EntityAnalytics AD: add support for ECS entity fields #18337

Draft
chemamartinez wants to merge 7 commits into elastic:main from chemamartinez:18288-entityanalytics_ad-entity-fields

Conversation

@chemamartinez chemamartinez commented Apr 10, 2026

Proposed commit message

Adds ECS entity field support to the Entity Analytics
Active Directory integration for both users and devices.

Maps UAC flags, last logon timestamp, and DN-valued
attributes (`directReports`, `managedObjects`, `managedBy`)
to `user.entity.*` and `host.entity.*` fields covering MFA status,
domain management, last activity, and org relationships
(supervises, owns, administered_by).

DN values are parsed into structured `{id, name, domain}` arrays.
All three relationship attributes are collected by default,
but a note in the `User Attributes` setting warns that specifying
any value there switches the request to an explicit list, dropping
these attributes unless added manually.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

@chemamartinez chemamartinez self-assigned this Apr 10, 2026
@chemamartinez chemamartinez added enhancement New feature or request Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:entityanalytics_ad Active Directory Entity Analytics labels Apr 10, 2026
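The DN parsing the PR description refers to (turning `directReports`, `managedObjects` and `managedBy` values into `{id, name, domain}` arrays), as an added Python example that is not the integration's own code. What each field holds is an assumption here: `id` is the original DN, `name` the CN value, `domain` the DC components joined with dots; escape handling follows RFC 4514.

```python
# Added example (not the integration's code): parse AD DNs into {id, name, domain}.
# Assumed meaning: id = original DN, name = CN value, domain = DC values joined.
import string

_HEX = set(string.hexdigits)


def _split_unescaped(dn: str) -> list[str]:
    """Split on commas that are not preceded by an escaping backslash (RFC 4514)."""
    parts, start, i = [], 0, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character (or the first hex digit)
        elif dn[i] == ",":
            parts.append(dn[start:i])
            start, i = i + 1, i + 1
        else:
            i += 1
    parts.append(dn[start:])
    return parts


def _unescape(value: str) -> str:
    """Decode '\\x' (literal character) and '\\HH' (raw byte) escapes."""
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and len(pair) == 2 and all(c in _HEX for c in pair):
            out.append(int(pair, 16))  # one byte of a UTF-8 sequence
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out.extend(value[i + 1].encode("utf-8"))
            i += 2
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def parse_dn(dn: str) -> dict:
    """Return {id, name, domain}; name is None without CN, domain None without DC."""
    rdns = []
    for raw in _split_unescaped(dn):
        attr, sep, val = raw.lstrip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {raw!r} in {dn!r}")
        rdns.append((attr.strip().upper(), _unescape(val.lstrip())))
    name = next((v for a, v in rdns if a == "CN"), None)
    domain = ".".join(v for a, v in rdns if a == "DC") or None
    return {"id": dn, "name": name, "domain": domain}
```

A multi-valued attribute is handled by mapping `parse_dn` over its values; escaped commas inside a CN (`Doe\, John`) stay inside the name rather than splitting the DN.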
@github-actions

Vale Linting Results

Summary: 2 warnings found

⚠️ Warnings (2)
File Line Rule Message
packages/entityanalytics_ad/docs/README.md 350 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/entityanalytics_ad/docs/README.md 351 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

Comment on lines +120 to +122
if: ctx.activedirectory?.device?.last_logon_timestamp != null && ctx.activedirectory.device.last_logon_timestamp != ''
on_failure:
- append:

🟠 High packages/entityanalytics_ad/data_stream/entity/elasticsearch/ingest_pipeline/device.yml:120

The date processor for activedirectory.device.last_logon_timestamp (lines 114-124) lacks a - remove: step in its on_failure handler. When date parsing fails, the original string remains in the field, and since entityanalytics_ad.device.last_logon_timestamp is mapped as type: date, Elasticsearch will reject the document. This causes the document to be dropped. The other three date processors in this file (lines 75-87, 88-100, 101-113) all include the remove step in their on_failure handlers.

      on_failure:
+        - remove:
+            field: activedirectory.device.last_logon_timestamp
         - append:

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @chemamartinez

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Apr 10, 2026

Development

Successfully merging this pull request may close these issues.

Entity Analytics Active Directory: add support for entity fields