diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml index 81f09ceaf96..fe5a7b9857f 100644 --- a/packages/google_workspace/changelog.yml +++ b/packages/google_workspace/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.43.0" + changes: + - description: Add missing field mappings in the `admin`, `device`, `drive`, `login` and `token` data streams. + type: enhancement + link: https://github.com/elastic/integrations/pull/14549 - version: "2.42.0" changes: - description: Use `terminate` processor instead of `fail` processor to handle agent errors. diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json index d9337852132..848e6af1cbc 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json @@ -776,4 +776,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json index b7f40ca4c22..989b636e3ce 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json @@ -1063,4 +1063,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json index 58b72a71610..6624cb44627 100644 
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json @@ -332,4 +332,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json index 218908b1a82..a3abeaf41fd 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json @@ -1723,4 +1723,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json index 0cab82ba5bd..bd2e09a04af 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json @@ -87,4 +87,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json index 4010b725096..8e813ed3ab6 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json @@ -653,4 +653,4 @@ } } ] -} \ No newline at end of file +} 
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json index f3ca9e92900..788a112a567 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json @@ -359,4 +359,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log index 6bb8cb62757..37a6db6ee13 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log 
@@ -3,6 +3,7 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"ALERT_ID","value":"1abc23d4-56e-f78ghi-9j0k-lm1n"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json
index 8cb47fbe392..3cb2994256b 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json
@@ -391,6 +391,84 @@ "name": "foo" } }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "CREATE_ALERT", + "category": [ + "iam" + ], + "id": "1", + "kind": "event", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"ALERT_ID\",\"value\":\"1abc23d4-56e-f78ghi-9j0k-lm1n\"}]}}", + "provider": "admin", + "type": [ + "creation" + ] + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "admin": { + "alert": { + "id": "1abc23d4-56e-f78ghi-9j0k-lm1n", + "name": "alert name" + } + }, + "event": { + "type": "DOMAIN_SETTINGS" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "67.43.156.13" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { @@ -6666,4 +6744,4 @@ } } ] -} \ No newline at end of file +} 
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json index 4275da4c117..11ddfa9d917 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json @@ -850,4 +850,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json index 38c4ad1349d..232466262e0 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json @@ -1233,4 +1233,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json index efa85507ec5..deac7ad79a7 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json @@ -667,4 +667,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json index ab894271d4f..26eb27269bb 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json 
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json @@ -2585,4 +2585,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json index 73c656a199f..8e83f040f77 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json @@ -1365,4 +1365,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log index 1a75621dca4..25c6df577d0 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log 
@@ -22,3 +22,5 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_CHARTS","name":"SECURITY_CHART_DRILLDOWN","parameters":[{"name":"CHART_FILTERS","value":"DATE BETWEEN 2024-11-01T04:00:00Z AND 2024-12-01T05:00:00Z"},{"name":"CHART_NAME","value":"user"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"SECURITY_INVESTIGATION","name":"SECURITY_INVESTIGATION_ACTION","parameters":[{"name":"INVESTIGATION_ACTION","value":"VIEW_EMAIL_HEADERS"},{"name":"INVESTIGATION_DATA_SOURCE","value":"GMAIL"},{"name":"INVESTIGATION_ENTITY_IDS","value":"(<12345e23.212a2002.1=3b4359.3g21@example.com> foo@bar.com)"},{"name":"INVESTIGATION_OBJECT_IDENTIFIER","value":"12abc3d-4ef5g67-4843-891c-4396afd6cbfe"},{"name":"INVESTIGATION_QUERY","value":"(empty)"},{"name":"INVESTIGATION_URL_DISPLAY_TEXT","value":"OPEN_INVESTIGATION"}]}}
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json
index 4425d1d74b1..5b5ffa6be66 100644
--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json
@@ -2049,6 +2049,160 @@ "id": "1", "name": "foo" } + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "SECURITY_CHART_DRILLDOWN", + "category": [ + "iam" + ], + "id": "1", + "kind": "event", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_CHARTS\",\"name\":\"SECURITY_CHART_DRILLDOWN\",\"parameters\":[{\"name\":\"CHART_FILTERS\",\"value\":\"DATE BETWEEN 2024-11-01T04:00:00Z AND 2024-12-01T05:00:00Z\"},{\"name\":\"CHART_NAME\",\"value\":\"user\"}]}}", + "provider": "admin" + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "admin": { + "chart": { + "filters": "DATE BETWEEN 2024-11-01T04:00:00Z AND 2024-12-01T05:00:00Z", + "name": "user" + } + }, + "event": { + "type": "SECURITY_CHARTS" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "67.43.156.13" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "SECURITY_INVESTIGATION_ACTION", + "category": [ + "iam" + ], + "id": "1", + "kind": "event", + "original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"SECURITY_INVESTIGATION\",\"name\":\"SECURITY_INVESTIGATION_ACTION\",\"parameters\":[{\"name\":\"INVESTIGATION_ACTION\",\"value\":\"VIEW_EMAIL_HEADERS\"},{\"name\":\"INVESTIGATION_DATA_SOURCE\",\"value\":\"GMAIL\"},{\"name\":\"INVESTIGATION_ENTITY_IDS\",\"value\":\"(<12345e23.212a2002.1=3b4359.3g21@example.com> foo@bar.com)\"},{\"name\":\"INVESTIGATION_OBJECT_IDENTIFIER\",\"value\":\"12abc3d-4ef5g67-4843-891c-4396afd6cbfe\"},{\"name\":\"INVESTIGATION_QUERY\",\"value\":\"(empty)\"},{\"name\":\"INVESTIGATION_URL_DISPLAY_TEXT\",\"value\":\"OPEN_INVESTIGATION\"}]}}", + "provider": "admin" + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "admin": { + "investigation": { + "action": "VIEW_EMAIL_HEADERS", + "data_source": "GMAIL", + "entity_ids": "(<12345e23.212a2002.1=3b4359.3g21@example.com> foo@bar.com)", + "object_identifier": "12abc3d-4ef5g67-4843-891c-4396afd6cbfe", + "query": "(empty)", + "url_display_text": "OPEN_INVESTIGATION" + } + }, + "event": { + "type": "SECURITY_INVESTIGATION" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "67.43.156.13" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } 
} ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json index e15c23a9922..147ebbaac0d 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json @@ -424,4 +424,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json index 981f2ee7007..a042d71d15e 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json @@ -6289,4 +6289,4 @@ } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml index 830b876f6b0..ee386be53aa 100644 --- a/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml 
@@ -461,6 +461,51 @@ processors:
 field: google_workspace.admin.REAUTH_SETTING_OLD
 target_field: google_workspace.admin.old_value
 ignore_missing: true
+ - rename:
+ field: google_workspace.admin.ALERT_ID
+ tag: rename_alert_id
+ target_field: google_workspace.admin.alert.id
+ ignore_missing: true
+ - rename:
+ field: google_workspace.admin.CHART_FILTERS
+ tag: rename_chart_filters
+ target_field: google_workspace.admin.chart.filters
+ ignore_missing: true
+ - rename:
+ field: google_workspace.admin.CHART_NAME
+ tag: rename_chart_name
+ target_field: google_workspace.admin.chart.name
+ ignore_missing: true
+ - rename:
+ field: google_workspace.admin.INVESTIGATION_ACTION
+ tag: rename_investigation_action
+ target_field: google_workspace.admin.investigation.action
+ ignore_missing: true
+ - rename:
+ field: google_workspace.admin.INVESTIGATION_DATA_SOURCE
+ tag: rename_investigation_data_source
+ target_field: google_workspace.admin.investigation.data_source
+ ignore_missing: true
+ - rename:
+ field: google_workspace.admin.INVESTIGATION_ENTITY_IDS
+ tag: rename_investigation_entity_ids
+ target_field: google_workspace.admin.investigation.entity_ids
+ ignore_missing: true
+ - rename:
+ field: google_workspace.admin.INVESTIGATION_OBJECT_IDENTIFIER
+ tag: rename_investigation_object_identifier
+ target_field: google_workspace.admin.investigation.object_identifier
+ ignore_missing: true
+ - rename:
+ field: google_workspace.admin.INVESTIGATION_QUERY
+ tag: rename_investigation_query
+ target_field: google_workspace.admin.investigation.query
+ ignore_missing: true
+ - rename:
+ field: google_workspace.admin.INVESTIGATION_URL_DISPLAY_TEXT
+ tag: rename_investigation_url_display_text
+ target_field: google_workspace.admin.investigation.url_display_text
+ ignore_missing: true
 - rename:
 field: google_workspace.admin.ALERT_NAME
 target_field: google_workspace.admin.alert.name
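Review bot: Nothing in this hunk assigns an ECS `event.type` for the two actions the new renames introduce, `SECURITY_CHART_DRILLDOWN` and `SECURITY_INVESTIGATION_ACTION`; the updated test-admin-security.log fixture in this same commit shows both events with `event.category: [iam]` and no `event.type`, while the neighbouring `CREATE_ALERT` event carries `type: [creation]`. An investigation-tool action such as `VIEW_EMAIL_HEADERS` is exactly the privileged-admin activity detection rules key on, so a categorisation step (for instance `event.type: [access]` for investigation actions and `[info]` for chart drill-downs) would make them queryable alongside the other admin events; the processor that sets event.type lives outside this hunk, so this may already be handled elsewhere and is worth confirming. Also, `INVESTIGATION_ENTITY_IDS` is kept as one keyword holding a `(<message-id> address)` tuple, so the investigated account never reaches `related.user`; if no split is intended, a comment on that rename such as `# compound value: parenthesised list of investigated identifiers, stored verbatim` would save the next reader the guess. Style: the new processors carry `tag:` entries while the adjacent existing renames (`REAUTH_SETTING_OLD`, `ALERT_NAME`) do not, which leaves the on-failure messages uneven across this block.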
diff --git a/packages/google_workspace/data_stream/admin/fields/fields.yml b/packages/google_workspace/data_stream/admin/fields/fields.yml
index 642107f70fe..ceb9579eaf0 100644
--- a/packages/google_workspace/data_stream/admin/fields/fields.yml
+++ b/packages/google_workspace/data_stream/admin/fields/fields.yml
@@ -257,3 +257,30 @@
 type: keyword
 description: |
 The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
+ - name: alert
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: chart
+ type: group
+ fields:
+ - name: filters
+ type: keyword
+ - name: name
+ type: keyword
+ - name: investigation
+ type: group
+ fields:
+ - name: action
+ type: keyword
+ - name: data_source
+ type: keyword
+ - name: entity_ids
+ type: keyword
+ - name: object_identifier
+ type: keyword
+ - name: query
+ type: keyword
+ - name: url_display_text
+ type: keyword
diff --git a/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log b/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log
index a615cd3111f..3bda4a7df38 100644
--- a/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log
+++ b/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log
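Review bot: The new `alert.id`, `chart.*` and `investigation.*` fields are added without `description:` entries, although the neighbouring distribution-entity field in the same hunk documents its meaning and points to the Google appendix. A one-line description per field — that `chart.filters` holds the filter expression used for the drill-down (the fixture shows a `DATE BETWEEN … AND …` clause), and that `investigation.entity_ids` is a parenthesised list of investigated identifiers — is what ends up in the package's exported field docs and what an analyst sees in Kibana. The same omission applies to `last_sync_audit_date` in the device fields.yml hunk further down this commit, where every neighbouring field carries a description.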
@@ -1 +1,2 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"example.com","ipAddress":"67.43.156.13","etag":"string","events":{"type":"device_applications","name":"APPLICATION_EVENT","parameters":[{"name":"ACCOUNT_STATE","value":"REGISTERED"},{"name":"ACTION_EXECUTION_STATUS","value":"ACTION_REJECTED_BY_USER"},{"name":"ACTION_ID","value":"asd1234"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"APK_SHA256_HASH","value":"af2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e9891562113d8a62add1bf"},{"name":"APPLICATION_ID","value":"af2bdbe1aa9f"},{"name":"APPLICATION_MESSAGE","value":"message"},{"name":"APPLICATION_REPORT_KEY","value":"sda21"},{"name":"APPLICATION_REPORT_SEVERITY","value":"ERROR"},{"name":"APPLICATION_REPORT_TIMESTAMP","value":"2020-10-03T15:00:00Z"},{"name":"APPLICATION_STATE","value":"INSTALLED"},{"name":"BASIC_INTEGRITY","value":"integrity"},{"name":"CTS_PROFILE_MATCH","value":"profile"},{"name":"DEVICE_COMPLIANCE","value":"COMPLIANT"},{"name":"DEVICE_COMPROMISED_STATE","value":"COMPROMISED"},{"name":"DEVICE_DEACTIVATION_REASON","value":"CAMERA_NOT_DISABLED"},{"name":"DEVICE_ID","value":"asdqwe12e"},{"name":"DEVICE_MODEL","value":"model"},{"name":"DEVICE_OWNERSHIP","value":"COMPANY_OWNED"},{"name":"DEVICE_PROPERTY","value":"BASIC_INTEGRITY"},{"name":"DEVICE_SETTING","value":"DEVELOPER_OPTIONS"},{"name":"DEVICE_STATUS_ON_APPLE_PORTAL","value":"ADDED"},{"name":"DEVICE_TYPE","value":"ANDROID"},{"name":"FAILED_PASSWD_ATTEMPTS","value":20},{"name":"IOS_VENDOR_ID","value":"asfdwer23"},{"name":"NEW_DEVICE_ID","value":"asfwr5tg"},{"name":"NEW_VALUE","value":"DEVICE_ADMINISTRATOR"},{"name":"OLD_VALUE","value":"DEVICE_OWNER"},{"name":"OS_EDITION","value":"edition"},{"name":"OS_PROPERTY","value":"property"},{"name":"OS_VERSION","value":"os11"},{"name":"PHA_CATEGORY","value":"BACKDOOR"},{"name":"POLICY_NAME","value":"policy name"},{"name":"POLICY_SYNC_RESULT","value":"POLICY_SYNC_ABORTED"},{"name":"POLICY_SYNC_TYPE","value":"POLICY_APPLIED_TYPE"},{"name":"REGISTER_PRIVILEGE","value":"DEVICE_OWNER"},{"name":"RESOURCE_ID","value":"sads324"},{"name":"RISK_SIGNAL","value":"BASIC_INTEGRITY"},{"name":"SECURITY_EVENT_ID","value":2323523},{"name":"SECURITY_PATCH_LEVEL","value":"patch level"},{"name":"SERIAL_NUMBER","value":"asdsad1234"},{"name":"USER_EMAIL","value":"user@foo.com"},{"name":"VALUE","value":"value"},{"name":"WINDOWS_SYNCML_POLICY_STATUS_CODE","value":"200"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"example.com","ipAddress":"67.43.156.13","etag":"string","events":{"type":"device_updates","name":"DEVICE_SYNC_EVENT","parameters":[{"name":"BASIC_INTEGRITY","value":"integrity"},{"name":"CTS_PROFILE_MATCH","value":"profile"},{"name":"DEVICE_ID","value":"asdqwe12e"},{"name":"DEVICE_MODEL","value":"model"},{"name":"DEVICE_TYPE","value":"ANDROID"},{"name":"IOS_VENDOR_ID","value":"asfdwer23"},{"name":"OS_VERSION","value":"os11"},{"name":"RESOURCE_ID","value":"sads324"},{"name":"SECURITY_PATCH_LEVEL","value":"patch level"},{"name":"SERIAL_NUMBER","value":"asdsad1234"},{"name":"USER_EMAIL","value":"user@foo.com"},{"name":"LAST_SYNC_AUDIT_DATE","value":"1731689445476"}]}}
diff --git a/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log-expected.json b/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log-expected.json
index 2649ef439d4..6d62e066bbf 100644
--- a/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log-expected.json
+++ b/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log-expected.json
@@ -163,6 +163,125 @@ "id": "1", "name": "foo" } + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "DEVICE_SYNC_EVENT", + "id": "1", + "kind": [ + "event" + ], + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"example.com\",\"ipAddress\":\"67.43.156.13\",\"etag\":\"string\",\"events\":{\"type\":\"device_updates\",\"name\":\"DEVICE_SYNC_EVENT\",\"parameters\":[{\"name\":\"BASIC_INTEGRITY\",\"value\":\"integrity\"},{\"name\":\"CTS_PROFILE_MATCH\",\"value\":\"profile\"},{\"name\":\"DEVICE_ID\",\"value\":\"asdqwe12e\"},{\"name\":\"DEVICE_MODEL\",\"value\":\"model\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"ANDROID\"},{\"name\":\"IOS_VENDOR_ID\",\"value\":\"asfdwer23\"},{\"name\":\"OS_VERSION\",\"value\":\"os11\"},{\"name\":\"RESOURCE_ID\",\"value\":\"sads324\"},{\"name\":\"SECURITY_PATCH_LEVEL\",\"value\":\"patch level\"},{\"name\":\"SERIAL_NUMBER\",\"value\":\"asdsad1234\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@foo.com\"},{\"name\":\"LAST_SYNC_AUDIT_DATE\",\"value\":\"1731689445476\"}]}}", + "provider": "login" + }, + "google_workspace": { + "actor": { + "email": "foo@bar.com", + "profile": { + "id": "1" + }, + "type": "USER" + }, + "device": { + "basic_integrity": "integrity", + "cts_profile_match": "profile", + "id": "asdqwe12e", + "ios_vendor_id": "asfdwer23", + "last_sync_audit_date": "2024-11-15T16:50:45.476Z", + "model": "model", + "os": { + "version": "os11" + }, + "resource": { + "id": "sads324" + }, + "security": { + "patch_level": "patch level" + }, + "serial_number": "asdsad1234", + "type": "ANDROID", + "user_email": "user@foo.com" + }, + "etag": "string", + "event": { + "name": "DEVICE_SYNC_EVENT", + "type": "device_updates" + }, + "id": { + "application_name": "login", + 
"customer": { + "id": "1" + }, + "time": "2020-10-02T15:00:00.000Z", + "unique_qualifier": "1" + }, + "ip_address": "67.43.156.13", + "kind": "admin#reports#activity", + "organization": { + "domain": "example.com" + } + }, + "host": { + "os": { + "version": "os11" + } + }, + "organization": { + "id": "1" + }, + "related": { + "hosts": [ + "bar.com", + "example.com" + ], + "ip": [ + "67.43.156.13" + ], + "user": [ + "1", + "foo", + "foo@bar.com", + "user@foo.com" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "bar.com", + "email": [ + "foo@bar.com", + "user@foo.com" + ], + "id": "1", + "name": "foo" + } } ] -} \ No newline at end of file +} diff --git a/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml index c40b90f9a14..1a943e8ec75 100644 --- a/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml 
@@ -353,6 +353,23 @@ processors: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' + - date: + field: google_workspace.device.LAST_SYNC_AUDIT_DATE + tag: date_last_sync_audit_date + target_field: google_workspace.device.last_sync_audit_date + formats: + - UNIX_MS + - UNIX + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss + - yyyy-MM-dd'T'HH:mm:ssZ + - yyyy-MM-dd'T'HH:mm:ss.SSSZ + - yyyy/MM/dd HH:mm:ss z + if: ctx.google_workspace?.device?.LAST_SYNC_AUDIT_DATE != null && ctx.google_workspace.device.LAST_SYNC_AUDIT_DATE != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: google_workspace.device.APPLICATION_REPORT_SEVERITY target_field: google_workspace.device.application.report.severity @@ -527,6 +544,7 @@ processors: - google_workspace.device.APPLICATION_REPORT_TIMESTAMP - google_workspace.device.FAILED_PASSWD_ATTEMPTS - google_workspace.device.SECURITY_EVENT_ID + - google_workspace.device.LAST_SYNC_AUDIT_DATE ignore_missing: true - remove: if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) diff --git a/packages/google_workspace/data_stream/device/fields/fields.yml b/packages/google_workspace/data_stream/device/fields/fields.yml index c49bb0061b0..c7483e83e64 100644 --- a/packages/google_workspace/data_stream/device/fields/fields.yml +++ b/packages/google_workspace/data_stream/device/fields/fields.yml @@ -67,6 +67,8 @@ - name: ios_vendor_id type: keyword description: Parameter to indicate the iOS Vendor Id. + - name: last_sync_audit_date + type: date - name: model type: keyword description: Parameter to indicate the device model. 
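Review bot: In the new `date_last_sync_audit_date` processor the `UNIX` entry listed after `UNIX_MS` can never be reached, because `UNIX_MS` accepts any integer string, so a seconds-resolution value such as `1731689445` would be silently mapped to January 1970 instead of landing in `error.message`. The only fixture added here is the millisecond value `1731689445476`, which does not exercise that case. If the parameter is only ever milliseconds (I can't confirm that from this chunk), drop `UNIX` and add `# LAST_SYNC_AUDIT_DATE is epoch milliseconds; UNIX_MS must stay first because it matches any integer`; otherwise pick the unit by value magnitude before this processor rather than by format order. The second hunk also adds the raw field to a `remove` that appears to have no `if` (the processor's head is outside the hunk), so on a parse failure the original value survives only in `event.original` when that is preserved.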
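Review bot: The new `last_sync_audit_date` entry in `device/fields/fields.yml` has no `description`, while its neighbours `ios_vendor_id` and `model` do, so it will be the one undocumented row in the generated field table. Suggest `description: Parameter to indicate the date of the device's last sync audit.` in the same style as the surrounding entries. Since the pipeline hunk above derives it from the raw `LAST_SYNC_AUDIT_DATE` parameter, naming that source parameter in the description would help anyone mapping an alert back to the Google report.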
diff --git a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log
index 25df4cf7297..c05efd6cbe6 100644
--- a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log
+++ b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log
@@ -5,6 +5,7 @@ {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"deletion_reason","value":"empty_trash"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
@@ -19,6 +20,9 @@ {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"encryption_enforcement_option","value":"disabled"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"copy","parameters":[{"name":"billable","boolValue":false},{"name":"copy_type","value":"external"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"private"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"access","name":"access_url","parameters":[{"name":"accessed_url","value":["https://01abc-23-456-789-012.foo.bar"]},{"name":"actor_is_collaborator_account","boolValue":true},{"name":"billable","boolValue":false},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"script_id","value":"1abcD_efghiJklmNopQ"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"private"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} 
{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} 
@@ -26,4 +30,5 @@ {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}} 
{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"acl_change","name":"publish_change","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"new_publish_visibility","value":"nobody"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"private"},{"name":"old_publish_visibility","value":"public_in_the_domain"}]}} 
{"actor":{"email":"[john.doe@example.com](mailto:john.doe@example.com)","profileId":"987654"},"etag":"-xyz1234567890/abcdefg","events":{"name":"email_as_attachment","parameters":[{"name":"target","value":"[jane.smith@example.org](mailto:jane.smith@example.org)"},{"name":"target_user","value":"[manager@example.com](mailto:manager@example.com)"},{"boolValue":true,"name":"primary_event"},{"boolValue":true,"name":"billable"},{"boolValue":false,"name":"owner_is_shared_drive"},{"name":"owner","value":"[admin@example.co](mailto:admin@example.co)"},{"name":"doc_id","value":"doc123-456"},{"name":"doc_type","value":"spreadsheet"},{"boolValue":false,"name":"is_encrypted"},{"name":"doc_title","value":"Quarterly Report"},{"name":"visibility","value":"shared_externally"},{"boolValue":false,"name":"actor_is_collaborator_account"},{"boolValue":false,"name":"owner_is_team_drive"}],"type":"access"},"id":{"applicationName":"drive","customerId":"customer12345","time":"2024-07-29T12:34:56.789Z","uniqueQualifier":"4567890"},"kind":"admin#reports#activity"} diff --git a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json index 655152d9049..c9abb741153 100644 --- a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json +++ b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json 
@@ -654,6 +654,99 @@ "name": "foo" } }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "delete", + "category": [ + "file" + ], + "id": "1", + "kind": "event", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"deletion_reason\",\"value\":\"empty_trash\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "provider": "drive", + "type": [ + "deletion" + ] + }, + "file": { + "name": "document title", + "owner": "owner", + "type": "file" + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "drive": { + "billable": false, + "deletion_reason": "empty_trash", + "file": { + "id": "1234", + "owner": { + "email": "owner@example.com", + "is_shared_drive": false + }, + "type": "document" + }, + "originating_app_id": "1234", + "primary_event": true, + "visibility": "people_with_link" + }, + "event": { + "type": "access" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "67.43.156.13" + ], + "user": [ + "owner", + "foo" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": 
"Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { 
@@ -1951,6 +2044,283 @@ "name": "foo" } }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "upload", + "category": [ + "file" + ], + "id": "1", + "kind": "event", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"encryption_enforcement_option\",\"value\":\"disabled\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "provider": "drive", + "type": [ + "creation" + ] + }, + "file": { + "name": "document title", + "owner": "owner", + "type": "file" + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "drive": { + "billable": false, + "encryption_enforcement_option": "disabled", + "file": { + "id": "1234", + "owner": { + "email": "owner@example.com", + "is_shared_drive": false + }, + "type": "document" + }, + "originating_app_id": "1234", + "primary_event": true, + "visibility": "people_with_link" + }, + "event": { + "type": "access" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "67.43.156.13" + ], + "user": [ + "owner", + "foo" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": 
"BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "copy", + "category": [ + "file" + ], + "id": "1", + "kind": "event", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"copy\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"copy_type\",\"value\":\"external\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"private\"}]}}", + "provider": "drive" + }, + "file": { + "name": "document title", + "owner": "owner", + "type": "file" + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "drive": { + "billable": false, + "copy_type": "external", + "file": { + "id": "1234", + "owner": { + "email": "owner@example.com", + "is_shared_drive": false + }, + "type": "document" + }, + "new_value": "can_comment", + "old_value": "can_view", + "originating_app_id": "1234", + "primary_event": true, + "visibility": 
"private" + }, + "event": { + "type": "access" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "67.43.156.13" + ], + "user": [ + "owner", + "foo" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "access_url", + "category": [ + "file" + ], + "id": "1", + "kind": "event", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"access\",\"name\":\"access_url\",\"parameters\":[{\"name\":\"accessed_url\",\"value\":[\"https://01abc-23-456-789-012.foo.bar\"]},{\"name\":\"actor_is_collaborator_account\",\"boolValue\":true},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"script_id\",\"value\":\"1abcD_efghiJklmNopQ\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"private\"}]}}", + "provider": "drive" + }, + "file": { + "name": "document title", + "owner": "owner", + "type": "file" + }, + "google_workspace": { + 
"actor": { + "type": "USER" + }, + "drive": { + "accessed_url": [ + "https://01abc-23-456-789-012.foo.bar" + ], + "actor_is_collaborator_account": true, + "billable": false, + "file": { + "owner": { + "email": "owner@example.com", + "is_shared_drive": false + }, + "type": "document" + }, + "primary_event": true, + "script_id": "1abcD_efghiJklmNopQ", + "visibility": "private" + }, + "event": { + "type": "access" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + }, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "67.43.156.13" + ], + "user": [ + "owner", + "foo" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { 
@@ -2639,6 +3009,99 @@ "name": "foo" } }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "publish_change", + "category": [ + "file" + ], + "id": "1", + "kind": "event", + "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"acl_change\",\"name\":\"publish_change\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"new_publish_visibility\",\"value\":\"nobody\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"old_publish_visibility\",\"value\":\"public_in_the_domain\"}]}}", + "provider": "drive" + }, + "file": { + "name": "document title", + "owner": "owner", + "type": "file" + }, + "google_workspace": { + "actor": { + "type": "USER" + }, + "drive": { + "billable": false, + "file": { + "id": "1234", + "owner": { + "email": "owner@example.com", + "is_shared_drive": false + }, + "type": "document" + }, + "new_publish_visibility": "nobody", + "new_value": "can_comment", + "old_publish_visibility": "public_in_the_domain", + "old_value": "can_view", + "originating_app_id": "1234", + "primary_event": true, + "visibility": "private" + }, + "event": { + "type": "acl_change" + }, + "kind": "admin#reports#activity", + "organization": { + "domain": "elastic.com" + } + 
}, + "organization": { + "id": "1" + }, + "related": { + "ip": [ + "67.43.156.13" + ], + "user": [ + "owner", + "foo" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "domain": "bar.com", + "email": "foo@bar.com", + "id": "1", + "name": "foo" + } + }, { "@timestamp": "2024-07-29T12:34:56.789Z", "ecs": { diff --git a/packages/google_workspace/data_stream/drive/fields/fields.yml b/packages/google_workspace/data_stream/drive/fields/fields.yml index 2dc5087e622..103dfacbb29 100644 --- a/packages/google_workspace/data_stream/drive/fields/fields.yml +++ b/packages/google_workspace/data_stream/drive/fields/fields.yml @@ -1,9 +1,30 @@ - name: google_workspace.drive type: group fields: + - name: accessed_url + type: keyword + description: The URLs that were accessed. - name: billable type: boolean description: Whether this activity is billable. + - name: copy_type + type: keyword + description: Indicates whether the original item and new item are owned by the same organization. + - name: deletion_reason + type: keyword + description: The reason an item was deleted. + - name: encryption_enforcement_option + type: keyword + description: The client-side encryption policy being applied to the user at time of the item's creation. + - name: new_publish_visibility + type: keyword + description: New Publish Visibility Value. + - name: old_publish_visibility + type: keyword + description: Old Publish Visibility Value. + - name: script_id + type: keyword + description: The document ID of the executing script. - name: source_folder_id type: keyword - name: source_folder_title 
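Review bot: `accessed_url` is declared only as a custom keyword; the `access_url` sample in the expected output earlier in this diff shows it holds an array of URLs and nothing copies it to an ECS `url.*` field or `related.hosts`, so URL fetches by a script cannot be searched alongside other URL activity. The description could at least state the multi-valued nature, `description: The URLs accessed by the script; may contain multiple values.`, and the drive pipeline (not in this chunk) could populate `url.full` and `related.hosts` from it. The rest of the new entries mirror the sibling style and look fine.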
@@ -62,7 +83,7 @@
 - name: target_domain
 type: keyword
 description: |
- The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.
+ The domain for which the access scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.
 - name: added_role
 type: keyword
 description: |
diff --git a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log
index d43cdc7931e..8882c935173 100644
--- a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log
+++ b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log
@@ -13,4 +13,5 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"logout","parameters":[{"name":"login_type","value":"exchange"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"is_suspicious","boolValue":false},{"name":"login_type","value":"exchange"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"password"},{"name":"is_suspicious","boolValue":true},{"name":"login_type","value":"google_password"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"risky_sensitive_action_allowed","parameters":[{"name":"login_challenge_method","value":"password"},{"name":"is_suspicious","boolValue":true},{"name":"login_type","value":"google_password"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"sensitive_action_name","value":"Allowing access to data"}]}}
 {"actor":{"email":"tl.zeous.daclitan@company.com","profileId":"111111111"},"etag":"Q2W123123123123","events":{"name":"login_verification","parameters":[{"name":"login_type","value":"google_password"},{"multiValue":["security_key"],"name":"login_challenge_method"},{"name":"login_challenge_status","value":"passed"},{"boolValue":true,"name":"is_second_factor"}],"type":"login"},"id":{"applicationName":"login","customerId":"123","time":"2025-02-27T05:59:58.481Z","uniqueQualifier":"123"},"ipAddress":"81.2.69.144","kind":"admin#reports#activity"}
diff --git a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json
index a3722d38915..a9a9e27bce6 100644
--- a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json
+++ b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json
@@ -1195,6 +1195,86 @@
 "name": "foo"
 }
 },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "ecs": {
+ "version": "8.16.0"
+ },
+ "event": {
+ "action": "risky_sensitive_action_allowed",
+ "category": [
+ "configuration"
+ ],
+ "id": "1",
+ "kind": "event",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"login\",\"name\":\"risky_sensitive_action_allowed\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"password\"},{\"name\":\"is_suspicious\",\"boolValue\":true},{\"name\":\"login_type\",\"value\":\"google_password\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"sensitive_action_name\",\"value\":\"Allowing access to data\"}]}}",
+ "outcome": "success",
+ "provider": "login",
+ "type": [
+ "info"
+ ]
+ },
+ "google_workspace": {
+ "actor": {
+ "type": "USER"
+ },
+ "event": {
+ "type": "login"
+ },
+ "kind": "admin#reports#activity",
+ "login": {
+ "challenge_method": "password",
+ "challenge_status": "Challenge Passed.",
+ "is_suspicious": true,
+ "sensitive_action_name": "Allowing access to data",
+ "type": "google_password"
+ },
+ "organization": {
+ "domain": "elastic.com"
+ }
+ },
+ "organization": {
+ "id": "1"
+ },
+ "related": {
+ "ip": [
+ "67.43.156.13"
+ ],
+ "user": [
+ "foo"
+ ]
+ },
+ "source": {
+ "as": {
+ "number": 35908
+ },
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.13",
+ "user": {
+ "domain": "bar.com",
+ "email": "foo@bar.com",
+ "id": "1",
+ "name": "foo"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "domain": "bar.com",
+ "email": "foo@bar.com",
+ "id": "1",
+ "name": "foo"
+ }
+ },
 {
 "@timestamp": "2025-02-27T05:59:58.481Z",
 "ecs": {
diff --git a/packages/google_workspace/data_stream/login/fields/fields.yml b/packages/google_workspace/data_stream/login/fields/fields.yml
index 23e4416babd..b71519baafc 100644
--- a/packages/google_workspace/data_stream/login/fields/fields.yml
+++ b/packages/google_workspace/data_stream/login/fields/fields.yml
@@ -27,3 +27,5 @@
 type: boolean
 - name: is_suspicious
 type: boolean
+ - name: sensitive_action_name
+ type: keyword
diff --git a/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log b/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log
index 50ff3b29ee1..6adddeaf735 100644
--- a/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log
+++ b/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log
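Review bot: `sensitive_action_name` is added with no `description`, so the README row generated from it (visible further down this page) renders an empty cell; the new login test event shows the field carrying a free-text label (`Allowing access to data`) on a `risky_sensitive_action_allowed` event, which is exactly the value an analyst triaging a suspicious login would want explained. Suggest `description: Name of the sensitive action reported by the login event, for example on risky_sensitive_action_allowed events.` — the wording is inferred from the event name in the test data and should be checked against the Google reports appendix before merging. The neighbouring `is_second_factor` and `is_suspicious` entries are equally undocumented, but that predates this change. The enclosing `google_workspace.login` group starts outside this hunk.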
@@ -1 +1,2 @@
 {"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"etag":"\"CTyc505ppdmJR2motHVsU17kzItOkPo5vYViqlSF0rU/_JGuGElaExAZGVCsPXBMf-HkFqo\"","events":{"name":"authorize","parameters":[{"name":"client_id","value":"923474483785-sqf6uk8vq1rqe853il0g2h4m98ji2fq6.apps.googleusercontent.com"},{"name":"app_name","value":"Gmail Add-on"},{"name":"api_name","value":"token"},{"name":"method_name","value":"oauth"},{"name":"num_response_bytes","value":1223},{"name":"client_type","value":"WEB"},{"multiMessageValue":[{"parameter":[{"name":"scope_name","value":"https://www.googleapis.com/auth/gmail.addons.current.message.readonly"},{"multiValue":["GMAIL"],"name":"product_bucket"}]},{"parameter":[{"name":"scope_name","value":"https://www.googleapis.com/auth/gmail.addons.execute"},{"multiValue":["GMAIL"],"name":"product_bucket"}]},{"parameter":[{"name":"scope_name","value":"https://www.googleapis.com/auth/script.external_request"},{"multiValue":["APPS_SCRIPT_RUNTIME"],"name":"product_bucket"}]},{"parameter":[{"name":"scope_name","value":"https://www.googleapis.com/auth/script.storage"},{"multiValue":["APPS_SCRIPT_RUNTIME"],"name":"product_bucket"}]},{"parameter":[{"name":"scope_name","value":"https://www.googleapis.com/auth/userinfo.email"},{"multiValue":["IDENTITY","OTHER"],"name":"product_bucket"}]}],"name":"scope_data"},{"multiValue":["https://www.googleapis.com/auth/gmail.addons.current.message.readonly","https://www.googleapis.com/auth/gmail.addons.execute","https://www.googleapis.com/auth/script.external_request","https://www.googleapis.com/auth/script.storage","https://www.googleapis.com/auth/userinfo.email"],"name":"scope"}]},"id":{"applicationName":"token","customerId":"C02umwv6u","time":"2023-01-01T06:24:42.442Z","uniqueQualifier":"-6709442587437772138"},"ipAddress":"89.160.20.112","kind":"admin#reports#activity"}
+{"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"etag":"\"CTyc505ppdmJR2motHVsU17kzItOkPo5vYViqlSF0rU/_JGuGElaExAZGVCsPXBMf-HkFqo\"","events":{"name":"activity","parameters":[{"name":"client_id","value":"923474483785-sqf6uk8vq1rqe853il0g2h4m98ji2fq6.apps.googleusercontent.com"},{"name":"app_name","value":"Gmail Add-on"},{"name":"api_name","value":"token"},{"name":"method_name","value":"oauth"},{"name":"num_response_bytes","value":1223},{"name":"client_type","value":"WEB"},{"name":"product_bucket","value":"GSUITE_ADMIN"}]},"id":{"applicationName":"token","customerId":"C02umwv6u","time":"2023-01-01T06:24:42.442Z","uniqueQualifier":"-6709442587437772138"},"ipAddress":"89.160.20.112","kind":"admin#reports#activity"}
diff --git a/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log-expected.json b/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log-expected.json
index 6c71908e753..df86db3d421 100644
--- a/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log-expected.json
+++ b/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log-expected.json
@@ -149,6 +149,114 @@
 "id": "1",
 "name": "foo"
 }
+ },
+ {
+ "@timestamp": "2023-01-01T06:24:42.442Z",
+ "ecs": {
+ "version": "8.16.0"
+ },
+ "event": {
+ "action": "activity",
+ "category": [
+ "iam"
+ ],
+ "id": "-6709442587437772138",
+ "kind": [
+ "event"
+ ],
+ "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"etag\":\"\\\"CTyc505ppdmJR2motHVsU17kzItOkPo5vYViqlSF0rU/_JGuGElaExAZGVCsPXBMf-HkFqo\\\"\",\"events\":{\"name\":\"activity\",\"parameters\":[{\"name\":\"client_id\",\"value\":\"923474483785-sqf6uk8vq1rqe853il0g2h4m98ji2fq6.apps.googleusercontent.com\"},{\"name\":\"app_name\",\"value\":\"Gmail Add-on\"},{\"name\":\"api_name\",\"value\":\"token\"},{\"name\":\"method_name\",\"value\":\"oauth\"},{\"name\":\"num_response_bytes\",\"value\":1223},{\"name\":\"client_type\",\"value\":\"WEB\"},{\"name\":\"product_bucket\",\"value\":\"GSUITE_ADMIN\"}]},\"id\":{\"applicationName\":\"token\",\"customerId\":\"C02umwv6u\",\"time\":\"2023-01-01T06:24:42.442Z\",\"uniqueQualifier\":\"-6709442587437772138\"},\"ipAddress\":\"89.160.20.112\",\"kind\":\"admin#reports#activity\"}",
+ "provider": "token",
+ "type": [
+ "info"
+ ]
+ },
+ "google_workspace": {
+ "actor": {
+ "email": "foo@bar.com",
+ "profile": {
+ "id": "1"
+ },
+ "type": "USER"
+ },
+ "etag": "\"CTyc505ppdmJR2motHVsU17kzItOkPo5vYViqlSF0rU/_JGuGElaExAZGVCsPXBMf-HkFqo\"",
+ "event": {
+ "name": "activity"
+ },
+ "id": {
+ "application_name": "token",
+ "customer": {
+ "id": "C02umwv6u"
+ },
+ "time": "2023-01-01T06:24:42.442Z",
+ "unique_qualifier": "-6709442587437772138"
+ },
+ "ip_address": "89.160.20.112",
+ "kind": "admin#reports#activity",
+ "token": {
+ "api_name": "token",
+ "app_name": "Gmail Add-on",
+ "client": {
+ "id": "923474483785-sqf6uk8vq1rqe853il0g2h4m98ji2fq6.apps.googleusercontent.com",
+ "type": "WEB"
+ },
+ "method_name": "oauth",
+ "num_response_bytes": 1223,
+ "product_bucket": "GSUITE_ADMIN"
+ }
+ },
+ "organization": {
+ "id": "C02umwv6u"
+ },
+ "related": {
+ "hosts": [
+ "bar.com"
+ ],
+ "ip": [
+ "89.160.20.112"
+ ],
+ "user": [
+ "1",
+ "foo",
+ "foo@bar.com"
+ ]
+ },
+ "source": {
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
+ "ip": "89.160.20.112",
+ "user": {
+ "domain": "bar.com",
+ "email": "foo@bar.com",
+ "id": "1",
+ "name": "foo"
+ }
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "domain": "bar.com",
+ "email": "foo@bar.com",
+ "id": "1",
+ "name": "foo"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/google_workspace/data_stream/token/fields/fields.yml b/packages/google_workspace/data_stream/token/fields/fields.yml
index ef9267dccf2..5c985798ace 100644
--- a/packages/google_workspace/data_stream/token/fields/fields.yml
+++ b/packages/google_workspace/data_stream/token/fields/fields.yml
@@ -22,6 +22,8 @@
 - name: num_response_bytes
 type: long
 description: The number of response bytes in the OAuth Activity.
+ - name: product_bucket
+ type: keyword
 - name: scope
 type: group
 fields:
diff --git a/packages/google_workspace/docs/README.md b/packages/google_workspace/docs/README.md
index 48547f1be67..247971df556 100644
--- a/packages/google_workspace/docs/README.md
+++ b/packages/google_workspace/docs/README.md
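Review bot: `product_bucket` is added without a `description`, and the two test-token.log samples on this page carry the parameter in different shapes: the new line has it as a single top-level `value` (`GSUITE_ADMIN`), while the pre-existing line only has it as a `multiValue` nested inside `scope_data`, which the expected output keeps under the `flattened` `scope.data` field rather than here. A `keyword` mapping accepts either a string or an array, so the type itself is fine, but the description should say which of the two shapes this field holds, e.g. `description: Product bucket of the OAuth activity, for example GSUITE_ADMIN. Per-scope product buckets remain under scope.data.` The second sentence is inferred from the expected document and should be confirmed against the ingest pipeline, which is not on this page. The enclosing `google_workspace.token` group starts outside this hunk.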
@@ -540,6 +540,7 @@ An example event for `login` looks as following:
 | google_workspace.login.failure_type | Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
 | google_workspace.login.is_second_factor | | boolean |
 | google_workspace.login.is_suspicious | | boolean |
+| google_workspace.login.sensitive_action_name | | keyword |
 | google_workspace.login.timestamp | UNIX timestmap of login in microseconds. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | long |
 | google_workspace.login.type | Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
 | google_workspace.organization.domain | The domain that is affected by the report's event. | keyword |
@@ -893,6 +894,7 @@ An example event for `admin` looks as following:
 | event.module | Event module | constant_keyword |
 | google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword |
 | google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword |
+| google_workspace.admin.alert.id | | keyword |
 | google_workspace.admin.alert.name | The alert name. | keyword |
 | google_workspace.admin.api.client.name | The API client name. | keyword |
 | google_workspace.admin.api.scopes | The API scopes. | keyword |
@@ -906,6 +908,8 @@ An example event for `admin` looks as following:
 | google_workspace.admin.application.package_id | The mobile application package ID. | keyword |
 | google_workspace.admin.bulk_upload.failed | Number of failed records in bulk upload operation. | long |
 | google_workspace.admin.bulk_upload.total | Number of total records in bulk upload operation. | long |
+| google_workspace.admin.chart.filters | | keyword |
+| google_workspace.admin.chart.name | | keyword |
 | google_workspace.admin.chrome_licenses.allowed | Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings | keyword |
 | google_workspace.admin.chrome_licenses.enabled | Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings | keyword |
 | google_workspace.admin.chrome_os.session_type | Chrome OS session type. | keyword |
@@ -940,6 +944,12 @@ An example event for `admin` looks as following:
 | google_workspace.admin.group.email | The group's primary email address. | keyword |
 | google_workspace.admin.group.priorities | Group priorities. | keyword |
 | google_workspace.admin.info_type | This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings | keyword |
+| google_workspace.admin.investigation.action | | keyword |
+| google_workspace.admin.investigation.data_source | | keyword |
+| google_workspace.admin.investigation.entity_ids | | keyword |
+| google_workspace.admin.investigation.object_identifier | | keyword |
+| google_workspace.admin.investigation.query | | keyword |
+| google_workspace.admin.investigation.url_display_text | | keyword |
 | google_workspace.admin.managed_configuration | The name of the managed configuration. | keyword |
 | google_workspace.admin.mdm.token | The MDM vendor enrollment token. | keyword |
 | google_workspace.admin.mdm.vendor | The MDM vendor's name. | keyword |
@@ -1117,31 +1127,38 @@ An example event for `drive` looks as following:
 | event.module | Event module | constant_keyword |
 | google_workspace.actor.key | Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. | keyword |
 | google_workspace.actor.type | The type of actor. Values can be: \*USER\*: Another user in the same domain. \*EXTERNAL_USER\*: A user outside the domain. \*KEY\*: A non-human actor. | keyword |
+| google_workspace.drive.accessed_url | The URLs that were accessed. | keyword |
 | google_workspace.drive.actor_is_collaborator_account | Whether the actor is a collaborator account. | boolean |
 | google_workspace.drive.added_role | Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
 | google_workspace.drive.billable | Whether this activity is billable. | boolean |
+| google_workspace.drive.copy_type | Indicates whether the original item and new item are owned by the same organization. | keyword |
+| google_workspace.drive.deletion_reason | The reason an item was deleted. | keyword |
 | google_workspace.drive.destination_folder_id | | keyword |
 | google_workspace.drive.destination_folder_title | | keyword |
+| google_workspace.drive.encryption_enforcement_option | The client-side encryption policy being applied to the user at time of the item's creation. | keyword |
 | google_workspace.drive.file.id | | keyword |
 | google_workspace.drive.file.owner.email | | keyword |
 | google_workspace.drive.file.owner.is_shared_drive | Boolean flag denoting whether owner is a shared drive. | boolean |
 | google_workspace.drive.file.type | Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
 | google_workspace.drive.is_encrypted | Whether the file is client-side encrypted. | boolean |
 | google_workspace.drive.membership_change_type | Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
+| google_workspace.drive.new_publish_visibility | New Publish Visibility Value. | keyword |
 | google_workspace.drive.new_value | When a setting or property of the file changes, the new value for it will appear here. | keyword |
+| google_workspace.drive.old_publish_visibility | Old Publish Visibility Value. | keyword |
 | google_workspace.drive.old_value | When a setting or property of the file changes, the old value for it will appear here. | keyword |
 | google_workspace.drive.old_visibility | When visibility changes, this holds the old value. | keyword |
 | google_workspace.drive.originating_app_id | The Google Cloud Project ID of the application that performed the action. | keyword |
 | google_workspace.drive.owner_is_team_drive | Whether the owner is a Team Drive. | boolean |
 | google_workspace.drive.primary_event | Whether this is a primary event. A single user action in Drive may generate several events. | boolean |
 | google_workspace.drive.removed_role | Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
+| google_workspace.drive.script_id | The document ID of the executing script. | keyword |
 | google_workspace.drive.shared_drive_id | The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. | keyword |
 | google_workspace.drive.shared_drive_settings_change_type | Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
 | google_workspace.drive.sheets_import_range_recipient_doc | Doc ID of the recipient of a sheets import range. | keyword |
 | google_workspace.drive.source_folder_id | | keyword |
 | google_workspace.drive.source_folder_title | | keyword |
 | google_workspace.drive.target | Target user or group. | keyword |
-| google_workspace.drive.target_domain | The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. | keyword |
+| google_workspace.drive.target_domain | The domain for which the access scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. | keyword |
 | google_workspace.drive.target_user | The email address of the user or group whose access permissions were changed, or the name of the domain for which access permissions were changed. | keyword |
 | google_workspace.drive.visibility | Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
 | google_workspace.drive.visibility_change | When visibility changes, this holds the new overall visibility of the file. | keyword |
@@ -1852,6 +1869,7 @@ An example event for `device` looks as following:
 | google_workspace.device.failed_passwd_attempts | Parameter to indicate the number of failed screen unlock attempts. | long |
 | google_workspace.device.id | Parameter to indicate the Device Id. | keyword |
 | google_workspace.device.ios_vendor_id | Parameter to indicate the iOS Vendor Id. | keyword |
+| google_workspace.device.last_sync_audit_date | | date |
 | google_workspace.device.model | Parameter to indicate the device model. | keyword |
 | google_workspace.device.new_device_id | Parameter to indicate the new Device Id. | keyword |
 | google_workspace.device.new_value | Parameter to indicate the new value. | keyword |
@@ -2292,6 +2310,7 @@ An example event for `token` looks as following:
 | google_workspace.token.client.type | The client type. | keyword |
 | google_workspace.token.method_name | The method name which was used in the OAuth Activity. | keyword |
 | google_workspace.token.num_response_bytes | The number of response bytes in the OAuth Activity. | long |
+| google_workspace.token.product_bucket | | keyword |
 | google_workspace.token.scope.data | Scope Data. | flattened |
 | google_workspace.token.scope.value | Scopes under which access was granted / revoked. | keyword |
 | input.type | Type of Filebeat input. | keyword |
diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml
index e31e714ac66..b8c4907183f 100644
--- a/packages/google_workspace/manifest.yml
+++ b/packages/google_workspace/manifest.yml
@@ -1,6 +1,6 @@
 name: google_workspace
 title: Google Workspace
-version: "2.42.0"
+version: "2.43.0"
 source:
 license: Elastic-2.0
 description: Collect logs from Google Workspace with Elastic Agent.