[google_workspace] Add support of Chrome Audit Events (#12171)
Add the support of Chrome Audit Events through Chrome Data Stream.
Update ECS version to 8.16 in all the pipeline.
mohitjha-elastic authored Dec 24, 2024
1 parent 1aec29d commit 16bdfda
Showing 64 changed files with 3,762 additions and 450 deletions.
2 changes: 1 addition & 1 deletion packages/google_workspace/_dev/build/build.yml
@@ -1,3 +1,3 @@
dependencies:
ecs:
reference: "git@v8.11.0"
reference: "git@v8.16.0"
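Review bot: the `reference: "git@v8.16.0"` bump here only changes which ECS field definitions are pulled in at build time; it does not touch the `ecs.version` value that each ingest pipeline hardcodes in its own `set` processor (`value: '8.16.0'` in the pipeline hunks below). The two have to be kept in sync by hand, and the commit message says every pipeline was updated, so a quick grep for any remaining `value: '8.11.0'` across the package's pipelines and expected test output is worth doing before merge.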
13 changes: 11 additions & 2 deletions packages/google_workspace/_dev/build/docs/README.md
Expand Up @@ -26,6 +26,7 @@ It is compatible with a subset of applications under the [Google Reports API v1]
| [Access Transparency](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/access-transparency) [help](https://support.google.com/a/answer/9230474?hl=en) | The Access Transparency activity report returns information about various types of Access Transparency activity events. |
| [Context Aware Access](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/context-aware-access) [help](https://support.google.com/a/answer/9394107?hl=en#zippy=) | The Context Aware Access activity report returns information about various types of Context-Aware Access Audit activity events. |
| [GCP](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/gcp) | The GCP activity report returns information about various types of Google Cloud Platform activity events. |
| [Chrome](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/chrome) | The Chrome activity reports return information about Chrome browser and Chrome OS events. |

## Requirements

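Review bot: the new Chrome row reads "The Chrome activity reports return information ..." (plural) while every other row in the table uses the singular "The X activity report returns information ..."; rewording it to "The Chrome activity report returns information about Chrome browser and Chrome OS events." keeps the table's style. The row also has no `[help](...)` link like the Access Transparency and Context Aware Access rows; if a matching Google help article exists, add it in the same form.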
Expand All @@ -42,7 +43,7 @@ This integration will make use of the following *oauth2 scope*:

Once you have downloaded your service account credentials as a JSON file, you are ready to set up your integration.

Click the Advanced option of Google Workspace Audit Reports. The default value of "API Host" is `https://www.googleapis.com`. The API Host will be used for collecting `access_transparency`, `admin`, `device`, `context_aware_access`, `drive`, `gcp`, `groups`, `group_enterprise`, `login`, `rules`, `saml`, `token` and `user accounts` logs.
Click the Advanced option of Google Workspace Audit Reports. The default value of "API Host" is `https://www.googleapis.com`. The API Host will be used for collecting `access_transparency`, `admin`, `chrome`, `context_aware_access`, `device`, `drive`, `gcp`, `groups`, `group_enterprise`, `login`, `rules`, `saml`, `token` and `user accounts` logs.

> NOTE: The `Delegated Account` value in the configuration, is expected to be the email of the administrator account, and not the email of the ServiceAccount.
Expand Down Expand Up @@ -126,7 +127,7 @@ Once Service Account credentials are downloaded as a JSON file, then the integra

### Google Workspace Reports ECS fields

This is a list of Google Workspace Reports fields that are mapped to ECS that are common to al data sets.
This is a list of Google Workspace Reports fields that are mapped to ECS that are common to all data sets.

| Google Workspace Reports | ECS Fields |
|------------------------------|---------------------------------------------------------------|
Expand Down Expand Up @@ -250,3 +251,11 @@ This is the `gcp` dataset.
{{event "gcp"}}

{{fields "gcp"}}

### Chrome

This is the `chrome` dataset.

{{event "chrome"}}

{{fields "chrome"}}
238 changes: 238 additions & 0 deletions packages/google_workspace/_dev/deploy/docker/config.yml
Expand Up @@ -134,6 +134,244 @@ rules:
"parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}],"type":"APPLICATION_SETTINGS"}],
"id":{"applicationName":"admin","customerId":"1","time":"2022-04-04T15:04:05Z","uniqueQualifier":1},"ipAddress":"98.235.162.24","kind":"admin#reports#activity",
"ownerDomain":"elastic.com"}]}
- path: /admin/reports/v1/activity/users/all/applications/chrome
methods: ['GET']
query_params:
maxResults: 1
pageToken: page-2
request_headers:
Authorization:
- "Bearer 1/fFAGRNJru1FTz70BzhT3Zg"
responses:
- status_code: 200
headers:
Content-Type:
- "application/json"
body: |-
{
"kind": "admin#reports#activities",
"etag": "\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/C1x8QdrcyHCPjiOgJQSxFVZigtk\"",
"items": [
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-12-09T14:18:25.405Z",
"uniqueQualifier": "-3640711002716937498",
"applicationName": "chrome",
"customerId": "C03puekhd"
},
"etag": "\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/cBsNSJx2A9Lg8kiQCGLddmq827A\"",
"actor": {
"callerType": "USER",
"email": "[email protected]",
"profileId": "109689693170624712102"
},
"events": [
{
"type": "BROWSER_EXTENSION_INSTALL_TYPE",
"name": "BROWSER_EXTENSION_INSTALL",
"parameters": [
{
"name": "TIMESTAMP",
"intValue": "1733753905405"
},
{
"name": "EVENT_REASON",
"value": "BROWSER_EXTENSION_INSTALL"
},
{
"name": "APP_ID",
"value": "lmjegmlicamnimmfhcmpkclmigmmcbeh"
},
{
"name": "APP_NAME",
"value": "Application Launcher For Drive (by Google)"
},
{
"name": "BROWSER_VERSION",
"value": "123.0.6312.112"
},
{
"name": "CHROME_ORG_UNIT_ID",
"value": "02gajno12larrqx"
},
{
"name": "CLIENT_TYPE",
"value": "CHROME_OS_DEVICE"
},
{
"name": "DEVICE_NAME",
"value": "NXKUTSI002429051947600"
},
{
"name": "DEVICE_PLATFORM",
"value": "ChromeOS 15786.48.2"
},
{
"name": "DEVICE_USER",
"value": "[email protected]"
},
{
"name": "DIRECTORY_DEVICE_ID",
"value": "efa9510f-8cd2-4d85-b6c2-939cfb335e9e"
},
{
"name": "EVENT_RESULT",
"value": "REPORTED"
},
{
"name": "EXTENSION_ACTION",
"value": "INSTALL"
},
{
"name": "EXTENSION_SOURCE",
"value": "CHROME_WEBSTORE"
},
{
"name": "EXTENSION_VERSION",
"value": "3.10"
},
{
"name": "ORG_UNIT_NAME",
"value": "example.io"
},
{
"name": "PROFILE_USER_NAME",
"value": "[email protected]"
},
{
"name": "USER_AGENT",
"value": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
},
{
"name": "VIRTUAL_DEVICE_ID",
"value": "3d69c5a5-0afc-474b-a1a3-d3dc617e2a60"
}
]
}
]
}
]
}
- path: /admin/reports/v1/activity/users/all/applications/chrome
methods: ['GET']
query_params:
maxResults: 1
request_headers:
Authorization:
- "Bearer 1/fFAGRNJru1FTz70BzhT3Zg"
responses:
- status_code: 200
headers:
Content-Type:
- "application/json"
body: |-
{
"kind": "admin#reports#activities",
"nextPageToken": "page-2",
"etag": "\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/C1x8QdrcyHCPjiOgJQSxFVZigtk\"",
"items": [
{
"kind": "admin#reports#activity",
"id": {
"time": "2024-12-10T14:18:25.405Z",
"uniqueQualifier": "-3640711002716937498",
"applicationName": "chrome",
"customerId": "C03puekhd"
},
"etag": "\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/cBsNSJx2A9Lg8kiQCGLddmq827A\"",
"actor": {
"callerType": "USER",
"email": "[email protected]",
"profileId": "109689693170624712102"
},
"events": [
{
"type": "BROWSER_EXTENSION_INSTALL_TYPE",
"name": "BROWSER_EXTENSION_INSTALL",
"parameters": [
{
"name": "TIMESTAMP",
"intValue": "1733753905405"
},
{
"name": "EVENT_REASON",
"value": "BROWSER_EXTENSION_INSTALL"
},
{
"name": "APP_ID",
"value": "lmjegmlicamnimmfhcmpkclmigmmcbeh"
},
{
"name": "APP_NAME",
"value": "Application Launcher For Drive (by Google)"
},
{
"name": "BROWSER_VERSION",
"value": "123.0.6312.112"
},
{
"name": "CHROME_ORG_UNIT_ID",
"value": "02gajno12larrqx"
},
{
"name": "CLIENT_TYPE",
"value": "CHROME_OS_DEVICE"
},
{
"name": "DEVICE_NAME",
"value": "NXKUTSI002429051947600"
},
{
"name": "DEVICE_PLATFORM",
"value": "ChromeOS 15786.48.2"
},
{
"name": "DEVICE_USER",
"value": "[email protected]"
},
{
"name": "DIRECTORY_DEVICE_ID",
"value": "efa9510f-8cd2-4d85-b6c2-939cfb335e9e"
},
{
"name": "EVENT_RESULT",
"value": "REPORTED"
},
{
"name": "EXTENSION_ACTION",
"value": "INSTALL"
},
{
"name": "EXTENSION_SOURCE",
"value": "CHROME_WEBSTORE"
},
{
"name": "EXTENSION_VERSION",
"value": "3.10"
},
{
"name": "ORG_UNIT_NAME",
"value": "example.io"
},
{
"name": "PROFILE_USER_NAME",
"value": "[email protected]"
},
{
"name": "USER_AGENT",
"value": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
},
{
"name": "VIRTUAL_DEVICE_ID",
"value": "3d69c5a5-0afc-474b-a1a3-d3dc617e2a60"
}
]
}
]
}
]
}
- path: /admin/reports/v1/activity/users/all/applications/drive
methods: [GET]
query_params:
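Review bot: the two stubbed `chrome` pages return what is effectively the same event (identical `uniqueQualifier` `"-3640711002716937498"`, identical item `etag`, identical `TIMESTAMP` `"1733753905405"`), differing only in `id.time`, and the first-page item (the response carrying `"nextPageToken": "page-2"`) has `"time": "2024-12-10T14:18:25.405Z"` while its own `TIMESTAMP` parameter `1733753905405` corresponds to 2024-12-09T14:18:25.405Z, i.e. the page-2 item's time. Give the page-2 item its own `uniqueQualifier` and a `TIMESTAMP` consistent with its `id.time`, so that any fingerprint or dedup keyed on `uniqueQualifier` cannot collapse the two pages and the system test really exercises the pagination path. Cosmetic: `methods: ['GET']` on both new entries versus `methods: [GET]` on the adjacent `drive` entry; pick one form.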
8 changes: 8 additions & 0 deletions packages/google_workspace/changelog.yml
@@ -1,4 +1,12 @@
# newer versions go on top
- version: "2.29.0"
changes:
- description: Add support of Chrome Audit Events.
type: enhancement
link: https://github.com/elastic/integrations/pull/12171
- description: ECS version updated to 8.16.0.
type: enhancement
link: https://github.com/elastic/integrations/pull/12171
- version: "2.28.0"
changes:
- description: Add "preserve_original_event" tag to documents with `event.kind` manually set to "pipeline_error".
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
{
"@timestamp": "2023-01-01T06:24:42.442Z",
"ecs": {
"version": "8.11.0"
"version": "8.16.0"
},
"event": {
"action": "ACCESS",
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace access transparency logs.
processors:
- set:
field: ecs.version
value: '8.11.0'
value: '8.16.0'
- rename:
field: message
target_field: event.original
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"ecs": {
"version": "8.11.0"
"version": "8.16.0"
},
"event": {
"action": "CHANGE_APPLICATION_SETTING",
Expand Down Expand Up @@ -103,7 +103,7 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"ecs": {
"version": "8.11.0"
"version": "8.16.0"
},
"event": {
"action": "CREATE_APPLICATION_SETTING",
Expand Down Expand Up @@ -202,7 +202,7 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"ecs": {
"version": "8.11.0"
"version": "8.16.0"
},
"event": {
"action": "DELETE_APPLICATION_SETTING",
Expand Down Expand Up @@ -301,7 +301,7 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"ecs": {
"version": "8.11.0"
"version": "8.16.0"
},
"event": {
"action": "REORDER_GROUP_BASED_POLICIES_EVENT",
Expand Down Expand Up @@ -388,7 +388,7 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"ecs": {
"version": "8.11.0"
"version": "8.16.0"
},
"event": {
"action": "GPLUS_PREMIUM_FEATURES",
Expand Down Expand Up @@ -467,7 +467,7 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"ecs": {
"version": "8.11.0"
"version": "8.16.0"
},
"event": {
"action": "CREATE_MANAGED_CONFIGURATION",
Expand Down Expand Up @@ -545,7 +545,7 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"ecs": {
"version": "8.11.0"
"version": "8.16.0"
},
"event": {
"action": "DELETE_MANAGED_CONFIGURATION",
Expand Down Expand Up @@ -623,7 +623,7 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"ecs": {
"version": "8.11.0"
"version": "8.16.0"
},
"event": {
"action": "UPDATE_MANAGED_CONFIGURATION",
Expand Down Expand Up @@ -702,7 +702,7 @@
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"ecs": {
"version": "8.11.0"
"version": "8.16.0"
},
"event": {
"action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED",