[Entity Analytics][Privileged user monitoring] Discover privileged users from the Entity Analytics Okta integration (#237129)

## Summary 
 
Enable discovering privileged users from the Okta entity analytics
integration. Users from any of the following roles will be considered
privileged:

  - Super Administrator
  - Organization Administrator
  - Group Administrator
  - Application Administrator
  - Mobile Administrator
  - Help Desk Administrator
  - Report Administrator
  - API Access Management Administrator
  - Group Membership Administrator
  - Read-only Administrator
  
If a user has one of these roles removed or is deleted, their privileged
status will be removed.

This PR also fixes deletion detection so that labels in
entity_analytics_monitoring.labels are also removed when their source
type is deleted.

For example: when a user is marked as stale during integrations sync,
any related entity_analytics_monitoring labels (such as roles or groups
from user matchers) will now be cleaned up as well.

Example labels for a user with roles matchers fields. 

```
 "entity_analytics_monitoring": {
      "labels": [
        {
          "field": "user.roles",
          "source": "efcd1d7d-8e22-4d81-b518-d841cc84cc29",
          "value": "Help Desk Administrator"
        }
      ]
```
Expected outcome for that user becoming stale: 
```
{
    "id": "OpjWn5kBU9rgIRFRDV7n",
    "entity_analytics_monitoring": {
      "labels": [] // 
    },
    "@timestamp": "2025-10-01T12:53:50.714Z",
    "event": {
      "ingested": "2025-10-01T12:53:50.714Z"
    },
    "user": {
      "is_privileged": false,
      "name": "Carlee.Littel"
    },
    "labels": {
      "source_ids": [],
      "sources": []
    }
  },
```

## How To Test 
1. Generate 100 (or many) users - a high number increases the likeliness
of users within a given full sync window.
`yarn start privileged-user-monitoring` select integrations sync, input
your number of users
1.5 Change the interval in
_security_solution/server/lib/entity_analytics/privilege_monitoring/constants.ts_
to a shorter time if you want to run multiple times
2. Run Kibana and open dev tools 
3. Enable advanced setting - privileged users monitoring 
4. Open dev tools, have a look at the integrations data generated, grab
one of the middle timestamps from a user (@timestamp, top level of the
document) --> Use this as a base for events completed and started
5. Create an entity event pair - started a few minutes before above
timestamp, completed - a few minutes after.
```
POST logs-entityanalytics_okta.entity-default/_bulk
{ "create": {} }
{ "@timestamp": "2025-09-28T13:20:53.851Z",
  "event": {
    "action": "started",
    "agent_id_status": "verified",
    "dataset": "entityanalytics_okta.entity",
    "kind": "asset",
    "start": "2025-09-28T13:20:53.851Z",
    "ingested": "2025-09-28T10:25:53.851Z"
  }
}
{ "create": {} }
{ "@timestamp": "2025-09-28T13:30:53.851Z",
  "event": {
    "action": "completed",
    "agent_id_status": "verified",
    "dataset": "entityanalytics_okta.entity",
    "kind": "asset",
    "end":"2025-09-28T13:30:53.851Z",
    "ingested": "2025-09-28T13:30:53.851Z"
  }
}
```
5. Run init `POST kbn:/api/entity_analytics/monitoring/engine/init  `
6. Inspect users from sync, see that the deleted / stale users
monitoring labels are removed, as above.

