestore.States #49160).
2. OTel receiver: Implement as a new OpenTelemetry receiver. The elasticsearchstorage extension provides ES-backed state storage in the OTel runtime, making this path viable.

The per-provider sync flows, state requirements, and output documents are identical in both cases.

Related work

• elastic/beats#41492 — Entity Analytics Input GA
• The agentless-controller needs to add entity-analytics to AGENTLESS_ELASTICSEARCH_STATE_STORE_INPUT_TYPES.
• Fleet integration packages will default to minimal-state mode and hide the option in agentless deployments.
• Downstream latest transforms can provide a "current state" view of entities and handle deletion detection via TTL. These are recommended but not required by this work.

Sub-issues

• x-pack/filebeat/input/entityanalytics: refactor input to accept statestore.States #49160 Refactor input to accept statestore.States and add config option for minimal-state mode
• x-pack/filebeat/input/entityanalytics: EntraID minimal-state mode #49161 EntraID: implement minimal-state mode
• x-pack/filebeat/input/entityanalytics: Active Directory minimal-state mode #49162 Active Directory: implement minimal-state mode
• x-pack/filebeat/input/entityanalytics: Okta minimal-state mode with bulk-fetch enrichment #49163 Okta: implement minimal-state mode with bulk-fetch enrichment
• x-pack/filebeat/input/entityanalytics: Jamf minimal-state mode #49164 Jamf: implement minimal-state mode

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[github-actions]

tl;dr: This is a valid and well-scoped epic; the best next step is to land the #49160 plumbing first (entityanalytics -> shared statestore.States + mode switch), then implement provider-specific minimal-state backends while keeping legacy kvstore mode as fallback.

1) Recommendation

Implement in two phases:

1. Core wiring refactor (x-pack/filebeat/input/entityanalytics: refactor input to accept statestore.States #49160 first): change entityanalytics.Plugin/provider factory signatures to accept shared state store dependencies (matching cel/httpjson patterns), and add a config switch for legacy (kvstore) vs minimal (ES statestore-backed checkpoint state).
2. Provider minimal-state implementations: EntraID (delta URL + in-memory membership rebuild), AD/Okta/Jamf (checkpoint + entity ID set for deletions), with parity tests to keep output documents identical across modes.

2) Findings

Key code evidence

• Entityanalytics is currently path+local-kvstore based (not shared statestore):
  • x-pack/filebeat/input/entityanalytics/input.go:28-38 (Plugin(logger, p *paths.Path))
  • x-pack/filebeat/input/entityanalytics/provider/provider.go:30 (FactoryFunc func(logger *logp.Logger, p *paths.Path) ...)
  • x-pack/filebeat/input/entityanalytics/internal/kvstore/input.go:75-80 (writes (data)/kvstore/(input_id).db)
• Default x-pack input registration does not pass store to entityanalytics today:
  • x-pack/filebeat/input/default-inputs/inputs_other.go:39
  • x-pack/filebeat/input/default-inputs/inputs_darwin.go:40
  • x-pack/filebeat/input/default-inputs/inputs_windows.go:40
  • x-pack/filebeat/input/default-inputs/inputs_aix.go:24
• Agentless ES state-store routing already exists generically in Filebeat:
  • filebeat/features/features.go:25-59 (AGENTLESS_ELASTICSEARCH_STATE_STORE_INPUT_TYPES)
  • filebeat/beater/store.go:90-94 (StoreFor selects ES store by input type)
  • filebeat/input/v2/input-cursor/manager.go:100-103 (input-type based ES initialization path)
• Integration evidence for currently enabled types:
  • x-pack/filebeat/tests/integration/managerV2_test.go:787 sets AGENTLESS_ELASTICSEARCH_STATE_STORE_INPUT_TYPES=httpjson,cel.
• Providers currently persist full entities locally (supports issue rationale):
  • EntraID: .../provider/azuread/statestore.go:21-49,85-123
  • Active Directory: .../provider/activedirectory/statestore.go:18-25,90-115
  • Okta: .../provider/okta/statestore.go:18-26,104-130
  • Jamf: .../provider/jamf/statestore.go:18-24,78-93

3) Verification

Commands run

$ go test ./x-pack/filebeat/input/entityanalytics/... ./filebeat/features/...
ok   github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics                               0.006s
ok   github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/collections          0.007s
ok   github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/kvstore              0.068s
ok   github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider                      0.015s
ok   github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/activedirectory      0.104s
ok   github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/azuread              0.078s
ok   github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/jamf                 0.027s
ok   github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/okta                14.629s
ok   github.com/elastic/beats/v7/filebeat/features                                                    0.004s

All targeted tests passed; this confirms current behavior is stable and the issue is enhancement/plumbing work rather than an immediate regression.

4) Detailed Action Plan

Concrete implementation sequence

1. Refactor signatures and wiring
   • Update x-pack/filebeat/input/entityanalytics/input.go plugin and manager to accept shared store dependency.
   • Update x-pack/filebeat/input/entityanalytics/provider/provider.go factory signature accordingly.
   • Update all x-pack/filebeat/input/default-inputs/inputs_*.go callsites to pass store (like cel/httpjson).
2. Add input/provider mode config
   • Add explicit mode (legacy/minimal) in entityanalytics config parsing/validation.
   • Keep legacy kvstore path behavior unchanged for fallback.
3. Introduce minimal-state backends by provider
   • EntraID: persist only user delta checkpoint; compute transitive memberships in-memory each sync.
   • AD/Okta/Jamf: persist checkpoint (whenChanged/lastUpdated/page cursor) + previous entity ID set for delete detection.
4. Agentless behavior and gating
   • Ensure entity-analytics is included in agentless ES-store enabled input types in controller wiring as noted in issue.
   • In agentless mode, require/hide minimal mode (legacy unavailable).
5. Tests
   • Unit tests for new config/mode validation and provider state transitions.
   • Integration test patterned after managerV2_test.go agentless env flow to validate state persistence across restart for entity-analytics.
   • Parity assertions: same emitted ECS docs across legacy/minimal for representative datasets.

5) Related Items

Issues, files, references

Type	Link	Relevance
Epic	#49159	Parent scope
Sub-issue	#49160	Required wiring refactor (statestore.States + mode switch)
Sub-issue	#49161	EntraID minimal-state
Sub-issue	#49162	Active Directory minimal-state
Sub-issue	#49163	Okta minimal-state
Sub-issue	#49164	Jamf minimal-state
Existing epic	#41492	Entity Analytics GA context
File	x-pack/filebeat/input/entityanalytics/input.go	Plugin/manager entry point
File	x-pack/filebeat/input/entityanalytics/internal/kvstore/input.go	Local DB path creation
File	filebeat/features/features.go	Agentless ES-store input-type gating
File	filebeat/beater/store.go	Store selection by input type

---

What is this? | From workflow: Issue Triage

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.