diff --git a/packages/google_workspace/_dev/build/build.yml b/packages/google_workspace/_dev/build/build.yml
index 2bfcfc223b0..d19a3a31dc2 100644
--- a/packages/google_workspace/_dev/build/build.yml
+++ b/packages/google_workspace/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
 ecs:
- reference: "git@v8.11.0"
+ reference: "git@v8.16.0"
diff --git a/packages/google_workspace/_dev/build/docs/README.md b/packages/google_workspace/_dev/build/docs/README.md
index dd18252a77f..8b212566dad 100644
--- a/packages/google_workspace/_dev/build/docs/README.md
+++ b/packages/google_workspace/_dev/build/docs/README.md
@@ -26,6 +26,7 @@ It is compatible with a subset of applications under the [Google Reports API v1]
 | [Access Transparency](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/access-transparency) [help](https://support.google.com/a/answer/9230474?hl=en) | The Access Transparency activity report returns information about various types of Access Transparency activity events. |
 | [Context Aware Access](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/context-aware-access) [help](https://support.google.com/a/answer/9394107?hl=en#zippy=) | The Context Aware Access activity report returns information about various types of Context-Aware Access Audit activity events. |
 | [GCP](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/gcp) | The GCP activity report returns information about various types of Google Cloud Platform activity events. |
+| [Chrome](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/chrome) | The Chrome activity reports return information about Chrome browser and Chrome OS events. |
 ## Requirements
@@ -42,7 +43,7 @@ This integration will make use of the following *oauth2 scope*:
 Once you have downloaded your service account credentials as a JSON file, you are ready to set up your integration.
-Click the Advanced option of Google Workspace Audit Reports. The default value of "API Host" is `https://www.googleapis.com`. The API Host will be used for collecting `access_transparency`, `admin`, `device`, `context_aware_access`, `drive`, `gcp`, `groups`, `group_enterprise`, `login`, `rules`, `saml`, `token` and `user accounts` logs.
+Click the Advanced option of Google Workspace Audit Reports. The default value of "API Host" is `https://www.googleapis.com`. The API Host will be used for collecting `access_transparency`, `admin`, `chrome`, `context_aware_access`, `device`, `drive`, `gcp`, `groups`, `group_enterprise`, `login`, `rules`, `saml`, `token` and `user accounts` logs.
 > NOTE: The `Delegated Account` value in the configuration, is expected to be the email of the administrator account, and not the email of the ServiceAccount.
@@ -126,7 +127,7 @@ Once Service Account credentials are downloaded as a JSON file, then the integra
 ### Google Workspace Reports ECS fields
-This is a list of Google Workspace Reports fields that are mapped to ECS that are common to al data sets.
+This is a list of Google Workspace Reports fields that are mapped to ECS that are common to all data sets.
 | Google Workspace Reports | ECS Fields |
 |------------------------------|---------------------------------------------------------------|
@@ -250,3 +251,11 @@ This is the `gcp` dataset.
 {{event "gcp"}}
 {{fields "gcp"}}
+
+### Chrome
+
+This is the `chrome` dataset.
+
+{{event "chrome"}}
+
+{{fields "chrome"}}
diff --git a/packages/google_workspace/_dev/deploy/docker/config.yml b/packages/google_workspace/_dev/deploy/docker/config.yml
index 72b3ec8b3c5..52648c013ec 100644
--- a/packages/google_workspace/_dev/deploy/docker/config.yml
+++ b/packages/google_workspace/_dev/deploy/docker/config.yml 
@@ -134,6 +134,244 @@ rules: "parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}],"type":"APPLICATION_SETTINGS"}], "id":{"applicationName":"admin","customerId":"1","time":"2022-04-04T15:04:05Z","uniqueQualifier":1},"ipAddress":"98.235.162.24","kind":"admin#reports#activity", "ownerDomain":"elastic.com"}]} + - path: /admin/reports/v1/activity/users/all/applications/chrome + methods: ['GET'] + query_params: + maxResults: 1 + pageToken: page-2 + request_headers: + Authorization: + - "Bearer 1/fFAGRNJru1FTz70BzhT3Zg" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + { + "kind": "admin#reports#activities", + "etag": "\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/C1x8QdrcyHCPjiOgJQSxFVZigtk\"", + "items": [ + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-12-09T14:18:25.405Z", + "uniqueQualifier": "-3640711002716937498", + "applicationName": "chrome", + "customerId": "C03puekhd" + }, + "etag": "\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/cBsNSJx2A9Lg8kiQCGLddmq827A\"", + "actor": { + "callerType": "USER", + "email": "kalpesh.kumar@example.io", + "profileId": "109689693170624712102" + }, + "events": [ + { + "type": "BROWSER_EXTENSION_INSTALL_TYPE", + "name": "BROWSER_EXTENSION_INSTALL", + "parameters": [ + { + "name": "TIMESTAMP", + "intValue": "1733753905405" + }, + { + "name": "EVENT_REASON", + "value": "BROWSER_EXTENSION_INSTALL" + }, + { + "name": "APP_ID", + "value": "lmjegmlicamnimmfhcmpkclmigmmcbeh" + }, + { + "name": "APP_NAME", + "value": "Application Launcher For Drive (by Google)" + }, + { + "name": "BROWSER_VERSION", + "value": "123.0.6312.112" + }, + { + "name": "CHROME_ORG_UNIT_ID", + "value": "02gajno12larrqx" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_NAME", + "value": "NXKUTSI002429051947600" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 15786.48.2" + }, + { + "name": 
"DEVICE_USER", + "value": "kalpesh.kumar@example.io" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "efa9510f-8cd2-4d85-b6c2-939cfb335e9e" + }, + { + "name": "EVENT_RESULT", + "value": "REPORTED" + }, + { + "name": "EXTENSION_ACTION", + "value": "INSTALL" + }, + { + "name": "EXTENSION_SOURCE", + "value": "CHROME_WEBSTORE" + }, + { + "name": "EXTENSION_VERSION", + "value": "3.10" + }, + { + "name": "ORG_UNIT_NAME", + "value": "example.io" + }, + { + "name": "PROFILE_USER_NAME", + "value": "kalpesh.kumar@example.io" + }, + { + "name": "USER_AGENT", + "value": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" + }, + { + "name": "VIRTUAL_DEVICE_ID", + "value": "3d69c5a5-0afc-474b-a1a3-d3dc617e2a60" + } + ] + } + ] + } + ] + } + - path: /admin/reports/v1/activity/users/all/applications/chrome + methods: ['GET'] + query_params: + maxResults: 1 + request_headers: + Authorization: + - "Bearer 1/fFAGRNJru1FTz70BzhT3Zg" + responses: + - status_code: 200 + headers: + Content-Type: + - "application/json" + body: |- + { + "kind": "admin#reports#activities", + "nextPageToken": "page-2", + "etag": "\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/C1x8QdrcyHCPjiOgJQSxFVZigtk\"", + "items": [ + { + "kind": "admin#reports#activity", + "id": { + "time": "2024-12-10T14:18:25.405Z", + "uniqueQualifier": "-3640711002716937498", + "applicationName": "chrome", + "customerId": "C03puekhd" + }, + "etag": "\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/cBsNSJx2A9Lg8kiQCGLddmq827A\"", + "actor": { + "callerType": "USER", + "email": "kalpesh.kumar@example.io", + "profileId": "109689693170624712102" + }, + "events": [ + { + "type": "BROWSER_EXTENSION_INSTALL_TYPE", + "name": "BROWSER_EXTENSION_INSTALL", + "parameters": [ + { + "name": "TIMESTAMP", + "intValue": "1733753905405" + }, + { + "name": "EVENT_REASON", + "value": "BROWSER_EXTENSION_INSTALL" + }, + { + "name": "APP_ID", + "value": "lmjegmlicamnimmfhcmpkclmigmmcbeh" + }, + 
{ + "name": "APP_NAME", + "value": "Application Launcher For Drive (by Google)" + }, + { + "name": "BROWSER_VERSION", + "value": "123.0.6312.112" + }, + { + "name": "CHROME_ORG_UNIT_ID", + "value": "02gajno12larrqx" + }, + { + "name": "CLIENT_TYPE", + "value": "CHROME_OS_DEVICE" + }, + { + "name": "DEVICE_NAME", + "value": "NXKUTSI002429051947600" + }, + { + "name": "DEVICE_PLATFORM", + "value": "ChromeOS 15786.48.2" + }, + { + "name": "DEVICE_USER", + "value": "kalpesh.kumar@example.io" + }, + { + "name": "DIRECTORY_DEVICE_ID", + "value": "efa9510f-8cd2-4d85-b6c2-939cfb335e9e" + }, + { + "name": "EVENT_RESULT", + "value": "REPORTED" + }, + { + "name": "EXTENSION_ACTION", + "value": "INSTALL" + }, + { + "name": "EXTENSION_SOURCE", + "value": "CHROME_WEBSTORE" + }, + { + "name": "EXTENSION_VERSION", + "value": "3.10" + }, + { + "name": "ORG_UNIT_NAME", + "value": "example.io" + }, + { + "name": "PROFILE_USER_NAME", + "value": "kalpesh.kumar@example.io" + }, + { + "name": "USER_AGENT", + "value": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" + }, + { + "name": "VIRTUAL_DEVICE_ID", + "value": "3d69c5a5-0afc-474b-a1a3-d3dc617e2a60" + } + ] + } + ] + } + ] + } - path: /admin/reports/v1/activity/users/all/applications/drive methods: [GET] query_params: diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml index a815577bf0b..c6a7468877d 100644 --- a/packages/google_workspace/changelog.yml +++ b/packages/google_workspace/changelog.yml 
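Review bot: The two mock pages for `/applications/chrome` return what is effectively the same event: both items carry `uniqueQualifier` `-3640711002716937498`, the same item `etag`, and the same `TIMESTAMP` `1733753905405` (2024-12-09T14:18:25.405Z), with only `id.time` differing, so the page-1 item's `2024-12-10T14:18:25.405Z` disagrees with its own `TIMESTAMP` parameter by a day. If the integration fingerprints or deduplicates on the id fields, the paginated path may collapse to a single document and the system test would not actually prove `nextPageToken` handling; give the page-1 item its own identifier and a matching timestamp, e.g. `"uniqueQualifier": "-3640711002716937497"` and `"intValue": "1733840305405"`. Separately, please confirm that `customerId` `C03puekhd`, the `profileId`, the device serial `NXKUTSI002429051947600` and the directory/virtual device UUIDs are synthetic rather than lifted from a real tenant's audit export, since this fixture ships in a public package. Minor: the new rules write `methods: ['GET']` while the adjacent drive rule uses `methods: [GET]`.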
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "2.29.0"
+ changes:
+ - description: Add support of Chrome Audit Events.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12171
+ - description: ECS version updated to 8.16.0.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/12171
 - version: "2.28.0"
 changes:
 - description: Add "preserve_original_event" tag to documents with `event.kind` manually set to "pipeline_error".
diff --git a/packages/google_workspace/data_stream/access_transparency/_dev/test/pipeline/test-access-transparency.log-expected.json b/packages/google_workspace/data_stream/access_transparency/_dev/test/pipeline/test-access-transparency.log-expected.json
index 2d2bd26158b..ca17f013e9d 100644
--- a/packages/google_workspace/data_stream/access_transparency/_dev/test/pipeline/test-access-transparency.log-expected.json
+++ b/packages/google_workspace/data_stream/access_transparency/_dev/test/pipeline/test-access-transparency.log-expected.json
@@ -3,7 +3,7 @@
 {
 "@timestamp": "2023-01-01T06:24:42.442Z",
 "ecs": {
- "version": "8.11.0"
+ "version": "8.16.0"
 },
 "event": {
 "action": "ACCESS",
diff --git a/packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml
index ccbbedf6d09..9e2e73dbaf6 100644
--- a/packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace access transparency logs.
 processors:
 - set:
 field: ecs.version
- value: '8.11.0'
+ value: '8.16.0'
 - rename:
 field: message
 target_field: event.original
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json index a9d015d207f..d9337852132 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-application.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_APPLICATION_SETTING", @@ -103,7 +103,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_APPLICATION_SETTING", @@ -202,7 +202,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_APPLICATION_SETTING", @@ -301,7 +301,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REORDER_GROUP_BASED_POLICIES_EVENT", @@ -388,7 +388,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "GPLUS_PREMIUM_FEATURES", @@ -467,7 +467,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_MANAGED_CONFIGURATION", @@ -545,7 +545,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_MANAGED_CONFIGURATION", @@ -623,7 +623,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_MANAGED_CONFIGURATION", 
@@ -702,7 +702,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json index 6a44e3521b7..b7f40ca4c22 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-calendar.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_BUILDING", @@ -81,7 +81,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_BUILDING", @@ -159,7 +159,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_BUILDING", @@ -242,7 +242,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_CALENDAR_RESOURCE", @@ -320,7 +320,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_CALENDAR_RESOURCE", @@ -398,7 +398,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_CALENDAR_RESOURCE_FEATURE", @@ -476,7 +476,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_CALENDAR_RESOURCE_FEATURE", 
@@ -554,7 +554,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_CALENDAR_RESOURCE_FEATURE", @@ -638,7 +638,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "RENAME_CALENDAR_RESOURCE", @@ -717,7 +717,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_CALENDAR_RESOURCE", @@ -800,7 +800,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CALENDAR_SETTING", @@ -899,7 +899,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CANCEL_CALENDAR_EVENTS", @@ -982,7 +982,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "RELEASE_CALENDAR_RESOURCES", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json index f081b431bd9..58b72a71610 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chat.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MEET_INTEROP_CREATE_GATEWAY", @@ -80,7 +80,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MEET_INTEROP_DELETE_GATEWAY", @@ -157,7 +157,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MEET_INTEROP_MODIFY_GATEWAY", 
@@ -235,7 +235,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CHAT_SETTING", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json index 75cdb03be2f..218908b1a82 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-chromeos.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", @@ -105,7 +105,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_DEVICE_STATE", @@ -185,7 +185,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CHROME_OS_APPLICATION_SETTING", @@ -287,7 +287,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "SEND_CHROME_OS_DEVICE_COMMAND", @@ -365,7 +365,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", @@ -442,7 +442,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CHROME_OS_DEVICE_SETTING", @@ -525,7 +525,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CHROME_OS_DEVICE_STATE", 
@@ -607,7 +607,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", @@ -690,7 +690,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "INSERT_CHROME_OS_PRINT_SERVER", @@ -767,7 +767,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_CHROME_OS_PRINT_SERVER", @@ -844,7 +844,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_CHROME_OS_PRINT_SERVER", @@ -923,7 +923,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "INSERT_CHROME_OS_PRINTER", @@ -1000,7 +1000,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_CHROME_OS_PRINTER", @@ -1077,7 +1077,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_CHROME_OS_PRINTER", @@ -1156,7 +1156,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CHROME_OS_SETTING", @@ -1239,7 +1239,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CHROME_OS_USER_SETTING", @@ -1322,7 +1322,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ISSUE_DEVICE_COMMAND", @@ -1404,7 +1404,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", 
@@ -1484,7 +1484,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", @@ -1561,7 +1561,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_DEVICE", @@ -1639,7 +1639,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CONTACTS_SETTING", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json index 1c9e5edb811..0cab82ba5bd 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-contacts.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CONTACTS_SETTING", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json index 41563b7194a..4010b725096 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-delegatedadmin.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ASSIGN_ROLE", @@ -92,7 +92,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_ROLE", 
@@ -170,7 +170,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_ROLE", @@ -248,7 +248,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_PRIVILEGE", @@ -329,7 +329,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_PRIVILEGE", @@ -410,7 +410,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "RENAME_ROLE", @@ -488,7 +488,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_ROLE", @@ -566,7 +566,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UNASSIGN_ROLE", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json index d1537b2847d..f3ca9e92900 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TRANSFER_DOCUMENT_OWNERSHIP", @@ -90,7 +90,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DRIVE_DATA_RESTORE", @@ -176,7 +176,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_DOCS_SETTING", 
@@ -275,7 +275,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DRIVE_DATA_RESTORE", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json index 3deb7eae3d3..8cb47fbe392 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-domain.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_ACCOUNT_AUTO_RENEWAL", @@ -81,7 +81,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_APPLICATION", @@ -160,7 +160,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_APPLICATION_TO_WHITELIST", @@ -238,7 +238,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_ADVERTISEMENT_OPTION", @@ -317,7 +317,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_ALERT", @@ -394,7 +394,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_ALERT_CRITERIA", @@ -471,7 +471,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_ALERT", @@ -548,7 +548,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ALERT_RECEIVERS_CHANGED", 
@@ -627,7 +627,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "RENAME_ALERT", @@ -703,7 +703,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ALERT_STATUS_CHANGED", @@ -782,7 +782,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_DOMAIN_ALIAS", @@ -860,7 +860,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_DOMAIN_ALIAS", @@ -938,7 +938,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "SKIP_DOMAIN_ALIAS_MX", @@ -1016,7 +1016,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "VERIFY_DOMAIN_ALIAS_MX", @@ -1094,7 +1094,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "VERIFY_DOMAIN_ALIAS", @@ -1173,7 +1173,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", @@ -1252,7 +1252,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", @@ -1331,7 +1331,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ENABLE_API_ACCESS", @@ -1411,7 +1411,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "AUTHORIZE_API_CLIENT_ACCESS", 
@@ -1497,7 +1497,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_API_CLIENT_ACCESS", @@ -1579,7 +1579,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHROME_LICENSES_REDEEMED", @@ -1658,7 +1658,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_AUTO_ADD_NEW_SERVICE", @@ -1736,7 +1736,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_PRIMARY_DOMAIN", @@ -1814,7 +1814,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_WHITELIST_SETTING", @@ -1894,7 +1894,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", @@ -1977,7 +1977,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CONFLICT_ACCOUNT_ACTION", @@ -2056,7 +2056,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ENABLE_FEEDBACK_SOLICITATION", @@ -2136,7 +2136,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_CONTACT_SHARING", @@ -2215,7 +2215,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_PLAY_FOR_WORK_TOKEN", @@ -2292,7 +2292,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_USE_CUSTOM_LOGO", 
@@ -2371,7 +2371,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CUSTOM_LOGO", @@ -2448,7 +2448,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", @@ -2527,7 +2527,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_DATA_LOCALIZATION_SETTING", @@ -2607,7 +2607,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", @@ -2684,7 +2684,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_PLAY_FOR_WORK_TOKEN", @@ -2761,7 +2761,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "VIEW_DNS_LOGIN_DETAILS", @@ -2838,7 +2838,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_DOMAIN_DEFAULT_LOCALE", @@ -2917,7 +2917,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", @@ -2996,7 +2996,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_DOMAIN_NAME", @@ -3074,7 +3074,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", @@ -3152,7 +3152,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", 
@@ -3231,7 +3231,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_TRUSTED_DOMAINS", @@ -3308,7 +3308,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_TRUSTED_DOMAINS", @@ -3385,7 +3385,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_EDU_TYPE", @@ -3464,7 +3464,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", @@ -3543,7 +3543,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_SSO_ENABLED", @@ -3622,7 +3622,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_SSL", @@ -3701,7 +3701,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", @@ -3778,7 +3778,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "GENERATE_TRANSFER_TOKEN", @@ -3850,7 +3850,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_LOGIN_BACKGROUND_COLOR", @@ -3929,7 +3929,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_LOGIN_BORDER_COLOR", @@ -4008,7 +4008,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_LOGIN_ACTIVITY_TRACE", 
@@ -4087,7 +4087,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "PLAY_FOR_WORK_ENROLL", @@ -4165,7 +4165,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "PLAY_FOR_WORK_UNENROLL", @@ -4242,7 +4242,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MX_RECORD_VERIFICATION_CLAIM", @@ -4328,7 +4328,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_NEW_APP_FEATURES", @@ -4407,7 +4407,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", @@ -4486,7 +4486,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPLOAD_OAUTH_CERTIFICATE", @@ -4563,7 +4563,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REGENERATE_OAUTH_CONSUMER_SECRET", @@ -4640,7 +4640,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_OPEN_ID_ENABLED", @@ -4719,7 +4719,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_ORGANIZATION_NAME", @@ -4798,7 +4798,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_OUTBOUND_RELAY", @@ -4881,7 +4881,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_PASSWORD_MAX_LENGTH", 
@@ -4960,7 +4960,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_PASSWORD_MIN_LENGTH", @@ -5039,7 +5039,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", @@ -5118,7 +5118,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", @@ -5198,7 +5198,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_APPLICATION", @@ -5276,7 +5276,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_APPLICATION_FROM_WHITELIST", @@ -5354,7 +5354,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_RENEW_DOMAIN_REGISTRATION", @@ -5433,7 +5433,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_RESELLER_ACCESS", @@ -5509,7 +5509,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "RULE_ACTIONS_CHANGED", @@ -5586,7 +5586,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_RULE", @@ -5663,7 +5663,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_RULE_CRITERIA", @@ -5740,7 +5740,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_RULE", 
@@ -5817,7 +5817,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "RENAME_RULE", @@ -5893,7 +5893,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "RULE_STATUS_CHANGED", @@ -5972,7 +5972,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_SECONDARY_DOMAIN", @@ -6050,7 +6050,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_SECONDARY_DOMAIN", @@ -6128,7 +6128,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "SKIP_SECONDARY_DOMAIN_MX", @@ -6206,7 +6206,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "VERIFY_SECONDARY_DOMAIN_MX", @@ -6284,7 +6284,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "VERIFY_SECONDARY_DOMAIN", @@ -6362,7 +6362,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_DOMAIN_SECONDARY_EMAIL", @@ -6441,7 +6441,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_SSO_SETTINGS", @@ -6519,7 +6519,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "GENERATE_PIN", @@ -6591,7 +6591,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_RULE", 
diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json index 8077fb24d5e..4275da4c117 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DROP_FROM_QUARANTINE", @@ -83,7 +83,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "EMAIL_LOG_SEARCH", @@ -172,7 +172,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "EMAIL_UNDELETE", @@ -258,7 +258,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_EMAIL_SETTING", @@ -357,7 +357,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_GMAIL_SETTING", @@ -442,7 +442,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_GMAIL_SETTING", @@ -527,7 +527,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_GMAIL_SETTING", @@ -612,7 +612,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REJECT_FROM_QUARANTINE", @@ -692,7 +692,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "RELEASE_FROM_QUARANTINE", 
@@ -772,7 +772,7 @@ { "@timestamp": "2022-03-07T04:48:46.816Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "EMAIL_LOG_SEARCH", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json index 1ba75721814..38c4ad1349d 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-groups.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_GROUP", @@ -90,7 +90,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_GROUP", @@ -177,7 +177,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_GROUP_DESCRIPTION", @@ -265,7 +265,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "GROUP_LIST_DOWNLOAD", @@ -338,7 +338,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_GROUP_MEMBER", @@ -433,7 +433,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_GROUP_MEMBER", @@ -528,7 +528,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_GROUP_MEMBER", @@ -625,7 +625,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", 
@@ -722,7 +722,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", @@ -819,7 +819,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "GROUP_MEMBER_BULK_UPLOAD", @@ -898,7 +898,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "GROUP_MEMBERS_DOWNLOAD", @@ -971,7 +971,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_GROUP_NAME", @@ -1060,7 +1060,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_GROUP_SETTING", @@ -1153,7 +1153,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "WHITELISTED_GROUPS_UPDATED", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json index ea09995de1b..efa85507ec5 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-licenses.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ORG_USERS_LICENSE_ASSIGNMENT", @@ -84,7 +84,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", 
@@ -165,7 +165,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "USER_LICENSE_ASSIGNMENT", @@ -252,7 +252,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_LICENSE_AUTO_ASSIGN", @@ -331,7 +331,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "USER_LICENSE_REASSIGNMENT", @@ -419,7 +419,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ORG_LICENSE_REVOKE", @@ -500,7 +500,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "USER_LICENSE_REVOKE", @@ -587,7 +587,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_DYNAMIC_LICENSE", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json index 932d398fa92..ab894271d4f 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-mobile.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ACTION_CANCELLED", @@ -97,7 +97,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ACTION_REQUESTED", @@ -191,7 +191,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_MOBILE_CERTIFICATE", 
@@ -276,7 +276,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "COMPANY_DEVICES_BULK_CREATION", @@ -353,7 +353,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "COMPANY_OWNED_DEVICE_BLOCKED", @@ -431,7 +431,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "COMPANY_DEVICE_DELETION", @@ -509,7 +509,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "COMPANY_OWNED_DEVICE_UNBLOCKED", @@ -587,7 +587,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "COMPANY_OWNED_DEVICE_WIPED", @@ -665,7 +665,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", @@ -756,7 +756,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", @@ -836,7 +836,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", @@ -922,7 +922,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_MOBILE_APPLICATION_SETTINGS", @@ -1014,7 +1014,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", @@ -1100,7 +1100,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MOBILE_DEVICE_APPROVE", 
@@ -1188,7 +1188,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MOBILE_DEVICE_BLOCK", @@ -1276,7 +1276,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MOBILE_DEVICE_DELETE", @@ -1364,7 +1364,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MOBILE_DEVICE_WIPE", @@ -1452,7 +1452,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_MOBILE_SETTING", @@ -1538,7 +1538,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_ADMIN_RESTRICTIONS_PIN", @@ -1618,7 +1618,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_MOBILE_WIRELESS_NETWORK", @@ -1701,7 +1701,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_MOBILE_WIRELESS_NETWORK", @@ -1784,7 +1784,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_MOBILE_WIRELESS_NETWORK", @@ -1867,7 +1867,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", @@ -1950,7 +1950,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_MOBILE_CERTIFICATE", @@ -2035,7 +2035,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", 
@@ -2107,7 +2107,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "USE_GOOGLE_MOBILE_MANAGEMENT", @@ -2179,7 +2179,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", @@ -2251,7 +2251,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", @@ -2323,7 +2323,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MOBILE_ACCOUNT_WIPE", @@ -2411,7 +2411,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", @@ -2499,7 +2499,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json index 9ab3854110f..73c656a199f 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-org.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHROME_LICENSES_ENABLED", @@ -86,7 +86,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", 
@@ -170,7 +170,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", @@ -253,7 +253,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", @@ -338,7 +338,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_DEVICE_ENROLLMENT_TOKEN", @@ -415,7 +415,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ASSIGN_CUSTOM_LOGO", @@ -492,7 +492,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UNASSIGN_CUSTOM_LOGO", @@ -569,7 +569,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_ENROLLMENT_TOKEN", @@ -646,7 +646,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REVOKE_ENROLLMENT_TOKEN", @@ -723,7 +723,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHROME_LICENSES_ALLOWED", @@ -806,7 +806,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_ORG_UNIT", @@ -883,7 +883,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_ORG_UNIT", @@ -960,7 +960,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "EDIT_ORG_UNIT_DESCRIPTION", 
@@ -1037,7 +1037,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MOVE_ORG_UNIT", @@ -1115,7 +1115,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "EDIT_ORG_UNIT_NAME", @@ -1193,7 +1193,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", @@ -1270,7 +1270,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_SERVICE_ENABLED", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json index edda8f50cce..4425d1d74b1 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-security.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ALLOW_STRONG_AUTHENTICATION", @@ -83,7 +83,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", @@ -166,7 +166,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", @@ -249,7 +249,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", 
@@ -335,7 +335,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_TO_TRUSTED_OAUTH2_APPS", @@ -419,7 +419,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", @@ -503,7 +503,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "BLOCK_ON_DEVICE_ACCESS", @@ -585,7 +585,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", @@ -678,7 +678,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", @@ -771,7 +771,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", @@ -864,7 +864,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", @@ -957,7 +957,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", @@ -1049,7 +1049,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_CAA_ENABLEMENT", @@ -1124,7 +1124,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CAA_ERROR_MESSAGE", @@ -1202,7 +1202,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_CAA_APP_ASSIGNMENTS", 
@@ -1292,7 +1292,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", @@ -1369,7 +1369,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", @@ -1446,7 +1446,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", @@ -1539,7 +1539,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ENFORCE_STRONG_AUTHENTICATION", @@ -1638,7 +1638,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", @@ -1718,7 +1718,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", @@ -1811,7 +1811,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "SESSION_CONTROL_SETTINGS_CHANGE", @@ -1894,7 +1894,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_SESSION_LENGTH", @@ -1971,7 +1971,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UNBLOCK_ON_DEVICE_ACCESS", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json index afa81e7d07f..e15c23a9922 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json 
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-sites.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_WEB_ADDRESS", @@ -91,7 +91,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_WEB_ADDRESS", @@ -179,7 +179,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_SITES_SETTING", @@ -265,7 +265,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", @@ -349,7 +349,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "VIEW_SITE_DETAILS", diff --git a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json index 0e730b41114..981f2ee7007 100644 --- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json +++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-user.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_2SV_SCRATCH_CODES", @@ -87,7 +87,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "GENERATE_2SV_SCRATCH_CODES", @@ -171,7 +171,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REVOKE_3LO_DEVICE_TOKENS", 
@@ -259,7 +259,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REVOKE_3LO_TOKEN", @@ -346,7 +346,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_RECOVERY_EMAIL", @@ -430,7 +430,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_RECOVERY_PHONE", @@ -514,7 +514,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "GRANT_ADMIN_PRIVILEGE", @@ -598,7 +598,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REVOKE_ADMIN_PRIVILEGE", @@ -682,7 +682,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REVOKE_ASP", @@ -769,7 +769,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", @@ -854,7 +854,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "BULK_UPLOAD", @@ -935,7 +935,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "BULK_UPLOAD_NOTIFICATION_SENT", @@ -1022,7 +1022,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CANCEL_USER_INVITE", @@ -1109,7 +1109,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_USER_CUSTOM_FIELD", @@ -1198,7 +1198,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_USER_EXTERNAL_ID", 
@@ -1284,7 +1284,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_USER_GENDER", @@ -1370,7 +1370,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_USER_IM", @@ -1456,7 +1456,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ENABLE_USER_IP_WHITELIST", @@ -1542,7 +1542,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_USER_KEYWORD", @@ -1628,7 +1628,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_USER_LANGUAGE", @@ -1714,7 +1714,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_USER_LOCATION", @@ -1800,7 +1800,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_USER_ORGANIZATION", @@ -1886,7 +1886,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_USER_PHONE_NUMBER", @@ -1972,7 +1972,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_RECOVERY_EMAIL", @@ -2056,7 +2056,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_RECOVERY_PHONE", @@ -2140,7 +2140,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_USER_RELATION", 
@@ -2226,7 +2226,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_USER_ADDRESS", @@ -2312,7 +2312,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_EMAIL_MONITOR", @@ -2408,7 +2408,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_DATA_TRANSFER_REQUEST", @@ -2496,7 +2496,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", @@ -2581,7 +2581,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_ACCOUNT_INFO_DUMP", @@ -2668,7 +2668,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_EMAIL_MONITOR", @@ -2755,7 +2755,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_MAILBOX_DUMP", @@ -2842,7 +2842,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_FIRST_NAME", @@ -2928,7 +2928,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "GMAIL_RESET_USER", @@ -3013,7 +3013,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_LAST_NAME", @@ -3099,7 +3099,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MAIL_ROUTING_DESTINATION_ADDED", 
@@ -3184,7 +3184,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MAIL_ROUTING_DESTINATION_REMOVED", @@ -3269,7 +3269,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ADD_NICKNAME", @@ -3354,7 +3354,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_NICKNAME", @@ -3439,7 +3439,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_PASSWORD", @@ -3523,7 +3523,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", @@ -3609,7 +3609,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DOWNLOAD_PENDING_INVITES_LIST", @@ -3681,7 +3681,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_RECOVERY_EMAIL", @@ -3765,7 +3765,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REMOVE_RECOVERY_PHONE", @@ -3849,7 +3849,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REQUEST_ACCOUNT_INFO", @@ -3933,7 +3933,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REQUEST_MAILBOX_DUMP", @@ -4025,7 +4025,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "RESEND_USER_INVITE", 
@@ -4112,7 +4112,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "RESET_SIGNIN_COOKIES", @@ -4196,7 +4196,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "SECURITY_KEY_REGISTERED_FOR_USER", @@ -4280,7 +4280,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "REVOKE_SECURITY_KEY", @@ -4364,7 +4364,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "USER_INVITE", @@ -4451,7 +4451,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "VIEW_TEMP_PASSWORD", @@ -4538,7 +4538,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "TURN_OFF_2_STEP_VERIFICATION", @@ -4622,7 +4622,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UNBLOCK_USER_SESSION", @@ -4706,7 +4706,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UNENROLL_USER_FROM_TITANIUM", @@ -4790,7 +4790,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ARCHIVE_USER", @@ -4874,7 +4874,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPDATE_BIRTHDATE", @@ -4959,7 +4959,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "CREATE_USER", @@ -5043,7 +5043,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DELETE_USER", 
@@ -5127,7 +5127,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DOWNGRADE_USER_FROM_GPLUS", @@ -5211,7 +5211,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", @@ -5295,7 +5295,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "DOWNLOAD_USERLIST_CSV", @@ -5367,7 +5367,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "MOVE_USER_TO_ORG_UNIT", @@ -5455,7 +5455,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", @@ -5540,7 +5540,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "RENAME_USER", @@ -5625,7 +5625,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UNENROLL_USER_FROM_STRONG_AUTH", @@ -5709,7 +5709,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "SUSPEND_USER", @@ -5793,7 +5793,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UNARCHIVE_USER", @@ -5877,7 +5877,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UNDELETE_USER", @@ -5961,7 +5961,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UNSUSPEND_USER", 
@@ -6045,7 +6045,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "UPGRADE_USER_TO_GPLUS", @@ -6129,7 +6129,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "USERS_BULK_UPLOAD", @@ -6207,7 +6207,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", diff --git a/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml index ca63f9e29cf..7728abf9f37 100644 --- a/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace logs processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - append: field: event.category value: iam diff --git a/packages/google_workspace/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json b/packages/google_workspace/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json index 16e946b63ce..d401882d218 100644 --- a/packages/google_workspace/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json +++ b/packages/google_workspace/data_stream/alert/_dev/test/pipeline/test-alert.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2022-07-10T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "email": { "attachments": { @@ -159,7 +159,7 @@ { "@timestamp": "2022-07-11T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "Domain wide takeout", 
@@ -232,7 +232,7 @@ { "@timestamp": "2022-07-12T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "email": { "attachments": { @@ -376,7 +376,7 @@ { "@timestamp": "2022-07-13T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "Google identity", @@ -453,7 +453,7 @@ { "@timestamp": "2022-07-14T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "Google Operations", @@ -546,7 +546,7 @@ { "@timestamp": "2022-07-15T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "State Sponsored Attack", @@ -613,7 +613,7 @@ { "@timestamp": "2022-07-16T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "State Sponsored Attack", @@ -703,7 +703,7 @@ { "@timestamp": "2022-07-17T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "AppMaker Editor", @@ -782,7 +782,7 @@ { "@timestamp": "2022-07-18T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "Security Center rules", @@ -874,7 +874,7 @@ { "@timestamp": "2022-07-19T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "Data Loss Prevention", @@ -1009,7 +1009,7 @@ { "@timestamp": "2022-07-20T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "Apps outage", @@ -1095,7 +1095,7 @@ { "@timestamp": "2022-07-21T10:49:29.436Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "Sensitive Admin Action", @@ -1207,7 +1207,7 @@ { "@timestamp": "2021-08-10T14:06:29.101Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "Google identity", @@ -1272,7 +1272,7 @@ { "@timestamp": "2022-07-27T03:31:28.440Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "Reporting Rule", 
diff --git a/packages/google_workspace/data_stream/alert/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/alert/elasticsearch/ingest_pipeline/default.yml index a93c02820ad..e63fea146c3 100644 --- a/packages/google_workspace/data_stream/alert/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/alert/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for parsing Google Workspace Alert logs. processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - rename: field: message target_field: event.original diff --git a/packages/google_workspace/data_stream/chrome/_dev/test/pipeline/test-chrome.log b/packages/google_workspace/data_stream/chrome/_dev/test/pipeline/test-chrome.log new file mode 100644 index 00000000000..92ffa083621 --- /dev/null +++ b/packages/google_workspace/data_stream/chrome/_dev/test/pipeline/test-chrome.log 
@@ -0,0 +1,2 @@ +{"actor":{"callerType":"USER","email":"kalpesh@example.io","profileId":"10111170624712104"},"ipAddress":"81.2.69.142","etag":"abcdefgh/cBsNSJx2A9Lg8kiQCGLddmq827A","events":{"name":"BROWSER_EXTENSION_INSTALL","parameters":[{"intValue":"1733753905405","name":"TIMESTAMP"},{"name":"EVENT_REASON","value":"BROWSER_EXTENSION_INSTALL"},{"name":"APP_ID","value":"laaaaaaafhcmpkclmigmmcbeh"},{"name":"APP_NAME","value":"Application Launcher For Drive (by Google)"},{"name":"BROWSER_VERSION","value":"123.0.6312.112"},{"name":"CHROME_ORG_UNIT_ID","value":"abcdefgh"},{"name":"CLIENT_TYPE","value":"CHROME_OS_DEVICE"},{"name":"DEVICE_NAME","value":"NXKUTSI002429051947600"},{"name":"DEVICE_PLATFORM","value":"ChromeOS 15786.48.2"},{"name":"DEVICE_USER","value":"kalpesh@example.io"},{"name":"DIRECTORY_DEVICE_ID","value":"efa9510f-8cd2-4d85-b6c2-939cfb335e9e"},{"name":"EVENT_RESULT","value":"REPORTED"},{"name":"EXTENSION_ACTION","value":"INSTALL"},{"name":"EXTENSION_SOURCE","value":"CHROME_WEBSTORE"},{"name":"EXTENSION_VERSION","value":"3.10"},{"name":"ORG_UNIT_NAME","value":"example.io"},{"name":"PROFILE_USER_NAME","value":"kalpesh@example.io"},{"name":"USER_AGENT","value":"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"},{"name":"VIRTUAL_DEVICE_ID","value":"3d69c5a5-0afc-474b-a1a3-d3dc617e2a60"}],"type":"BROWSER_EXTENSION_INSTALL_TYPE"},"id":{"applicationName":"chrome","customerId":"C03puekhd","time":"2024-12-09T14:18:25.405Z","uniqueQualifier":"-3640711002716937498"},"kind":"admin#reports#activity"} 
+{"actor":{"callerType":"USER","email":"kalpesh@example.io","profileId":"109689111170624712105"},"etag":"abcdefgh/o-xkjZa6siXSekffMWaLMCnKxpg","events":{"name":"BROWSER_EXTENSION_INSTALL","parameters":[{"intValue":"1733753905286","name":"TIMESTAMP"},{"name":"EVENT_REASON","value":"BROWSER_EXTENSION_INSTALL"},{"name":"APP_ID","value":"aaaaaaaaabokpmkimbfghdkjmjhdgbg"},{"name":"APP_NAME","value":"Text"},{"name":"BROWSER_VERSION","value":"123.0.6312.112"},{"name":"CHROME_ORG_UNIT_ID","value":"abcdefgh"},{"name":"CLIENT_TYPE","value":"CHROME_OS_DEVICE"},{"name":"DEVICE_NAME","value":"NXKUTSI002429051947600"},{"name":"DEVICE_PLATFORM","value":"ChromeOS 15786.48.2"},{"name":"DEVICE_USER","value":"kalpesh@example.io"},{"name":"DIRECTORY_DEVICE_ID","value":"efa9510f-8cd2-4d85-b6c2-939cfb335e9e"},{"name":"EVENT_RESULT","value":"REPORTED"},{"name":"EXTENSION_ACTION","value":"INSTALL"},{"name":"EXTENSION_SOURCE","value":"CHROME_WEBSTORE"},{"name":"EXTENSION_VERSION","value":"0.8.4"},{"name":"ORG_UNIT_NAME","value":"example.io"},{"name":"PROFILE_USER_NAME","value":"kalpesh@example.io"},{"name":"USER_AGENT","value":"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"},{"name":"VIRTUAL_DEVICE_ID","value":"3d69c5a5-0afc-474b-a1a3-d3dc617e2a60"}],"type":"BROWSER_EXTENSION_INSTALL_TYPE"},"id":{"applicationName":"chrome","customerId":"C03puekhd","time":"2024-12-09T14:18:25.286Z","uniqueQualifier":"7437587313655252416"},"kind":"admin#reports#activity"} diff --git a/packages/google_workspace/data_stream/chrome/_dev/test/pipeline/test-chrome.log-expected.json b/packages/google_workspace/data_stream/chrome/_dev/test/pipeline/test-chrome.log-expected.json new file mode 100644 index 00000000000..4f10eed4ab8 --- /dev/null +++ b/packages/google_workspace/data_stream/chrome/_dev/test/pipeline/test-chrome.log-expected.json 
@@ -0,0 +1,236 @@ +{ + "expected": [ + { + "@timestamp": "2024-12-09T14:18:25.405Z", + "device": { + "model": { + "name": "NXKUTSI002429051947600" + } + }, + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "browser_extension_install", + "id": "-3640711002716937498", + "kind": "event", + "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"kalpesh@example.io\",\"profileId\":\"10111170624712104\"},\"ipAddress\":\"81.2.69.142\",\"etag\":\"abcdefgh/cBsNSJx2A9Lg8kiQCGLddmq827A\",\"events\":{\"name\":\"BROWSER_EXTENSION_INSTALL\",\"parameters\":[{\"intValue\":\"1733753905405\",\"name\":\"TIMESTAMP\"},{\"name\":\"EVENT_REASON\",\"value\":\"BROWSER_EXTENSION_INSTALL\"},{\"name\":\"APP_ID\",\"value\":\"laaaaaaafhcmpkclmigmmcbeh\"},{\"name\":\"APP_NAME\",\"value\":\"Application Launcher For Drive (by Google)\"},{\"name\":\"BROWSER_VERSION\",\"value\":\"123.0.6312.112\"},{\"name\":\"CHROME_ORG_UNIT_ID\",\"value\":\"abcdefgh\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_NAME\",\"value\":\"NXKUTSI002429051947600\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 15786.48.2\"},{\"name\":\"DEVICE_USER\",\"value\":\"kalpesh@example.io\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"efa9510f-8cd2-4d85-b6c2-939cfb335e9e\"},{\"name\":\"EVENT_RESULT\",\"value\":\"REPORTED\"},{\"name\":\"EXTENSION_ACTION\",\"value\":\"INSTALL\"},{\"name\":\"EXTENSION_SOURCE\",\"value\":\"CHROME_WEBSTORE\"},{\"name\":\"EXTENSION_VERSION\",\"value\":\"3.10\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"example.io\"},{\"name\":\"PROFILE_USER_NAME\",\"value\":\"kalpesh@example.io\"},{\"name\":\"USER_AGENT\",\"value\":\"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 
Safari/537.36\"},{\"name\":\"VIRTUAL_DEVICE_ID\",\"value\":\"3d69c5a5-0afc-474b-a1a3-d3dc617e2a60\"}],\"type\":\"BROWSER_EXTENSION_INSTALL_TYPE\"},\"id\":{\"applicationName\":\"chrome\",\"customerId\":\"C03puekhd\",\"time\":\"2024-12-09T14:18:25.405Z\",\"uniqueQualifier\":\"-3640711002716937498\"},\"kind\":\"admin#reports#activity\"}", + "outcome": "success", + "provider": "chrome", + "reason": "BROWSER_EXTENSION_INSTALL" + }, + "google_workspace": { + "chrome": { + "actor": { + "caller_type": "USER", + "email": "kalpesh@example.io", + "profile_id": "10111170624712104" + }, + "app_id": "laaaaaaafhcmpkclmigmmcbeh", + "app_name": "Application Launcher For Drive (by Google)", + "browser_version": "123.0.6312.112", + "chrome_org_unit_id": "abcdefgh", + "client_type": "CHROME_OS_DEVICE", + "device_name": "NXKUTSI002429051947600", + "device_platform": "ChromeOS 15786.48.2", + "device_user": "kalpesh@example.io", + "directory_device_id": "efa9510f-8cd2-4d85-b6c2-939cfb335e9e", + "etag": "abcdefgh/cBsNSJx2A9Lg8kiQCGLddmq827A", + "event_reason": "BROWSER_EXTENSION_INSTALL", + "event_result": "REPORTED", + "extension_action": "INSTALL", + "extension_source": "CHROME_WEBSTORE", + "extension_version": "3.10", + "id": { + "application_name": "chrome", + "customer_id": "C03puekhd", + "time": "2024-12-09T14:18:25.405Z", + "unique_qualifier": "-3640711002716937498" + }, + "ip_address": "81.2.69.142", + "kind": "admin#reports#activity", + "name": "BROWSER_EXTENSION_INSTALL", + "org_unit_name": "example.io", + "profile_user_name": "kalpesh@example.io", + "timestamp": "2024-12-09T14:18:25.405Z", + "type": "BROWSER_EXTENSION_INSTALL_TYPE", + "user_agent": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36", + "virtual_device_id": "3d69c5a5-0afc-474b-a1a3-d3dc617e2a60" + } + }, + "host": { + "ip": [ + "81.2.69.142" + ], + "os": { + "full": "ChromeOS 15786.48.2" + } + }, + "observer": { + "product": "Chrome", + "vendor": 
"Google Workspace" + }, + "organization": { + "id": "C03puekhd" + }, + "related": { + "ip": [ + "81.2.69.142" + ], + "user": [ + "kalpesh@example.io", + "10111170624712104" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142", + "user": { + "domain": "example.io", + "email": "kalpesh@example.io", + "id": "10111170624712104", + "name": "kalpesh" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.io", + "email": "kalpesh@example.io", + "id": "10111170624712104", + "name": "kalpesh" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36", + "os": { + "full": "Chrome OS 14541.0.0", + "name": "Chrome OS", + "version": "14541.0.0" + }, + "version": "123.0.0.0" + } + }, + { + "@timestamp": "2024-12-09T14:18:25.286Z", + "device": { + "model": { + "name": "NXKUTSI002429051947600" + } + }, + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "browser_extension_install", + "id": "7437587313655252416", + "kind": "event", + "original": 
"{\"actor\":{\"callerType\":\"USER\",\"email\":\"kalpesh@example.io\",\"profileId\":\"109689111170624712105\"},\"etag\":\"abcdefgh/o-xkjZa6siXSekffMWaLMCnKxpg\",\"events\":{\"name\":\"BROWSER_EXTENSION_INSTALL\",\"parameters\":[{\"intValue\":\"1733753905286\",\"name\":\"TIMESTAMP\"},{\"name\":\"EVENT_REASON\",\"value\":\"BROWSER_EXTENSION_INSTALL\"},{\"name\":\"APP_ID\",\"value\":\"aaaaaaaaabokpmkimbfghdkjmjhdgbg\"},{\"name\":\"APP_NAME\",\"value\":\"Text\"},{\"name\":\"BROWSER_VERSION\",\"value\":\"123.0.6312.112\"},{\"name\":\"CHROME_ORG_UNIT_ID\",\"value\":\"abcdefgh\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_NAME\",\"value\":\"NXKUTSI002429051947600\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 15786.48.2\"},{\"name\":\"DEVICE_USER\",\"value\":\"kalpesh@example.io\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"efa9510f-8cd2-4d85-b6c2-939cfb335e9e\"},{\"name\":\"EVENT_RESULT\",\"value\":\"REPORTED\"},{\"name\":\"EXTENSION_ACTION\",\"value\":\"INSTALL\"},{\"name\":\"EXTENSION_SOURCE\",\"value\":\"CHROME_WEBSTORE\"},{\"name\":\"EXTENSION_VERSION\",\"value\":\"0.8.4\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"example.io\"},{\"name\":\"PROFILE_USER_NAME\",\"value\":\"kalpesh@example.io\"},{\"name\":\"USER_AGENT\",\"value\":\"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36\"},{\"name\":\"VIRTUAL_DEVICE_ID\",\"value\":\"3d69c5a5-0afc-474b-a1a3-d3dc617e2a60\"}],\"type\":\"BROWSER_EXTENSION_INSTALL_TYPE\"},\"id\":{\"applicationName\":\"chrome\",\"customerId\":\"C03puekhd\",\"time\":\"2024-12-09T14:18:25.286Z\",\"uniqueQualifier\":\"7437587313655252416\"},\"kind\":\"admin#reports#activity\"}", + "outcome": "success", + "provider": "chrome", + "reason": "BROWSER_EXTENSION_INSTALL" + }, + "google_workspace": { + "chrome": { + "actor": { + "caller_type": "USER", + "email": "kalpesh@example.io", + "profile_id": "109689111170624712105" + }, + "app_id": 
"aaaaaaaaabokpmkimbfghdkjmjhdgbg", + "app_name": "Text", + "browser_version": "123.0.6312.112", + "chrome_org_unit_id": "abcdefgh", + "client_type": "CHROME_OS_DEVICE", + "device_name": "NXKUTSI002429051947600", + "device_platform": "ChromeOS 15786.48.2", + "device_user": "kalpesh@example.io", + "directory_device_id": "efa9510f-8cd2-4d85-b6c2-939cfb335e9e", + "etag": "abcdefgh/o-xkjZa6siXSekffMWaLMCnKxpg", + "event_reason": "BROWSER_EXTENSION_INSTALL", + "event_result": "REPORTED", + "extension_action": "INSTALL", + "extension_source": "CHROME_WEBSTORE", + "extension_version": "0.8.4", + "id": { + "application_name": "chrome", + "customer_id": "C03puekhd", + "time": "2024-12-09T14:18:25.286Z", + "unique_qualifier": "7437587313655252416" + }, + "kind": "admin#reports#activity", + "name": "BROWSER_EXTENSION_INSTALL", + "org_unit_name": "example.io", + "profile_user_name": "kalpesh@example.io", + "timestamp": "2024-12-09T14:18:25.286Z", + "type": "BROWSER_EXTENSION_INSTALL_TYPE", + "user_agent": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36", + "virtual_device_id": "3d69c5a5-0afc-474b-a1a3-d3dc617e2a60" + } + }, + "host": { + "os": { + "full": "ChromeOS 15786.48.2" + } + }, + "observer": { + "product": "Chrome", + "vendor": "Google Workspace" + }, + "organization": { + "id": "C03puekhd" + }, + "related": { + "user": [ + "kalpesh@example.io", + "109689111170624712105" + ] + }, + "source": { + "user": { + "domain": "example.io", + "email": "kalpesh@example.io", + "id": "109689111170624712105", + "name": "kalpesh" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "domain": "example.io", + "email": "kalpesh@example.io", + "id": "109689111170624712105", + "name": "kalpesh" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36", + 
"os": { + "full": "Chrome OS 14541.0.0", + "name": "Chrome OS", + "version": "14541.0.0" + }, + "version": "123.0.0.0" + } + } + ] +} \ No newline at end of file diff --git a/packages/google_workspace/data_stream/chrome/_dev/test/pipeline/test-common-config.yml b/packages/google_workspace/data_stream/chrome/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/google_workspace/data_stream/chrome/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields diff --git a/packages/google_workspace/data_stream/chrome/_dev/test/system/test-default-config.yml b/packages/google_workspace/data_stream/chrome/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..1ce16f15bf5 --- /dev/null +++ b/packages/google_workspace/data_stream/chrome/_dev/test/system/test-default-config.yml @@ -0,0 +1,14 @@ +input: cel +service: google_workspace +vars: + jwt_file: "{{SERVICE_LOGS_DIR}}/credentials.json" + delegated_account: test@example.com + api_host: http://{{Hostname}}:{{Port}} + enable_request_tracer: true +data_stream: + vars: + batch_size: 1 + preserve_original_event: true + preserve_duplicate_custom_fields: true +assert: + hit_count: 2 diff --git a/packages/google_workspace/data_stream/chrome/agent/stream/cel.yml.hbs b/packages/google_workspace/data_stream/chrome/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..90ba7e8adfa --- /dev/null +++ b/packages/google_workspace/data_stream/chrome/agent/stream/cel.yml.hbs 
@@ -0,0 +1,96 @@ +config_version: 2 +interval: {{interval}} +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +resource.tracer.maxbackups: 5 +{{/if}} +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{jwt_file}} +auth.oauth2.google.jwt_json: {{jwt_json}} +auth.oauth2.google.delegated_account: {{delegated_account}} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +resource.url: {{api_host}} +state: + user_key: {{user_key}} + initial_interval: {{initial_interval}} + batch_size: {{batch_size}} +program: | + ( + state.?want_more.orValue(false) ? + state + : + state.with({ + "start_time": state.?cursor.last_timestamp.orValue((now - duration(state.initial_interval)).format(time_layout.RFC3339)), + "end_time": now.format(time_layout.RFC3339), + }) + ).as(state, state.with( + request( + "GET", + state.url.trim_right("/") + "/admin/reports/v1/activity/users/" + state.user_key + "/applications/chrome?"+ { + "maxResults": [string(state.batch_size)], + "endTime": [string(state.end_time)], + "startTime": [string(state.start_time)], + ?"pageToken": has(state.next_page_token) ? optional.of([string(state.next_page_token)]) : optional.none(), + }.format_query() + ).do_request().as(resp, resp.StatusCode == 200 ? + bytes(resp.Body).decode_json().as(body,{ + "events": ( + has(body.items) + ? 
+ body.items.map(item, item.events.map(event, item.drop("events").as(root, + {"message":root.with({"events": event}).encode_json()} + ))).flatten() + : + [] + ), + "cursor": { + "last_timestamp": state.end_time, + }, + "want_more": has(body.nextPageToken), + ?"next_page_token": body.?nextPageToken, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET:"+( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + )) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/google_workspace/data_stream/chrome/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/chrome/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..4aed38e1b6c --- /dev/null +++ b/packages/google_workspace/data_stream/chrome/elasticsearch/ingest_pipeline/default.yml 
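Review bot: The page token is never cleared after the final page — `?"next_page_token": body.?nextPageToken` simply omits the key when the last response has no `nextPageToken`, and `state.with(...)` merges into the existing state, so the token from the penultimate page survives into the next interval, where `has(state.next_page_token)` is true and it is sent again with a fresh `startTime`/`endTime` window. This assumes the CEL input carries every returned key over to the next evaluation, which the program already relies on for `state.?cursor.last_timestamp`. The one-line fix is to discard the token whenever a new window is opened, replacing `state.with({` in the non-`want_more` branch with `state.drop("next_page_token").with({` (`drop` is already used on `item` in this hunk). Separately, `cursor.last_timestamp` is advanced to `end_time` (`now` at request time) as soon as a page succeeds, so Chrome activity that the Reports API only surfaces after that wall-clock moment for the same window is skipped; if the package's other data streams configure a lag or overlap for this, the chrome stream should match them.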
@@ -0,0 +1,576 @@ +--- +description: Pipeline for processing Chrome Audit logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.16.0 + - set: + field: observer.vendor + tag: set_observer_vendor + value: 'Google Workspace' + - set: + field: observer.product + tag: set_observer_product + value: Chrome + - fail: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + message: error message set and no data to process. + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + if: ctx.event?.original != null + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + lang: painless + tag: script_to_flatten_event_parameters + if: ctx.json?.events?.parameters instanceof List + description: Script to flatten the event parameters. 
+ source: > + if (ctx.google_workspace == null) { + ctx.google_workspace = new HashMap(); + } + if (ctx.google_workspace.chrome == null) { + ctx.google_workspace.chrome = new HashMap(); + } + for (int i = 0; i < ctx.json.events.parameters.length; ++i) { + if (ctx["json"]["events"]["parameters"][i]["value"] != null) { + ctx.google_workspace.chrome[ctx["json"]["events"]["parameters"][i]["name"].toLowerCase()] = ctx["json"]["events"]["parameters"][i]["value"]; + } + if (ctx["json"]["events"]["parameters"][i]["boolValue"] != null) { + ctx.google_workspace.chrome[ctx["json"]["events"]["parameters"][i]["name"].toLowerCase()] = ctx["json"]["events"]["parameters"][i]["boolValue"]; + } + if (ctx["json"]["events"]["parameters"][i]["intValue"] != null) { + ctx.google_workspace.chrome[ctx["json"]["events"]["parameters"][i]["name"].toLowerCase()] = ctx["json"]["events"]["parameters"][i]["intValue"]; + } + if (ctx["json"]["events"]["parameters"][i]["multiValue"] != null) { + ctx.google_workspace.chrome[ctx["json"]["events"]["parameters"][i]["name"].toLowerCase()] = ctx["json"]["events"]["parameters"][i]["multiValue"]; + } + if (ctx["json"]["events"]["parameters"][i]["multiIntValue"] != null) { + ctx.google_workspace.chrome[ctx["json"]["events"]["parameters"][i]["name"].toLowerCase()] = ctx["json"]["events"]["parameters"][i]["multiIntValue"]; + } + if (ctx["json"]["events"]["parameters"][i]["multiBoolValue"] != null) { + ctx.google_workspace.chrome[ctx["json"]["events"]["parameters"][i]["name"].toLowerCase()] = ctx["json"]["events"]["parameters"][i]["multiBoolValue"]; + } + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.events.name + tag: rename_json_events_name + target_field: google_workspace.chrome.name + ignore_missing: true + - set: + 
field: event.kind + tag: set_event_into_event_kind + value: event + - set: + field: event.kind + tag: set_alert_into_event_kind + value: alert + if: ctx.google_workspace?.chrome?.name != null && ['malware_transfer', 'password_breach', 'sensitive_data_transfer', 'unsafe_site_visit'].contains(ctx.google_workspace.chrome.name.toLowerCase()) + - script: + description: Set event outcome based on event result. + if: ctx.google_workspace?.chrome?.event_result != null + tag: set_event_outcome_from_chrome_event_result + lang: painless + params: + allowed: success + blocked: failure + bypassed: success + detected: success + reported: success + warned: unknown + source: |- + if (ctx.event == null) { + ctx.event = new HashMap(); + } + ctx.event.outcome = params.get(ctx.google_workspace.chrome.event_result.toLowerCase()); + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: url.full + tag: set_url_full_from_chrome_url + copy_from: google_workspace.chrome.url + ignore_empty_value: true + - uri_parts: + field: url.full + ignore_failure: true + - script: + description: Set event category based on event name. 
+ if: ctx.google_workspace?.chrome?.name != null + tag: set_event_category_from_chrome_name + lang: painless + params: + chrome_os_add_user: iam + chrome_os_remove_user: iam + device_boot_state_change: configuration + chrome_os_login_failure_event: authentication + chrome_os_login_logout_event: authentication + chrome_os_login_event: authentication + chrome_os_logout_event: authentication + extension_request: configuration + login_event: authentication + malware_transfer: malware + source: |- + if (ctx.event == null) { + ctx.event = new HashMap(); + } + def category = new ArrayList(); + category.add(params.get(ctx.google_workspace.chrome.name.toLowerCase())); + ctx.event.put('category', category); + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + description: Set event type based on event name. 
+ if: ctx.google_workspace?.chrome?.name != null + tag: set_event_type_from_chrome_name + lang: painless + params: + chrome_os_add_user: creation + chrome_os_remove_user: deletion + device_boot_state_change: change + chrome_os_login_failure_event: info + chrome_os_login_logout_event: info + chrome_os_login_event: start + chrome_os_logout_event: end + extension_request: info + login_event: info + malware_transfer: info + source: |- + if (ctx.event == null) { + ctx.event = new HashMap(); + } + def type = new ArrayList(); + type.add(params.get(ctx.google_workspace.chrome.name.toLowerCase())); + ctx.event.put('type', type); + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.events.type + tag: rename_json_events_type + target_field: google_workspace.chrome.type + ignore_missing: true + - rename: + field: json.kind + tag: rename_json_kind + target_field: google_workspace.chrome.kind + ignore_missing: true + - rename: + field: json.etag + tag: rename_json_etag + target_field: google_workspace.chrome.etag + ignore_missing: true + - rename: + field: json.ownerDomain + tag: rename_json_ownerDomain + target_field: google_workspace.chrome.owner_domain + ignore_missing: true + - convert: + field: json.ipAddress + tag: convert_json_ipAddress_to_ip + target_field: google_workspace.chrome.ip_address + type: ip + ignore_missing: true + if: ctx.json?.ipAddress != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.id.time + tag: date_json_id_time + target_field: google_workspace.chrome.id.time + formats: + - ISO8601 + - 
UNIX_MS + if: ctx.json?.id?.time != null && ctx.json.id.time != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.id.uniqueQualifier + tag: rename_json_id_uniqueQualifier + target_field: google_workspace.chrome.id.unique_qualifier + ignore_missing: true + - rename: + field: json.id.applicationName + tag: rename_json_id_applicationName + target_field: google_workspace.chrome.id.application_name + ignore_missing: true + - rename: + field: json.id.customerId + tag: rename_json_id_customerId + target_field: google_workspace.chrome.id.customer_id + ignore_missing: true + - rename: + field: json.actor.profileId + tag: rename_json_actor_profileId + target_field: google_workspace.chrome.actor.profile_id + ignore_missing: true + - rename: + field: json.actor.email + tag: rename_json_actor_email + target_field: google_workspace.chrome.actor.email + ignore_missing: true + - rename: + field: json.actor.callerType + tag: rename_json_actor_callerType + target_field: google_workspace.chrome.actor.caller_type + ignore_missing: true + - rename: + field: json.actor.key + tag: rename_json_actor_key + target_field: google_workspace.chrome.actor.key + ignore_missing: true + - convert: + field: google_workspace.chrome.is_federated + tag: convert_is_federated + type: boolean + ignore_missing: true + if: ctx.google_workspace?.chrome?.is_federated != '' + on_failure: + - remove: + field: google_workspace.chrome.is_federated + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: google_workspace.chrome.content_size + tag: convert_content_size + type: 
long + ignore_missing: true + if: ctx.google_workspace?.chrome?.content_size != '' + on_failure: + - remove: + field: google_workspace.chrome.content_size + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: google_workspace.chrome.timestamp + tag: date_timestamp + target_field: google_workspace.chrome.timestamp + formats: + - ISO8601 + - UNIX_MS + if: ctx.google_workspace?.chrome?.timestamp != null && ctx.google_workspace.chrome.timestamp != '' + on_failure: + - remove: + field: google_workspace.chrome.timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.user + tag: append_login_user_name_into_related_user + value: '{{{google_workspace.chrome.login_user_name}}}' + allow_duplicates: false + if: ctx.google_workspace?.chrome?.login_user_name != null + - append: + field: related.user + tag: append_device_user_into_related_user + value: '{{{google_workspace.chrome.device_user}}}' + allow_duplicates: false + if: ctx.google_workspace?.chrome?.device_user != null + - append: + field: related.user + tag: append_profile_user_name_into_related_user + value: '{{{google_workspace.chrome.profile_user_name}}}' + allow_duplicates: false + if: ctx.google_workspace?.chrome?.profile_user_name != null + - append: + field: related.user + tag: append_trigger_user_into_related_user + value: '{{{google_workspace.chrome.trigger_user}}}' + allow_duplicates: false + if: ctx.google_workspace?.chrome?.trigger_user != null + - append: + field: related.user + tag: append_actor_profile_id_into_related_user + value: '{{{google_workspace.chrome.actor.profile_id}}}' 
+ allow_duplicates: false + if: ctx.google_workspace?.chrome?.actor?.profile_id != null + - append: + field: related.user + tag: append_actor_email_into_related_user + value: '{{{google_workspace.chrome.actor.email}}}' + allow_duplicates: false + if: ctx.google_workspace?.chrome?.actor?.email != null + - append: + field: related.ip + tag: append_ip_address_into_related_user + value: '{{{google_workspace.chrome.ip_address}}}' + allow_duplicates: false + if: ctx.google_workspace?.chrome?.ip_address != null + - append: + field: related.hash + tag: append_content_hash_into_related_user + value: '{{{google_workspace.chrome.content_hash}}}' + allow_duplicates: false + if: ctx.google_workspace?.chrome?.content_hash != null + - set: + field: device.model.name + tag: set_device_model_name_from_chrome_device_name + copy_from: google_workspace.chrome.device_name + ignore_empty_value: true + - set: + field: host.os.full + tag: set_host_os_full_from_chrome_device_platform + copy_from: google_workspace.chrome.device_platform + ignore_empty_value: true + - dissect: + field: google_workspace.chrome.device_user + tag: dissect_device_user + if: ctx.google_workspace?.chrome?.device_user != null && ctx.google_workspace.chrome.device_user.contains('@') + pattern: '%{user.name}@%{user.domain}' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: user.name + tag: set_user_name_from_device_user + copy_from: google_workspace.chrome.device_user + if: ctx.user?.name == null + ignore_empty_value: true + - set: + field: event.reason + tag: set_event_reason_from_chrome_event_reason + copy_from: google_workspace.chrome.event_reason + ignore_empty_value: true + - set: + field: '@timestamp' + tag: set_@timestamp_from_chrome_id_time + copy_from: google_workspace.chrome.id.time + 
ignore_empty_value: true + - set: + field: device.id + tag: set_device_id_from_chrome_device_id + copy_from: google_workspace.chrome.device_id + ignore_empty_value: true + - user_agent: + field: google_workspace.chrome.user_agent + ignore_missing: true + - set: + field: event.hash + tag: set_event_hash_from_chrome_content_hash + copy_from: google_workspace.chrome.content_hash + ignore_empty_value: true + - set: + field: message + tag: set_message_from_chrome_user_justification + copy_from: google_workspace.chrome.user_justification + ignore_empty_value: true + - set: + field: file.path + tag: set_file_path_from_chrome_evidence_locker_filepath + copy_from: google_workspace.chrome.evidence_locker_filepath + ignore_empty_value: true + - set: + field: host.domain + tag: set_host_domain_from_chrome_owner_domain + copy_from: google_workspace.chrome.owner_domain + ignore_empty_value: true + - append: + field: host.ip + tag: append_google_workspace_chrome_ip_address_into_host_ip + value: '{{{google_workspace.chrome.ip_address}}}' + allow_duplicates: false + if: ctx.google_workspace?.chrome?.ip_address != null + - set: + field: user.id + tag: set_user_id_from_chrome_actor_profile_id + copy_from: google_workspace.chrome.actor.profile_id + ignore_empty_value: true + - set: + field: user.email + tag: set_user_email_from_chrome_actor_email + copy_from: google_workspace.chrome.actor.email + ignore_empty_value: true + - set: + field: event.id + tag: set_event_id_from_uniqueQualifier + copy_from: google_workspace.chrome.id.unique_qualifier + ignore_empty_value: true + - set: + field: event.provider + tag: set_event_provider_from_application_name + copy_from: google_workspace.chrome.id.application_name + ignore_empty_value: true + - set: + field: event.action + tag: set_event_action_from_name + copy_from: google_workspace.chrome.name + ignore_empty_value: true + - lowercase: + field: event.action + tag: lowercase_event_action + ignore_missing: true + - split: + field: event.action 
+ tag: split_event_action + separator: \s+ + ignore_missing: true + if: ctx.event?.action != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - join: + field: event.action + tag: join_event_action + separator: '-' + if: ctx.event?.action instanceof List + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: organization.id + tag: set_organization_id_from_customerId + copy_from: google_workspace.chrome.id.customer_id + ignore_empty_value: true + - set: + field: source.ip + tag: set_source_ip_from_ipAddress + copy_from: google_workspace.chrome.ip_address + ignore_empty_value: true + - geoip: + field: source.ip + tag: geoip_source_geo_from_source_ip + target_field: source.geo + ignore_missing: true + - geoip: + field: source.ip + tag: set_source_as_from_source_ip + database_file: GeoLite2-ASN.mmdb + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - set: + field: source.user.email + tag: set_source_user_email + copy_from: user.email + ignore_empty_value: true + - script: + lang: painless + tag: script_to_extract_source_user_name_and_domain + if: 'ctx?.source?.user?.email != null && ctx?.source?.user?.email.contains("@")' + source: > + String[] splitmail = ctx.source.user.email.splitOnToken('@'); + if (splitmail.length != 2) { + return; + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + ctx.source.user.name = splitmail[0]; + ctx.source.user.domain = splitmail[1]; + - set: + field: source.user.id + tag: set_source_user_id + copy_from: user.id + ignore_empty_value: true + - remove: + 
field: + - google_workspace.chrome.actor.email + - google_workspace.chrome.actor.profile_id + - google_workspace.chrome.content_hash + - google_workspace.chrome.device_id + - google_workspace.chrome.device_name + - google_workspace.chrome.device_platform + - google_workspace.chrome.event_reason + - google_workspace.chrome.evidence_locker_filepath + - google_workspace.chrome.id.application_name + - google_workspace.chrome.id.customer_id + - google_workspace.chrome.id.time + - google_workspace.chrome.id.unique_qualifier + - google_workspace.chrome.ip_address + - google_workspace.chrome.owner_domain + - google_workspace.chrome.url + - google_workspace.chrome.user_agent + - google_workspace.chrome.user_justification + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - script: + tag: script_to_drop_null_values + lang: painless + description: Drops null/empty values recursively. + source: |- + boolean drop(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(v -> drop(v)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(v -> drop(v)); + return (((List) object).length == 0); + } + return false; + } + drop(ctx); + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - remove: + field: json + tag: remove_json + ignore_missing: true + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: >- + 
Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error diff --git a/packages/google_workspace/data_stream/chrome/fields/base-fields.yml b/packages/google_workspace/data_stream/chrome/fields/base-fields.yml new file mode 100644 index 00000000000..0ebc2545b80 --- /dev/null +++ b/packages/google_workspace/data_stream/chrome/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: google_workspace +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: google_workspace.chrome +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/google_workspace/data_stream/chrome/fields/beats.yml b/packages/google_workspace/data_stream/chrome/fields/beats.yml new file mode 100644 index 00000000000..4084f1dc7f5 --- /dev/null +++ b/packages/google_workspace/data_stream/chrome/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/google_workspace/data_stream/chrome/fields/fields.yml b/packages/google_workspace/data_stream/chrome/fields/fields.yml new file mode 100644 index 00000000000..7c7d96ca0b0 --- /dev/null +++ b/packages/google_workspace/data_stream/chrome/fields/fields.yml 
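Review bot: `event.original` is never removed when the `preserve_original_event` tag is absent: the payload is renamed from `message` into `event.original` near the top, but no later processor drops it, so the raw record (actor e-mail, client IP, URL, user justification text) is always stored a second time regardless of the stream's "Preserve original event" setting, unless it is dropped somewhere outside this pipeline. The trailing `append tags preserve_original_event` on error only makes sense if such a conditional removal exists. Add it before the `pipeline_error` handling, with the same tag-based condition used by `remove_custom_duplicate_fields`. Separately, the flatten script only copies `value`, `boolValue`, `intValue` and the `multi*Value` variants; a parameter delivered in another Reports API shape (such as `messageValue`) is silently lost, which is worth stating in the script's `description`.
```yaml
  # … unchanged: remove_json …
  - remove:
      field: event.original
      tag: remove_event_original
      if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
      ignore_failure: true
      ignore_missing: true
  # … unchanged: set_pipeline_error_into_event_kind, append tags …
```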
@@ -0,0 +1,161 @@ +- name: google_workspace + type: group + fields: + - name: chrome + type: group + fields: + - name: actor + type: group + fields: + - name: caller_type + type: keyword + - name: email + type: keyword + - name: key + type: keyword + - name: profile_id + type: keyword + - name: app_id + type: keyword + - name: app_name + type: keyword + description: App name. + - name: browser_version + type: keyword + description: Browser version event parameter. + - name: chrome_org_unit_id + type: keyword + - name: client_type + type: keyword + description: Event client type parameter. + - name: content_hash + type: keyword + description: Content hash event parameter. + - name: content_name + type: keyword + description: Content name event parameter. + - name: content_size + type: long + description: Content size event parameter. + - name: content_transfer_method + type: keyword + description: The method for content transferring. + - name: content_type + type: keyword + description: Content type event parameter. + - name: device_id + type: keyword + description: Device id event name. + - name: device_name + type: keyword + description: Device name event parameter. + - name: device_platform + type: keyword + description: Device platform event parameter. + - name: device_user + type: keyword + description: Device user name event parameter. + - name: directory_device_id + type: keyword + description: Directory API device ID of the device or browser on which the event happened. + - name: etag + type: keyword + - name: event_reason + type: keyword + description: Event reason event parameter. + - name: event_result + type: keyword + description: Event result event parameter. + - name: evidence_locker_filepath + type: keyword + description: A parameter that contains the filepath of the evidence locker. 
+ - name: extension_action + type: keyword + - name: extension_source + type: keyword + - name: extension_version + type: keyword + - name: federated_origin + type: keyword + description: A parameter that contains the domain of the federated 3rd party provding the login flow. + - name: id + type: group + fields: + - name: application_name + type: keyword + - name: customer_id + type: keyword + - name: time + type: date + - name: unique_qualifier + type: keyword + - name: ip_address + type: ip + - name: is_federated + type: boolean + description: A parameter that contains whether the login is through a federated 3rd party. + - name: kind + type: keyword + - name: login_failure_reason + type: keyword + description: Login failure event reason parameter. + - name: login_user_name + type: keyword + description: A Parameter that contains the username used by the user when performing the login that triggered the login event report. + - name: name + type: keyword + - name: new_boot_mode + type: keyword + description: New device boot mode. + - name: org_unit_name + type: keyword + description: Org unit name. + - name: owner_domain + type: keyword + - name: previous_boot_mode + type: keyword + description: Previous device boot mode. + - name: profile_user_name + type: keyword + description: GSuite user name of the profile. + - name: remove_user_reason + type: keyword + description: Parameter explaining why a user was removed from a device. + - name: scan_id + type: keyword + description: A parameter that contains the scan id of the content analysis scan which triggered the event. + - name: server_scan_status + type: keyword + description: Status indicates the outcome of the event's server scan, which could be complete, require a manual audit due to configuration settings, or require a manual audit because the scan took too long. + - name: timestamp + type: date + description: The server timestamp of the Chrome Safe Browsing event. 
+ - name: trigger_destination + type: keyword + description: A parameter that contains the destination of the rule which triggered the event. + - name: trigger_source + type: keyword + description: A parameter that contains the source of the rule which triggered the event. + - name: trigger_type + type: keyword + description: Event trigger type parameter. + - name: trigger_user + type: keyword + description: Trigger user event parameter. + - name: triggered_rules_reason + type: keyword + description: Triggered rules reason event parameter. + - name: type + type: keyword + - name: url + type: keyword + description: The URL that event happened on. + - name: user_agent + type: keyword + description: User agent event parameter. + - name: user_justification + type: keyword + description: A parameter that contains a justification message provided by users. + - name: virtual_device_id + type: keyword + description: Virtual device ID of the browser on which the event happened. diff --git a/packages/google_workspace/data_stream/chrome/manifest.yml b/packages/google_workspace/data_stream/chrome/manifest.yml new file mode 100644 index 00000000000..6403b35d83b --- /dev/null +++ b/packages/google_workspace/data_stream/chrome/manifest.yml 
@@ -0,0 +1,102 @@ +title: Google Workspace Chrome logs +type: logs +streams: + - input: cel + template_path: cel.yml.hbs + title: Google Workspace Chrome logs + description: Collecting Google Workspace Chrome logs via API. + vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + required: true + show_user: true + default: 24h + description: How far back to pull the Google Workspace Chrome logs Google Workspace API. Supported units for this parameter are h/m/s. + - name: interval + type: text + title: Interval + description: >- + Duration between requests to the API. Google Workspace defaults to a 2 hour polling interval because Google reports can go from some minutes up to 3 days of delay. For more details on this, you can read more at https://support.google.com/a/answer/7061566. NOTE: Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 2h + - name: batch_size + type: text + title: Batch Size + multi: false + required: true + show_user: false + description: Batch size for the response of the Google Workspace Chrome API. Maximum batch size can be 1000. + default: 1000 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + description: Tags for the data-stream. + default: + - forwarded + - google_workspace-chrome + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: false + show_user: false + title: Preserve duplicate custom fields + description: Preserve google_workspace.chrome fields that were copied to Elastic Common Schema (ECS) fields. 
+ type: bool + multi: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. + - name: proxy_url + type: text + title: Proxy URL + multi: false + required: false + show_user: false + description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format. + - name: ssl + type: yaml + title: SSL Configuration + description: SSL Config for the host i.e. certificate_authorities, supported_protocols, verification_mode etc. + multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # 
-----END CERTIFICATE----- diff --git a/packages/google_workspace/data_stream/chrome/sample_event.json b/packages/google_workspace/data_stream/chrome/sample_event.json new file mode 100644 index 00000000000..3e39db562cc --- /dev/null +++ b/packages/google_workspace/data_stream/chrome/sample_event.json 
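Review bot: `proxy_url` is documented as accepting embedded credentials (`user:password@host:port`) yet is declared as a plain `type: text` var, so a proxy password entered here is stored and displayed in the agent policy like any other text setting. If the package-spec version in use supports it, declare it with `secret: true`; otherwise the description should say that credentials placed in this URL are not protected. Also, `batch_size` is free text with the 1000 cap mentioned only in prose, and the value is passed straight through as `maxResults`; `type: integer` with the limit stated in the description would catch bad input before it reaches the API.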
@@ -0,0 +1,132 @@ +{ + "@timestamp": "2024-12-09T14:18:25.405Z", + "agent": { + "ephemeral_id": "7917124f-6a0b-493b-be4b-a928a4f17334", + "id": "499a39d7-b13c-4994-a354-0d3791cf15e6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.16.0" + }, + "data_stream": { + "dataset": "google_workspace.chrome", + "namespace": "12964", + "type": "logs" + }, + "device": { + "model": { + "name": "NXKUTSI002429051947600" + } + }, + "ecs": { + "version": "8.16.0" + }, + "elastic_agent": { + "id": "499a39d7-b13c-4994-a354-0d3791cf15e6", + "snapshot": false, + "version": "8.16.0" + }, + "event": { + "action": "browser_extension_install", + "agent_id_status": "verified", + "dataset": "google_workspace.chrome", + "id": "-3640711002716937498", + "ingested": "2024-12-24T07:36:34Z", + "kind": "event", + "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"kalpesh.kumar@example.io\",\"profileId\":\"109689693170624712102\"},\"etag\":\"\\\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/cBsNSJx2A9Lg8kiQCGLddmq827A\\\"\",\"events\":{\"name\":\"BROWSER_EXTENSION_INSTALL\",\"parameters\":[{\"intValue\":\"1733753905405\",\"name\":\"TIMESTAMP\"},{\"name\":\"EVENT_REASON\",\"value\":\"BROWSER_EXTENSION_INSTALL\"},{\"name\":\"APP_ID\",\"value\":\"lmjegmlicamnimmfhcmpkclmigmmcbeh\"},{\"name\":\"APP_NAME\",\"value\":\"Application Launcher For Drive (by Google)\"},{\"name\":\"BROWSER_VERSION\",\"value\":\"123.0.6312.112\"},{\"name\":\"CHROME_ORG_UNIT_ID\",\"value\":\"02gajno12larrqx\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_NAME\",\"value\":\"NXKUTSI002429051947600\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
15786.48.2\"},{\"name\":\"DEVICE_USER\",\"value\":\"kalpesh.kumar@example.io\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"efa9510f-8cd2-4d85-b6c2-939cfb335e9e\"},{\"name\":\"EVENT_RESULT\",\"value\":\"REPORTED\"},{\"name\":\"EXTENSION_ACTION\",\"value\":\"INSTALL\"},{\"name\":\"EXTENSION_SOURCE\",\"value\":\"CHROME_WEBSTORE\"},{\"name\":\"EXTENSION_VERSION\",\"value\":\"3.10\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"example.io\"},{\"name\":\"PROFILE_USER_NAME\",\"value\":\"kalpesh.kumar@example.io\"},{\"name\":\"USER_AGENT\",\"value\":\"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36\"},{\"name\":\"VIRTUAL_DEVICE_ID\",\"value\":\"3d69c5a5-0afc-474b-a1a3-d3dc617e2a60\"}],\"type\":\"BROWSER_EXTENSION_INSTALL_TYPE\"},\"id\":{\"applicationName\":\"chrome\",\"customerId\":\"C03puekhd\",\"time\":\"2024-12-09T14:18:25.405Z\",\"uniqueQualifier\":\"-3640711002716937498\"},\"kind\":\"admin#reports#activity\"}", + "outcome": "success", + "provider": "chrome", + "reason": "BROWSER_EXTENSION_INSTALL" + }, + "google_workspace": { + "chrome": { + "actor": { + "caller_type": "USER", + "email": "kalpesh.kumar@example.io", + "profile_id": "109689693170624712102" + }, + "app_id": "lmjegmlicamnimmfhcmpkclmigmmcbeh", + "app_name": "Application Launcher For Drive (by Google)", + "browser_version": "123.0.6312.112", + "chrome_org_unit_id": "02gajno12larrqx", + "client_type": "CHROME_OS_DEVICE", + "device_name": "NXKUTSI002429051947600", + "device_platform": "ChromeOS 15786.48.2", + "device_user": "kalpesh.kumar@example.io", + "directory_device_id": "efa9510f-8cd2-4d85-b6c2-939cfb335e9e", + "etag": "\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/cBsNSJx2A9Lg8kiQCGLddmq827A\"", + "event_reason": "BROWSER_EXTENSION_INSTALL", + "event_result": "REPORTED", + "extension_action": "INSTALL", + "extension_source": "CHROME_WEBSTORE", + "extension_version": "3.10", + "id": { + "application_name": "chrome", + "customer_id": 
"C03puekhd", + "time": "2024-12-09T14:18:25.405Z", + "unique_qualifier": "-3640711002716937498" + }, + "kind": "admin#reports#activity", + "name": "BROWSER_EXTENSION_INSTALL", + "org_unit_name": "example.io", + "profile_user_name": "kalpesh.kumar@example.io", + "timestamp": "2024-12-09T14:18:25.405Z", + "type": "BROWSER_EXTENSION_INSTALL_TYPE", + "user_agent": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36", + "virtual_device_id": "3d69c5a5-0afc-474b-a1a3-d3dc617e2a60" + } + }, + "host": { + "os": { + "full": "ChromeOS 15786.48.2" + } + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Chrome", + "vendor": "Google Workspace" + }, + "organization": { + "id": "C03puekhd" + }, + "related": { + "user": [ + "kalpesh.kumar@example.io", + "109689693170624712102" + ] + }, + "source": { + "user": { + "domain": "example.io", + "email": "kalpesh.kumar@example.io", + "id": "109689693170624712102", + "name": "kalpesh.kumar" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "google_workspace-chrome" + ], + "user": { + "domain": "example.io", + "email": "kalpesh.kumar@example.io", + "id": "109689693170624712102", + "name": "kalpesh.kumar" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36", + "os": { + "full": "Chrome OS 14541.0.0", + "name": "Chrome OS", + "version": "14541.0.0" + }, + "version": "123.0.0.0" + } +} \ No newline at end of file diff --git a/packages/google_workspace/data_stream/context_aware_access/_dev/test/pipeline/test-context-aware-access.log-expected.json b/packages/google_workspace/data_stream/context_aware_access/_dev/test/pipeline/test-context-aware-access.log-expected.json index a166df83b52..598dad51adc 100644 
--- a/packages/google_workspace/data_stream/context_aware_access/_dev/test/pipeline/test-context-aware-access.log-expected.json +++ b/packages/google_workspace/data_stream/context_aware_access/_dev/test/pipeline/test-context-aware-access.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2023-01-01T06:24:42.442Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ACCESS_DENY_EVENT", diff --git a/packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml index ad02a605c79..a671425c467 100644 --- a/packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace context aware access logs. processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - rename: field: message target_field: event.original diff --git a/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log-expected.json b/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log-expected.json index 43da800398b..2649ef439d4 100644 --- a/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log-expected.json +++ b/packages/google_workspace/data_stream/device/_dev/test/pipeline/test-device.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "APPLICATION_EVENT", diff --git a/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml index e68b6dce985..96c66e595e5 100644 
--- a/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace device logs. processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - rename: field: message target_field: event.original diff --git a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json index 393833bfc9f..1f8f1564be1 100644 --- a/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json +++ b/packages/google_workspace/data_stream/drive/_dev/test/pipeline/test-drive.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "add_to_folder", @@ -97,7 +97,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "approval_canceled", @@ -191,7 +191,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "approval_comment_added", @@ -285,7 +285,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "approval_requested", @@ -379,7 +379,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "approval_reviewer_responded", @@ -473,7 +473,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "create", @@ -565,7 +565,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "delete", 
@@ -657,7 +657,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "download", @@ -749,7 +749,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "edit", @@ -841,7 +841,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "add_lock", @@ -933,7 +933,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "move", @@ -1029,7 +1029,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "preview", @@ -1121,7 +1121,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "print", @@ -1213,7 +1213,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "remove_from_folder", @@ -1307,7 +1307,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "rename", @@ -1401,7 +1401,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "untrash", @@ -1493,7 +1493,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "sheets_import_range", @@ -1585,7 +1585,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "trash", @@ -1677,7 +1677,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "remove_lock", 
@@ -1769,7 +1769,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "upload", @@ -1861,7 +1861,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "view", @@ -1954,7 +1954,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_acl_editors", @@ -2052,7 +2052,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_document_access_scope", @@ -2151,7 +2151,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_document_visibility", @@ -2250,7 +2250,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "shared_drive_membership_change", @@ -2349,7 +2349,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "shared_drive_settings_change", @@ -2448,7 +2448,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "sheets_import_range_access_change", @@ -2542,7 +2542,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_user_access", @@ -2642,7 +2642,7 @@ { "@timestamp": "2024-07-29T12:34:56.789Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "email_as_attachment", diff --git a/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml index 3fbfb4a9f21..ea32095cbee 100644 --- a/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace logs processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - append: field: event.category value: file diff --git a/packages/google_workspace/data_stream/gcp/_dev/test/pipeline/test-gcp.log-expected.json b/packages/google_workspace/data_stream/gcp/_dev/test/pipeline/test-gcp.log-expected.json index 9a310b0f7fe..1e264e312db 100644 --- a/packages/google_workspace/data_stream/gcp/_dev/test/pipeline/test-gcp.log-expected.json +++ b/packages/google_workspace/data_stream/gcp/_dev/test/pipeline/test-gcp.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2023-01-01T06:24:42.442Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "IMPORT_SSH_PUBLIC_KEY", diff --git a/packages/google_workspace/data_stream/gcp/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/gcp/elasticsearch/ingest_pipeline/default.yml index c4b084d229c..2a71a901c22 100644 --- a/packages/google_workspace/data_stream/gcp/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/gcp/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace GCP logs. processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - rename: field: message target_field: event.original diff --git a/packages/google_workspace/data_stream/group_enterprise/_dev/test/pipeline/test-group-enterprise.log-expected.json b/packages/google_workspace/data_stream/group_enterprise/_dev/test/pipeline/test-group-enterprise.log-expected.json index 0afe9070836..f83977374db 100644 --- a/packages/google_workspace/data_stream/group_enterprise/_dev/test/pipeline/test-group-enterprise.log-expected.json +++ b/packages/google_workspace/data_stream/group_enterprise/_dev/test/pipeline/test-group-enterprise.log-expected.json 
@@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "add_info_setting", diff --git a/packages/google_workspace/data_stream/group_enterprise/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/group_enterprise/elasticsearch/ingest_pipeline/default.yml index 0d7132b4366..7132b529640 100644 --- a/packages/google_workspace/data_stream/group_enterprise/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/group_enterprise/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace group enterprise logs. processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - rename: field: message target_field: event.original diff --git a/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json b/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json index 60004e036f0..b6a2d1a0d4a 100644 --- a/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json +++ b/packages/google_workspace/data_stream/groups/_dev/test/pipeline/test-groups.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_acl_permission", @@ -97,7 +97,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "accept_invitation", @@ -184,7 +184,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "approve_join_request", @@ -278,7 +278,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "join", 
@@ -365,7 +365,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "request_to_join", @@ -452,7 +452,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_basic_setting", @@ -542,7 +542,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "create_group", @@ -628,7 +628,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "delete_group", @@ -714,7 +714,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_identity_setting", @@ -804,7 +804,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "add_info_setting", @@ -893,7 +893,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_info_setting", @@ -983,7 +983,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "remove_info_setting", @@ -1072,7 +1072,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_new_members_restrictions_setting", @@ -1162,7 +1162,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_post_replies_setting", @@ -1252,7 +1252,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_spam_moderation_setting", @@ -1342,7 +1342,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "change_topic_setting", 
@@ -1432,7 +1432,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "moderate_message", @@ -1523,7 +1523,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "always_post_from_user", @@ -1617,7 +1617,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "add_user", @@ -1712,7 +1712,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "ban_user_with_moderation", @@ -1807,7 +1807,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "revoke_invitation", @@ -1901,7 +1901,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "invite_user", @@ -1995,7 +1995,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "reject_join_request", @@ -2089,7 +2089,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "reinvite_user", @@ -2183,7 +2183,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "remove_user", diff --git a/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml index 8e150c0dc2c..f471947ee4e 100644 --- a/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml 
@@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace logs processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - append: field: event.category value: iam diff --git a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json index c9667d13abb..014cbb84d5c 100644 --- a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json +++ b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "account_disabled_password_leak", @@ -84,7 +84,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "suspicious_login", @@ -166,7 +166,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "suspicious_login_less_secure_app", @@ -248,7 +248,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "suspicious_programmatic_login", @@ -330,7 +330,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "account_disabled_generic", @@ -411,7 +411,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "account_disabled_spamming_through_relay", @@ -492,7 +492,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "account_disabled_spamming", @@ -573,7 +573,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "account_disabled_hijacked", 
@@ -656,7 +656,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "gov_attack_warning", @@ -728,7 +728,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "login_failure", @@ -807,7 +807,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "login_challenge", @@ -885,7 +885,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "login_verification", @@ -963,7 +963,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "logout", @@ -1039,7 +1039,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "login_success", diff --git a/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml index 25c0e6d0ab4..b0d328ca704 100644 --- a/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace logs processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - rename: field: message target_field: event.original diff --git a/packages/google_workspace/data_stream/rules/_dev/test/pipeline/test-rules.log-expected.json b/packages/google_workspace/data_stream/rules/_dev/test/pipeline/test-rules.log-expected.json index 3577aece7b3..0dcb88a338f 100644 --- a/packages/google_workspace/data_stream/rules/_dev/test/pipeline/test-rules.log-expected.json +++ b/packages/google_workspace/data_stream/rules/_dev/test/pipeline/test-rules.log-expected.json 
@@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "rule_match", @@ -117,7 +117,7 @@ { "@timestamp": "2020-11-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "rule_match", diff --git a/packages/google_workspace/data_stream/rules/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/rules/elasticsearch/ingest_pipeline/default.yml index 5a1f642c74c..786a876717c 100644 --- a/packages/google_workspace/data_stream/rules/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/rules/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace rules logs. processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - rename: field: message target_field: event.original diff --git a/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json b/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json index 3200a0fecc3..586708919c8 100644 --- a/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json +++ b/packages/google_workspace/data_stream/saml/_dev/test/pipeline/test-saml.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "login_failure", @@ -85,7 +85,7 @@ { "@timestamp": "2020-10-02T15:00:01.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "login_success", diff --git a/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml index b623ad32b6a..1782046c28c 100644 --- a/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace logs processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - set: field: event.kind value: event diff --git a/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log-expected.json b/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log-expected.json index be072d532a2..6c71908e753 100644 --- a/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log-expected.json +++ b/packages/google_workspace/data_stream/token/_dev/test/pipeline/test-token.log-expected.json @@ -3,7 +3,7 @@ { "@timestamp": "2023-01-01T06:24:42.442Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "authorize", diff --git a/packages/google_workspace/data_stream/token/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/token/elasticsearch/ingest_pipeline/default.yml index 8b0a17949bf..df4a10416c1 100644 --- a/packages/google_workspace/data_stream/token/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/token/elasticsearch/ingest_pipeline/default.yml @@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace token logs. processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - rename: field: message target_field: event.original diff --git a/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json b/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json index 9b8e5357423..950b8217b7a 100644 --- a/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json +++ b/packages/google_workspace/data_stream/user_accounts/_dev/test/pipeline/test-user-accounts.log-expected.json 
@@ -3,7 +3,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "2sv_disable", @@ -76,7 +76,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "2sv_enroll", @@ -149,7 +149,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "password_edit", @@ -222,7 +222,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "recovery_email_edit", @@ -295,7 +295,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "recovery_phone_edit", @@ -368,7 +368,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "recovery_secret_qa_edit", @@ -441,7 +441,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "titanium_enroll", @@ -514,7 +514,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "titanium_unenroll", @@ -587,7 +587,7 @@ { "@timestamp": "2020-10-02T15:00:00.000Z", "ecs": { - "version": "8.11.0" + "version": "8.16.0" }, "event": { "action": "email_forwarding_out_of_domain", diff --git a/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml index 2d3a816c8e4..1c3c1a5f2ba 100644 --- a/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml 
@@ -3,7 +3,7 @@ description: Pipeline for parsing google_workspace logs processors: - set: field: ecs.version - value: '8.11.0' + value: '8.16.0' - set: field: event.kind value: event diff --git a/packages/google_workspace/docs/README.md b/packages/google_workspace/docs/README.md index ce22087b60c..63c004fa5b8 100644 --- a/packages/google_workspace/docs/README.md +++ b/packages/google_workspace/docs/README.md @@ -26,6 +26,7 @@ It is compatible with a subset of applications under the [Google Reports API v1] | [Access Transparency](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/access-transparency) [help](https://support.google.com/a/answer/9230474?hl=en) | The Access Transparency activity report returns information about various types of Access Transparency activity events. | | [Context Aware Access](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/context-aware-access) [help](https://support.google.com/a/answer/9394107?hl=en#zippy=) | The Context Aware Access activity report returns information about various types of Context-Aware Access Audit activity events. | | [GCP](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/gcp) | The GCP activity report returns information about various types of Google Cloud Platform activity events. | +| [Chrome](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/chrome) | The Chrome activity reports return information about Chrome browser and Chrome OS events. | ## Requirements 
@@ -42,7 +43,7 @@ This integration will make use of the following *oauth2 scope*:
 
 Once you have downloaded your service account credentials as a JSON file, you are ready to set up your integration.
 
-Click the Advanced option of Google Workspace Audit Reports. The default value of "API Host" is `https://www.googleapis.com`. The API Host will be used for collecting `access_transparency`, `admin`, `device`, `context_aware_access`, `drive`, `gcp`, `groups`, `group_enterprise`, `login`, `rules`, `saml`, `token` and `user accounts` logs.
+Click the Advanced option of Google Workspace Audit Reports. The default value of "API Host" is `https://www.googleapis.com`. The API Host will be used for collecting `access_transparency`, `admin`, `chrome`, `context_aware_access`, `device`, `drive`, `gcp`, `groups`, `group_enterprise`, `login`, `rules`, `saml`, `token` and `user accounts` logs.
 
 > NOTE: The `Delegated Account` value in the configuration, is expected to be the email of the administrator account, and not the email of the ServiceAccount.
 
@@ -126,7 +127,7 @@ Once Service Account credentials are downloaded as a JSON file, then the integra
 
 ### Google Workspace Reports ECS fields
 
-This is a list of Google Workspace Reports fields that are mapped to ECS that are common to al data sets.
+This is a list of Google Workspace Reports fields that are mapped to ECS that are common to all data sets.
 
 | Google Workspace Reports | ECS Fields |
 |------------------------------|---------------------------------------------------------------|
@@ -2791,3 +2792,214 @@ An example event for `gcp` looks as following: | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | + +### Chrome + +This is the `chrome` dataset. + +An example event for `chrome` looks as following: + +```json +{ + "@timestamp": "2024-12-09T14:18:25.405Z", + "agent": { + "ephemeral_id": "7917124f-6a0b-493b-be4b-a928a4f17334", + "id": "499a39d7-b13c-4994-a354-0d3791cf15e6", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.16.0" + }, + "data_stream": { + "dataset": "google_workspace.chrome", + "namespace": "12964", + "type": "logs" + }, + "device": { + "model": { + "name": "NXKUTSI002429051947600" + } + }, + "ecs": { + "version": "8.16.0" + }, + "elastic_agent": { + "id": "499a39d7-b13c-4994-a354-0d3791cf15e6", + "snapshot": false, + "version": "8.16.0" + }, + "event": { + "action": "browser_extension_install", + "agent_id_status": "verified", + "dataset": "google_workspace.chrome", + "id": "-3640711002716937498", + "ingested": "2024-12-24T07:36:34Z", + "kind": "event", + "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"kalpesh.kumar@example.io\",\"profileId\":\"109689693170624712102\"},\"etag\":\"\\\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/cBsNSJx2A9Lg8kiQCGLddmq827A\\\"\",\"events\":{\"name\":\"BROWSER_EXTENSION_INSTALL\",\"parameters\":[{\"intValue\":\"1733753905405\",\"name\":\"TIMESTAMP\"},{\"name\":\"EVENT_REASON\",\"value\":\"BROWSER_EXTENSION_INSTALL\"},{\"name\":\"APP_ID\",\"value\":\"lmjegmlicamnimmfhcmpkclmigmmcbeh\"},{\"name\":\"APP_NAME\",\"value\":\"Application Launcher For Drive (by Google)\"},{\"name\":\"BROWSER_VERSION\",\"value\":\"123.0.6312.112\"},{\"name\":\"CHROME_ORG_UNIT_ID\",\"value\":\"02gajno12larrqx\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_NAME\",\"value\":\"NXKUTSI002429051947600\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
15786.48.2\"},{\"name\":\"DEVICE_USER\",\"value\":\"kalpesh.kumar@example.io\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"efa9510f-8cd2-4d85-b6c2-939cfb335e9e\"},{\"name\":\"EVENT_RESULT\",\"value\":\"REPORTED\"},{\"name\":\"EXTENSION_ACTION\",\"value\":\"INSTALL\"},{\"name\":\"EXTENSION_SOURCE\",\"value\":\"CHROME_WEBSTORE\"},{\"name\":\"EXTENSION_VERSION\",\"value\":\"3.10\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"example.io\"},{\"name\":\"PROFILE_USER_NAME\",\"value\":\"kalpesh.kumar@example.io\"},{\"name\":\"USER_AGENT\",\"value\":\"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36\"},{\"name\":\"VIRTUAL_DEVICE_ID\",\"value\":\"3d69c5a5-0afc-474b-a1a3-d3dc617e2a60\"}],\"type\":\"BROWSER_EXTENSION_INSTALL_TYPE\"},\"id\":{\"applicationName\":\"chrome\",\"customerId\":\"C03puekhd\",\"time\":\"2024-12-09T14:18:25.405Z\",\"uniqueQualifier\":\"-3640711002716937498\"},\"kind\":\"admin#reports#activity\"}", + "outcome": "success", + "provider": "chrome", + "reason": "BROWSER_EXTENSION_INSTALL" + }, + "google_workspace": { + "chrome": { + "actor": { + "caller_type": "USER", + "email": "kalpesh.kumar@example.io", + "profile_id": "109689693170624712102" + }, + "app_id": "lmjegmlicamnimmfhcmpkclmigmmcbeh", + "app_name": "Application Launcher For Drive (by Google)", + "browser_version": "123.0.6312.112", + "chrome_org_unit_id": "02gajno12larrqx", + "client_type": "CHROME_OS_DEVICE", + "device_name": "NXKUTSI002429051947600", + "device_platform": "ChromeOS 15786.48.2", + "device_user": "kalpesh.kumar@example.io", + "directory_device_id": "efa9510f-8cd2-4d85-b6c2-939cfb335e9e", + "etag": "\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/cBsNSJx2A9Lg8kiQCGLddmq827A\"", + "event_reason": "BROWSER_EXTENSION_INSTALL", + "event_result": "REPORTED", + "extension_action": "INSTALL", + "extension_source": "CHROME_WEBSTORE", + "extension_version": "3.10", + "id": { + "application_name": "chrome", + "customer_id": 
"C03puekhd", + "time": "2024-12-09T14:18:25.405Z", + "unique_qualifier": "-3640711002716937498" + }, + "kind": "admin#reports#activity", + "name": "BROWSER_EXTENSION_INSTALL", + "org_unit_name": "example.io", + "profile_user_name": "kalpesh.kumar@example.io", + "timestamp": "2024-12-09T14:18:25.405Z", + "type": "BROWSER_EXTENSION_INSTALL_TYPE", + "user_agent": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36", + "virtual_device_id": "3d69c5a5-0afc-474b-a1a3-d3dc617e2a60" + } + }, + "host": { + "os": { + "full": "ChromeOS 15786.48.2" + } + }, + "input": { + "type": "cel" + }, + "observer": { + "product": "Chrome", + "vendor": "Google Workspace" + }, + "organization": { + "id": "C03puekhd" + }, + "related": { + "user": [ + "kalpesh.kumar@example.io", + "109689693170624712102" + ] + }, + "source": { + "user": { + "domain": "example.io", + "email": "kalpesh.kumar@example.io", + "id": "109689693170624712102", + "name": "kalpesh.kumar" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "google_workspace-chrome" + ], + "user": { + "domain": "example.io", + "email": "kalpesh.kumar@example.io", + "id": "109689693170624712102", + "name": "kalpesh.kumar" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36", + "os": { + "full": "Chrome OS 14541.0.0", + "name": "Chrome OS", + "version": "14541.0.0" + }, + "version": "123.0.0.0" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. 
| constant_keyword | +| event.module | Event module. | constant_keyword | +| google_workspace.chrome.actor.caller_type | | keyword | +| google_workspace.chrome.actor.email | | keyword | +| google_workspace.chrome.actor.key | | keyword | +| google_workspace.chrome.actor.profile_id | | keyword | +| google_workspace.chrome.app_id | | keyword | +| google_workspace.chrome.app_name | App name. | keyword | +| google_workspace.chrome.browser_version | Browser version event parameter. | keyword | +| google_workspace.chrome.chrome_org_unit_id | | keyword | +| google_workspace.chrome.client_type | Event client type parameter. | keyword | +| google_workspace.chrome.content_hash | Content hash event parameter. | keyword | +| google_workspace.chrome.content_name | Content name event parameter. | keyword | +| google_workspace.chrome.content_size | Content size event parameter. | long | +| google_workspace.chrome.content_transfer_method | The method for content transferring. | keyword | +| google_workspace.chrome.content_type | Content type event parameter. | keyword | +| google_workspace.chrome.device_id | Device id event name. | keyword | +| google_workspace.chrome.device_name | Device name event parameter. | keyword | +| google_workspace.chrome.device_platform | Device platform event parameter. | keyword | +| google_workspace.chrome.device_user | Device user name event parameter. | keyword | +| google_workspace.chrome.directory_device_id | Directory API device ID of the device or browser on which the event happened. | keyword | +| google_workspace.chrome.etag | | keyword | +| google_workspace.chrome.event_reason | Event reason event parameter. | keyword | +| google_workspace.chrome.event_result | Event result event parameter. | keyword | +| google_workspace.chrome.evidence_locker_filepath | A parameter that contains the filepath of the evidence locker. 
| keyword | +| google_workspace.chrome.extension_action | | keyword | +| google_workspace.chrome.extension_source | | keyword | +| google_workspace.chrome.extension_version | | keyword | +| google_workspace.chrome.federated_origin | A parameter that contains the domain of the federated 3rd party provding the login flow. | keyword | +| google_workspace.chrome.id.application_name | | keyword | +| google_workspace.chrome.id.customer_id | | keyword | +| google_workspace.chrome.id.time | | date | +| google_workspace.chrome.id.unique_qualifier | | keyword | +| google_workspace.chrome.ip_address | | ip | +| google_workspace.chrome.is_federated | A parameter that contains whether the login is through a federated 3rd party. | boolean | +| google_workspace.chrome.kind | | keyword | +| google_workspace.chrome.login_failure_reason | Login failure event reason parameter. | keyword | +| google_workspace.chrome.login_user_name | A Parameter that contains the username used by the user when performing the login that triggered the login event report. | keyword | +| google_workspace.chrome.name | | keyword | +| google_workspace.chrome.new_boot_mode | New device boot mode. | keyword | +| google_workspace.chrome.org_unit_name | Org unit name. | keyword | +| google_workspace.chrome.owner_domain | | keyword | +| google_workspace.chrome.previous_boot_mode | Previous device boot mode. | keyword | +| google_workspace.chrome.profile_user_name | GSuite user name of the profile. | keyword | +| google_workspace.chrome.remove_user_reason | Parameter explaining why a user was removed from a device. | keyword | +| google_workspace.chrome.scan_id | A parameter that contains the scan id of the content analysis scan which triggered the event. | keyword | +| google_workspace.chrome.server_scan_status | Status indicates the outcome of the event's server scan, which could be complete, require a manual audit due to configuration settings, or require a manual audit because the scan took too long. 
| keyword | +| google_workspace.chrome.timestamp | The server timestamp of the Chrome Safe Browsing event. | date | +| google_workspace.chrome.trigger_destination | A parameter that contains the destination of the rule which triggered the event. | keyword | +| google_workspace.chrome.trigger_source | A parameter that contains the source of the rule which triggered the event. | keyword | +| google_workspace.chrome.trigger_type | Event trigger type parameter. | keyword | +| google_workspace.chrome.trigger_user | Trigger user event parameter. | keyword | +| google_workspace.chrome.triggered_rules_reason | Triggered rules reason event parameter. | keyword | +| google_workspace.chrome.type | | keyword | +| google_workspace.chrome.url | The URL that event happened on. | keyword | +| google_workspace.chrome.user_agent | User agent event parameter. | keyword | +| google_workspace.chrome.user_justification | A parameter that contains a justification message provided by users. | keyword | +| google_workspace.chrome.virtual_device_id | Virtual device ID of the browser on which the event happened. | keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | + diff --git a/packages/google_workspace/img/google-workspace-chrome-screenshot.png b/packages/google_workspace/img/google-workspace-chrome-screenshot.png new file mode 100644 index 00000000000..9beb215a163 Binary files /dev/null and b/packages/google_workspace/img/google-workspace-chrome-screenshot.png differ diff --git a/packages/google_workspace/kibana/dashboard/google_workspace-7b55f304-7a6b-4131-bc36-591e35732394.json b/packages/google_workspace/kibana/dashboard/google_workspace-7b55f304-7a6b-4131-bc36-591e35732394.json new file mode 100644 index 00000000000..0c4e73c6e91 --- /dev/null +++ b/packages/google_workspace/kibana/dashboard/google_workspace-7b55f304-7a6b-4131-bc36-591e35732394.json 
@@ -0,0 +1,1335 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "987752b3-5402-4b37-8929-3aa91ddca6a8": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "google_workspace.chrome.type", + "id": "987752b3-5402-4b37-8929-3aa91ddca6a8", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Event Type" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "c4f9cdd2-9116-443e-abf8-0e447a5651e2": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "google_workspace.chrome.name", + "id": "c4f9cdd2-9116-443e-abf8-0e447a5651e2", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Event Name" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "Overview of Google Workspace Chrome.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "google_workspace.chrome" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "google_workspace.chrome" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": { 
+ "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n- [Access Transparency and GCP](#/dashboard/google_workspace-e9a62e70-9583-11ed-82ba-c3ec829933e4)\n- [Admin](#/dashboard/google_workspace-8925d900-3b43-11ed-8bdd-f5c5df6c1370)\n- [Alert](#/dashboard/google_workspace-d6287d50-0107-11ed-825d-df764a9c0c57)\n- **[Chrome (This Page)](#/dashboard/google_workspace-7b55f304-7a6b-4131-bc36-591e35732394)**\n- [Context Aware Access](#/dashboard/google_workspace-d79f1730-9585-11ed-82ba-c3ec829933e4)\n- [Device](#/dashboard/google_workspace-4c5a4cc0-8cbc-11ed-add3-0fec96545f1c)\n- [Drive](#/dashboard/google_workspace-f8210e80-3b28-11ed-8bdd-f5c5df6c1370)\n- [Group Enterprise](#/dashboard/google_workspace-3fb94480-8cbc-11ed-add3-0fec96545f1c)\n- [Groups](#/dashboard/google_workspace-d3cf6d50-3bfb-11ed-8bdd-f5c5df6c1370)\n- [Login](#/dashboard/google_workspace-f163f270-3b13-11ed-8bdd-f5c5df6c1370)\n- [Rules](#/dashboard/google_workspace-3be0b490-3430-11ed-9f31-c9178ccae8cd)\n- [Saml](#/dashboard/google_workspace-ec193fd0-3ab6-11ed-8bdd-f5c5df6c1370)\n- [Token](#/dashboard/google_workspace-26c10e40-8cbc-11ed-add3-0fec96545f1c)\n- [User Accounts](#/dashboard/google_workspace-ca3ff140-3b3f-11ed-8bdd-f5c5df6c1370)\n\n**Overview**\n\nThe dashboard provides a variety of visualizations for tracking chrome audit events. It includes a Line Chart to show event trends over time and Bar Charts for analyzing events by device and user. Pie Charts highlight event outcomes, server scan statuses, and boot modes, giving insights into system health and behavior. A Top 10 URLs Table reveals high-traffic web resources, while Saved Searches offer detailed views of essential content and user data, including device and login information. 
These visualizations enable comprehensive analysis and informed decision-making regarding system performance and audit activity.\n\n**[Integration Page](/app/integrations/detail/google_workspace-2.26.0/)**", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 34, + "i": "ee29a520-6bb7-42ab-b78a-e11630f21185", + "w": 15, + "x": 0, + "y": 0 + }, + "panelIndex": "ee29a520-6bb7-42ab-b78a-e11630f21185", + "title": "Table of Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d957730f-a9bc-4e9b-a378-01ed28a7912b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "d957730f-a9bc-4e9b-a378-01ed28a7912b": { + "columnOrder": [ + "bdad512c-c295-41f1-b3a6-d731056e88af", + "734409d6-37fa-4639-842f-51e273aa1bd3" + ], + "columns": { + "734409d6-37fa-4639-842f-51e273aa1bd3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "bdad512c-c295-41f1-b3a6-d731056e88af": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Outcome", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "734409d6-37fa-4639-842f-51e273aa1bd3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 6 + }, + "scale": "ordinal", + "sourceField": "google_workspace.chrome.event_result" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} 
+ } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "d957730f-a9bc-4e9b-a378-01ed28a7912b", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "734409d6-37fa-4639-842f-51e273aa1bd3" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "bdad512c-c295-41f1-b3a6-d731056e88af" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "7d5c729b-f75d-48c5-8afc-468c8124696b", + "w": 17, + "x": 15, + "y": 0 + }, + "panelIndex": "7d5c729b-f75d-48c5-8afc-468c8124696b", + "title": "Events by Outcome [Logs Google Workspace]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-18750564-b022-4a1f-a08c-5ce06b4e9fa4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "18750564-b022-4a1f-a08c-5ce06b4e9fa4": { + "columnOrder": [ + "ad4594c2-b18e-40c5-9303-0cbca38c9cba", + "2cd1e990-ce14-4f5e-a071-c14fb9010236" + ], + "columns": { + "2cd1e990-ce14-4f5e-a071-c14fb9010236": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ad4594c2-b18e-40c5-9303-0cbca38c9cba": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Previous Boot Mode", + 
"operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "2cd1e990-ce14-4f5e-a071-c14fb9010236", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "google_workspace.chrome.previous_boot_mode" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "18750564-b022-4a1f-a08c-5ce06b4e9fa4", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "2cd1e990-ce14-4f5e-a071-c14fb9010236" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "ad4594c2-b18e-40c5-9303-0cbca38c9cba" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "3929841e-4313-46eb-a459-73cf2ee11272", + "w": 16, + "x": 32, + "y": 0 + }, + "panelIndex": "3929841e-4313-46eb-a459-73cf2ee11272", + "title": "Events by Previous Boot Mode [Logs Google Workspace]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8c84645d-0748-4336-99c2-ef8121524a8a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + 
"datasourceStates": { + "formBased": { + "layers": { + "8c84645d-0748-4336-99c2-ef8121524a8a": { + "columnOrder": [ + "95b0023d-887a-453b-ac16-6d251b6db629", + "6d974b96-a7ba-4ebf-973d-899b2d437e64" + ], + "columns": { + "6d974b96-a7ba-4ebf-973d-899b2d437e64": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "95b0023d-887a-453b-ac16-6d251b6db629": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Server Scan Status", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6d974b96-a7ba-4ebf-973d-899b2d437e64", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 4 + }, + "scale": "ordinal", + "sourceField": "google_workspace.chrome.server_scan_status" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8c84645d-0748-4336-99c2-ef8121524a8a", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "6d974b96-a7ba-4ebf-973d-899b2d437e64" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "95b0023d-887a-453b-ac16-6d251b6db629" + ], + "truncateLegend": false + } + 
], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "e9387ea3-f384-42ff-8583-71494b2e138b", + "w": 17, + "x": 15, + "y": 18 + }, + "panelIndex": "e9387ea3-f384-42ff-8583-71494b2e138b", + "title": "Events by Server Scan Status [Logs Google Workspace]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f6b0475d-fbf2-4b39-b7e4-96445c74b4dc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "f6b0475d-fbf2-4b39-b7e4-96445c74b4dc": { + "columnOrder": [ + "20237696-934e-4ea2-ba5f-dec33b7e1542", + "37b24cc0-b8ed-40f8-b17d-01cfa9d3885c" + ], + "columns": { + "20237696-934e-4ea2-ba5f-dec33b7e1542": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "New Boot Mode", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "37b24cc0-b8ed-40f8-b17d-01cfa9d3885c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "google_workspace.chrome.new_boot_mode" + }, + "37b24cc0-b8ed-40f8-b17d-01cfa9d3885c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + 
"categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f6b0475d-fbf2-4b39-b7e4-96445c74b4dc", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "37b24cc0-b8ed-40f8-b17d-01cfa9d3885c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "20237696-934e-4ea2-ba5f-dec33b7e1542" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "44f321cd-e8fd-4117-b044-5a23aec086ac", + "w": 16, + "x": 32, + "y": 18 + }, + "panelIndex": "44f321cd-e8fd-4117-b044-5a23aec086ac", + "title": "Events by New Boot Mode [Logs Google Workspace]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8c016fa5-87f7-49dc-aaa1-e97e5ea40cb5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "8c016fa5-87f7-49dc-aaa1-e97e5ea40cb5": { + "columnOrder": [ + "b3661d73-7076-47e8-aa7f-624e7444d4a6", + "9d84dbcf-23fe-4ce2-8d39-7ddd2d11707a", + "8828d780-785f-4935-9f0b-f299e1a43ea8" + ], + "columns": { + "8828d780-785f-4935-9f0b-f299e1a43ea8": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "9d84dbcf-23fe-4ce2-8d39-7ddd2d11707a": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + 
"interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "b3661d73-7076-47e8-aa7f-624e7444d4a6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "8828d780-785f-4935-9f0b-f299e1a43ea8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "google_workspace.chrome.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "8828d780-785f-4935-9f0b-f299e1a43ea8" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "8c016fa5-87f7-49dc-aaa1-e97e5ea40cb5", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "b3661d73-7076-47e8-aa7f-624e7444d4a6", + "xAccessor": "9d84dbcf-23fe-4ce2-8d39-7ddd2d11707a" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f11cfd8b-48ec-4938-9b0f-38a3ec50fb02", + "w": 24, + "x": 0, + "y": 34 + 
}, + "panelIndex": "f11cfd8b-48ec-4938-9b0f-38a3ec50fb02", + "title": "Events over Time [Logs Google Workspace]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-caf7b4c3-2f2d-4e2f-a284-f7a5f6c7177a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "caf7b4c3-2f2d-4e2f-a284-f7a5f6c7177a": { + "columnOrder": [ + "d2aa9c77-a4a7-4969-8582-ad123f46c5e5", + "fc67ddd4-6ffb-4212-a396-36a4e03f2457" + ], + "columns": { + "d2aa9c77-a4a7-4969-8582-ad123f46c5e5": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "fc67ddd4-6ffb-4212-a396-36a4e03f2457", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "device.model.name" + }, + "fc67ddd4-6ffb-4212-a396-36a4e03f2457": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "fc67ddd4-6ffb-4212-a396-36a4e03f2457" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": 
{ + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "caf7b4c3-2f2d-4e2f-a284-f7a5f6c7177a", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "d2aa9c77-a4a7-4969-8582-ad123f46c5e5" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "41f95e86-09ff-41aa-b8a5-b6a0f49ae011", + "w": 24, + "x": 24, + "y": 34 + }, + "panelIndex": "41f95e86-09ff-41aa-b8a5-b6a0f49ae011", + "title": "Events by Device Name [Logs Google Workspace]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ad202ca3-65ed-4e4b-b5b9-8fa4fa3d138f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ad202ca3-65ed-4e4b-b5b9-8fa4fa3d138f": { + "columnOrder": [ + "4bebb9f7-c79b-412c-8f9b-4e24bd0f3c07", + "3028600c-e391-4d52-9038-63f79c37c155" + ], + "columns": { + "3028600c-e391-4d52-9038-63f79c37c155": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "4bebb9f7-c79b-412c-8f9b-4e24bd0f3c07": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3028600c-e391-4d52-9038-63f79c37c155", + "type": "column" + }, + "orderDirection": "desc", + 
"otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "3028600c-e391-4d52-9038-63f79c37c155" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "ad202ca3-65ed-4e4b-b5b9-8fa4fa3d138f", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "4bebb9f7-c79b-412c-8f9b-4e24bd0f3c07" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "3e4d2dd3-d62f-4e62-899a-ca52440d9c36", + "w": 24, + "x": 0, + "y": 49 + }, + "panelIndex": "3e4d2dd3-d62f-4e62-899a-ca52440d9c36", + "title": "Events by Device User [Logs Google Workspace]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a40db16c-0c6f-4f44-a53d-c1aa05185c4f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "a40db16c-0c6f-4f44-a53d-c1aa05185c4f": { + "columnOrder": [ + "b4fd7223-f5b9-424b-9a9d-cee59c901127", + 
"7ed128d3-582d-4ced-b777-81fd18e84375" + ], + "columns": { + "7ed128d3-582d-4ced-b777-81fd18e84375": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "b4fd7223-f5b9-424b-9a9d-cee59c901127": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "URL", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "7ed128d3-582d-4ced-b777-81fd18e84375", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "url.original" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "b4fd7223-f5b9-424b-9a9d-cee59c901127", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "7ed128d3-582d-4ced-b777-81fd18e84375", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "a40db16c-0c6f-4f44-a53d-c1aa05185c4f", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "eafebe59-339b-4bb3-8389-59baa1b2b019", + "w": 24, + "x": 24, + "y": 49 + }, + "panelIndex": "eafebe59-339b-4bb3-8389-59baa1b2b019", + "title": "Top 10 URLs [Logs Google Workspace]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "97c0097d-6961-4727-a2b8-b5a81af69d17", + "w": 48, + "x": 0, + 
"y": 64 + }, + "panelIndex": "97c0097d-6961-4727-a2b8-b5a81af69d17", + "panelRefName": "panel_97c0097d-6961-4727-a2b8-b5a81af69d17", + "title": "Content Essential Details [Logs Google Workspace]", + "type": "search" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "83a08353-d43e-4b59-9ac9-5ec3f545e87b", + "w": 48, + "x": 0, + "y": 79 + }, + "panelIndex": "83a08353-d43e-4b59-9ac9-5ec3f545e87b", + "panelRefName": "panel_83a08353-d43e-4b59-9ac9-5ec3f545e87b", + "title": "User Essential Details [Logs Google Workspace]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Google Workspace] Chrome", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-12-12T07:16:39.645Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "google_workspace-7b55f304-7a6b-4131-bc36-591e35732394", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7d5c729b-f75d-48c5-8afc-468c8124696b:indexpattern-datasource-layer-d957730f-a9bc-4e9b-a378-01ed28a7912b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3929841e-4313-46eb-a459-73cf2ee11272:indexpattern-datasource-layer-18750564-b022-4a1f-a08c-5ce06b4e9fa4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e9387ea3-f384-42ff-8583-71494b2e138b:indexpattern-datasource-layer-8c84645d-0748-4336-99c2-ef8121524a8a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "44f321cd-e8fd-4117-b044-5a23aec086ac:indexpattern-datasource-layer-f6b0475d-fbf2-4b39-b7e4-96445c74b4dc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f11cfd8b-48ec-4938-9b0f-38a3ec50fb02:indexpattern-datasource-layer-8c016fa5-87f7-49dc-aaa1-e97e5ea40cb5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"41f95e86-09ff-41aa-b8a5-b6a0f49ae011:indexpattern-datasource-layer-caf7b4c3-2f2d-4e2f-a284-f7a5f6c7177a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3e4d2dd3-d62f-4e62-899a-ca52440d9c36:indexpattern-datasource-layer-ad202ca3-65ed-4e4b-b5b9-8fa4fa3d138f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "eafebe59-339b-4bb3-8389-59baa1b2b019:indexpattern-datasource-layer-a40db16c-0c6f-4f44-a53d-c1aa05185c4f", + "type": "index-pattern" + }, + { + "id": "google_workspace-b95cf166-2f93-42c0-bf69-6ce3e2309a5b", + "name": "97c0097d-6961-4727-a2b8-b5a81af69d17:panel_97c0097d-6961-4727-a2b8-b5a81af69d17", + "type": "search" + }, + { + "id": "google_workspace-8817b016-61c1-4d10-bdc2-e30e9fd93d4c", + "name": "83a08353-d43e-4b59-9ac9-5ec3f545e87b:panel_83a08353-d43e-4b59-9ac9-5ec3f545e87b", + "type": "search" + }, + { + "id": "logs-*", + "name": "controlGroup_987752b3-5402-4b37-8929-3aa91ddca6a8:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_c4f9cdd2-9116-443e-abf8-0e447a5651e2:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/google_workspace/kibana/search/google_workspace-8817b016-61c1-4d10-bdc2-e30e9fd93d4c.json b/packages/google_workspace/kibana/search/google_workspace-8817b016-61c1-4d10-bdc2-e30e9fd93d4c.json new file mode 100644 index 00000000000..e87ccdb18ed --- /dev/null +++ b/packages/google_workspace/kibana/search/google_workspace-8817b016-61c1-4d10-bdc2-e30e9fd93d4c.json 
@@ -0,0 +1,48 @@ +{ + "attributes": { + "columns": [ + "user.name", + "google_workspace.chrome.profile_user_name", + "google_workspace.chrome.trigger_user", + "message" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"google_workspace.chrome\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "User Essential Details [Logs Google Workspace]", + "viewMode": "documents" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-12-12T08:48:19.293Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "google_workspace-8817b016-61c1-4d10-bdc2-e30e9fd93d4c", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/google_workspace/kibana/search/google_workspace-b95cf166-2f93-42c0-bf69-6ce3e2309a5b.json b/packages/google_workspace/kibana/search/google_workspace-b95cf166-2f93-42c0-bf69-6ce3e2309a5b.json new file mode 100644 index 00000000000..bb7d132030e --- /dev/null +++ b/packages/google_workspace/kibana/search/google_workspace-b95cf166-2f93-42c0-bf69-6ce3e2309a5b.json 
@@ -0,0 +1,49 @@ +{ + "attributes": { + "columns": [ + "event.hash", + "google_workspace.chrome.content_name", + "google_workspace.chrome.content_size", + "google_workspace.chrome.content_type", + "google_workspace.chrome.content_transfer_method" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"google_workspace.chrome\" " + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Content Essential Details [Logs Google Workspace]", + "viewMode": "documents" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-12-12T08:37:47.968Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "google_workspace-b95cf166-2f93-42c0-bf69-6ce3e2309a5b", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml index b0814a086f0..746e05a411d 100644 --- a/packages/google_workspace/manifest.yml +++ b/packages/google_workspace/manifest.yml @@ -1,6 +1,6 @@ name: google_workspace title: Google Workspace -version: "2.28.0" +version: "2.29.0" source: license: Elastic-2.0 description: Collect logs from Google Workspace with Elastic Agent. 
@@ -11,10 +11,14 @@ categories:
   - productivity_security
 conditions:
   kibana:
-    version: "^8.13.0"
+    version: "^8.16.0"
   elastic:
     subscription: basic
 screenshots:
+  - src: /img/google-workspace-chrome-screenshot.png
+    title: Google Workspace Chrome Screenshot
+    size: 600x600
+    type: image/png
   - src: /img/google-workspace-rules-screenshot.png
     title: Google Workspace Rules Screenshot
     size: 600x600
@@ -122,6 +126,67 @@ policy_templates:
             default: https://www.googleapis.com
         title: "Collect access_transparency, admin, alert, context_aware_access, device, drive, gcp, groups, group_enterprise, login, rules, saml, token and user accounts logs (input: httpjson)"
         description: "Collecting access_transparency, admin, alert, context_aware_access, device, drive, gcp, groups, group_enterprise, login, rules, saml, token and user accounts logs (input: httpjson)"
+      - type: cel
+        title: Collect Google Workspace Chrome logs via API
+        description: Collecting Google Workspace Chrome logs via API.
+        vars:
+          - name: jwt_file
+            type: text
+            title: Jwt File
+            description: |
+              Specifies the path to the JWT credentials file.
+              NOTE: Please use either JWT File or JWT JSON parameter.
+            multi: false
+            required: false
+            show_user: true
+          - name: enable_request_tracer
+            type: bool
+            title: Enable request tracing
+            multi: false
+            required: false
+            show_user: false
+            description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
+          - name: jwt_json
+            type: password
+            title: Jwt JSON
+            description: |
+              Raw contents of the JWT file. Useful when hosting a file along with the agent is not possible.
+              NOTE: Please use either JWT File or JWT JSON parameter.
+            multi: false
+            required: false
+            show_user: true
+            secret: true
+          - name: delegated_account
+            type: text
+            title: Delegated Account
+            description: Email of the admin user used to access the API.
+            multi: false
+            required: true
+            show_user: true
+          - name: http_client_timeout
+            type: text
+            title: Http Client Timeout
+            description: 'Duration of the time limit on HTTP requests. Supported time units are ns, us, ms, s, m, h.'
+            multi: false
+            required: true
+            show_user: true
+            default: 60s
+          - name: user_key
+            type: text
+            title: User Key
+            description: Specifies the user key to fetch reports from.
+            multi: false
+            required: true
+            show_user: true
+            default: all
+          - name: api_host
+            type: text
+            title: API Host.
+            description: The Google Workspace API Host. The path will be automatically set.
+            multi: false
+            required: true
+            show_user: false
+            default: https://www.googleapis.com
 owner:
   github: elastic/security-service-integrations
 type: elastic
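Review bot: The `enable_request_tracer` description in the new `cel` input still links the httpjson input's tracer documentation (`filebeat-input-httpjson.html#_request_tracer_filename`) even though this input is `type: cel`, so an operator following the link to understand what the trace file captures lands on the wrong input's option; point it at the CEL input page instead, e.g. `See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html) for details.` The `api_host` var's `title: API Host.` carries a trailing period that no other var title in this block has; `title: API Host` matches them. The sibling httpjson input visible in the context lines suffixes its title and description with `(input: httpjson)`, so `title: Collect Google Workspace Chrome logs via API (input: cel)` would keep the naming convention. The "use either JWT File or JWT JSON" rule is only stated in prose here; presumably the agent template outside this hunk enforces it, which is worth confirming since `jwt_json` is the one marked `secret: true`.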