Author: CAWilson94

x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts

@@ -237,10 +237,6 @@ export const allowedExperimentalValues = Object.freeze({
   serviceEntityStoreEnabled: true,
   /**
 
-   /**
-   * Enables Integrations Sync for Privileged User Monitoring
-   */
-  integrationsSyncEnabled: false,
 
   /**
    * Disables the siem migrations feature

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/data_sources/bulk/soft_delete.ts

@@ -43,9 +43,14 @@ export const bulkSoftDeleteOperationsFactory =
             source: `
             ctx._source['@timestamp'] = params.now;
             ctx._source.event.ingested = params.now;
+            
             if (ctx._source.labels?.source_ids != null && !ctx._source.labels?.source_ids.isEmpty()) {
               ctx._source.labels.source_ids.removeIf(idx -> idx == params.source_id);
             }
+            
+            if (ctx._source.entity_analytics_monitoring != null && ctx._source.entity_analytics_monitoring.labels != null) {
+             ctx._source.entity_analytics_monitoring.labels.removeIf(l -> l != null && l.source == params.source_id);
+          }
 
             if (ctx._source.labels?.source_ids == null || ctx._source.labels.source_ids.isEmpty()) {
               if (ctx._source.labels?.sources != null) {

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/data_sources/data_sources_service.ts

@@ -17,11 +17,9 @@ export const createDataSourcesService = (
   soClient: SavedObjectsClientContract,
   maxUsersAllowed: number
 ) => {
-  const { deps } = dataClient;
   const esClient = dataClient.deps.clusterClient.asCurrentUser;
   const indexSyncService = createIndexSyncService(dataClient, maxUsersAllowed);
   const integrationsSyncService = createIntegrationsSyncService(dataClient, soClient);
-  const integrationsSyncFlag = deps.experimentalFeatures?.integrationsSyncEnabled ?? false;
 
   /**
    * This creates an index for the user to populate privileged users.
@@ -64,7 +62,7 @@ export const createDataSourcesService = (
   };
   const syncAllSources = async () => {
     const jobs = [indexSyncService.plainIndexSync(soClient)];
-    if (integrationsSyncFlag) jobs.push(integrationsSyncService.integrationsSync());
+    jobs.push(integrationsSyncService.integrationsSync());
 
     const settled = await Promise.allSettled(jobs);
     settled

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/data_sources/sync/integrations/deletion_detection/deletion_detection.ts

@@ -71,14 +71,12 @@ export const createDeletionDetectionService = (
         completedEventTimeStamp,
       });
 
-      dataClient.log(`debug`, `allIntegrationsUserNames: ${allIntegrationsUserNames}`);
       // get all users in the privileged index for this source that are not in integrations docs
       const staleUsers = await findStaleUsers(
         source.id,
         allIntegrationsUserNames,
         'entity_analytics_integration' // TODO: confirm index/type constant
       );
-      dataClient.log(`debug`, `staleUsers: ${staleUsers}`);
       const ops = bulkUtilsService.bulkSoftDeleteOperations(
         staleUsers,
         dataClient.index,

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/data_sources/sync/integrations/update_detection/privileged_status_update.ts

@@ -15,7 +15,7 @@ export const createPrivilegeStatusUpdateService = (dataClient: PrivilegeMonitori
     users: PrivMonBulkUser[],
     source: MonitoringEntitySource
   ) => {
-    dataClient.log('debug', `Updating internal index for users: ${JSON.stringify(users, null, 2)}`);
+    dataClient.log('debug', `Updating internal index for users ${users.length}`);
     await applyPrivilegedUpdates({ users, dataClient, source });
   };
 

x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/privilege_monitoring/engine/initialisation_service.ts

@@ -9,10 +9,8 @@ import moment from 'moment';
 import type { SavedObjectsClientContract } from '@kbn/core/server';
 import {
   MonitoringEngineComponentResourceEnum,
-  type CreateMonitoringEntitySource,
   type MonitoringEngineDescriptor,
 } from '../../../../../common/api/entity_analytics';
-import { defaultMonitoringUsersIndex } from '../../../../../common/entity_analytics/privileged_user_monitoring/utils';
 import type { PrivilegeMonitoringDataClient } from './data_client';
 import { PrivilegeMonitoringEngineActions } from '../auditing/actions';
 import { PRIVILEGE_MONITORING_ENGINE_STATUS } from '../constants';
@@ -63,13 +61,8 @@ export const createInitialisationService = (
     const descriptor = await descriptorClient.init();
     dataClient.log('info', `Initialized privileged monitoring engine saved object`);
 
-    if (deps.experimentalFeatures?.integrationsSyncEnabled ?? false) {
-      // upsert index AND integration sources
-      await InitSourceCreationService.upsertSources(monitoringIndexSourceClient);
-    } else {
-      // upsert ONLY index source
-      await createOrUpdateDefaultDataSource(monitoringIndexSourceClient);
-    }
+    // upsert index AND integration sources
+    await InitSourceCreationService.upsertSources(monitoringIndexSourceClient);
 
     try {
       dataClient.log('debug', 'Creating privilege user monitoring event.ingested pipeline');
@@ -123,66 +116,5 @@ export const createInitialisationService = (
     return descriptor;
   };
 
-  const createOrUpdateDefaultDataSource = async (
-    monitoringIndexSourceClient: MonitoringEntitySourceDescriptorClient
-  ) => {
-    const sourceName = dataClient.index;
-
-    const defaultIndexSource: CreateMonitoringEntitySource = {
-      type: 'index',
-      managed: true,
-      indexPattern: defaultMonitoringUsersIndex(deps.namespace),
-      name: sourceName,
-    };
-
-    const existingSources = await monitoringIndexSourceClient.find({
-      name: sourceName,
-    });
-
-    if (existingSources.saved_objects.length > 0) {
-      dataClient.log('info', 'Default index source already exists, updating it.');
-      const existingSource = existingSources.saved_objects[0];
-      try {
-        await monitoringIndexSourceClient.update({
-          id: existingSource.id,
-          ...defaultIndexSource,
-        });
-      } catch (e) {
-        dataClient.log(
-          'error',
-          `Failed to update default index source for privilege monitoring: ${e.message}`
-        );
-        dataClient.audit(
-          PrivilegeMonitoringEngineActions.INIT,
-          MonitoringEngineComponentResourceEnum.privmon_engine,
-          'Failed to update default index source for privilege monitoring',
-          e
-        );
-      }
-    } else {
-      dataClient.log('info', 'Creating default index source for privilege monitoring.');
-
-      try {
-        // TODO: failing test, empty sources array. FIX
-        const indexSourceDescriptor = monitoringIndexSourceClient.create(defaultIndexSource);
-
-        dataClient.log(
-          'debug',
-          `Created index source for privilege monitoring: ${JSON.stringify(indexSourceDescriptor)}`
-        );
-      } catch (e) {
-        dataClient.log(
-          'error',
-          `Failed to create default index source for privilege monitoring: ${e.message}`
-        );
-        dataClient.audit(
-          PrivilegeMonitoringEngineActions.INIT,
-          MonitoringEngineComponentResourceEnum.privmon_engine,
-          'Failed to create default index source for privilege monitoring',
-          e
-        );
-      }
-    }
-  };
   return { init };
 };

x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/ess.config.ts

@@ -18,9 +18,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
       serverArgs: [
         ...functionalConfig.get('kbnTestServer.serverArgs'),
         '--xpack.securitySolution.entityAnalytics.monitoring.privileges.users.maxPrivilegedUsersAllowed=100',
-        `--xpack.securitySolution.enableExperimental=${JSON.stringify([
-          'integrationsSyncEnabled',
-        ])}`,
+        `--xpack.securitySolution.enableExperimental=${JSON.stringify([])}`,
       ],
     },
     testFiles: [require.resolve('..')],

x-pack/solutions/security/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/serverless.config.ts

@@ -15,7 +15,6 @@ export default createTestConfig({
       { product_line: 'cloud', product_tier: 'complete' },
     ])}`,
     '--xpack.securitySolution.entityAnalytics.monitoring.privileges.users.maxPrivilegedUsersAllowed=100',
-    `--xpack.securitySolution.enableExperimental=${JSON.stringify(['integrationsSyncEnabled'])}`,
   ],
   testFiles: [require.resolve('..')],
   junit: {