From 888aa06640f08fa7d5acf7ec9d69a5ce27fe37ad Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 8 Jul 2020 11:56:11 +0200 Subject: [PATCH 01/18] Add application settings --- filebeat/docs/fields.asciidoc | 110 +++++ filebeat/docs/modules/gsuite.asciidoc | 1 + x-pack/filebeat/filebeat.reference.yml | 8 + .../filebeat/module/gsuite/_meta/config.yml | 8 + .../module/gsuite/_meta/docs.asciidoc | 1 + .../module/gsuite/admin/_meta/fields.yml | 41 ++ .../module/gsuite/admin/config/config.yml | 50 ++ .../module/gsuite/admin/config/pipeline.js | 136 +++++ .../filebeat/module/gsuite/admin/manifest.yml | 24 + .../admin/test/gsuite-admin-test.json.log | 9 + .../gsuite-admin-test.json.log-expected.json | 466 ++++++++++++++++++ x-pack/filebeat/module/gsuite/fields.go | 2 +- x-pack/filebeat/modules.d/gsuite.yml.disabled | 8 + 13 files changed, 863 insertions(+), 1 deletion(-) create mode 100644 x-pack/filebeat/module/gsuite/admin/_meta/fields.yml create mode 100644 x-pack/filebeat/module/gsuite/admin/config/config.yml create mode 100644 x-pack/filebeat/module/gsuite/admin/config/pipeline.js create mode 100644 x-pack/filebeat/module/gsuite/admin/manifest.yml create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 0a380cc8834..180bc115054 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -61464,6 +61464,116 @@ type: keyword -- +*`gsuite.admin.application.edition`*:: ++ +-- +The GSuite edition. + +type: keyword + +-- + +*`gsuite.admin.application.name`*:: ++ +-- +The application's name. + +type: keyword + +-- + +*`gsuite.admin.group.email`*:: ++ +-- +The group's primary email address. + +type: keyword + +-- + +*`gsuite.admin.new_value`*:: ++ +-- +The new value for the setting. + +type: keyword + +-- + +*`gsuite.admin.old_value`*:: ++ +-- +The old value for the setting. + +type: keyword + +-- + +*`gsuite.admin.org_unit.name`*:: ++ +-- +The organizational unit name. + +type: keyword + +-- + +*`gsuite.admin.setting`*:: ++ +-- +The setting name. + +type: keyword + +-- + +*`gsuite.admin.group.priorities`*:: ++ +-- +Group priorities. + +type: keyword + +-- + +*`gsuite.admin.domain`*:: ++ +-- +The primary domain name. + +type: keyword + +-- + +*`gsuite.admin.managed_configuration`*:: ++ +-- +The name of the managed configuration. + +type: keyword + +-- + +*`gsuite.admin.mobile_app.package_id`*:: ++ +-- +The mobile application package ID. + +type: keyword + +-- + +*`gsuite.admin.non_featured_services_selection`*:: ++ +-- +Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED + + +type: keyword + +-- + + *`gsuite.login.affected_email_address`*:: + -- diff --git a/filebeat/docs/modules/gsuite.asciidoc b/filebeat/docs/modules/gsuite.asciidoc index 565617a40d6..c44cbb0a9a1 100644 --- a/filebeat/docs/modules/gsuite.asciidoc +++ b/filebeat/docs/modules/gsuite.asciidoc 
@@ -24,6 +24,7 @@ It is compatible with a subset of applications under the https://developers.goog - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[SAML Audit Activity Events] - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events] - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events] +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events] === Configure the module diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index e7bf1740d24..f28022993c8 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -735,6 +735,14 @@ filebeat.modules: # var.http_client_timeout: 60s # var.user_key: all # var.interval: 5s + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 5s #------------------------------- HAProxy Module ------------------------------- - module: haproxy diff --git a/x-pack/filebeat/module/gsuite/_meta/config.yml b/x-pack/filebeat/module/gsuite/_meta/config.yml index 65b289a5010..4422edc0ac7 100644 --- a/x-pack/filebeat/module/gsuite/_meta/config.yml +++ b/x-pack/filebeat/module/gsuite/_meta/config.yml @@ -23,3 +23,11 @@ # var.http_client_timeout: 60s # var.user_key: all # var.interval: 5s + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 5s diff --git a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc index 9af088e36f9..e33621fa8cf 100644 --- a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc 
+++ b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc @@ -19,6 +19,7 @@ It is compatible with a subset of applications under the https://developers.goog - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[SAML Audit Activity Events] - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events] - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events] +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events] === Configure the module diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml new file mode 100644 index 00000000000..753ba4683dd --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml 
@@ -0,0 +1,41 @@
+- name: admin
+ type: group
+ fields:
+ - name: application.edition
+ type: keyword
+ description: The GSuite edition.
+ - name: application.name
+ type: keyword
+ description: The application's name.
+ - name: group.email
+ type: keyword
+ description: The group's primary email address.
+ - name: new_value
+ type: keyword
+ description: The new value for the setting.
+ - name: old_value
+ type: keyword
+ description: The old value for the setting.
+ - name: org_unit.name
+ type: keyword
+ description: The organizational unit name.
+ - name: setting
+ type: keyword
+ description: The setting name.
+ - name: group.priorities
+ type: keyword
+ description: Group priorities.
+ - name: domain
+ type: keyword
+ description: The primary domain name.
+ - name: managed_configuration
+ type: keyword
+ description: The name of the managed configuration.
+ - name: mobile_app.package_id
+ type: keyword
+ description: The mobile application package ID.
+ - name: non_featured_services_selection
+ type: keyword
+ description: >
+ Non-featured services selection.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED
diff --git a/x-pack/filebeat/module/gsuite/admin/config/config.yml b/x-pack/filebeat/module/gsuite/admin/config/config.yml
new file mode 100644
index 00000000000..b5c62d3657f
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/config/config.yml
@@ -0,0 +1,50 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/admin
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+ - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
+ - script:
+ lang: javascript
+ id: gsuite-common
+ file: ${path.home}/module/gsuite/config/common.js
+ - script:
+ lang: javascript
+ id: gsuite-admin
+ file: ${path.home}/module/gsuite/admin/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
new file mode 100644
index 00000000000..d61d34efcc2
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
@@ -0,0 +1,136 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+var login = (function () {
+ var processor = require("processor");
+
+ var categorizeEvent = function(evt) {
+ evt.Put("event.category", ["iam"]);
+ switch (evt.Get("event.action")) {
+ case "CHANGE_APPLICATION_SETTING":
+ case "UPDATE_MANAGED_CONFIGURATION":
+ case "GPLUS_PREMIUM_FEATURES":
+ case "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED":
+ evt.Put("event.type", ["change"]);
+ break;
+ case "CREATE_APPLICATION_SETTING":
+ case "CREATE_MANAGED_CONFIGURATION":
+ evt.Put("event.type", ["creation"]);
+ break;
+ case "DELETE_APPLICATION_SETTING":
+ case "DELETE_MANAGED_CONFIGURATION":
+ evt.Put("event.type", ["deletion"]);
+ break;
+ case "REORDER_GROUP_BASED_POLICIES_EVENT":
+ evt.Put("event.type", ["group", "change"]);
+ break;
+ }
+ };
+
+ var getParamValue = function(param) {
+ if (param.value) {
+ return param.value;
+ }
+ if (param.multiValue) {
+ return param.multiValue;
+ }
+ };
+
+ var flattenParams = function(evt) {
+ var params = evt.Get("json.events.parameters");
+ if (!params || !Array.isArray(params)) {
+ return;
+ }
+
+ params.forEach(function(p){
+ evt.Put("gsuite.admin."+p.name, getParamValue(p));
+ });
+
+ evt.Delete("json.events.parameters");
+ };
+
+ var setGroupInfo = function(evt) {
+ var email = evt.Get("gsuite.admin.group.email");
+ if (!email) {
+ return;
+ }
+
+ var data = email.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.Put("group.name", data[0]);
+ evt.Put("group.domain", data[1]);
+ };
+
+ var pipeline = new processor.Chain()
+ .Add(categorizeEvent)
+ .Add(flattenParams)
+ .Convert({
+ fields: [
+ {
+ from: "gsuite.admin.APPLICATION_EDITION",
+ to: "gsuite.admin.application.edition",
+ },
+ {
+ from: "gsuite.admin.APPLICATION_NAME",
+ to: "gsuite.admin.application.name",
+ },
+ {
+ from: "gsuite.admin.GROUP_EMAIL",
+ to: "gsuite.admin.group.email",
+ },
+ {
+ from: "gsuite.admin.NEW_VALUE",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.OLD_VALUE",
+ to: "gsuite.admin.old_value",
+ },
+ {
+ from: "gsuite.admin.ORG_UNIT_NAME",
+ to: "gsuite.admin.org_unit.name",
+ },
+ {
+ from: "gsuite.admin.SETTING_NAME",
+ to: "gsuite.admin.setting",
+ },
+ {
+ from: "gsuite.admin.GROUP_PRIORITIES",
+ to: "gsuite.admin.group.priorities",
+ },
+ {
+ from: "gsuite.admin.DOMAIN_NAME",
+ to: "gsuite.admin.domain",
+ },
+ {
+ from: "gsuite.admin.MANAGED_CONFIGURATION_NAME",
+ to: "gsuite.admin.managed_configuration",
+ },
+ {
+ from: "gsuite.admin.MOBILE_APP_PACKAGE_ID",
+ to: "gsuite.admin.mobile_app.package_id",
+ },
+ {
+ from: "gsuite.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION",
+ to: "gsuite.admin.non_featured_services_selection",
+ },
+ ],
+ mode: "rename",
+ ignore_missing: true,
+ fail_on_error: false,
+ })
+ .Add(setGroupInfo)
+ .Build();
+
+ return {
+ process: pipeline.Run,
+ };
+}());
+
+function process(evt) {
+ return login.process(evt);
+}
diff --git a/x-pack/filebeat/module/gsuite/admin/manifest.yml b/x-pack/filebeat/module/gsuite/admin/manifest.yml
new file mode 100644
index 00000000000..48570efe448
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/manifest.yml
@@ -0,0 +1,24 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: httpjson
+ - name: jwt_file
+ - name: delegated_account
+ - name: initial_interval
+ default: 24h
+ - name: http_client_timeout
+ default: 60s
+ - name: user_key
+ default: all
+ - name: interval
+ default: 2h
+ - name: tags
+ default: [forwarded]
+
+input: config/config.yml
+ingest_pipeline: ../ingest/common.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
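Review bot: `getParamValue` tests `param.value` and `param.multiValue` for truthiness, so a parameter whose value is an empty string or `false` (a plausible old/new value for a boolean setting) is not returned, and `flattenParams` then passes `undefined` to `evt.Put` for `gsuite.admin.<NAME>`; a parameter that carries neither key (the Reports API also uses other value fields such as `intValue`/`boolValue` for some parameters, if I recall correctly) falls through the same way. Suggest `if (param.value !== undefined) return param.value;` and `if (param.multiValue !== undefined) return param.multiValue;`, and have `flattenParams` skip the `evt.Put` when the helper returns `undefined`. Separately, `flattenParams` writes every parameter name the API returns verbatim under `gsuite.admin.`, so any name missing from the `Convert` rename list is indexed as an undocumented upper-case field not declared in `fields.yml`; a comment such as `// Parameters not renamed below are kept under their raw API name.` or an explicit allow-list would make that contract visible. The IIFE and the `process` wrapper refer to it as `login`, which looks copied from the login fileset; naming it `admin` would match the fileset it implements.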
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
new file mode 100644
index 00000000000..2d2d36e96a3
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
@@ -0,0 +1,9 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
new file mode 100644
index 00000000000..162335bc984
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
@@ -0,0 +1,466 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + 
"gsuite.admin.setting": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + 
"group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 641, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.priorities": [ + "a", + "b" + ], + "gsuite.admin.setting": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1853, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": 
"foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GPLUS_PREMIUM_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2346, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.managed_configuration": "a", + "gsuite.admin.mobile_app.package_id": "1234", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2770, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.managed_configuration": "a", + "gsuite.admin.mobile_app.package_id": "1234", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3218, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.managed_configuration": "a", + "gsuite.admin.mobile_app.package_id": "1234", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.non_featured_services_selection": "FLASHLIGHT_EDU_SELECTION_MANUAL", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4114, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index b0cebd8b1fd..6044e3d2cb2 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "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" + return "eJzcWFtv2zgTfc+vGLQPBYovNr599MMCRqOmQZ2kiJNii8WCHpMjiTDF0ZKUU++vX5CSUl97s1sUq5cEInnOzOHcrHNY0GoEhW90oDOAoIOhETxrXzw7A1DkpdN10GxH8PsZAHS74ZpVY+KhXJNRfpTWzsFiRWuI8VGUY2OCSBtHkKPx/VJY1XG346Z+2rxDGJ/LltTXJHWuZUc6OHvacM2OQNucXYXxMOCcm7B9ACRamBPk3FgFGKAMofaj4VDRkgzX5PygYC4MDSRXQ1SVtudeLYaOanbBD5f/HzrKyZGVNEQZ9FIHTX5otA+dLet6rGuCMrAbRI+flnoBFrR6ZKfW3h+QIT73JaVjwHmHebax/h5NQ72no40lgJcP0+zu5QjGlkNJDhpPDrSFUBJ4rAgUV6jtYPtY9sd9dncznoj+fHuSm+C1onT8wMm32Ye037I9L5sKbW/0fn0WtDpOnltrVlA78mQDPJZkYfZJ+RloD7O32YfZAF61oRBNn0m2vqnIiQWtZlHY+NbR3w35wA5ydnA7bkIJv01uYfzuql/zwA7QglZkg841tXsdzzkASsmNDX7XVVqSDScOhctpypAE/T+osK5JQe64gpkOVPk//xqktfhPJ0V77ex0oS0aqHFlGNXmDWYoS8i1IU8hxVSJSwIEpfOUBgHiAuewbMMuuq+jATEfFQXU5qdkXXzoI1Z1LGDYKB2edxtXO/IvtFWnE74NB8+Nk7QlfCT6Sp2vf2G92BVo9T+prg7aND9OvlbAFglCiSGmJeY5yUAK5qsu/aIzL3yXLbv1Irq9Y8d6L4E91XgDoa6Nlq1bpHT8u2XmId92/Iv+9BnYIg2+SBnfHMO3hvXCJ/z9nEmSAVWozTF0CeaFh9rpCt0KEiCgUo68389s6VGkunAMr6XHtrik2pIaFYWgbbGfk406npON+iZOV4jG6nD0la5nGhqImJ+52M6mYwg7iC9GT+00u1REvpftMuLAJ5z9bDvV5Zs96sOzqy6HHavQYkFKSLa5LhqHx+Z/hO1nhw4cNsAP2MFzbUhgXQ9qlAssSOhtrm+yowVcLw/QAcPVxYFEZStywtA4UsKTW2pJXngyJI9RZbvqA9ywPe+JoCeCJ6Lt6RHgdRywIDauKG3N3uu5oX7aSF0OAn9Ph4yN2ir9sW+Qq27bmm7nXXr4568n4+mbydXlm3uRXTyIm9sb8Tob3z/cZRdimt29v3qVTcU0m2Sv7rOLnVZluDi2VXXNUaSqK7qq+9X30sPIEo0hW5CoKJT83WG2e7GT6OInfGjxBz/1/pLM+wM8R20aR2Jr5j6J0x12AvplHP4RjkpH6XcOGv9rOatjrZJslcjTb729js+ZDaE9CND4WkvNzf6s2j791IOxMqcaQsUx48PupU2xMjB9t9EIDrfD/2aGxOs5EDNWB42xpM5Xp/P3rv0uQC66Nh1fTwCbUMakkZ8ZAdgVcdQTNYbydLYAPKRvNC34gREyYGi8kKz2X7rhnfnyS1EXnW5hIcIeGl1Tupp4t+JHGZE4IHFsWvRvAAAA//9Zghv3" } diff --git a/x-pack/filebeat/modules.d/gsuite.yml.disabled b/x-pack/filebeat/modules.d/gsuite.yml.disabled index 97a3fdcf94a..ffb174f9989 100644 --- a/x-pack/filebeat/modules.d/gsuite.yml.disabled 
+++ b/x-pack/filebeat/modules.d/gsuite.yml.disabled @@ -26,3 +26,11 @@ # var.http_client_timeout: 60s # var.user_key: all # var.interval: 5s + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 5s From dc6836fb2111212255aeb7bd329be29520466a67 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 8 Jul 2020 12:12:47 +0200 Subject: [PATCH 02/18] Add calendar settings --- filebeat/docs/fields.asciidoc | 27 + .../module/gsuite/admin/_meta/fields.yml | 9 + .../module/gsuite/admin/config/pipeline.js | 41 ++ .../admin/test/gsuite-admin-test.json.log | 13 + .../gsuite-admin-test.json.log-expected.json | 653 ++++++++++++++++++ x-pack/filebeat/module/gsuite/fields.go | 2 +- 6 files changed, 744 insertions(+), 1 deletion(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 180bc115054..b76b1c7768e 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -61569,6 +61569,33 @@ type: keyword Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED +type: keyword + +-- + +*`gsuite.admin.field`*:: ++ +-- +The name of the field. + +type: keyword + +-- + +*`gsuite.admin.resource.id`*:: ++ +-- +The name of the resource identifier. + +type: keyword + +-- + +*`gsuite.admin.user.email`*:: ++ +-- +The user's primary email address. + type: keyword -- diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml index 753ba4683dd..034fbaeb2a4 100644 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml 
@@ -39,3 +39,12 @@ description: > Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED
+ - name: field
+ type: keyword
+ description: The name of the field.
+ - name: resource.id
+ type: keyword
+ description: The name of the resource identifier.
+ - name: user.email
+ type: keyword
+ description: The user's primary email address.
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
index d61d34efcc2..9d94ad597b8 100644
--- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
+++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
@@ -12,14 +12,27 @@ var login = (function () {
 case "UPDATE_MANAGED_CONFIGURATION":
 case "GPLUS_PREMIUM_FEATURES":
 case "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED":
+ case "UPDATE_BUILDING":
+ case "UPDATE_CALENDAR_RESOURCE_FEATURE":
+ case "RENAME_CALENDAR_RESOURCE":
+ case "UPDATE_CALENDAR_RESOURCE":
+ case "CHANGE_CALENDAR_SETTING":
+ case "CANCEL_CALENDAR_EVENTS":
+ case "RELEASE_CALENDAR_RESOURCES":
 evt.Put("event.type", ["change"]);
 break;
 case "CREATE_APPLICATION_SETTING":
 case "CREATE_MANAGED_CONFIGURATION":
+ case "CREATE_BUILDING":
+ case "CREATE_CALENDAR_RESOURCE":
+ case "CREATE_CALENDAR_RESOURCE_FEATURE":
 evt.Put("event.type", ["creation"]);
 break;
 case "DELETE_APPLICATION_SETTING":
 case "DELETE_MANAGED_CONFIGURATION":
+ case "DELETE_BUILDING":
+ case "DELETE_CALENDAR_RESOURCE":
+ case "DELETE_CALENDAR_RESOURCE_FEATURE":
 evt.Put("event.type", ["deletion"]);
 break;
 case "REORDER_GROUP_BASED_POLICIES_EVENT":
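Review bot: `CANCEL_CALENDAR_EVENTS` and `RELEASE_CALENDAR_RESOURCES` are filed under `event.type: ["change"]` together with the update/rename cases, yet cancelling events reads closer to a removal than a modification, so the choice between `change` and `deletion` deserves a check against the ECS `event.type` definitions before detections are built on it. If `change` is intentional, a one-line comment above those two cases would stop the next reader from re-litigating it, e.g. `// Cancel/release act on existing resources; classified as change rather than deletion.` The `switch` and the enclosing IIFE start and end outside the hunk.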
@@ -65,6 +78,21 @@ var login = (function () {
 evt.Put("group.domain", data[1]);
 };
+ var setRelatedUserInfo = function(evt) {
+ var email = evt.Get("gsuite.admin.user.email");
+ if (!email) {
+ return;
+ }
+
+ var data = email.split("@");
+ if (data.length !== 2) {
+ return;
+ }
+
+ evt.AppendTo("related.user", data[0]);
+ };
+
+
 var pipeline = new processor.Chain()
 .Add(categorizeEvent)
 .Add(flattenParams)
@@ -118,12 +146,25 @@ var login = (function () {
 from: "gsuite.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION",
 to: "gsuite.admin.non_featured_services_selection",
 },
+ {
+ from: "gsuite.admin.FIELD_NAME",
+ to: "gsuite.admin.field",
+ },
+ {
+ from: "gsuite.admin.RESOURCE_IDENTIFIER",
+ to: "gsuite.admin.resource.id",
+ },
+ {
+ from: "gsuite.admin.USER_EMAIL",
+ to: "gsuite.admin.user.email",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
 fail_on_error: false,
 })
 .Add(setGroupInfo)
+ .Add(setRelatedUserInfo)
 .Build();
 return {
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
index 2d2d36e96a3..5d27a2626cf 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
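Review bot: `setRelatedUserInfo` calls `email.split("@")` on whatever `gsuite.admin.user.email` holds, so a non-string value (possible only if the parameter flattening step, which is outside this hunk, can yield one) would throw inside the chain instead of being skipped; widening the guard to `if (!email || typeof email !== "string") { return; }` keeps the processor a no-op in that case. The split-and-validate lines also appear to mirror what `setGroupInfo` does just above (only its tail `evt.Put("group.domain", data[1])` is visible), so a small shared helper returning the `[name, domain]` pair or nothing would keep both paths in step as more email-bearing parameters are mapped. A short comment on the function stating its purpose would help too, e.g. `// Adds the local part of the affected user's email to related.user so the actor and the target can be pivoted on together.` The enclosing IIFE starts and ends outside the hunk.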
@@ -7,3 +7,16 @@ {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json index 162335bc984..a060938691f 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json 
@@ -462,5 +462,658 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4581, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + 
"client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4995, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": 
-77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5409, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + 
"client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5942, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": 
"98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6365, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": 
"CREATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6788, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7219, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7650, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8200, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8658, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CALENDAR_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9200, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + 
"client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CANCEL_CALENDAR_EVENTS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9789, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RELEASE_CALENDAR_RESOURCES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10179, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index 6044e3d2cb2..f70998256b8 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "eJzcWFtv2zgTfc+vGLQPBYovNr599MMCRqOmQZ2kiJNii8WCHpMjiTDF0ZKUU++vX5CSUl97s1sUq5cEInnOzOHcrHNY0GoEhW90oDOAoIOhETxrXzw7A1DkpdN10GxH8PsZAHS74ZpVY+KhXJNRfpTWzsFiRWuI8VGUY2OCSBtHkKPx/VJY1XG346Z+2rxDGJ/LltTXJHWuZUc6OHvacM2OQNucXYXxMOCcm7B9ACRamBPk3FgFGKAMofaj4VDRkgzX5PygYC4MDSRXQ1SVtudeLYaOanbBD5f/HzrKyZGVNEQZ9FIHTX5otA+dLet6rGuCMrAbRI+flnoBFrR6ZKfW3h+QIT73JaVjwHmHebax/h5NQ72no40lgJcP0+zu5QjGlkNJDhpPDrSFUBJ4rAgUV6jtYPtY9sd9dncznoj+fHuSm+C1onT8wMm32Ye037I9L5sKbW/0fn0WtDpOnltrVlA78mQDPJZkYfZJ+RloD7O32YfZAF61oRBNn0m2vqnIiQWtZlHY+NbR3w35wA5ydnA7bkIJv01uYfzuql/zwA7QglZkg841tXsdzzkASsmNDX7XVVqSDScOhctpypAE/T+osK5JQe64gpkOVPk//xqktfhPJ0V77ex0oS0aqHFlGNXmDWYoS8i1IU8hxVSJSwIEpfOUBgHiAuewbMMuuq+jATEfFQXU5qdkXXzoI1Z1LGDYKB2edxtXO/IvtFWnE74NB8+Nk7QlfCT6Sp2vf2G92BVo9T+prg7aND9OvlbAFglCiSGmJeY5yUAK5qsu/aIzL3yXLbv1Irq9Y8d6L4E91XgDoa6Nlq1bpHT8u2XmId92/Iv+9BnYIg2+SBnfHMO3hvXCJ/z9nEmSAVWozTF0CeaFh9rpCt0KEiCgUo68389s6VGkunAMr6XHtrik2pIaFYWgbbGfk406npON+iZOV4jG6nD0la5nGhqImJ+52M6mYwg7iC9GT+00u1REvpftMuLAJ5z9bDvV5Zs96sOzqy6HHavQYkFKSLa5LhqHx+Z/hO1nhw4cNsAP2MFzbUhgXQ9qlAssSOhtrm+yowVcLw/QAcPVxYFEZStywtA4UsKTW2pJXngyJI9RZbvqA9ywPe+JoCeCJ6Lt6RHgdRywIDauKG3N3uu5oX7aSF0OAn9Ph4yN2ir9sW+Qq27bmm7nXXr4568n4+mbydXlm3uRXTyIm9sb8Tob3z/cZRdimt29v3qVTcU0m2Sv7rOLnVZluDi2VXXNUaSqK7qq+9X30sPIEo0hW5CoKJT83WG2e7GT6OInfGjxBz/1/pLM+wM8R20aR2Jr5j6J0x12AvplHP4RjkpH6XcOGv9rOatjrZJslcjTb729js+ZDaE9CND4WkvNzf6s2j791IOxMqcaQsUx48PupU2xMjB9t9EIDrfD/2aGxOs5EDNWB42xpM5Xp/P3rv0uQC66Nh1fTwCbUMakkZ8ZAdgVcdQTNYbydLYAPKRvNC34gREyYGi8kKz2X7rhnfnyS1EXnW5hIcIeGl1Tupp4t+JHGZE4IHFsWvRvAAAA//9Zghv3" + return "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" } From bfd45f2fe29dd90bdfc654f37fec0af8ef267ee5 Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Wed, 8 Jul 2020 12:23:40 +0200 Subject: [PATCH 03/18] Add chat settings --- filebeat/docs/fields.asciidoc | 9 + .../module/gsuite/admin/_meta/fields.yml | 3 + .../module/gsuite/admin/config/pipeline.js | 8 + .../admin/test/gsuite-admin-test.json.log | 4 + .../gsuite-admin-test.json.log-expected.json | 199 ++++++++++++++++++ x-pack/filebeat/module/gsuite/fields.go | 2 +- 6 files changed, 224 insertions(+), 1 deletion(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b76b1c7768e..c41f0fb44c3 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -61600,6 +61600,15 @@ type: keyword -- +*`gsuite.admin.gateway.name`*:: ++ +-- +Gateway name. Present on some chat settings. + +type: keyword + +-- + *`gsuite.login.affected_email_address`*:: + diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml index 034fbaeb2a4..344c54fc99b 100644 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml @@ -48,3 +48,6 @@ - name: user.email type: keyword description: The user's primary email address. + - name: gateway.name + type: keyword + description: Gateway name. Present on some chat settings. diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js index 9d94ad597b8..ce5d2695d87 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js @@ -19,6 +19,8 @@ var login = (function () { case "CHANGE_CALENDAR_SETTING": case "CANCEL_CALENDAR_EVENTS": case "RELEASE_CALENDAR_RESOURCES": + case "MEET_INTEROP_MODIFY_GATEWAY": + case "CHANGE_CHAT_SETTING": evt.Put("event.type", ["change"]); break; case "CREATE_APPLICATION_SETTING": 
@@ -26,6 +28,7 @@ var login = (function () {
         case "CREATE_BUILDING":
         case "CREATE_CALENDAR_RESOURCE":
         case "CREATE_CALENDAR_RESOURCE_FEATURE":
+        case "MEET_INTEROP_CREATE_GATEWAY":
             evt.Put("event.type", ["creation"]);
             break;
         case "DELETE_APPLICATION_SETTING":
@@ -33,6 +36,7 @@ var login = (function () {
         case "DELETE_BUILDING":
         case "DELETE_CALENDAR_RESOURCE":
         case "DELETE_CALENDAR_RESOURCE_FEATURE":
+        case "MEET_INTEROP_DELETE_GATEWAY":
             evt.Put("event.type", ["deletion"]);
             break;
         case "REORDER_GROUP_BASED_POLICIES_EVENT":
@@ -158,6 +162,10 @@ var login = (function () {
                 from: "gsuite.admin.USER_EMAIL",
                 to: "gsuite.admin.user.email",
             },
+            {
+                from: "gsuite.admin.GATEWAY_NAME",
+                to: "gsuite.admin.gateway.name",
+            },
         ],
         mode: "rename",
         ignore_missing: true,
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
index 5d27a2626cf..e0ab9bbd536 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
@@ -20,3 +20,7 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
index a060938691f..1ae298b7592 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
@@ -1115,5 +1115,204 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MEET_INTEROP_CREATE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10573, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + 
"client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MEET_INTEROP_DELETE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10957, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": 
"98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MEET_INTEROP_MODIFY_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHAT_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11725, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index f70998256b8..fc0a9c490a8 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "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" + return "eJzcWF1v2zoSfc+vGLQPBYqNjd1HPyxgNGoa1EmKOCm2WFzIY3IkEaY4uiTl1PfXX5CSUn/IbVO5RXH90kIkz5kznC/mHFa0mUDuauXpDMArr2kCL5oPL84AJDlhVeUVmwn89wwA2t1wzbLW4VCmSEs3iWvnYLCkLcTwk5RhrX0aN04gQ+26Jb+pwm7LdfW0+YAw/C4bUleRUJkSLeno7GnDNVsCZTK2JYbDgEuu/f4BEGhgSZBxbSSgh8L7yk3GY0lr0lyRdaOcOdc0ElyOUZbKnDu5Gluq2Ho3Xv97bCkjS0bQGIVXa+UVubFWzre2bPtj2ycoPNtRUPy01DlgRZtHtnLr+xE3hN99QfEYcNZinu2sf0RdU6d0srME8Pphnty9nsDUsC/IQu3IgjLgCwKHJYHkEpUZ7R9L/nef3N1MZ2l3vjnJtXdKUjx+5OT75FPcb9icF3WJpjO63z8r2gxzz63RG6gsOTIeHgsysPji+QUoB4v3yafFCN40oRBMXwg2ri7JpivaLIJjw1dLf9bkPFvI2MLttPYF/Gd2C9MPV92aA7aABpQk41WmqNlreckeUAiujXeHUmlNxp84FC7nMUMi9L+gxKoiCZnlEhbKU+n+/8coroX/tK5orp2typVBDRVuNKPcvcEERQGZ0uTIx5gqcE2AIFUW08BDWOAM1k3YBfkqGBDyUZJHpX9J1oUffcayCgUMa6n8y3bj5sD9K2Xk6RzfhIPj2grac3wg+k4/X//G/mKbo1F/xbo6atJ8mPsaBzZI4Av0IS0xy0h4krDctOkXxLxybbYc1osg+8CO7V4CPdV4B6GqtBKNLJIq/Ltn5jFtB/qCni4DG6TRNynDlyF8W1ivXMTv54wuGVGJSg+hizCvHFRWlWg3EAEBpbTkXD+zocc01oUhvIYem+ISa0tsVOS9Mnk/J2s5nJO1fBanzdPaKD/4SrczDTUEzK9cbGvTEMIW4pvRU1nFNhaRH2W7DDjwBaef7aC6PFtRF55tdTkurESDOclUsMlUXlscmv8BtpsdWnDYAT9iBy+VphSralShWGFOqdrnepYdDeB2eYAWGK4ujiQqmzQj9LUlmTqyayXIpY40iSFe2a/6ADdszjsi6IjgiWh/egR4GwYsCI0ruLZi59RSUzdtxC4Hnn+kQ4ZGbaT63DXITbtty2/nbXq4l29n0/m72dXlu/s0uXhIb25v0rfJ9P7hLrlI58ndx6s3yTydJ7PkzX1y0evi2IhOFV4RrP8qu1FkNCyIttk6yK0xt587vAmGN5qA8rw+k6OnR9wMKr+XDUZTMOBD+4BgA45LAhGGlC4aDmcRzfnQWaSdftIoN23lfreYDkYUqDWZnNKSfME/HAKHmTsLEr/gQ4M/+qUJGt3cHwIZKl1bSvceVScR3WJHoN9G8M8QKizFDEftfi+xKjQjwUamWXzM9wpfMmtCcxSgdpUSiuv+rNo//TRkYalP9cpIhxSow0ubY6lh/mGn0x+fd/6ZGRKu50jMGOUVhpK63JxO713zhx+yQdp8ej0DrH0RkkZ8ZcZjm4dZPq3QF6ezBeAh/hGuAT/yRvDoa5cKlv2XrvngAfGtqAuiG1gIsMfeJjFddbjb9GcZETkgcuxa9HcAAAD//5Kfog8=" } From 9ca736b50c1c4046dad056d434c5a86c42cc571f Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Wed, 8 Jul 2020 13:07:27 +0200 Subject: [PATCH 04/18] Add chrome os settings --- filebeat/docs/fields.asciidoc | 65 +- .../module/gsuite/admin/_meta/fields.yml | 23 +- .../module/gsuite/admin/config/pipeline.js | 68 +- .../admin/test/gsuite-admin-test.json.log | 21 + .../gsuite-admin-test.json.log-expected.json | 1014 ++++++++++++++++- 5 files changed, 1185 insertions(+), 6 deletions(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index c41f0fb44c3..c068b75a55e 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -61554,7 +61554,7 @@ type: keyword -- -*`gsuite.admin.mobile_app.package_id`*:: +*`gsuite.admin.app.package_id`*:: + -- The mobile application package ID. @@ -61609,6 +61609,69 @@ type: keyword -- +*`gsuite.admin.app.id`*:: ++ +-- +The application ID. + +type: keyword + +-- + +*`gsuite.admin.chrome_os.session_type`*:: ++ +-- +Chrome OS session type. + +type: keyword + +-- + +*`gsuite.admin.device.serial_number`*:: ++ +-- +Device serial number. + +type: keyword + +-- + +*`gsuite.admin.device.type`*:: ++ +-- +Device type. + +type: keyword + +-- + +*`gsuite.admin.print_server.name`*:: ++ +-- +The name of the print server. + +type: keyword + +-- + +*`gsuite.admin.printer.name`*:: ++ +-- +The name of the printer. + +type: keyword + +-- + +*`gsuite.admin.device.command_details`*:: ++ +-- +Command details. + +type: keyword + +-- + *`gsuite.login.affected_email_address`*:: + diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml index 344c54fc99b..c882a51aa39 100644 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml 
@@ -31,7 +31,7 @@ - name: managed_configuration type: keyword description: The name of the managed configuration. - - name: mobile_app.package_id + - name: app.package_id type: keyword description: The mobile application package ID. - name: non_featured_services_selection @@ -51,3 +51,24 @@ - name: gateway.name type: keyword description: Gateway name. Present on some chat settings. + - name: app.id + type: keyword + description: The application ID. + - name: chrome_os.session_type + type: keyword + description: Chrome OS session type. + - name: device.serial_number + type: keyword + description: Device serial number. + - name: device.type + type: keyword + description: Device type. + - name: print_server.name + type: keyword + description: The name of the print server. + - name: printer.name + type: keyword + description: The name of the printer. + - name: device.command_details + type: keyword + description: Command details. diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js index ce5d2695d87..3b444d69571 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js 
@@ -21,6 +21,20 @@ var login = (function () {
         case "RELEASE_CALENDAR_RESOURCES":
         case "MEET_INTEROP_MODIFY_GATEWAY":
         case "CHANGE_CHAT_SETTING":
+        case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING":
+        case "CHANGE_DEVICE_STATE":
+        case "CHANGE_CHROME_OS_APPLICATION_SETTING":
+        case "CHANGE_CHROME_OS_DEVICE_ANNOTATION":
+        case "CHANGE_CHROME_OS_DEVICE_SETTING":
+        case "CHANGE_CHROME_OS_DEVICE_STATE":
+        case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING":
+        case "UPDATE_CHROME_OS_PRINT_SERVER":
+        case "UPDATE_CHROME_OS_PRINTER":
+        case "CHANGE_CHROME_OS_SETTING":
+        case "CHANGE_CHROME_OS_USER_SETTING":
+        case "MOVE_DEVICE_TO_ORG_UNIT_DETAILED":
+        case "UPDATE_DEVICE":
+        case "SEND_CHROME_OS_DEVICE_COMMAND":
             evt.Put("event.type", ["change"]);
             break;
         case "CREATE_APPLICATION_SETTING":
@@ -29,6 +43,8 @@ var login = (function () {
         case "CREATE_CALENDAR_RESOURCE":
         case "CREATE_CALENDAR_RESOURCE_FEATURE":
         case "MEET_INTEROP_CREATE_GATEWAY":
+        case "INSERT_CHROME_OS_PRINT_SERVER":
+        case "INSERT_CHROME_OS_PRINTER":
             evt.Put("event.type", ["creation"]);
             break;
         case "DELETE_APPLICATION_SETTING":
@@ -37,11 +53,17 @@ var login = (function () {
         case "DELETE_CALENDAR_RESOURCE":
         case "DELETE_CALENDAR_RESOURCE_FEATURE":
         case "MEET_INTEROP_DELETE_GATEWAY":
+        case "DELETE_CHROME_OS_PRINT_SERVER":
+        case "DELETE_CHROME_OS_PRINTER":
+        case "REMOVE_CHROME_OS_APPLICATION_SETTINGS":
             evt.Put("event.type", ["deletion"]);
             break;
         case "REORDER_GROUP_BASED_POLICIES_EVENT":
             evt.Put("event.type", ["group", "change"]);
             break;
+        case "ISSUE_DEVICE_COMMAND":
+            evt.Put("event.type", ["info"]);
+            break;
         }
     };
 
@@ -144,7 +166,7 @@ var login = (function () {
             },
             {
                 from: "gsuite.admin.MOBILE_APP_PACKAGE_ID",
-                to: "gsuite.admin.mobile_app.package_id",
+                to: "gsuite.admin.app.package_id",
             },
             {
                 from: "gsuite.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION",
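Review bot: The `change` label run in the -21 hunk now holds seventeen bare `case` strings with nothing recording where the names come from or why, for instance, `CHANGE_DEVICE_STATE` sits among the Chrome OS entries; the -29 and -37 hunks add to the `creation` and `deletion` runs in the same way. A one-line comment above the switch would keep the lists maintainable, e.g. `// Event names are the Admin SDK activity appendix names; keep in sync with _meta/fields.yml.` As the lists keep growing commit by commit, a single lookup object from event name to its event.type value would be easier to diff and review than parallel case runs, though that is a style choice. The enclosing switch and its function start outside the hunk.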
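Review bot: In the -37 hunk `ISSUE_DEVICE_COMMAND` is the only new event mapped to `event.type: ["info"]`, while `SEND_CHROME_OS_DEVICE_COMMAND` in the -21 hunk above is mapped to `["change"]`; judging by the names both record an administrator sending a command to a managed device, so a query keyed on `event.type:change` will see one and miss the other. If the split is deliberate, record the reason on the case, e.g. `// ISSUE_DEVICE_COMMAND is "info" rather than "change" because <reason — fill in>`; otherwise classify both the same way. The enclosing switch starts outside the hunk.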
@@ -166,6 +188,50 @@ var login = (function () {
 from: "gsuite.admin.GATEWAY_NAME",
 to: "gsuite.admin.gateway.name",
 },
+ {
+ from: "gsuite.admin.APP_ID",
+ to: "gsuite.admin.app.id",
+ },
+ {
+ from: "gsuite.admin.CHROME_OS_SESSION_TYPE",
+ to: "gsuite.admin.chrome_os.session_type",
+ },
+ {
+ from: "gsuite.admin.DEVICE_NEW_STATE",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.DEVICE_PREVIOUS_STATE",
+ to: "gsuite.admin.old_value",
+ },
+ {
+ from: "gsuite.admin.DEVICE_SERIAL_NUMBER",
+ to: "gsuite.admin.device.serial_number",
+ },
+ {
+ from: "gsuite.admin.DEVICE_TYPE",
+ to: "gsuite.admin.device.type",
+ },
+ {
+ from: "gsuite.admin.PRINT_SERVER_NAME",
+ to: "gsuite.admin.print_server.name",
+ },
+ {
+ from: "gsuite.admin.PRINTER_NAME",
+ to: "gsuite.admin.printer.name",
+ },
+ {
+ from: "gsuite.admin.DEVICE_COMMAND_DETAILS",
+ to: "gsuite.admin.device.command_details",
+ },
+ {
+ from: "gsuite.admin.DEVICE_NEW_ORG_UNIT",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.DEVICE_PREVIOUS_ORG_UNIT",
+ to: "gsuite.admin.old_value",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
index e0ab9bbd536..06cee8c4e91 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
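Review bot: `DEVICE_NEW_STATE`/`DEVICE_PREVIOUS_STATE` and `DEVICE_NEW_ORG_UNIT`/`DEVICE_PREVIOUS_ORG_UNIT` are all funneled into `gsuite.admin.new_value`/`old_value`, the same targets the existing `NEW_VALUE`/`OLD_VALUE` mappings use; as far as I know the convert processor's rename mode overwrites an existing target rather than failing, so an event that ever carried two of these would lose one value silently, and in the index a device state transition, an OU move and a setting change become indistinguishable without joining on `event.action`. Given that `event.action` and the target fields are used by security rules on device lifecycle (state changes and OU moves are how a device gets disabled or re-scoped), I would either give these their own fields, `gsuite.admin.device.new_state`, `gsuite.admin.device.previous_state`, `gsuite.admin.device.new_org_unit`, `gsuite.admin.device.previous_org_unit`, declared alongside the other new entries in fields.yml, or at least document the overloading inline with a comment such as `// DEVICE_* state/OU transitions are folded into new_value/old_value; assumes no single event carries both — verify against the Reports API appendix`. The `convert` processor this list belongs to is defined before the hunk.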
@@ -24,3 +24,24 @@ {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} + diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json index 1ae298b7592..f6887b12973 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json @@ -298,8 +298,8 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", + "gsuite.admin.app.package_id": "1234", "gsuite.admin.managed_configuration": "a", - "gsuite.admin.mobile_app.package_id": "1234", "gsuite.event.type": "APPLICATION_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -347,8 +347,8 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", + "gsuite.admin.app.package_id": "1234", "gsuite.admin.managed_configuration": "a", - "gsuite.admin.mobile_app.package_id": "1234", "gsuite.event.type": "APPLICATION_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -396,8 +396,8 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", + "gsuite.admin.app.package_id": "1234", "gsuite.admin.managed_configuration": "a", - "gsuite.admin.mobile_app.package_id": "1234", "gsuite.event.type": "APPLICATION_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", 
@@ -1314,5 +1314,1013 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.app.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + 
"gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12306, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", 
+ "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12954, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + 
"event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.app.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13468, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14108, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14539, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14940, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15442, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15947, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "INSERT_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16852, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "INSERT_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17712, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18098, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18484, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18940, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_USER_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19441, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ISSUE_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.command_details": [ + "command", + "-a" + ], + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19941, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20430, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.app.id": "1234", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20963, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_DEVICE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.device.serial_number": "1234",
+ "gsuite.admin.device.type": "type",
+ "gsuite.event.type": "CHROME_OS_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 21353,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "tags": [
+ "forwarded"
+ ]
 }
 ]
\ No newline at end of file
From d865859ebf25d568fb617b912fb13d871d68e0f5 Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Wed, 8 Jul 2020 13:12:12 +0200
Subject: [PATCH 05/18] Add contacts settings
---
 .../module/gsuite/admin/config/pipeline.js | 1 +
 .../admin/test/gsuite-admin-test.json.log | 1 +
 .../gsuite-admin-test.json.log-expected.json | 52 +++++++++++++++++++
 3 files changed, 54 insertions(+)
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
index 3b444d69571..7bfade58a01 100644
--- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
+++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
@@ -35,6 +35,7 @@ var login = (function () {
 case "MOVE_DEVICE_TO_ORG_UNIT_DETAILED":
 case "UPDATE_DEVICE":
 case "SEND_CHROME_OS_DEVICE_COMMAND":
+ case "CHANGE_CONTACTS_SETTING":
 evt.Put("event.type", ["change"]);
 break;
 case "CREATE_APPLICATION_SETTING":
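Review bot: The switch this line extends is wrapped in an IIFE still named `login` (the hunk's function context reads `var login = (function () {`), although this is the admin fileset's pipeline; anyone grepping for the admin processor will land on the wrong name, so renaming it to `admin` would be a cheap cleanup before more event names are added here. Mapping CHANGE_CONTACTS_SETTING to `["change"]` is consistent with the other *_SETTING cases visible in the hunk. The switch's default branch and the enclosing function lie outside the hunk, so what event.type an unlisted event name receives cannot be checked from here.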
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
index 06cee8c4e91..0ba1f252b76 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
@@ -44,4 +44,5 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
index f6887b12973..f46e29bbb65 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
@@ -2322,5 +2322,57 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "CONTACTS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21771, + "organization.id": "1", + "related.ip": [ + 
"98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file From 08320dba465f4bb73c9496ae02fad4aeeb30af4a Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 8 Jul 2020 14:51:41 +0200 Subject: [PATCH 06/18] Add delegated admin settings --- filebeat/docs/fields.asciidoc | 33 ++ .../module/gsuite/admin/_meta/fields.yml | 11 + .../module/gsuite/admin/config/pipeline.js | 20 + .../admin/test/gsuite-admin-test.json.log | 8 + .../gsuite-admin-test.json.log-expected.json | 398 ++++++++++++++++++ 5 files changed, 470 insertions(+) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index c068b75a55e..d1c9189d6ef 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -21635,7 +21635,40 @@ type: keyword -- +<<<<<<< HEAD *`cisco.rsa.time.timestamp`*:: +======= +*`gsuite.admin.role.id`*:: ++ +-- +Unique identifier for this role privilege. + +type: keyword + +-- + +*`gsuite.admin.role.name`*:: ++ +-- +The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings + + +type: keyword + +-- + +*`gsuite.admin.privilege.name`*:: ++ +-- +Privilege name. + +type: keyword + +-- + + +*`gsuite.login.affected_email_address`*:: +>>>>>>> 78c75950b... Add delegated admin settings + -- type: keyword diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml index c882a51aa39..785bbdfe7d8 100644 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml 
@@ -72,3 +72,14 @@
 - name: device.command_details
 type: keyword
 description: Command details.
+ - name: role.id
+ type: keyword
+ description: Unique identifier for this role privilege.
+ - name: role.name
+ type: keyword
+ description: >
+ The role name.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
+ - name: privilege.name
+ type: keyword
+ description: Privilege name.
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
index 7bfade58a01..028e28ccf8e 100644
--- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
+++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
@@ -36,6 +36,12 @@ var login = (function () {
 case "UPDATE_DEVICE":
 case "SEND_CHROME_OS_DEVICE_COMMAND":
 case "CHANGE_CONTACTS_SETTING":
+ case "ASSIGN_ROLE":
+ case "ADD_PRIVILEGE":
+ case "REMOVE_PRIVILEGE":
+ case "RENAME_ROLE":
+ case "UPDATE_ROLE":
+ case "UNASSIGN_ROLE":
 evt.Put("event.type", ["change"]);
 break;
 case "CREATE_APPLICATION_SETTING":
@@ -46,6 +52,7 @@ var login = (function () {
 case "MEET_INTEROP_CREATE_GATEWAY":
 case "INSERT_CHROME_OS_PRINT_SERVER":
 case "INSERT_CHROME_OS_PRINTER":
+ case "CREATE_ROLE":
 evt.Put("event.type", ["creation"]);
 break;
 case "DELETE_APPLICATION_SETTING":
@@ -57,6 +64,7 @@ var login = (function () {
 case "DELETE_CHROME_OS_PRINT_SERVER":
 case "DELETE_CHROME_OS_PRINTER":
 case "REMOVE_CHROME_OS_APPLICATION_SETTINGS":
+ case "DELETE_ROLE":
 evt.Put("event.type", ["deletion"]);
 break;
 case "REORDER_GROUP_BASED_POLICIES_EVENT":
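Review bot: The generated documentation that mirrors these three entries, filebeat/docs/fields.asciidoc in this same patch, was committed with unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 78c75950b... Add delegated admin settings`), so the rendered docs will most likely carry the conflict text and the existing cisco.rsa.time.timestamp entry is now split around the inserted gsuite block. Regenerate that file from this fields.yml with the module's docs update target instead of hand-editing it, and grep the patch for the markers before merging. The `role.id`, `role.name` and `privilege.name` definitions themselves line up with the parameters used in the new fixtures.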
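Review bot: ASSIGN_ROLE and UNASSIGN_ROLE are folded into the generic `["change"]` bucket together with the role-definition edits, although the fixtures for them carry a USER_EMAIL parameter (an admin role being granted to or revoked from a specific account), which is the privilege-assignment signal most Workspace detections key on. If the module follows ECS's multi-valued event.type convention, splitting them out as `case "ASSIGN_ROLE": case "UNASSIGN_ROLE": evt.Put("event.type", ["user", "change"]); break;` would let `event.category:iam and event.type:user` select them without string-matching event.action. Keeping ADD_PRIVILEGE/REMOVE_PRIVILEGE under `["change"]` seems right, since those edit the role rather than a user. The switch's enclosing function and its default branch are outside the hunk.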
@@ -233,6 +241,18 @@ var login = (function () {
 from: "gsuite.admin.DEVICE_PREVIOUS_ORG_UNIT",
 to: "gsuite.admin.old_value",
 },
+ {
+ from: "gsuite.admin.ROLE_NAME",
+ to: "gsuite.admin.role.name",
+ },
+ {
+ from: "gsuite.admin.ROLE_ID",
+ to: "gsuite.admin.role.id",
+ },
+ {
+ from: "gsuite.admin.PRIVILEGE_NAME",
+ to: "gsuite.admin.privilege.name",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
index 0ba1f252b76..a2db4545dad 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
@@ -45,4 +45,12 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
index f46e29bbb65..70ede71d4e0 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
@@ -2374,5 +2374,403 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22309, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" 
+ ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + 
"client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23221, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + 
"client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23650, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24127, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24607, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": 
"1", + "client.user.name": "foo", + "event.action": "UPDATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25037, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25466, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file From d7c7659d00155413a02103ce20aa0d64fc45bf64 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 8 Jul 2020 15:30:58 +0200 Subject: [PATCH 07/18] Add drive --- .../module/gsuite/admin/config/pipeline.js | 25 +++ .../admin/test/gsuite-admin-test.json.log | 3 + .../gsuite-admin-test.json.log-expected.json | 158 ++++++++++++++++++ 3 files changed, 186 insertions(+) diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js index 028e28ccf8e..3c5037392a9 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js 
@@ -42,6 +42,8 @@ var login = (function () {
 case "RENAME_ROLE":
 case "UPDATE_ROLE":
 case "UNASSIGN_ROLE":
+ case "TRANSFER_DOCUMENT_OWNERSHIP":
+ case "CHANGE_DOCS_SETTING":
 evt.Put("event.type", ["change"]);
 break;
 case "CREATE_APPLICATION_SETTING":
@@ -71,6 +73,7 @@ var login = (function () {
 evt.Put("event.type", ["group", "change"]);
 break;
 case "ISSUE_DEVICE_COMMAND":
+ case "DRIVE_DATA_RESTORE":
 evt.Put("event.type", ["info"]);
 break;
 }
@@ -127,6 +130,19 @@ var login = (function () {
 evt.AppendTo("related.user", data[0]);
 };
 
+ var setEventDuration = function(evt) {
+ var start = evt.Get("event.start");
+ var end = evt.Get("event.end");
+ if (!start || !end) {
+ return;
+ }
+
+ var millisToNano = 1e6;
+ var tsStart = Date.parse(start) * millisToNano;
+ var tsEnd = Date.parse(end) * millisToNano;
+
+ evt.Put("event.duration", tsEnd-tsStart);
+ };
 
 var pipeline = new processor.Chain()
 .Add(categorizeEvent)
@@ -253,6 +269,14 @@ var login = (function () {
 from: "gsuite.admin.PRIVILEGE_NAME",
 to: "gsuite.admin.privilege.name",
 },
+ {
+ from: "gsuite.admin.BEGIN_DATE_TIME",
+ to: "event.start",
+ },
+ {
+ from: "gsuite.admin.END_DATE_TIME",
+ to: "event.end",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
@@ -260,6 +284,7 @@ var login = (function () {
 })
 .Add(setGroupInfo)
 .Add(setRelatedUserInfo)
+ .Add(setEventDuration)
 .Build();
 
 return {
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
index a2db4545dad..8c7e427daec 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
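Review bot: setEventDuration in the third hunk writes NaN into event.duration whenever either timestamp fails Date.parse, because the guard only rejects empty values and NaN propagates through the multiplication and the subtraction; event.start and event.end come straight from the BEGIN_DATE_TIME and END_DATE_TIME parameters of the ingested record, so a malformed value from the source would most likely yield a document the index mapping rejects rather than one missing the field. Parse first and bail out on NaN: `var tsStart = Date.parse(start); var tsEnd = Date.parse(end);` followed by `if (isNaN(tsStart) || isNaN(tsEnd)) { return; }` and then `evt.Put("event.duration", (tsEnd - tsStart) * 1e6);`. The global `isNaN` rather than `Number.isNaN` matches the ES5-style code in this file. A negative duration for an end time earlier than the start is also stored silently; a one-line comment saying whether that is intended would help the next reader. The enclosing `var login = (function () {` IIFE starts outside every hunk here.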
@@ -53,4 +53,7 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
index 70ede71d4e0..6da8db84c1c 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
@@ -2772,5 +2772,163 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TRANSFER_DOCUMENT_OWNERSHIP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25951, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DRIVE_DATA_RESTORE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 10800000000000, + "event.end": "2002-10-02T15:00:00Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T12:00:00Z", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26422, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DOCS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + 
"input.type": "log", + "log.offset": 26918, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file From 55e2658aeab39111aa957b09c412c3c45ef9add7 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 8 Jul 2020 16:37:57 +0200 Subject: [PATCH 08/18] Add sites --- filebeat/docs/fields.asciidoc | 18 ++ .../module/gsuite/admin/_meta/fields.yml | 6 + .../module/gsuite/admin/config/pipeline.js | 21 ++ .../admin/test/gsuite-admin-test.json.log | 5 + .../gsuite-admin-test.json.log-expected.json | 256 ++++++++++++++++++ x-pack/filebeat/module/gsuite/fields.go | 2 +- 6 files changed, 307 insertions(+), 1 deletion(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index d1c9189d6ef..70a5cac62ee 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -21666,6 +21666,24 @@ type: keyword -- +*`gsuite.admin.service.name`*:: ++ +-- +The service name. + +type: keyword + +-- + +*`gsuite.admin.url.name`*:: ++ +-- +The website name. + +type: keyword + +-- + *`gsuite.login.affected_email_address`*:: >>>>>>> 78c75950b... Add delegated admin settings diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml index 785bbdfe7d8..faf71ddf1d5 100644 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml @@ -83,3 +83,9 @@ - name: privilege.name type: keyword description: Privilege name. + - name: service.name + type: keyword + description: The service name. + - name: url.name + type: keyword + description: The website name. diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js index 3c5037392a9..c5f2d35a893 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js 
+++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
@@ -44,6 +44,8 @@ var login = (function () {
 case "UNASSIGN_ROLE":
 case "TRANSFER_DOCUMENT_OWNERSHIP":
 case "CHANGE_DOCS_SETTING":
+ case "CHANGE_SITES_SETTING":
+ case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES":
 evt.Put("event.type", ["change"]);
 break;
 case "CREATE_APPLICATION_SETTING":
@@ -55,6 +57,7 @@ var login = (function () {
 case "INSERT_CHROME_OS_PRINT_SERVER":
 case "INSERT_CHROME_OS_PRINTER":
 case "CREATE_ROLE":
+ case "ADD_WEB_ADDRESS":
 evt.Put("event.type", ["creation"]);
 break;
 case "DELETE_APPLICATION_SETTING":
@@ -67,6 +70,7 @@ var login = (function () {
 case "DELETE_CHROME_OS_PRINTER":
 case "REMOVE_CHROME_OS_APPLICATION_SETTINGS":
 case "DELETE_ROLE":
+ case "DELETE_WEB_ADDRESS":
 evt.Put("event.type", ["deletion"]);
 break;
 case "REORDER_GROUP_BASED_POLICIES_EVENT":
@@ -74,6 +78,7 @@ var login = (function () {
 break;
 case "ISSUE_DEVICE_COMMAND":
 case "DRIVE_DATA_RESTORE":
+ case "VIEW_SITE_DETAILS":
 evt.Put("event.type", ["info"]);
 break;
 }
@@ -277,6 +282,22 @@ var login = (function () {
 from: "gsuite.admin.END_DATE_TIME",
 to: "event.end",
 },
+ {
+ from: "gsuite.admin.SITE_LOCATION",
+ to: "url.path",
+ },
+ {
+ from: "gsuite.admin.WEB_ADDRESS",
+ to: "url.full",
+ },
+ {
+ from: "gsuite.admin.SITE_NAME",
+ to: "gsuite.admin.url.name",
+ },
+ {
+ from: "gsuite.admin.SERVICE_NAME",
+ to: "gsuite.admin.service.name",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
index 8c7e427daec..deadfedb8bd 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
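Review bot: The new rename entries in the last hunk copy the raw WEB_ADDRESS value into `url.full` and SITE_LOCATION into `url.path` without deriving `url.domain` or `url.scheme`, so searches and dashboards that pivot on those components will not match these events; for a value taken verbatim from the source record `url.original` is the closer ECS fit, with a follow-up processor populating the parsed components. The four new `case` labels in the earlier hunks follow the existing categorisation, though `VIEW_SITE_DETAILS` under `info` would benefit from a short comment such as `// read-only action, no state change` if that is what the upstream semantics are (inferred from the name only). The enclosing `var login = (function () {` IIFE starts outside every hunk here. Separately, the fields.asciidoc hunk of this same commit shows a `>>>>>>> 78c75950b... Add delegated admin settings` conflict marker as trailing context, so the generated docs are already corrupted in the series base and need cleaning up before this lands.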
@@ -56,4 +56,9 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
index 6da8db84c1c..560564677a7 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
@@ -2930,5 +2930,261 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27499, + "organization.id": "1", + 
"related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "SITES_SETTINGS", + 
"gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28093, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_SITES_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + 
"gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28690, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.service.name": "service", + 
"gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29222, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VIEW_SITE_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.url.name": "site", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29732, + "organization.id": "1", + "related.ip": [ + 
"98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go
index fc0a9c490a8..e1b47953bf8 100644
--- a/x-pack/filebeat/module/gsuite/fields.go
+++ b/x-pack/filebeat/module/gsuite/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "eJzcWF1v2zoSfc+vGLQPBYqNjd1HPyxgNGoa1EmKOCm2WFzIY3IkEaY4uiTl1PfXX5CSUn/IbVO5RXH90kIkz5kznC/mHFa0mUDuauXpDMArr2kCL5oPL84AJDlhVeUVmwn89wwA2t1wzbLW4VCmSEs3iWvnYLCkLcTwk5RhrX0aN04gQ+26Jb+pwm7LdfW0+YAw/C4bUleRUJkSLeno7GnDNVsCZTK2JYbDgEuu/f4BEGhgSZBxbSSgh8L7yk3GY0lr0lyRdaOcOdc0ElyOUZbKnDu5Gluq2Ho3Xv97bCkjS0bQGIVXa+UVubFWzre2bPtj2ycoPNtRUPy01DlgRZtHtnLr+xE3hN99QfEYcNZinu2sf0RdU6d0srME8Pphnty9nsDUsC/IQu3IgjLgCwKHJYHkEpUZ7R9L/nef3N1MZ2l3vjnJtXdKUjx+5OT75FPcb9icF3WJpjO63z8r2gxzz63RG6gsOTIeHgsysPji+QUoB4v3yafFCN40oRBMXwg2ri7JpivaLIJjw1dLf9bkPFvI2MLttPYF/Gd2C9MPV92aA7aABpQk41WmqNlreckeUAiujXeHUmlNxp84FC7nMUMi9L+gxKoiCZnlEhbKU+n+/8coroX/tK5orp2typVBDRVuNKPcvcEERQGZ0uTIx5gqcE2AIFUW08BDWOAM1k3YBfkqGBDyUZJHpX9J1oUffcayCgUMa6n8y3bj5sD9K2Xk6RzfhIPj2grac3wg+k4/X//G/mKbo1F/xbo6atJ8mPsaBzZI4Av0IS0xy0h4krDctOkXxLxybbYc1osg+8CO7V4CPdV4B6GqtBKNLJIq/Ltn5jFtB/qCni4DG6TRNynDlyF8W1ivXMTv54wuGVGJSg+hizCvHFRWlWg3EAEBpbTkXD+zocc01oUhvIYem+ISa0tsVOS9Mnk/J2s5nJO1fBanzdPaKD/4SrczDTUEzK9cbGvTEMIW4pvRU1nFNhaRH2W7DDjwBaef7aC6PFtRF55tdTkurESDOclUsMlUXlscmv8BtpsdWnDYAT9iBy+VphSralShWGFOqdrnepYdDeB2eYAWGK4ujiQqmzQj9LUlmTqyayXIpY40iSFe2a/6ADdszjsi6IjgiWh/egR4GwYsCI0ruLZi59RSUzdtxC4Hnn+kQ4ZGbaT63DXITbtty2/nbXq4l29n0/m72dXlu/s0uXhIb25v0rfJ9P7hLrlI58ndx6s3yTydJ7PkzX1y0evi2IhOFV4RrP8qu1FkNCyIttk6yK0xt587vAmGN5qA8rw+k6OnR9wMKr+XDUZTMOBD+4BgA45LAhGGlC4aDmcRzfnQWaSdftIoN23lfreYDkYUqDWZnNKSfME/HAKHmTsLEr/gQ4M/+qUJGt3cHwIZKl1bSvceVScR3WJHoN9G8M8QKizFDEftfi+xKjQjwUamWXzM9wpfMmtCcxSgdpUSiuv+rNo//TRkYalP9cpIhxSow0ubY6lh/mGn0x+fd/6ZGRKu50jMGOUVhpK63JxO713zhx+yQdp8ej0DrH0RkkZ8ZcZjm4dZPq3QF6ezBeAh/hGuAT/yRvDoa5cKlv2XrvngAfGtqAuiG1gIsMfeJjFddbjb9GcZETkgcuxa9HcAAAD//5Kfog8=" + return "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" } From 8655f5490ab763662a573834f446407ca4252b3b Mon Sep 17 00:00:00 2001 
From: Marc Guasch
Date: Thu, 9 Jul 2020 09:50:34 +0200
Subject: [PATCH 09/18] Add licences settings

---
 .../module/gsuite/admin/_meta/fields.yml | 6 +
 .../module/gsuite/admin/config/pipeline.js | 16 +
 .../admin/test/gsuite-admin-test.json.log | 8 +
 .../gsuite-admin-test.json.log-expected.json | 405 ++++++++++++++++++
 x-pack/filebeat/module/gsuite/fields.go | 2 +-
 5 files changed, 436 insertions(+), 1 deletion(-)

diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml
index faf71ddf1d5..574db1c939d 100644
--- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml
+++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml
@@ -89,3 +89,9 @@
 - name: url.name
 type: keyword
 description: The website name.
+ - name: product.name
+ type: keyword
+ description: The product name.
+ - name: product.sku
+ type: keyword
+ description: The product SKU.
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
index c5f2d35a893..640c928430f 100644
--- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
+++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
@@ -46,6 +46,14 @@ var login = (function () {
 case "CHANGE_DOCS_SETTING":
 case "CHANGE_SITES_SETTING":
 case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES":
+ case "ORG_USERS_LICENSE_ASSIGNMENT":
+ case "ORG_ALL_USERS_LICENSE_ASSIGNMENT":
+ case "USER_LICENSE_ASSIGNMENT":
+ case "CHANGE_LICENSE_AUTO_ASSIGN":
+ case "USER_LICENSE_REASSIGNMENT":
+ case "ORG_LICENSE_REVOKE":
+ case "USER_LICENSE_REVOKE":
+ case "UPDATE_DYNAMIC_LICENSE":
 evt.Put("event.type", ["change"]);
 break;
 case "CREATE_APPLICATION_SETTING":
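Review bot: `ORG_LICENSE_REVOKE` and `USER_LICENSE_REVOKE` are grouped with the assignment events under `event.type: ["change"]`, while the same switch maps `DELETE_*`/`REMOVE_*` actions to `deletion`; a revoke removes an entitlement, so rules that watch `event.type: deletion` for privilege or entitlement removal would not see these two. If `change` is intended (the license setting is modified rather than deleted), say so next to the cases with a comment such as `// License revokes are modelled as a change to the license setting, not a deletion`; otherwise move the two revoke cases beside `DELETE_ROLE`. The rest of the switch is outside the hunk.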
@@ -298,6 +306,14 @@ var login = (function () {
 from: "gsuite.admin.SERVICE_NAME",
 to: "gsuite.admin.service.name",
 },
+ {
+ from: "gsuite.admin.PRODUCT_NAME",
+ to: "gsuite.admin.product.name",
+ },
+ {
+ from: "gsuite.admin.SKU_NAME",
+ to: "gsuite.admin.product.sku",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
index deadfedb8bd..331564a6ba8 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
@@ -61,4 +61,12 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
index 560564677a7..c9d4b9af26f 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
@@ -3186,5 +3186,410 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30101, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30564, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + 
"client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31031, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + 
"client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.product.name": "product", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31499, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + 
"client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_LICENSE_REASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31955, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North 
America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ORG_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32460, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + 
"client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32913, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_DYNAMIC_LICENSE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33377, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index e1b47953bf8..cee2029dae6 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "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" + return "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" } From 93eabbea7ce59b69c7e6067d5e18ec4533ecacc9 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 9 Jul 2020 10:35:09 +0200 Subject: [PATCH 10/18] Add groups settings --- .../module/gsuite/admin/_meta/fields.yml | 9 + .../module/gsuite/admin/config/pipeline.js | 53 ++ .../admin/test/gsuite-admin-test.json.log | 14 + .../gsuite-admin-test.json.log-expected.json | 728 ++++++++++++++++++ x-pack/filebeat/module/gsuite/fields.go | 2 +- 5 files changed, 805 insertions(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml index 574db1c939d..abfb82bd561 100644 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml @@ -95,3 +95,12 @@ - name: product.sku type: keyword description: The product SKU. + - name: group.bulk_upload.failed + type: long + description: Number of failed records in bulk upload operation. + - name: group.bulk_upload.total + type: long + description: Number of total records in bulk upload operation. + - name: group.allowed_list + type: keyword + description: Names of allow-listed groups. diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js index 640c928430f..9df8e8692dc 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js 
@@ -81,12 +81,30 @@ var login = (function () {
 case "DELETE_WEB_ADDRESS":
 evt.Put("event.type", ["deletion"]);
 break;
+ case "DELETE_GROUP":
+ evt.Put("event.type", ["group", "creation"]);
+ break;
+ case "CREATE_GROUP":
+ evt.Put("event.type", ["group", "creation"]);
+ break;
 case "REORDER_GROUP_BASED_POLICIES_EVENT":
+ case "CHANGE_GROUP_DESCRIPTION":
+ case "ADD_GROUP_MEMBER":
+ case "REMOVE_GROUP_MEMBER":
+ case "UPDATE_GROUP_MEMBER":
+ case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS":
+ case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE":
+ case "CHANGE_GROUP_NAME":
+ case "CHANGE_GROUP_SETTING":
+ case "GROUP_MEMBER_BULK_UPLOAD":
+ case "WHITELISTED_GROUPS_UPDATED":
 evt.Put("event.type", ["group", "change"]);
 break;
 case "ISSUE_DEVICE_COMMAND":
 case "DRIVE_DATA_RESTORE":
 case "VIEW_SITE_DETAILS":
+ case "GROUP_LIST_DOWNLOAD":
+ case "GROUP_MEMBERS_DOWNLOAD":
 evt.Put("event.type", ["info"]);
 break;
 }
@@ -157,6 +175,29 @@ var login = (function () {
 evt.Put("event.duration", tsEnd-tsStart);
 };
 
+ var setEventOutcome = function(evt) {
+ var failed = evt.Get("gsuite.admin.group.bulk_upload.failed");
+ if (failed === null) {
+ return;
+ }
+
+ if (failed === 0) {
+ evt.Put("event.outcome", "success");
+ } else {
+ evt.Put("event.outcome", "failure");
+ }
+ };
+
+ var setGroupAllowedlist = function(evt) {
+ var allowedList = evt.Get("gsuite.admin.WHITELISTED_GROUPS");
+ if (!allowedList) {
+ return;
+ }
+
+ evt.Put("gsuite.admin.group.allowed_list", allowedList.split(","));
+ evt.Delete("gsuite.admin.WHITELISTED_GROUPS");
+ };
+
 var pipeline = new processor.Chain()
 .Add(categorizeEvent)
 .Add(flattenParams)
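Review bot: The new `DELETE_GROUP` case classifies a group deletion as `["group", "creation"]`, the same value the `CREATE_GROUP` case directly below it sets; the deletion branch should be `evt.Put("event.type", ["group", "deletion"]);`, consistent with the `DELETE_WEB_ADDRESS` case above that already uses `"deletion"`. The expected-output fixture added in this commit records `"creation"` for the DELETE_GROUP sample too, so it would need regenerating together with the fix. Detection content that keys on `event.type: deletion` for group removals would otherwise never see these events. The switch this hunk edits starts and ends outside the hunk.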
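Review bot: `setGroupAllowedlist` calls `allowedList.split(",")` on the raw parameter value without checking that it is a string, so a value that flattenParams leaves as something else (a multi-valued parameter would presumably arrive as an array) throws inside the processor and, depending on the chain's error handling, the event is dropped. A small guard keeps the field in either case: `var groups = typeof allowedList === "string" ? allowedList.split(",") : allowedList;` followed by `evt.Put("gsuite.admin.group.allowed_list", groups);`. The fixture only covers the `"a,b,c"` form; if the API pads entries after the comma each element keeps its leading space, which is worth a test case and a per-element `.trim()`. In `setEventOutcome`, `failed === 0` only works because the `type: "long"` conversion in the later hunk has already run; a comment such as `// bulk_upload.failed is numeric here: the convert step earlier in the chain coerces it to long` would stop a future reorder of the chain from silently turning every bulk upload into "failure".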
@@ -314,6 +355,16 @@ var login = (function () {
 from: "gsuite.admin.SKU_NAME",
 to: "gsuite.admin.product.sku",
 },
+ {
+ from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER",
+ to: "gsuite.admin.group.bulk_upload.failed",
+ type: "long",
+ },
+ {
+ from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER",
+ to: "gsuite.admin.group.bulk_upload.total",
+ type: "long",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
@@ -322,6 +373,8 @@ var login = (function () {
 .Add(setGroupInfo)
 .Add(setRelatedUserInfo)
 .Add(setEventDuration)
+ .Add(setEventOutcome)
+ .Add(setGroupAllowedlist)
 .Build();
 
 return {
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
index 331564a6ba8..1131930616c 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
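Review bot: The two new convert entries coerce `GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER` and `GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER` to `long`, but the convert block's `fail_on_error` setting lies outside the hunk; if it keeps the processor's default of failing on a bad conversion, a non-numeric count from the API would fail the whole event instead of just leaving `bulk_upload.failed` unset and `event.outcome` absent. Worth confirming the block sets `fail_on_error: false`, or at least adding a comment on these entries such as `// coerced so setEventOutcome can compare the failed count numerically` to record why the type is needed. The `.Add(setEventOutcome)` and `.Add(setGroupAllowedlist)` lines in the second hunk sit after this convert step, which is the order `setEventOutcome` depends on; the processor chain they extend starts outside the hunk.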
@@ -69,4 +69,18 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
index c9d4b9af26f..b88b00b5b69 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
@@ -3591,5 +3591,733 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33869, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + 
"client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34248, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GROUP_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34627, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": 
"foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GROUP_LIST_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35018, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35338, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35770, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 36205, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", + "event.category": [ + "iam" + ], + 
"event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 36710, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + 
"client.user.name": "foo", + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 37233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GROUP_MEMBER_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", + "event.outcome": "success", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.group.bulk_upload.failed": 0, + "gsuite.admin.group.bulk_upload.total": 10, + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 37775, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + 
"client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GROUP_MEMBERS_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 38239, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GROUP_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 38562, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GROUP_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting": "setting", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 38981, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "WHITELISTED_GROUPS_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.group.allowed_list": [ + "a", + "b", + "c" + ], + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 39480, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index cee2029dae6..29d4ee3f01e 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go @@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "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" + return "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" } From 1cb5f355284ed81fc2600a67bfb8df4d957ac4df Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Thu, 9 Jul 2020 12:20:01 +0200 Subject: [PATCH 11/18] Add gmail settings --- .../module/gsuite/admin/_meta/fields.yml | 32 +- .../module/gsuite/admin/config/pipeline.js | 61 ++- .../admin/test/gsuite-admin-test.json.log | 9 + .../gsuite-admin-test.json.log-expected.json | 497 +++++++++++++++++- x-pack/filebeat/module/gsuite/fields.go | 2 +- 5 files changed, 580 insertions(+), 21 deletions(-)
diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml
index abfb82bd561..04ef84313ad 100644
--- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml
+++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml
@@ -19,7 +19,13 @@
 - name: org_unit.name
 type: keyword
 description: The organizational unit name.
- - name: setting
+ - name: setting.name
+ type: keyword
+ description: The setting name.
+ - name: user_defined_setting.name
+ type: keyword
+ description: The name of the user-defined setting.
+ - name: setting.description
 type: keyword
 description: The setting name.
 - name: group.priorities
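Review bot: The description for the new `setting.description` field repeats the text of `setting.name` (`description: The setting name.`), so the generated field reference will document two different fields with the same sentence. The pipeline change in this patch feeds it from the `SETTING_DESCRIPTION` parameter, so the line should read `description: The setting description.`. The rename of `setting` to `setting.name` also changes the indexed field for every `SETTING_NAME` event mapped by the earlier patches in this series, which is harmless while the module is unreleased but is worth noting in the commit message.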
@@ -104,3 +110,27 @@
 - name: group.allowed_list
 type: keyword
 description: Names of allow-listed groups.
+ - name: email.quarantine_name
+ type: keyword
+ description: The name of the quarantine.
+ - name: email.log_search_filter.message_id
+ type: keyword
+ description: The log search filter's email message ID.
+ - name: email.log_search_filter.start_date
+ type: date
+ description: The log search filter's start date.
+ - name: email.log_search_filter.end_date
+ type: date
+ description: The log search filter's ending date.
+ - name: email.log_search_filter.recipient.value
+ type: keyword
+ description: The log search filter's email recipient.
+ - name: email.log_search_filter.sender.value
+ type: keyword
+ description: The log search filter's email sender.
+ - name: email.log_search_filter.recipient.ip
+ type: ip
+ description: The log search filter's email recipient's IP address.
+ - name: email.log_search_filter.sender.ip
+ type: ip
+ description: The log search filter's email sender's IP address.
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
index 9df8e8692dc..ddb7ab7cbe0 100644
--- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
+++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
@@ -54,6 +54,11 @@ var login = (function () {
 case "ORG_LICENSE_REVOKE":
 case "USER_LICENSE_REVOKE":
 case "UPDATE_DYNAMIC_LICENSE":
+ case "DROP_FROM_QUARANTINE":
+ case "CHANGE_EMAIL_SETTING":
+ case "CHANGE_GMAIL_SETTING":
+ case "REJECT_FROM_QUARANTINE":
+ case "RELEASE_FROM_QUARANTINE":
 evt.Put("event.type", ["change"]);
 break;
 case "CREATE_APPLICATION_SETTING":
@@ -66,6 +71,8 @@ var login = (function () {
 case "INSERT_CHROME_OS_PRINTER":
 case "CREATE_ROLE":
 case "ADD_WEB_ADDRESS":
+ case "EMAIL_UNDELETE":
+ case "CREATE_GMAIL_SETTING":
 evt.Put("event.type", ["creation"]);
 break;
 case "DELETE_APPLICATION_SETTING":
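Review bot: `DROP_FROM_QUARANTINE`, `REJECT_FROM_QUARANTINE` and `RELEASE_FROM_QUARANTINE` are folded into the same `case` group as the `CHANGE_*_SETTING` actions in hunk `@@ -54,6 +54,11 @@`, yet they act on an individual held message rather than on a configuration value, and the fixture added later in this patch shows them also inheriting `event.category: ["iam"]` from code outside this hunk. From a detection standpoint a release from quarantine is the action most worth distinguishing, since it moves a message a policy had held back into a mailbox, so at minimum a comment on the new cases such as `// Quarantine actions: "change" is the closest ECS event.type; they are not settings changes.` would stop a reader from treating them as ordinary settings edits, and a separate `case` group would make a later category adjustment trivial. The enclosing `switch` starts and ends outside the hunk.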
@@ -79,6 +86,7 @@ var login = (function () {
 case "REMOVE_CHROME_OS_APPLICATION_SETTINGS":
 case "DELETE_ROLE":
 case "DELETE_WEB_ADDRESS":
+ case "DELETE_GMAIL_SETTING":
 evt.Put("event.type", ["deletion"]);
 break;
 case "DELETE_GROUP":
@@ -105,6 +113,7 @@ var login = (function () {
 case "VIEW_SITE_DETAILS":
 case "GROUP_LIST_DOWNLOAD":
 case "GROUP_MEMBERS_DOWNLOAD":
+ case "EMAIL_LOG_SEARCH":
 evt.Put("event.type", ["info"]);
 break;
 }
@@ -229,7 +238,15 @@ var login = (function () {
 },
 {
 from: "gsuite.admin.SETTING_NAME",
- to: "gsuite.admin.setting",
+ to: "gsuite.admin.setting.name",
+ },
+ {
+ from: "gsuite.admin.SETTING_DESCRIPTION",
+ to: "gsuite.admin.setting.description",
+ },
+ {
+ from: "gsuite.admin.USER_DEFINED_SETTING_NAME",
+ to: "gsuite.admin.user_defined_setting.name",
 },
 {
 from: "gsuite.admin.GROUP_PRIORITIES",
@@ -331,6 +348,14 @@ var login = (function () {
 from: "gsuite.admin.END_DATE_TIME",
 to: "event.end",
 },
+ {
+ from: "gsuite.admin.START_DATE",
+ to: "event.start",
+ },
+ {
+ from: "gsuite.admin.END_DATE",
+ to: "event.end",
+ },
 {
 from: "gsuite.admin.SITE_LOCATION",
 to: "url.path",
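Review bot: Mapping `START_DATE`/`END_DATE` onto `event.start`/`event.end` in hunk `@@ -331,6 +348,14 @@` overloads two ECS fields that describe when the event itself began and ended; in the `EMAIL_UNDELETE` fixture added later in this patch these parameters appear to bound the range of deleted messages being restored for `USER_EMAIL`, not the duration of the admin action, so timeline views would show a two-hour event for what is a point-in-time operation. The same patch keeps the log-search range under `gsuite.admin.email.log_search_filter.start_date`/`end_date`, so a parallel pair such as `gsuite.admin.email.undelete.start_date`/`end_date` (declared in `fields.yml` with `type: date`) would be consistent with that choice. The pre-existing `START_DATE_TIME`/`END_DATE_TIME` mappings in the context lines raise the same question but predate this patch. The enclosing mapping list starts and ends outside the hunk.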
@@ -365,6 +390,40 @@ var login = (function () {
 to: "gsuite.admin.group.bulk_upload.total",
 type: "long",
 },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_MSG_ID",
+ to: "gsuite.admin.email.log_search_filter.message_id",
+ },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_END_DATE",
+ to: "gsuite.admin.email.log_search_filter.end_date",
+ },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_RECIPIENT",
+ to: "gsuite.admin.email.log_search_filter.recipient.value",
+ },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_SENDER",
+ to: "gsuite.admin.email.log_search_filter.sender.value",
+ },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP",
+ to: "gsuite.admin.email.log_search_filter.recipient.ip",
+ type: "ip",
+ },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP",
+ to: "gsuite.admin.email.log_search_filter.sender.ip",
+ type: "ip",
+ },
+ {
+ from: "gsuite.admin.EMAIL_LOG_SEARCH_START_DATE",
+ to: "gsuite.admin.email.log_search_filter.start_date",
+ },
+ {
+ from: "gsuite.admin.QUARANTINE_NAME",
+ to: "gsuite.admin.email.quarantine_name",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
index 1131930616c..57b8505226a 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
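Review bot: The sender and recipient addresses this hunk converts with `type: "ip"` never reach `related.ip`: the `EMAIL_LOG_SEARCH` fixture added later in this patch lists only the actor's address there, so an analyst pivoting on `related.ip` will not find admin searches that targeted a given SMTP endpoint. Wherever the pipeline assembles `related.ip` (outside this hunk) it should also append `gsuite.admin.email.log_search_filter.sender.ip` and `gsuite.admin.email.log_search_filter.recipient.ip`, and if `EMAIL_LOG_SEARCH_SENDER`/`EMAIL_LOG_SEARCH_RECIPIENT` carry full e-mail addresses (the fixture's placeholder values `"sender"`/`"recipient"` do not show this) they are candidates for `related.user` in the same way `USER_EMAIL` already is. Separately, `EMAIL_LOG_SEARCH_MSG_ID` is renamed to `email.log_search_filter.message_id` even when it arrives with the three `*_FROM_QUARANTINE` actions, where it identifies the quarantined message rather than a search filter; a neutral name such as `gsuite.admin.email.message_id` would read correctly in both contexts. The enclosing mapping list starts outside the hunk.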
@@ -83,4 +83,13 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json index b88b00b5b69..b94d7f87b0b 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json @@ -37,7 +37,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "APPLICATION_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -92,7 +92,7 @@ "gsuite.admin.group.email": "group@example.com", "gsuite.admin.new_value": "new", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "APPLICATION_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", 
@@ -147,7 +147,7 @@ "gsuite.admin.group.email": "group@example.com", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "APPLICATION_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -201,7 +201,7 @@ "a", "b" ], - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "APPLICATION_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -1000,7 +1000,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "CALENDAR_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -1297,7 +1297,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "CHAT_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -1353,7 +1353,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "CHROME_OS_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -1460,7 +1460,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "CHROME_OS_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", 
@@ -1608,7 +1608,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "CHROME_OS_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -1710,7 +1710,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "CHROME_OS_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -2053,7 +2053,7 @@ "gsuite.admin.domain": "example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "CHROME_OS_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -2104,7 +2104,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "CHROME_OS_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -2357,7 +2357,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "CONTACTS_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -2913,7 +2913,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "DOCS_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", 
@@ -2964,7 +2964,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "SITES_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -3017,7 +3017,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "SITES_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -3071,7 +3071,7 @@ "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "SITES_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", @@ -4249,7 +4249,7 @@ "gsuite.admin.group.email": "group@example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", - "gsuite.admin.setting": "setting", + "gsuite.admin.setting.name": "setting", "gsuite.event.type": "GROUP_SETTINGS", "gsuite.kind": "admin#reports#activity", "gsuite.organization.domain": "elastic.com", 
@@ -4319,5 +4319,466 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DROP_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 39868, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + 
"client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "EMAIL_LOG_SEARCH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.end_date": "2002-10-02T12:00:00Z", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.log_search_filter.recipient.ip": "1.1.1.1", + "gsuite.admin.email.log_search_filter.recipient.value": "recipient", + "gsuite.admin.email.log_search_filter.sender.ip": 
"1.1.1.1", + "gsuite.admin.email.log_search_filter.sender.value": "sender", + "gsuite.admin.email.log_search_filter.start_date": "2002-10-02T10:00:00Z", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 40300, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "EMAIL_UNDELETE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 7200000000000, + "event.end": "2002-10-02T12:00:00Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T10:00:00Z", + "event.type": [ + "creation" 
+ ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 41053, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_EMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + 
"fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 41536, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting 
description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 42119, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 42657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", 
+ "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 43195, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REJECT_FROM_QUARANTINE", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 43733, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RELEASE_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 44167, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index 29d4ee3f01e..758785406ee 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "eJzcWUtv2zoW3udXHLSLAsVYxszSiwGCxE2D5oU4KaYYXDC0eCQRpnhUPpz6/voLUlLih5SX3N7iapNAJL+P5+N5UR7BAlcTyK2XDg8AnHQKJ/CufvHuAECgTY2snCQ9gf8eAEAzG85JeBUWZRKVsJM4NgLNS1xDDI/AjHvlWJw4gYwr2w65VRVmG/LVw+QdwvCc1KS2wlRmMm1Ik4OHCedkEKTOyJQ8LAY+J++2F0DKNcwRMvJaAHdQOFfZyXgscImKKjQ2yYlyhUlK5ZiLUuqRFYuxwYqMs+Plv8cGMzSoUxzz1MmldBLtWEnrmr2s67GuCU8dmSRY/DDUCrDA1T0Zsfa+R4bw3BQYlwFlDebBxvhXrjy2lk42hgA+3s6m1x8ncKjJFWjAWzQgNbgCwfISQVDJpU62l03/dzO9vjg8Y+36eiV5Z6XAuLxn5Zfptzhfkx4VvuS63XS3PgtcDZPnUqsVVAYtagf3BWq4e1T+DqSFuy/Tb3cJHNWuELZ+l5K2vkTDFri6C8KGtwa/e7SODGRk4PLQuwL+c3YJh1en7ZgFMsA1SIHayUxiPdfQnBzwNCWvnd01FZeo3Z5d4WQWIyRC/wtKXlUoIDNUwp10WNr//5HEsfBPI0V97GRkLjVXUPGVIi42T3DK0wIyqdCiiz5V8CUCByGzGAYOwgBlsKzdLpgvwwZCPAp0XKpfEnXhwR+8rEIC415I976ZuNqRfyG12J/wtTtY8ibFLeED0Qt1Pv+N9SKTcy3/jHk1qcN8mHy1gDUSuIK7EJY8yzB1KGC+asIvGPPBNtGymy+C2Tv7WK8l0JGNNxCqSsm0NguFDH+3ttln2459wZ42Amuk5FnK8GYI3xrWBxvxuzmjJAmWXKohdBHmg4XKyJKbFURA4EIYtLabWeM9i3lhCK/G+zq5xNwSCxU6J3XezUlKDOckJV7FaXLmtXSDj3Q90riCgPnEwTZ7GkLYQDzrPZWRZGISeSvbScCBR5xutp3s8mqLWvdssku/YSXXPEfBUtKZzL3hQ+M/wLa9QwMOG+C9KSGpeLrgOTK5TfKqDZQ0l2ojL0ADDKfHPRFKmmXInTcomEWzlClaZlFhOkSO7XQPcEF61BJBSwQPRNttI8Cn0FlBqFhB04qslXOFbZsRyxs4ektpDBVaC/mjrYyrZtqabqMmLuz7T2eHs89npyefb9j0+JZdXF6wT9PDm9vr6TGbTa+/nh5NZ2w2PZse3UyPOyWOFWhffhXBuo+y7UGSYU60ztZCrvW33dzhMjC8wgSU1xWYnDu856tBefekxqgzBVw1NwfSYKlESEN30npDfwAP03w9YvsiNS0MlcjIJhatlaTZ1v3hVaxHEQ0uZ9CgxaU9ORlDsCYWjeSKaV/O0byV9zhiQY0FNdaTrEOMbMj6LauM1C6mPTSDa/d64ERgaID7qX8G6zN6plSWXAvWXDXe7D81THtj6clIpIZko1stv3vcvlu7QtqIHMxdSoV5z+FG9iHy7haxIHik3u0q4G8pWQIVhhwoRs2yJlH1uVyj1xBVrlqUJxvTWN8HO3eD8wSTN2owyz3Obbi49bNUhoRPh7f3Dc4LmOzC74No9uX2qa5+7tWC+Sp+jci4VNgdq4p2LhkbjBcxjQefr0HAYEpGWJAaAgXUFBB8/YlGeHdPjhzv7ihevqWIMWhHXCm6R8G2vp686lAueIk2frENYKMAhaLG7/g+qCgf+mmj+ZjCYhPFmibqxbt/bDq4UqhzZCW6gt6cyndT6Vkw8REfavzkl+bQKHP3yQdH9gYH9Vh9RjfYdV/yuxj8MwxNDcbazZX9vYyV4Yqbkh
Ysi78NdBo+J1LIdS+At5VMJfnuqNpe/VAaean29dGS7be7mfFSwexq4zbSX6n+mRESjqfHZ7R0MrRabL7an73X9e9IdamaHZ6fAfeuCEGTPlGXyOReS8cq7or97QXgNv6mV4P3dHaOO29ZSqL70J+ryx1eF4yuYSHA9nWUMVxVOFv2szYROSBybO7orwAAAP//8aD33A==" + return "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" } From 4e999c7807f1ff89d70a50fbc0d58a56ec64fd2c Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 9 Jul 2020 14:46:03 +0200 Subject: [PATCH 12/18] Add org settings --- .../module/gsuite/admin/_meta/fields.yml | 13 + .../module/gsuite/admin/config/pipeline.js | 35 +- .../admin/test/gsuite-admin-test.json.log | 17 + .../gsuite-admin-test.json.log-expected.json | 301 ++++++++++++++++++ x-pack/filebeat/module/gsuite/fields.go | 2 +- 5 files changed, 365 insertions(+), 3 deletions(-) diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml index 04ef84313ad..1f3dd272a1f 100644 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml @@ -19,6 +19,9 @@ - name: org_unit.name type: keyword description: The organizational unit name. + - name: org_unit.full + type: keyword + description: The org unit full path including the root org unit name. - name: setting.name type: keyword description: The setting name. @@ -134,3 +137,13 @@ - name: email.log_search_filter.sender.ip type: ip description: The log search filter's email sender's IP address. + - name: chrome_licenses.enabled + type: keyword + description: > + Licences enabled. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: chrome_licenses.allowed + type: keyword + description: > + Licences enabled. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings 
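Review bot: The description of `chrome_licenses.allowed` in the second fields.yml hunk repeats the one written for `chrome_licenses.enabled` (`Licences enabled.`), which reads as a copy-paste slip; the test log added in this commit carries `CHROME_LICENSES_ALLOWED` with the value `EMPTY`, i.e. which licences are allowed, not which are enabled. Suggest `Licences allowed.` as the first line of that description, keeping the appendix link. If the two fields are genuinely meant to share wording, a short note saying so would stop the next reader from "fixing" it.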
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
index ddb7ab7cbe0..395128432b3 100644
--- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
+++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
@@ -59,6 +59,17 @@ var login = (function () {
 case "CHANGE_GMAIL_SETTING":
 case "REJECT_FROM_QUARANTINE":
 case "RELEASE_FROM_QUARANTINE":
+ case "CHROME_LICENSES_ENABLED":
+ case "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED":
+ case "ASSIGN_CUSTOM_LOGO":
+ case "UNASSIGN_CUSTOM_LOGO":
+ case "REVOKE_ENROLLMENT_TOKEN":
+ case "CHROME_LICENSES_ALLOWED":
+ case "EDIT_ORG_UNIT_DESCRIPTION":
+ case "MOVE_ORG_UNIT":
+ case "EDIT_ORG_UNIT_NAME":
+ case "REVOKE_DEVICE_ENROLLMENT_TOKEN":
+ case "TOGGLE_SERVICE_ENABLED":
 evt.Put("event.type", ["change"]);
 break;
 case "CREATE_APPLICATION_SETTING":
@@ -73,6 +84,10 @@ var login = (function () {
 case "ADD_WEB_ADDRESS":
 case "EMAIL_UNDELETE":
 case "CREATE_GMAIL_SETTING":
+ case "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED":
+ case "CREATE_DEVICE_ENROLLMENT_TOKEN":
+ case "CREATE_ENROLLMENT_TOKEN":
+ case "CREATE_ORG_UNIT":
 evt.Put("event.type", ["creation"]);
 break;
 case "DELETE_APPLICATION_SETTING":
@@ -87,6 +102,8 @@ var login = (function () {
 case "DELETE_ROLE":
 case "DELETE_WEB_ADDRESS":
 case "DELETE_GMAIL_SETTING":
+ case "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED":
+ case "REMOVE_ORG_UNIT":
 evt.Put("event.type", ["deletion"]);
 break;
 case "DELETE_GROUP":
@@ -111,11 +128,13 @@ var login = (function () {
 case "ISSUE_DEVICE_COMMAND":
 case "DRIVE_DATA_RESTORE":
 case "VIEW_SITE_DETAILS":
- case "GROUP_LIST_DOWNLOAD":
- case "GROUP_MEMBERS_DOWNLOAD":
 case "EMAIL_LOG_SEARCH":
 evt.Put("event.type", ["info"]);
 break;
+ case "GROUP_LIST_DOWNLOAD":
+ case "GROUP_MEMBERS_DOWNLOAD":
+ evt.Put("event.type", ["group", "info"]);
+ break;
 }
 };
 
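Review bot: After these additions the switch still has no `default:` branch (its closing `}` is the trailing context of the last hunk), so any admin action not enumerated here — including names Google adds later — leaves `event.type` unset even though the expected output in this commit shows `event.category` `iam` being populated for these records; detections that filter on `event.type` would silently skip them. Consider `default: evt.Put("event.type", ["info"]); break;` — or, if unlisted actions are intentionally left untyped, a comment on the switch saying so, since the list is now long enough that omissions are hard to spot. The enclosing function starts outside the hunk, so a type set before the switch would make this moot. A smaller point: `REVOKE_ENROLLMENT_TOKEN` and `REVOKE_DEVICE_ENROLLMENT_TOKEN` land in `change` while their `CREATE_*` counterparts are `creation`; if revocation ends the token, `deletion` would be the symmetric choice, and either way a one-line comment would record the decision.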
@@ -424,6 +443,18 @@ var login = (function () {
 from: "gsuite.admin.QUARANTINE_NAME",
 to: "gsuite.admin.email.quarantine_name",
 },
+ {
+ from: "gsuite.admin.CHROME_LICENSES_ENABLED",
+ to: "gsuite.admin.chrome_licenses.enabled",
+ },
+ {
+ from: "gsuite.admin.CHROME_LICENSES_ALLOWED",
+ to: "gsuite.admin.chrome_licenses.allowed",
+ },
+ {
+ from: "gsuite.admin.FULL_ORG_UNIT_PATH",
+ to: "gsuite.admin.org_unit.full",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
index 57b8505226a..4d6544e7ca6 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log
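Review bot: The rename list adds mappings for `CHROME_LICENSES_ENABLED`, `CHROME_LICENSES_ALLOWED` and `FULL_ORG_UNIT_PATH`, but the test log added in this commit also carries `SKU_NAME` (the `CHROME_APPLICATION_LICENSE_RESERVATION_*` events) and `SERVICE_NAME` (`TOGGLE_SERVICE_ENABLED`), and neither gets an entry here or a declaration in the fields.yml hunk. Unless an entry outside this hunk already covers them, those values will remain under the raw `gsuite.admin.SKU_NAME` / `gsuite.admin.SERVICE_NAME` keys (the prefix the other `from:` values show) and be unmapped in the index. Suggest adding `{ from: "gsuite.admin.SKU_NAME", to: "gsuite.admin.chrome_licenses.sku", },` (the target name is only a suggestion) plus a matching `SERVICE_NAME` entry, with both fields declared in fields.yml; `ignore_missing: true` at the end of the hunk means events without those parameters are unaffected.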
@@ -92,4 +92,21 @@ {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
index b94d7f87b0b..267734ff46e 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json
@@ -3771,6 +3771,7 @@
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}",
 "event.provider": "admin",
 "event.type": [
+ "group",
 "info"
 ],
 "fileset.name": "admin",
@@ -4140,6 +4141,7 @@ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", "event.provider": "admin", "event.type": [ + "group", "info" ], "fileset.name": "admin", 
@@ -4780,5 +4782,304 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_LICENSES_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.chrome_licenses.enabled": "DISABLED", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 44602, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 45074, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + 
"@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 45584, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 
7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 46059, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + 
"forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.full": "full/org/path", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 46604, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": 
"North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ASSIGN_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 47002, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index 758785406ee..7e2ae5b2139 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "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" + return "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" } From 6b811cf3d77562c9c2072ce99d36393015a1a9a7 Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Thu, 9 Jul 2020 17:05:11 +0200 Subject: [PATCH 13/18] Add security settings and split test files --- .../module/gsuite/admin/_meta/fields.yml | 21 + .../module/gsuite/admin/config/pipeline.js | 68 + .../gsuite-admin-application-test.json.log | 9 + ...in-application-test.json.log-expected.json | 466 ++ .../test/gsuite-admin-calendar-test.json.log | 13 + ...admin-calendar-test.json.log-expected.json | 655 +++ .../test/gsuite-admin-chat-test.json.log | 4 + ...ite-admin-chat-test.json.log-expected.json | 201 + .../test/gsuite-admin-chromeos-test.json.log | 21 + ...admin-chromeos-test.json.log-expected.json | 1062 ++++ .../test/gsuite-admin-contacts-test.json.log | 1 + ...admin-contacts-test.json.log-expected.json | 54 + .../gsuite-admin-delegatedadmin-test.json.log | 8 + ...delegatedadmin-test.json.log-expected.json | 400 ++ .../test/gsuite-admin-docs-test.json.log | 3 + ...ite-admin-docs-test.json.log-expected.json | 160 + .../test/gsuite-admin-gmail-test.json.log | 9 + ...te-admin-gmail-test.json.log-expected.json | 463 ++ .../test/gsuite-admin-groups-test.json.log | 14 + ...e-admin-groups-test.json.log-expected.json | 732 +++ .../test/gsuite-admin-licenses-test.json.log | 8 + ...admin-licenses-test.json.log-expected.json | 407 ++ .../admin/test/gsuite-admin-org-test.json.log | 17 + ...uite-admin-org-test.json.log-expected.json | 839 +++ .../test/gsuite-admin-security-test.json.log | 24 + ...admin-security-test.json.log-expected.json | 1222 ++++ .../test/gsuite-admin-sites-test.json.log | 5 + ...te-admin-sites-test.json.log-expected.json | 258 + .../admin/test/gsuite-admin-test.json.log | 112 - .../gsuite-admin-test.json.log-expected.json | 5085 ----------------- x-pack/filebeat/module/gsuite/fields.go | 2 +- 31 files changed, 7145 insertions(+), 5198 deletions(-) create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log create mode 100644 
x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json create mode 100644 
x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log delete mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml index 1f3dd272a1f..591839709c1 100644 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml 
@@ -147,3 +147,24 @@ description: > Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: oauth2.service.name + type: keyword + description: > + OAuth2 service name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: oauth2.application.id + type: keyword + description: OAuth2 application ID. + - name: oauth2.application.name + type: keyword + description: OAuth2 application name. + - name: oauth2.application.type + type: keyword + description: > + OAuth2 application type. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: verification_method + type: keyword + description: > + 2-step verification method. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js index 395128432b3..3d6115454be 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js 
@@ -70,6 +70,30 @@ var login = (function () {
 case "EDIT_ORG_UNIT_NAME":
 case "REVOKE_DEVICE_ENROLLMENT_TOKEN":
 case "TOGGLE_SERVICE_ENABLED":
+ case "ALLOW_STRONG_AUTHENTICATION":
+ case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS":
+ case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS":
+ case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID":
+ case "ADD_TO_TRUSTED_OAUTH2_APPS":
+ case "REMOVE_FROM_TRUSTED_OAUTH2_APPS":
+ case "BLOCK_ON_DEVICE_ACCESS":
+ case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION":
+ case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY":
+ case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION":
+ case "CHANGE_TWO_STEP_VERIFICATION_START_DATE":
+ case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS":
+ case "TOGGLE_CAA_ENABLEMENT":
+ case "CHANGE_CAA_ERROR_MESSAGE":
+ case "CHANGE_CAA_APP_ASSIGNMENTS":
+ case "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS":
+ case "TRUST_DOMAIN_OWNED_OAUTH2_APPS":
+ case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY":
+ case "ENFORCE_STRONG_AUTHENTICATION":
+ case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS":
+ case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED":
+ case "SESSION_CONTROL_SETTINGS_CHANGE":
+ case "CHANGE_SESSION_LENGTH":
+ case "UNBLOCK_ON_DEVICE_ACCESS":
 evt.Put("event.type", ["change"]);
 break;
 case "CREATE_APPLICATION_SETTING":
@@ -239,10 +263,18 @@ var login = (function () {
 from: "gsuite.admin.APPLICATION_NAME",
 to: "gsuite.admin.application.name",
 },
+ {
+ from: "gsuite.admin.REAUTH_APPLICATION",
+ to: "gsuite.admin.application.name",
+ },
 {
 from: "gsuite.admin.GROUP_EMAIL",
 to: "gsuite.admin.group.email",
 },
+ {
+ from: "gsuite.admin.GROUP_NAME",
+ to: "group.name",
+ },
 {
 from: "gsuite.admin.NEW_VALUE",
 to: "gsuite.admin.new_value",
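Review bot: The 24 new security-settings names all collapse to `event.type: ["change"]`, so a control-weakening event such as `ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY`, `UNTRUST_DOMAIN_OWNED_OAUTH2_APPS`, `WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED` or `UNBLOCK_ON_DEVICE_ACCESS` is indistinguishable in ECS from a cosmetic one like `CHANGE_CAA_ERROR_MESSAGE`, and detection content will have to match on `event.action`. That is a defensible choice given the ECS event.type vocabulary, but it should be stated in the code so nobody later assumes the categorisation carries the risk signal, e.g. a comment above the first new case: `// Security-settings changes (2SV, OAuth2 trust, CAA, session, password recovery) are all ECS "change"; rules that care about a control being weakened must key on event.action.` The switch and the enclosing `var login = (function () {` both start before and continue after this hunk.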
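Review bot: `gsuite.admin.GROUP_NAME` is renamed onto ECS `group.name`, but the expected output for CHANGE_APPLICATION_SETTING further down already shows `group.name: "group"` and `group.domain: "example.com"`, which appear to be derived from GROUP_EMAIL elsewhere in the pipeline, so that field now has two writers and the surviving value depends on processor order whenever an event carries both parameters; likewise `REAUTH_APPLICATION` now shares `gsuite.admin.application.name` with `APPLICATION_NAME`. Whether the convert processor overwrites or errors on an existing target is not visible in this hunk. Either give the parameter its own field (`to: "gsuite.admin.group.name"`) or record the assumption next to the entry: `// GROUP_NAME and GROUP_EMAIL are not expected on the same event; if both appear the later rename wins.` The convert processor definition this list belongs to starts and ends outside the hunk.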
@@ -455,6 +487,42 @@ var login = (function () {
 from: "gsuite.admin.FULL_ORG_UNIT_PATH",
 to: "gsuite.admin.org_unit.full",
 },
+ {
+ from: "gsuite.admin.OAUTH2_SERVICE_NAME",
+ to: "gsuite.admin.oauth2.service.name",
+ },
+ {
+ from: "gsuite.admin.OAUTH2_APP_ID",
+ to: "gsuite.admin.oauth2.application.id",
+ },
+ {
+ from: "gsuite.admin.OAUTH2_APP_NAME",
+ to: "gsuite.admin.oauth2.application.name",
+ },
+ {
+ from: "gsuite.admin.OAUTH2_APP_TYPE",
+ to: "gsuite.admin.oauth2.application.type",
+ },
+ {
+ from: "gsuite.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD",
+ to: "gsuite.admin.verification_method",
+ },
+ {
+ from: "gsuite.admin.CAA_ASSIGNMENTS_NEW",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.CAA_ASSIGNMENTS_OLD",
+ to: "gsuite.admin.old_value",
+ },
+ {
+ from: "gsuite.admin.REAUTH_SETTING_NEW",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.REAUTH_SETTING_OLD",
+ to: "gsuite.admin.old_value",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log
new file mode 100644
index 00000000000..2d2d36e96a3
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log
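Review bot: Four of the new renames fold distinct parameters into the shared `gsuite.admin.new_value` / `gsuite.admin.old_value` (`CAA_ASSIGNMENTS_NEW/OLD` and `REAUTH_SETTING_NEW/OLD`), the same targets that `NEW_VALUE`/`OLD_VALUE` feed earlier in this list, so the mapping is only safe if no single event carries both forms; with `mode: "rename"` a collision would either clobber the first value or raise, depending on the processor's fail-on-error default, which is not visible here. The old and new values of CAA app assignments and re-authentication settings are precisely what an analyst needs to judge whether a control was loosened, so a dedicated field (e.g. `gsuite.admin.caa.assignments.new`) would also be easier to query than a generic new_value. At minimum the assumption should be written down on the first aliased entry: `// Aliases for NEW_VALUE/OLD_VALUE on CAA and session-control events; assumed never present alongside NEW_VALUE/OLD_VALUE.` The convert processor this list belongs to starts before the hunk.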
@@ -0,0 +1,9 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json new file mode 100644 index 00000000000..69fbb9a48a4 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json 
@@ -0,0 +1,466 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + 
"gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + 
"group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 641, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.priorities": [ + "a", + "b" + ], + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1853, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GPLUS_PREMIUM_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2346, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + 
"event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.app.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2770, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.app.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3218, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.app.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.non_featured_services_selection": "FLASHLIGHT_EDU_SELECTION_MANUAL", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4114, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log new file mode 100644 index 00000000000..bcbed9ee886 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log 
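Review bot: The field paths in this expected output do not match the names this patch documents for the same Reports API parameters: the records carry `gsuite.admin.setting.name` (SETTING_NAME) and `gsuite.admin.app.package_id` (MOBILE_APP_PACKAGE_ID), while the field definitions elsewhere in the patch appear to declare `gsuite.admin.setting` and `gsuite.admin.mobile_app.package_id` — worth confirming against fields.yml, which is outside this chunk. If `gsuite.admin.setting` is declared as a keyword, indexing an object at `gsuite.admin.setting.name` is a mapping conflict that rejects the whole document, and `app.package_id` would only ever be dynamically mapped, so any detection keyed on the documented field never matches. Either point the targets in pipeline.js at the documented paths or change fields.yml to `setting.name` / `app.package_id`, then regenerate this file so the fixture and the mapping agree. The pipeline.js that produces these fields is outside the hunk.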
@@ -0,0 +1,13 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
new file mode 100644
index 00000000000..a30d1436855
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
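Review bot: Every record in this fixture shares `"uniqueQualifier":1` and the same `id.time`, so all thirteen events end up with an identical `event.id` and `@timestamp`; the fixture therefore cannot catch a regression in how the pipeline derives `event.id` or orders events, and any downstream dedup-by-id test would collapse them to one document. Giving each line a distinct qualifier (for example `"uniqueQualifier":1` through `13`) keeps the inputs realistic and makes the expected output self-checking. The same applies to the application-settings fixture above, whose hunk starts before this chunk.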
@@ -0,0 +1,655 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State 
College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 414, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 828, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 
40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1361, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + 
"client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1784, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3069, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4077, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CALENDAR_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + 
"client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CANCEL_CALENDAR_EVENTS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5208, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RELEASE_CALENDAR_RESOURCES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5598, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log new file mode 100644 index 00000000000..b078b332402 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log 
@@ -0,0 +1,4 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
new file mode 100644
index 00000000000..5fa7d463921
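Review bot: Every record in this fixture carries the same `"uniqueQualifier":1` and `"time":"2020-10-02T15:00:00Z"`, so the expected output ends up with an identical `event.id` and `@timestamp` for all four events and cannot show that those fields are taken from each record rather than from a constant. Giving each line its own qualifier and time (for example `"uniqueQualifier":2` and `"time":"2020-10-02T15:00:01Z"` on the second line) would let the expected file prove the per-event mapping, which matters downstream because `event.id` is what consumers use to deduplicate these audit events. The chromeos fixture further down repeats the same pattern. The expected file is presumably regenerated from this input, so it would need refreshing after the change.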
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
@@ -0,0 +1,201 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MEET_INTEROP_CREATE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + 
"client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MEET_INTEROP_DELETE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 384, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MEET_INTEROP_MODIFY_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 768, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHAT_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1152, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log new file mode 100644 index 00000000000..9c3bd721f39 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log 
@@ -0,0 +1,21 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json new file mode 100644
index 00000000000..e1f19914c7e
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
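Review bot: Every fixture line in this hunk carries `"ipAddress":"98.235.162.24"` and `"callerType":"USER"`, so the expected output never exercises an admin record that arrives without a client address, and whatever the pipeline does for client.ip, geo and related.ip in that case (drop, error, or skip) is left unverified. I would add one record that omits `ipAddress` and one with a non-`USER` `callerType`, so a regression that rejects or mis-enriches such records shows up in the expected file. Separately, all 21 records share `"uniqueQualifier":1` and the same timestamp, which makes `event.id` and `@timestamp` identical across the whole file and lets parameters misattributed between records pass the comparison; giving each line a distinct qualifier would tighten it. I cannot see the pipeline from this chunk, so the first point is a coverage suggestion rather than a known defect.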
@@ -0,0 +1,1062 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.app.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": 
"org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.admin.new_value": 
"new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 648, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + 
"fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.app.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1162, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3641, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "INSERT_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4151, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4546, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4941, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "INSERT_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5406, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6178, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_USER_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7135, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ISSUE_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.command_details": [ + "command", + "-a" + ], + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7635, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8124, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.app.id": "1234", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_DEVICE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CONTACTS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9465, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log new file mode 100644 index 00000000000..5aececc68aa --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log 
@@ -0,0 +1 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json
new file mode 100644
index 00000000000..42929636dbb
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json
@@ -0,0 +1,54 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CONTACTS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + 
"related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log new file mode 100644 index 00000000000..da76df3f767 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log 
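Review bot: The expected document pins `"event.category": ["iam"]` for CHANGE_CONTACTS_SETTING, but the event carries only DOMAIN_NAME, ORG_UNIT_NAME, SETTING_NAME and OLD_VALUE/NEW_VALUE, i.e. a tenant configuration change with no user, group or role involved, so the ECS `configuration` category is the closer fit. If pipeline.js (outside this hunk) is meant to distinguish settings changes from identity changes, the fixture should expect `"event.category": ["iam", "configuration"]` or just `["configuration"]`; a detection that filters on `event.category: configuration` would otherwise miss every settings change in this dataset. Being a generated expected-output file, that change belongs in the pipeline's categorization table and the fixture regenerated, not edited by hand.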
@@ -0,0 +1,8 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
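Review bot: All eight events reuse `"uniqueQualifier":1` with the same `"time"`, so every record maps to the same `event.id` (the expected output for ASSIGN_ROLE shows `"event.id": "1"`), which means this fixture cannot catch a regression in how `id.uniqueQualifier` is mapped or a collision between distinct admin events; giving each line its own qualifier (`"uniqueQualifier":2` through `8`) would make the ids distinguishable at no cost. ASSIGN_ROLE and ADD_PRIVILEGE are the privilege-grant events in this set, and both are exercised only with the predefined `_DIRECTORY_SYNC_ADMIN_ROLE`; a second ASSIGN_ROLE against a super-admin role would be worth adding so the expected output shows the fields a role-escalation detection would key on. I cannot tell from this hunk what role names Google emits for that case, so confirm against real Reports API data before adding it.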
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json
new file mode 100644
index 00000000000..db951c82cf3
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json
@@ -0,0 +1,400 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 483, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", 
+ "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 912, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": 
"Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + 
"client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2298, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_ROLE", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2728, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3157, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log new file mode 100644 index 00000000000..c3166fb87d2 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log 
@@ -0,0 +1,3 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
new file mode 100644
index 00000000000..a14ecdf0aef
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
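Review bot: The DRIVE_DATA_RESTORE fixture on the second line only exercises the fully-populated case, so nothing pins what the pipeline does when BEGIN_DATE_TIME or END_DATE_TIME is missing or unparsable, which is exactly where a date-arithmetic step is most likely to throw and silently drop the event. A fourth line carrying only USER_EMAIL (and ideally one with a malformed date) would make the expected file state whether the event still indexes with the time fields unset. All three lines also share `"uniqueQualifier":1`, so every event ends up with the same event.id and a cross-wired field between events would not be visible in the expected output; distinct qualifiers per line are cheap and make the fixture more diagnostic.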
@@ -0,0 +1,160 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TRANSFER_DOCUMENT_OWNERSHIP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DRIVE_DATA_RESTORE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 10800000000000, + "event.end": "2002-10-02T15:00:00Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T12:00:00Z", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 471, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 
7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DOCS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 967, + 
"organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log new file mode 100644 index 00000000000..f9ecb940c0f --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log 
@@ -0,0 +1,9 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json
new file mode 100644
index 00000000000..abf97b1d1f5
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json
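Review bot: The EMAIL_LOG_SEARCH fixture on the second line of this hunk gives EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP and EMAIL_LOG_SEARCH_SMTP_SENDER_IP the same value, `1.1.1.1`, so a pipeline that swapped the sender and recipient IP mappings would still produce a matching expected file; the textual RECIPIENT/SENDER values are distinct and catch that, the IPs should be too. Those addresses are also a live public resolver rather than test data; fixtures conventionally use the RFC 5737 documentation ranges, e.g. `"value":"192.0.2.10"` for the sender and `"value":"192.0.2.20"` for the recipient, which avoids real-world addresses leaking into sample dashboards and docs. Since these are the only IPs in the admin dataset that do not come from the actor, it is worth checking in the expected file that they are also folded into related.ip, as analysts pivot on that field rather than on the module-specific ones.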
@@ -0,0 +1,463 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DROP_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable 
Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "EMAIL_LOG_SEARCH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.end_date": "2002-10-02T12:00:00Z", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.log_search_filter.recipient.ip": "1.1.1.1", + "gsuite.admin.email.log_search_filter.recipient.value": "recipient", + "gsuite.admin.email.log_search_filter.sender.ip": "1.1.1.1", + 
"gsuite.admin.email.log_search_filter.sender.value": "sender", + "gsuite.admin.email.log_search_filter.start_date": "2002-10-02T10:00:00Z", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 432, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "EMAIL_UNDELETE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 7200000000000, + "event.end": "2002-10-02T12:00:00Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T10:00:00Z", + "event.type": [ + "creation" + ], + 
"fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1185, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_EMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": 
"admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1668, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting 
description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2251, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2789, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3327, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REJECT_FROM_QUARANTINE", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3865, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RELEASE_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.email.log_search_filter.message_id": "id",
+ "gsuite.admin.email.quarantine_name": "quarantine",
+ "gsuite.event.type": "EMAIL_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 4299,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log
new file mode 100644
index 00000000000..2c60ded89cc
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log
@@ -0,0 +1,14 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
new file mode 100644
index 00000000000..5a30d6583a9
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
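Review bot: The DELETE_GROUP fixture on the second line of this hunk is expected, in the companion gsuite-admin-groups-test.json.log-expected.json added by this commit, to produce `"event.type": ["group", "creation"]` — identical to the CREATE_GROUP entry — whereas the EMAIL_SETTINGS expectations in the same commit classify DELETE_GMAIL_SETTING as `deletion`. That looks like a copied CREATE_GROUP entry in the pipeline's event-type mapping, which lives outside this hunk; once the mapping emits `deletion` for DELETE_GROUP the expected file needs regenerating. The misclassification matters for detection content: a rule keyed on `event.type: deletion` for group removals would never match these events. The fixture also only exercises GROUP_MEMBER_BULK_UPLOAD with a failed count of `"0"` (expected `event.outcome: success`), so whatever outcome the pipeline presumably derives for a non-zero failed count is untested; adding a second bulk-upload line with a failed count above zero would cover that branch.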
@@ -0,0 +1,732 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", 
+ "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 379, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GROUP_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 758, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + 
"client.user.name": "foo", + "event.action": "GROUP_LIST_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "group", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1149, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1469, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1901, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2336, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", + "event.category": [ + "iam" + ], + 
"event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2841, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + 
"client.user.name": "foo", + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GROUP_MEMBER_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", + "event.outcome": "success", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.group.bulk_upload.failed": 0, + "gsuite.admin.group.bulk_upload.total": 10, + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3906, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + 
"client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GROUP_MEMBERS_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "group", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4370, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GROUP_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4693, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GROUP_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5112, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "WHITELISTED_GROUPS_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.group.allowed_list": [ + "a", + "b", + "c" + ], + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5611, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log new file mode 100644 index 00000000000..c028ff6ba1c --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log 
@@ -0,0 +1,8 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
new file mode 100644
index 00000000000..380118b588c
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
@@ -0,0 +1,407 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, 
+ "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 463, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + 
"client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 930, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": 
"North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.product.name": "product", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1398, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + 
"client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_LICENSE_REASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1854, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 
40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ORG_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2359, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2812, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + 
"client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_DYNAMIC_LICENSE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3276, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log new file mode 100644 index 00000000000..3ad1efedd6a --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log 
@@ -0,0 +1,17 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
new file mode 100644
index 00000000000..5e163522b2f
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
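Review bot: The `TOGGLE_SERVICE_ENABLED` fixture on the last line of this hunk gives `SERVICE_NAME` the value `"new"`, the same string as its `NEW_VALUE` parameter, so the regenerated expected output cannot distinguish a pipeline that maps the service name into its own field from one that conflates it with `gsuite.admin.new_value` or drops it entirely. Every other parameter in these 17 fixtures gets a distinct placeholder (`org`, `sku`, `app`, `old`, `full/org/path`), and this one should too: change it to `{"name":"SERVICE_NAME","value":"service"}` and regenerate the `-expected.json` so the mapping is actually pinned. Separately, all 17 events share `uniqueQualifier` 1 and the same `time`, so every produced document presumably carries the same `event.id`; that is tolerable for a fixture, but varying the qualifier on at least one line would also exercise the id derivation rather than a constant.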
@@ -0,0 +1,839 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_LICENSES_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.chrome_licenses.enabled": "DISABLED", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 472, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 982, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + 
"client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + 
"forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.full": "full/org/path", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2002, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": 
"North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ASSIGN_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2400, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNASSIGN_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2771, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3144, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3520, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_LICENSES_ALLOWED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.chrome_licenses.allowed": "EMPTY", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3896, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4365, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4733, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "EDIT_ORG_UNIT_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5101, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOVE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5479, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "EDIT_ORG_UNIT_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5880, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.full": "full/org/path", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6286, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_SERVICE_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.service.name": "new", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6684, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log new file mode 100644 index 00000000000..1035f42a2fb --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log 
@@ -0,0 +1,24 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
new file mode 100644
index 00000000000..07ce877287d
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
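Review bot: Every sample in this fixture shares the same `uniqueQualifier`, `time` and actor, so all 24 SECURITY_SETTINGS events collapse to a single `event.id` of "1" and the file only exercises the parameter-to-field mapping, never whether distinct activities stay distinguishable downstream. The `NEW_VALUE`/`OLD_VALUE` placeholders are the literal strings "new"/"old" even for `CHANGE_SESSION_LENGTH` and `CHANGE_TWO_STEP_VERIFICATION_START_DATE`, which by their names carry a duration and a date, so a mapping that coerced those into something other than a keyword would pass here unnoticed; giving at least one sample a realistic-looking value (an integer and an ISO timestamp) would make the regression check stronger. The `ipAddress` is a routable public address, which ties the expected output to third-party GeoIP/ASN data; if the enrichment is deliberately under test that is fine, otherwise a documentation range such as 192.0.2.0/24 keeps the fixture self-contained.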
@@ -0,0 +1,1222 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ALLOW_STRONG_AUTHENTICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + 
"client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 461, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": 
"North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1348, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + 
"client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.application.id": "id", + "gsuite.admin.oauth2.application.name": "appname", + "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State 
College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.application.id": "id", + "gsuite.admin.oauth2.application.name": "appname", + "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2424, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": 
"Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "BLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2950, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": 
"US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3383, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + 
"client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4434, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + 
"service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4963, + "organization.id": 
"1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.verification_method": "ONLY_SECURITY_KEY", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": 
"elastic.com", + "input.type": "log", + "log.offset": 5481, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_CAA_ENABLEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6010, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CAA_ERROR_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6385, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + 
"client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + 
"client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7356, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7746, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": 
"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8134, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": 
"foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENFORCE_STRONG_AUTHENTICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8652, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + 
"client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9718, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": 
"US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "ADMIN_CONSOLE", + "gsuite.admin.new_value": "INHERIT", + "gsuite.admin.old_value": "NEVER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10237, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North 
America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_SESSION_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10774, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": 
"Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNBLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "CALENDAR", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log new file mode 100644 index 00000000000..ff07d024c4c --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log 
@@ -0,0 +1,5 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
new file mode 100644
index 00000000000..565e28c91a2
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
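Review bot: The ADD_WEB_ADDRESS, DELETE_WEB_ADDRESS and CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES fixtures all carry SITE_LOCATION and WEB_ADDRESS parameters, yet the first record of the expected output that follows (ADD_WEB_ADDRESS) maps only NEW_VALUE, OLD_VALUE, ORG_UNIT_NAME and SETTING_NAME into `gsuite.admin.*`, so the address being added or removed survives only inside `event.original`. For a site-settings audit event the URL is the value a responder would pivot on, so either the pipeline (not visible here) should map WEB_ADDRESS and SITE_LOCATION to dedicated fields, or the omission should be stated explicitly, for example a line in the fileset docs such as `SITE_LOCATION and WEB_ADDRESS are not mapped; the raw values remain in event.original`. The expected-output section is cut off after its first record, so I can only confirm the gap for ADD_WEB_ADDRESS.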
@@ -0,0 +1,258 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + 
], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": 
"admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 594, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_SITES_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + 
"gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1191, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.service.name": "service", + "gsuite.event.type": 
"SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1723, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VIEW_SITE_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.url.name": "site", + "gsuite.event.type": "SITES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + 
"related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log deleted file mode 100644 index 4d6544e7ca6..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log +++ /dev/null 
@@ -1,112 +0,0 @@
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} -{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}} 
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}} - diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json deleted file mode 100644 index 267734ff46e..00000000000 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-test.json.log-expected.json +++ /dev/null 
@@ -1,5085 +0,0 @@ -[ - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_APPLICATION_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.edition": "basic", - "gsuite.admin.application.name": "drive", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - 
"gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 0, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CREATE_APPLICATION_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "group.domain": "example.com", - 
"group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.edition": "basic", - "gsuite.admin.application.name": "drive", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 641, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DELETE_APPLICATION_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.application.edition": "basic", - "gsuite.admin.application.name": "drive", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1247, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - 
"client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "drive", - "gsuite.admin.group.priorities": [ - "a", - "b" - ], - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 1853, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - 
"client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "GPLUS_PREMIUM_FEATURES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2346, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CREATE_MANAGED_CONFIGURATION", - "event.category": [ - "iam" - ], - 
"event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.app.package_id": "1234", - "gsuite.admin.managed_configuration": "a", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 2770, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DELETE_MANAGED_CONFIGURATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.app.package_id": "1234", - "gsuite.admin.managed_configuration": "a", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3218, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UPDATE_MANAGED_CONFIGURATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.app.package_id": "1234", - "gsuite.admin.managed_configuration": "a", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 3666, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.non_featured_services_selection": "FLASHLIGHT_EDU_SELECTION_MANUAL", - "gsuite.event.type": "APPLICATION_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4114, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CREATE_BUILDING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4581, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DELETE_BUILDING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 4995, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UPDATE_BUILDING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.field": "field", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.resource.id": "1234", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5409, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CREATE_CALENDAR_RESOURCE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": 
"1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 5942, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DELETE_CALENDAR_RESOURCE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6365, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 6788, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7219, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.field": "field", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.resource.id": "1234", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 7650, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "RENAME_CALENDAR_RESOURCE", - "event.category": [ - "iam" - ], - "event.dataset": 
"gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8200, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UPDATE_CALENDAR_RESOURCE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.field": "field", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.resource.id": "1234", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 8658, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_CALENDAR_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9200, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - 
"client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CANCEL_CALENDAR_EVENTS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 9789, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "RELEASE_CALENDAR_RESOURCES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "CALENDAR_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10179, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "MEET_INTEROP_CREATE_GATEWAY", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.gateway.name": "gateway", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10573, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "MEET_INTEROP_DELETE_GATEWAY", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.gateway.name": "gateway", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 10957, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "MEET_INTEROP_MODIFY_GATEWAY", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.gateway.name": "gateway", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11341, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_CHAT_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHAT_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 11725, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - 
"client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.app.id": "2345", - "gsuite.admin.chrome_os.session_type": "type", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12306, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State 
College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_DEVICE_STATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.device.type": "type", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "prev", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 12954, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State 
College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.app.id": "2345", - "gsuite.admin.chrome_os.session_type": "type", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - 
"log.offset": 13468, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "2345", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14108, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - 
"forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "2345", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14539, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - 
"client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 14940, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - 
"client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15442, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - 
"client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 15947, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State 
College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "INSERT_CHROME_OS_PRINT_SERVER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.print_server.name": "server", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16457, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": 
"Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DELETE_CHROME_OS_PRINT_SERVER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.print_server.name": "server", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 16852, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", - 
"event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.print_server.name": "server", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17247, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "INSERT_CHROME_OS_PRINTER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - 
"event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.printer.name": "printer", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 17712, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DELETE_CHROME_OS_PRINTER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.printer.name": "printer", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18098, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UPDATE_CHROME_OS_PRINTER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.printer.name": "printer", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18484, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_CHROME_OS_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 18940, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_CHROME_OS_USER_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19441, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "ISSUE_DEVICE_COMMAND", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.command_details": [ - "command", - "-a" - ], - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 19941, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.device.type": "type", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "prev", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20430, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - 
"event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.app.id": "1234", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 20963, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UPDATE_DEVICE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.device.serial_number": "1234", - "gsuite.admin.device.type": "type", - "gsuite.event.type": "CHROME_OS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21353, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_CONTACTS_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "CONTACTS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 21771, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "ASSIGN_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22309, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CREATE_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": 
"gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.role.id": "1234", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 22792, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DELETE_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.role.id": "1234", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23221, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "ADD_PRIVILEGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.privilege.name": "privilege", - "gsuite.admin.role.id": "1234", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 23650, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "REMOVE_PRIVILEGE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.privilege.name": "privilege", - "gsuite.admin.role.id": "1234", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 24127, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "RENAME_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 24607, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UPDATE_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.role.id": "1234", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 25037, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UNASSIGN_ROLE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 25466, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "TRANSFER_DOCUMENT_OWNERSHIP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "DOCS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 25951, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DRIVE_DATA_RESTORE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.duration": 10800000000000, - "event.end": "2002-10-02T15:00:00Z", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.start": "2002-10-02T12:00:00Z", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "DOCS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26422, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_DOCS_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "DOCS_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 26918, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - 
"client.user.id": "1", - "client.user.name": "foo", - "event.action": "ADD_WEB_ADDRESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "SITES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 27499, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ], - "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": 
"US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DELETE_WEB_ADDRESS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "SITES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 28093, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ], - "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - 
"client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_SITES_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "SITES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 28690, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable 
Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.service.name": "service", - "gsuite.event.type": "SITES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29222, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ], - "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - 
"client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "VIEW_SITE_DETAILS", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.url.name": "site", - "gsuite.event.type": "SITES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 29732, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - 
"client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30101, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": 
"foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 30564, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - 
"event.action": "USER_LICENSE_ASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.product.name": "product", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 31031, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", - "event.category": [ - 
"iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.product.name": "product", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 31499, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "USER_LICENSE_REASSIGNMENT", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.product.name": "product", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 31955, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "ORG_LICENSE_REVOKE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", 
- "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 32460, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "USER_LICENSE_REVOKE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.old_value": "old", - "gsuite.admin.product.name": "product", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 32913, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UPDATE_DYNAMIC_LICENSE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.name": "product", - "gsuite.event.type": "LICENSES_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 33377, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CREATE_GROUP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "creation" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 33869, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DELETE_GROUP", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "creation" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 34248, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_GROUP_DESCRIPTION", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 34627, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "GROUP_LIST_DOWNLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", - "event.provider": "admin", - "event.type": [ - "group", - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 35018, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "ADD_GROUP_MEMBER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 35338, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "REMOVE_GROUP_MEMBER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 35770, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UPDATE_GROUP_MEMBER", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 36205, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", - "event.category": [ - "iam" - ], - 
"event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 36710, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - 
"client.user.name": "foo", - "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 37233, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - 
"client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "GROUP_MEMBER_BULK_UPLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", - "event.outcome": "success", - "event.provider": "admin", - "event.type": [ - "group", - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.group.bulk_upload.failed": 0, - "gsuite.admin.group.bulk_upload.total": 10, - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 37775, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - 
"client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "GROUP_MEMBERS_DOWNLOAD", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", - "event.provider": "admin", - "event.type": [ - "group", - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 38239, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_GROUP_NAME", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 38562, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_GROUP_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 38981, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "WHITELISTED_GROUPS_UPDATED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - 
"event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", - "event.provider": "admin", - "event.type": [ - "group", - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.group.allowed_list": [ - "a", - "b", - "c" - ], - "gsuite.event.type": "GROUP_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 39480, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DROP_FROM_QUARANTINE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.quarantine_name": "quarantine", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 39868, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "EMAIL_LOG_SEARCH", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", - "event.provider": "admin", - "event.type": [ - "info" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.end_date": "2002-10-02T12:00:00Z", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.log_search_filter.recipient.ip": "1.1.1.1", - "gsuite.admin.email.log_search_filter.recipient.value": "recipient", - "gsuite.admin.email.log_search_filter.sender.ip": "1.1.1.1", - "gsuite.admin.email.log_search_filter.sender.value": "sender", - "gsuite.admin.email.log_search_filter.start_date": "2002-10-02T10:00:00Z", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 40300, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - 
"client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "EMAIL_UNDELETE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.duration": 7200000000000, - "event.end": "2002-10-02T12:00:00Z", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", - "event.provider": "admin", - "event.start": "2002-10-02T10:00:00Z", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.user.email": "user@example.com", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 41053, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo", - "user" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": 
"North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_EMAIL_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "group.domain": "example.com", - "group.name": "group", - "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", - "gsuite.admin.group.email": "group@example.com", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.name": "setting", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 41536, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - 
}, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHANGE_GMAIL_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.description": "setting description", - "gsuite.admin.setting.name": "setting", - "gsuite.admin.user_defined_setting.name": "setting name", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 42119, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" 
- ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CREATE_GMAIL_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.description": "setting description", - "gsuite.admin.setting.name": "setting", - "gsuite.admin.user_defined_setting.name": "setting name", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 42657, - "organization.id": "1", - 
"related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "DELETE_GMAIL_SETTING", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.setting.description": "setting description", - "gsuite.admin.setting.name": "setting", - "gsuite.admin.user_defined_setting.name": "setting name", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - 
"input.type": "log", - "log.offset": 43195, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "REJECT_FROM_QUARANTINE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.quarantine_name": "quarantine", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 43733, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - 
], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "RELEASE_FROM_QUARANTINE", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.email.log_search_filter.message_id": "id", - "gsuite.admin.email.quarantine_name": "quarantine", - "gsuite.event.type": "EMAIL_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 44167, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 
7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHROME_LICENSES_ENABLED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.chrome_licenses.enabled": "DISABLED", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 44602, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", 
- "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.new_value": "new", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 45074, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable 
Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", - "event.provider": "admin", - "event.type": [ - "deletion" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 45584, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", 
- "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.application.name": "app", - "gsuite.admin.new_value": "new", - "gsuite.admin.old_value": "old", - "gsuite.admin.org_unit.name": "org", - "gsuite.admin.product.sku": "sku", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 46059, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - 
"client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - "client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", - "event.provider": "admin", - "event.type": [ - "creation" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.full": "full/org/path", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 46604, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-10-02T15:00:00.000Z", - "client.as.number": 7922, - "client.as.organization.name": "Comcast Cable Communications, LLC", - "client.geo.city_name": "State College", - "client.geo.continent_name": "North America", - "client.geo.country_iso_code": "US", - "client.geo.location.lat": 40.7957, - 
"client.geo.location.lon": -77.8618, - "client.geo.region_iso_code": "US-PA", - "client.geo.region_name": "Pennsylvania", - "client.ip": "98.235.162.24", - "client.user.domain": "bar.com", - "client.user.email": "foo@bar.com", - "client.user.id": "1", - "client.user.name": "foo", - "event.action": "ASSIGN_CUSTOM_LOGO", - "event.category": [ - "iam" - ], - "event.dataset": "gsuite.admin", - "event.id": "1", - "event.module": "gsuite", - "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", - "event.provider": "admin", - "event.type": [ - "change" - ], - "fileset.name": "admin", - "gsuite.actor.type": "USER", - "gsuite.admin.org_unit.name": "org", - "gsuite.event.type": "ORG_SETTINGS", - "gsuite.kind": "admin#reports#activity", - "gsuite.organization.domain": "elastic.com", - "input.type": "log", - "log.offset": 47002, - "organization.id": "1", - "related.ip": [ - "98.235.162.24" - ], - "related.user": [ - "foo" - ], - "service.type": "gsuite", - "tags": [ - "forwarded" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index 7e2ae5b2139..dbfcfdecb9b 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go @@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "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" + return "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" } 
From 27ca2f2762010225d031c764443e65a690202746 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Fri, 10 Jul 2020 11:49:10 +0200 Subject: [PATCH 14/18] Add domain settings --- filebeat/docs/fields.asciidoc | 422 +- .../module/gsuite/admin/_meta/fields.yml | 45 +- .../module/gsuite/admin/config/pipeline.js | 143 +- ...in-application-test.json.log-expected.json | 2 +- ...admin-calendar-test.json.log-expected.json | 22 +- ...ite-admin-chat-test.json.log-expected.json | 2 +- ...admin-chromeos-test.json.log-expected.json | 4 +- ...admin-contacts-test.json.log-expected.json | 2 +- ...ite-admin-docs-test.json.log-expected.json | 4 +- .../test/gsuite-admin-domain-test.json.log | 85 + ...e-admin-domain-test.json.log-expected.json | 4183 +++++++++++++++++ ...te-admin-gmail-test.json.log-expected.json | 2 +- ...uite-admin-org-test.json.log-expected.json | 2 +- ...admin-security-test.json.log-expected.json | 6 +- ...te-admin-sites-test.json.log-expected.json | 2 +- x-pack/filebeat/module/gsuite/fields.go | 2 +- 16 files changed, 4846 insertions(+), 82 deletions(-) create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 70a5cac62ee..56b58012e5d 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -21635,58 +21635,7 @@ type: keyword -- -<<<<<<< HEAD *`cisco.rsa.time.timestamp`*:: -======= -*`gsuite.admin.role.id`*:: -+ --- -Unique identifier for this role privilege. - -type: keyword - --- - -*`gsuite.admin.role.name`*:: -+ --- -The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings - - -type: keyword - --- - -*`gsuite.admin.privilege.name`*:: -+ --- -Privilege name. - -type: keyword - --- - -*`gsuite.admin.service.name`*:: -+ --- -The service name. - -type: keyword - --- - -*`gsuite.admin.url.name`*:: -+ --- -The website name. - -type: keyword - --- - - -*`gsuite.login.affected_email_address`*:: ->>>>>>> 78c75950b... Add delegated admin settings + -- type: keyword @@ -61533,6 +61482,33 @@ type: keyword -- +*`gsuite.admin.application.enabled`*:: ++ +-- +The enabled application. + +type: keyword + +-- + +*`gsuite.admin.application.licences_order_number`*:: ++ +-- +Order number used to redeem licenses. + +type: keyword + +-- + +*`gsuite.admin.application.licences_purchased`*:: ++ +-- +Number of licences purchased. + +type: keyword + +-- + *`gsuite.admin.group.email`*:: + -- @@ -61569,7 +61545,34 @@ type: keyword -- -*`gsuite.admin.setting`*:: +*`gsuite.admin.org_unit.full`*:: ++ +-- +The org unit full path including the root org unit name. + +type: keyword + +-- + +*`gsuite.admin.setting.name`*:: ++ +-- +The setting name. + +type: keyword + +-- + +*`gsuite.admin.user_defined_setting.name`*:: ++ +-- +The name of the user-defined setting. + +type: keyword + +-- + +*`gsuite.admin.setting.description`*:: + -- The setting name. @@ -61587,7 +61590,16 @@ type: keyword -- -*`gsuite.admin.domain`*:: +*`gsuite.admin.domain.alias`*:: ++ +-- +The domain alias. + +type: keyword + +-- + +*`gsuite.admin.domain.name`*:: + -- The primary domain name. 
@@ -61596,6 +61608,15 @@ type: keyword -- +*`gsuite.admin.domain.secondary_name`*:: ++ +-- +The secondary domain name. + +type: keyword + +-- + *`gsuite.admin.managed_configuration`*:: + -- 
@@ -61719,6 +61740,301 @@ type: keyword -- Command details. +type: keyword + +-- + +*`gsuite.admin.role.id`*:: ++ +-- +Unique identifier for this role privilege. + +type: keyword + +-- + +*`gsuite.admin.role.name`*:: ++ +-- +The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings + + +type: keyword + +-- + +*`gsuite.admin.privilege.name`*:: ++ +-- +Privilege name. + +type: keyword + +-- + +*`gsuite.admin.service.name`*:: ++ +-- +The service name. + +type: keyword + +-- + +*`gsuite.admin.url.name`*:: ++ +-- +The website name. + +type: keyword + +-- + +*`gsuite.admin.product.name`*:: ++ +-- +The product name. + +type: keyword + +-- + +*`gsuite.admin.product.sku`*:: ++ +-- +The product SKU. + +type: keyword + +-- + +*`gsuite.admin.group.bulk_upload.failed`*:: ++ +-- +Number of failed records in bulk upload operation. + +type: long + +-- + +*`gsuite.admin.group.bulk_upload.total`*:: ++ +-- +Number of total records in bulk upload operation. + +type: long + +-- + +*`gsuite.admin.group.allowed_list`*:: ++ +-- +Names of allow-listed groups. + +type: keyword + +-- + +*`gsuite.admin.email.quarantine_name`*:: ++ +-- +The name of the quarantine. + +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.message_id`*:: ++ +-- +The log search filter's email message ID. + +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.start_date`*:: ++ +-- +The log search filter's start date. + +type: date + +-- + +*`gsuite.admin.email.log_search_filter.end_date`*:: ++ +-- +The log search filter's ending date. + +type: date + +-- + +*`gsuite.admin.email.log_search_filter.recipient.value`*:: ++ +-- +The log search filter's email recipient. + +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.sender.value`*:: ++ +-- +The log search filter's email sender. 
+ +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.recipient.ip`*:: ++ +-- +The log search filter's email recipient's IP address. + +type: ip + +-- + +*`gsuite.admin.email.log_search_filter.sender.ip`*:: ++ +-- +The log search filter's email sender's IP address. + +type: ip + +-- + +*`gsuite.admin.chrome_licenses.enabled`*:: ++ +-- +Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + + +type: keyword + +-- + +*`gsuite.admin.chrome_licenses.allowed`*:: ++ +-- +Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + + +type: keyword + +-- + +*`gsuite.admin.oauth2.service.name`*:: ++ +-- +OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + + +type: keyword + +-- + +*`gsuite.admin.oauth2.application.id`*:: ++ +-- +OAuth2 application ID. + +type: keyword + +-- + +*`gsuite.admin.oauth2.application.name`*:: ++ +-- +OAuth2 application name. + +type: keyword + +-- + +*`gsuite.admin.oauth2.application.type`*:: ++ +-- +OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + + +type: keyword + +-- + +*`gsuite.admin.verification_method`*:: ++ +-- +Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + + +type: keyword + +-- + +*`gsuite.admin.alert.name`*:: ++ +-- +The alert name. + +type: keyword + +-- + +*`gsuite.admin.rule.name`*:: ++ +-- +The rule name. + +type: keyword + +-- + +*`gsuite.admin.api.client.name`*:: ++ +-- +The API client name. 
+ +type: keyword + +-- + +*`gsuite.admin.api.scopes`*:: ++ +-- +The API scopes. + +type: keyword + +-- + +*`gsuite.admin.mdm.token`*:: ++ +-- +The MDM vendor enrollment token. + +type: keyword + +-- + +*`gsuite.admin.mdm.vendor`*:: ++ +-- +The MDM vendor's name. + +type: keyword + +-- + +*`gsuite.admin.info_type`*:: ++ +-- +This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + + type: keyword -- diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml index 591839709c1..825ce87bf07 100644 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml @@ -7,6 +7,15 @@ - name: application.name type: keyword description: The application's name. + - name: application.enabled + type: keyword + description: The enabled application. + - name: application.licences_order_number + type: keyword + description: Order number used to redeem licenses. + - name: application.licences_purchased + type: keyword + description: Number of licences purchased. - name: group.email type: keyword description: The group's primary email address. @@ -34,9 +43,15 @@ - name: group.priorities type: keyword description: Group priorities. - - name: domain + - name: domain.alias + type: keyword + description: The domain alias. + - name: domain.name type: keyword description: The primary domain name. + - name: domain.secondary_name + type: keyword + description: The secondary domain name. - name: managed_configuration type: keyword description: The name of the managed configuration. 
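Review bot: `application.licences_purchased` is declared `type: keyword` in the first hunk, but the pipeline.js hunk in this same patch renames `CHROME_NUM_LICENSES_PURCHASED` with `type: "long"` and the sample event carries it as `intValue`, so the field mapping and the processor disagree; the sibling counters `group.bulk_upload.failed` / `group.bulk_upload.total` are already `type: long`. Declare it `type: long` so range queries and aggregations over purchased licences behave as numbers rather than strings. The adjacent descriptions also mix the spellings `licenses` ("Order number used to redeem licenses.") and `licences` ("Number of licences purchased.") and the field name itself uses `licences`; pick one spelling for the fieldset.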
@@ -166,5 +181,29 @@ - name: verification_method type: keyword description: > - 2-step verification method. - For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + Related verification method. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and + https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: alert.name + type: keyword + description: The alert name. + - name: rule.name + type: keyword + description: The rule name. + - name: api.client.name + type: keyword + description: The API client name. + - name: api.scopes + type: keyword + description: The API scopes. + - name: mdm.token + type: keyword + description: The MDM vendor enrollment token. + - name: mdm.vendor + type: keyword + description: The MDM vendor's name. + - name: info_type + type: keyword + description: > + This will be used to state what kind of information was changed. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js index 3d6115454be..62d7e77f5b9 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js 
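Review bot: `mdm.token` is described as "The MDM vendor enrollment token", but the pipeline hunk maps it from `PLAY_FOR_WORK_TOKEN_ID`, so the indexed value is presumably an identifier for the token rather than the enrollment secret itself; say so, e.g. `description: The MDM vendor enrollment token ID.`, so consumers of the index neither treat the value as credential material nor assume it can be used to enrol a device — or confirm against the Reports API reference which of the two it is. `verification_method` now receives both `ALLOWED_TWO_STEP_VERIFICATION_METHOD` and `DOMAIN_VERIFICATION_METHOD`, which are different things (a user's 2-step method versus how domain ownership was proven), and the new text "Related verification method." no longer tells a rule author which one a given event holds; a description along the lines of "Verification method: the 2-step method for security-settings events, the domain-ownership method for domain-settings events" would keep that distinction without splitting the field.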
@@ -94,6 +94,73 @@ var login = (function () {
 case "SESSION_CONTROL_SETTINGS_CHANGE":
 case "CHANGE_SESSION_LENGTH":
 case "UNBLOCK_ON_DEVICE_ACCESS":
+ case "CHANGE_ACCOUNT_AUTO_RENEWAL":
+ case "ADD_APPLICATION":
+ case "ADD_APPLICATION_TO_WHITELIST":
+ case "CHANGE_ADVERTISEMENT_OPTION":
+ case "CHANGE_ALERT_CRITERIA":
+ case "ALERT_RECEIVERS_CHANGED":
+ case "RENAME_ALERT":
+ case "ALERT_STATUS_CHANGED":
+ case "ADD_DOMAIN_ALIAS":
+ case "REMOVE_DOMAIN_ALIAS":
+ case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS":
+ case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET":
+ case "ENABLE_API_ACCESS":
+ case "AUTHORIZE_API_CLIENT_ACCESS":
+ case "REMOVE_API_CLIENT_ACCESS":
+ case "CHROME_LICENSES_REDEEMED":
+ case "TOGGLE_AUTO_ADD_NEW_SERVICE":
+ case "CHANGE_PRIMARY_DOMAIN":
+ case "CHANGE_WHITELIST_SETTING":
+ case "COMMUNICATION_PREFERENCES_SETTING_CHANGE":
+ case "CHANGE_CONFLICT_ACCOUNT_ACTION":
+ case "ENABLE_FEEDBACK_SOLICITATION":
+ case "TOGGLE_CONTACT_SHARING":
+ case "TOGGLE_USE_CUSTOM_LOGO":
+ case "CHANGE_CUSTOM_LOGO":
+ case "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA":
+ case "CHANGE_DATA_LOCALIZATION_SETTING":
+ case "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO":
+ case "CHANGE_DOMAIN_DEFAULT_LOCALE":
+ case "CHANGE_DOMAIN_DEFAULT_TIMEZONE":
+ case "CHANGE_DOMAIN_NAME":
+ case "TOGGLE_ENABLE_PRE_RELEASE_FEATURES":
+ case "CHANGE_DOMAIN_SUPPORT_MESSAGE":
+ case "ADD_TRUSTED_DOMAINS":
+ case "REMOVE_TRUSTED_DOMAINS":
+ case "CHANGE_EDU_TYPE":
+ case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY":
+ case "TOGGLE_SSO_ENABLED":
+ case "TOGGLE_SSL":
+ case "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO":
+ case "CHANGE_LOGIN_BACKGROUND_COLOR":
+ case "CHANGE_LOGIN_BORDER_COLOR":
+ case "CHANGE_LOGIN_ACTIVITY_TRACE":
+ case "PLAY_FOR_WORK_ENROLL":
+ case "PLAY_FOR_WORK_UNENROLL":
+ case "TOGGLE_NEW_APP_FEATURES":
+ case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL":
+ case "TOGGLE_OPEN_ID_ENABLED":
+ case "CHANGE_ORGANIZATION_NAME":
+ case "TOGGLE_OUTBOUND_RELAY":
+ case "CHANGE_PASSWORD_MAX_LENGTH":
+ case "CHANGE_PASSWORD_MIN_LENGTH":
+ case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL":
+ case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS":
+ case "REMOVE_APPLICATION":
+ case "REMOVE_APPLICATION_FROM_WHITELIST":
+ case "CHANGE_RENEW_DOMAIN_REGISTRATION":
+ case "CHANGE_RESELLER_ACCESS":
+ case "RULE_ACTIONS_CHANGED":
+ case "CHANGE_RULE_CRITERIA":
+ case "RENAME_RULE":
+ case "RULE_STATUS_CHANGED":
+ case "ADD_SECONDARY_DOMAIN":
+ case "REMOVE_SECONDARY_DOMAIN":
+ case "UPDATE_DOMAIN_SECONDARY_EMAIL":
+ case "CHANGE_SSO_SETTINGS":
+ case "UPDATE_RULE":
 evt.Put("event.type", ["change"]);
 break;
 case "CREATE_APPLICATION_SETTING":
@@ -112,6 +179,12 @@ var login = (function () {
 case "CREATE_DEVICE_ENROLLMENT_TOKEN":
 case "CREATE_ENROLLMENT_TOKEN":
 case "CREATE_ORG_UNIT":
+ case "CREATE_ALERT":
+ case "CREATE_PLAY_FOR_WORK_TOKEN":
+ case "GENERATE_TRANSFER_TOKEN":
+ case "REGENERATE_OAUTH_CONSUMER_SECRET":
+ case "CREATE_RULE":
+ case "GENERATE_PIN":
 evt.Put("event.type", ["creation"]);
 break;
 case "DELETE_APPLICATION_SETTING":
@@ -128,6 +201,9 @@ var login = (function () {
 case "DELETE_GMAIL_SETTING":
 case "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED":
 case "REMOVE_ORG_UNIT":
+ case "DELETE_ALERT":
+ case "DELETE_PLAY_FOR_WORK_TOKEN":
+ case "DELETE_RULE":
 evt.Put("event.type", ["deletion"]);
 break;
 case "DELETE_GROUP":
@@ -153,6 +229,15 @@ var login = (function () {
 case "DRIVE_DATA_RESTORE":
 case "VIEW_SITE_DETAILS":
 case "EMAIL_LOG_SEARCH":
+ case "SKIP_DOMAIN_ALIAS_MX":
+ case "VERIFY_DOMAIN_ALIAS_MX":
+ case "VERIFY_DOMAIN_ALIAS":
+ case "VIEW_DNS_LOGIN_DETAILS":
+ case "MX_RECORD_VERIFICATION_CLAIM":
+ case "UPLOAD_OAUTH_CERTIFICATE":
+ case "SKIP_SECONDARY_DOMAIN_MX":
+ case "VERIFY_SECONDARY_DOMAIN_MX":
+ case "VERIFY_SECONDARY_DOMAIN":
 evt.Put("event.type", ["info"]);
 break;
 case "GROUP_LIST_DOWNLOAD":
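Review bot: ADD_DOMAIN_ALIAS, ADD_SECONDARY_DOMAIN, ADD_TRUSTED_DOMAINS, ADD_APPLICATION and ADD_APPLICATION_TO_WHITELIST are all placed in the `evt.Put("event.type", ["change"])` branch, and so are their REMOVE_* counterparts (REMOVE_DOMAIN_ALIAS, REMOVE_SECONDARY_DOMAIN, REMOVE_TRUSTED_DOMAINS, REMOVE_APPLICATION, REMOVE_API_CLIENT_ACCESS), while the following hunks of this patch classify CREATE_*/GENERATE_* as `["creation"]` and DELETE_*/REMOVE_ORG_UNIT as `["deletion"]`. A detection that keys on event.type to surface a newly added trusted domain, domain alias or whitelisted application, or a revoked API client, will miss these events unless it also matches `change`. Consider moving the ADD_* cases into the creation branch and the REMOVE_* cases into the deletion branch, or add a comment stating that domain-settings add/remove events are deliberately modelled as setting changes so the asymmetry with REMOVE_ORG_UNIT is not read as an oversight. The enclosing switch starts before the hunk and continues after it.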
@@ -169,6 +254,9 @@ var login = (function () {
 if (param.multiValue) {
 return param.multiValue;
 }
+ if (param.intValue !== null) {
+ return param.intValue;
+ }
 };
 var flattenParams = function(evt) {
@@ -263,6 +351,19 @@ var login = (function () {
 from: "gsuite.admin.APPLICATION_NAME",
 to: "gsuite.admin.application.name",
 },
+ {
+ from: "gsuite.admin.APPLICATION_ENABLED",
+ to: "gsuite.admin.application.enabled",
+ },
+ {
+ from: "gsuite.admin.APP_LICENSES_ORDER_NUMBER",
+ to: "gsuite.admin.application.licences_order_number",
+ },
+ {
+ from: "gsuite.admin.CHROME_NUM_LICENSES_PURCHASED",
+ to: "gsuite.admin.application.licences_purchased",
+ type: "long",
+ },
 {
 from: "gsuite.admin.REAUTH_APPLICATION",
 to: "gsuite.admin.application.name",
@@ -305,7 +406,15 @@ var login = (function () {
 },
 {
 from: "gsuite.admin.DOMAIN_NAME",
- to: "gsuite.admin.domain",
+ to: "gsuite.admin.domain.name",
+ },
+ {
+ from: "gsuite.admin.DOMAIN_ALIAS",
+ to: "gsuite.admin.domain.alias",
+ },
+ {
+ from: "gsuite.admin.SECONDARY_DOMAIN_NAME",
+ to: "gsuite.admin.domain.secondary_name",
 },
 {
 from: "gsuite.admin.MANAGED_CONFIGURATION_NAME",
@@ -507,6 +616,10 @@ var login = (function () {
 from: "gsuite.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD",
 to: "gsuite.admin.verification_method",
 },
+ {
+ from: "gsuite.admin.DOMAIN_VERIFICATION_METHOD",
+ to: "gsuite.admin.verification_method",
+ },
 {
 from: "gsuite.admin.CAA_ASSIGNMENTS_NEW",
 to: "gsuite.admin.new_value",
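Review bot: `if (param.intValue !== null)` is also true when the parameter has no `intValue` at all, because a missing property reads as `undefined`, so the new branch explicitly returns `undefined` for every non-integer parameter; the result is the same as falling off the end of the function, but the strict-null comparison reads as though it guards that case when it does not. `if (param.intValue != null)` (or `!== undefined`) states the intent, and unlike a truthiness test such as the `param.multiValue` check above it still returns a literal `0`, which matters for the licence count this patch routes through here. The Reports API also delivers `boolValue` for some parameters, which this accessor still does not return; a short comment saying whether that is deliberate would help the next person who adds a setting. The enclosing function starts before the hunk.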
@@ -523,6 +636,34 @@ var login = (function () {
 from: "gsuite.admin.REAUTH_SETTING_OLD",
 to: "gsuite.admin.old_value",
 },
+ {
+ from: "gsuite.admin.ALERT_NAME",
+ to: "gsuite.admin.alert.name",
+ },
+ {
+ from: "gsuite.admin.API_CLIENT_NAME",
+ to: "gsuite.admin.api.client.name",
+ },
+ {
+ from: "gsuite.admin.API_SCOPES",
+ to: "gsuite.admin.api.scopes",
+ },
+ {
+ from: "gsuite.admin.PLAY_FOR_WORK_TOKEN_ID",
+ to: "gsuite.admin.mdm.token",
+ },
+ {
+ from: "gsuite.admin.PLAY_FOR_WORK_MDM_VENDOR_NAME",
+ to: "gsuite.admin.mdm.vendor",
+ },
+ {
+ from: "gsuite.admin.INFO_TYPE",
+ to: "gsuite.admin.info_type",
+ },
+ {
+ from: "gsuite.admin.RULE_NAME",
+ to: "gsuite.admin.rule.name",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json
index 69fbb9a48a4..a12f0d34c16 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json
@@ -249,7 +249,7 @@
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
- "gsuite.admin.domain": "example.com",
+ "gsuite.admin.domain.name": "example.com",
 "gsuite.admin.new_value": "new",
 "gsuite.event.type": "APPLICATION_SETTINGS",
 "gsuite.kind": "admin#reports#activity",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
index a30d1436855..52947846853 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
@@ -29,7 +29,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.new_value": "new", "gsuite.event.type": "CALENDAR_SETTINGS", "gsuite.kind": "admin#reports#activity", @@ -78,7 +78,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.old_value": "old", "gsuite.event.type": "CALENDAR_SETTINGS", "gsuite.kind": "admin#reports#activity", @@ -127,7 +127,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.field": "field", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", @@ -179,7 +179,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.new_value": "new", "gsuite.event.type": "CALENDAR_SETTINGS", "gsuite.kind": "admin#reports#activity", @@ -228,7 +228,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.old_value": "old", "gsuite.event.type": "CALENDAR_SETTINGS", "gsuite.kind": "admin#reports#activity", @@ -277,7 +277,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.new_value": "new", "gsuite.event.type": "CALENDAR_SETTINGS", "gsuite.kind": "admin#reports#activity", @@ -326,7 +326,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.old_value": "old", "gsuite.event.type": "CALENDAR_SETTINGS", "gsuite.kind": "admin#reports#activity", 
@@ -375,7 +375,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.field": "field", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", @@ -427,7 +427,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.event.type": "CALENDAR_SETTINGS", @@ -477,7 +477,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.field": "field", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", @@ -531,7 +531,7 @@ "group.domain": "example.com", "group.name": "group", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.group.email": "group@example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json index 5fa7d463921..9a1e9c5e2b5 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json @@ -175,7 +175,7 @@ "group.domain": "example.com", "group.name": "group", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.group.email": "group@example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", 
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json index e1f19914c7e..97e7768ab03 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json @@ -734,7 +734,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.setting.name": "setting", @@ -1037,7 +1037,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json index 42929636dbb..7d4741eb11c 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json @@ -29,7 +29,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json index a14ecdf0aef..1f43ad582c5 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json 
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json @@ -29,7 +29,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.new_value": "new", "gsuite.admin.user.email": "user@example.com", "gsuite.event.type": "DOCS_SETTINGS", @@ -134,7 +134,7 @@ "group.domain": "example.com", "group.name": "group", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.group.email": "group@example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log new file mode 100644 index 00000000000..b452d9e8d94 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log 
@@ -0,0 +1,85 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json
new file mode 100644
index 00000000000..d7700213800
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json
@@ -0,0 +1,4183 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ACCOUNT_AUTO_RENEWAL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "NON_AUTO_RENEWAL", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable 
Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_APPLICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.app.id": "id", + "gsuite.admin.application.enabled": "app enabled", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 437, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": 
"North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_APPLICATION_TO_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.app.id": "id", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 900, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ADVERTISEMENT_OPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1323, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": 
"bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ALERT_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2154, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2535, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ALERT_RECEIVERS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2907, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3360, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ALERT_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4209, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4627, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SKIP_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5048, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VERIFY_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5470, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VERIFY_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.verification_method": "ANALYTICS", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5894, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6373, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6803, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENABLE_API_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "true", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7235, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "AUTHORIZE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.api.client.name": "api client", + "gsuite.admin.api.scopes": [ + "a", + "b" + ], + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7687, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.api.client.name": "api client", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8169, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_LICENSES_REDEEMED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.licences_order_number": "abcd123", + "gsuite.admin.application.licences_purchased": 1, + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8603, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9100, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_PRIMARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9526, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_WHITELIST_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9946, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10401, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENABLE_FEEDBACK_SOLICITATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11381, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_CONTACT_SHARING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11843, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12264, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_USE_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13078, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13458, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13919, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.info_type": "ADDRESS", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14377, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14846, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VIEW_DNS_LOGIN_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15239, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15623, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DOMAIN_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16545, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17852, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_EDU_TYPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18617, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19064, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_SSO_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19493, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_SSL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.info_type": "ADDRESS", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20315, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GENERATE_TRANSFER_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21103, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_LOGIN_BORDER_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21564, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22021, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "PLAY_FOR_WORK_ENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.admin.mdm.vendor": "vendor", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22480, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "PLAY_FOR_WORK_UNENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.vendor": "vendor", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22925, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MX_RECORD_VERIFICATION_CLAIM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23322, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_NEW_APP_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23761, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24181, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPLOAD_OAUTH_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24611, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24997, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_OPEN_ID_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ORGANIZATION_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25810, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_OUTBOUND_RELAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26266, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_PASSWORD_MAX_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26758, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_PASSWORD_MIN_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27216, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27674, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28139, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_APPLICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.app.id": "appid", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28610, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.app.id": "appid", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29026, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_RESELLER_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29921, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RULE_ACTIONS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30330, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30703, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_RULE_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31067, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31804, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RULE_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32202, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32644, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33082, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SKIP_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VERIFY_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33965, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VERIFY_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34409, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34850, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_SSO_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35311, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GENERATE_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35692, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 36006, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json index abf97b1d1f5..c62f1599a2e 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json @@ -186,7 +186,7 @@ "group.domain": "example.com", "group.name": "group", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.group.email": "group@example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json index 5e163522b2f..79e059bc22b 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json 
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json @@ -814,7 +814,7 @@ "group.domain": "example.com", "group.name": "group", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.group.email": "group@example.com", "gsuite.admin.new_value": "new", "gsuite.admin.org_unit.name": "org", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json index 07ce877287d..02062dcdb65 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json @@ -29,7 +29,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.event.type": "SECURITY_SETTINGS", @@ -177,7 +177,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", @@ -944,7 +944,7 @@ "group.domain": "example.com", "group.name": "group", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.group.email": "group@example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json index 565e28c91a2..27a6d09ff66 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json 
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json @@ -135,7 +135,7 @@ ], "fileset.name": "admin", "gsuite.actor.type": "USER", - "gsuite.admin.domain": "example.com", + "gsuite.admin.domain.name": "example.com", "gsuite.admin.new_value": "new", "gsuite.admin.old_value": "old", "gsuite.admin.org_unit.name": "org", diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index dbfcfdecb9b..ccd425d24ff 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go @@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "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" + return "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" } From 4ea2b389bbef6f02060d2b21ec86025b13f4c4e5 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 13 Jul 2020 10:42:22 +0200 Subject: [PATCH 15/18] Add user settings --- filebeat/docs/fields.asciidoc | 145 +- .../module/gsuite/admin/_meta/fields.yml | 54 +- .../module/gsuite/admin/config/pipeline.js | 164 +- ...in-application-test.json.log-expected.json | 6 +- ...admin-chromeos-test.json.log-expected.json | 6 +- ...e-admin-domain-test.json.log-expected.json | 8 +- ...e-admin-groups-test.json.log-expected.json | 5 +- .../test/gsuite-admin-user-test.json.log | 74 + ...ite-admin-user-test.json.log-expected.json | 3766 +++++++++++++++++ x-pack/filebeat/module/gsuite/fields.go | 2 +- 10 files changed, 4189 insertions(+), 41 deletions(-) create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 56b58012e5d..74068927bef 100644 --- a/filebeat/docs/fields.asciidoc 
+++ b/filebeat/docs/fields.asciidoc @@ -61509,6 +61509,33 @@ type: keyword -- +*`gsuite.admin.application.id`*:: ++ +-- +The application ID. + +type: keyword + +-- + +*`gsuite.admin.application.asp_id`*:: ++ +-- +The application specific password ID. + +type: keyword + +-- + +*`gsuite.admin.application.package_id`*:: ++ +-- +The mobile application package ID. + +type: keyword + +-- + *`gsuite.admin.group.email`*:: + -- @@ -61626,15 +61653,6 @@ type: keyword -- -*`gsuite.admin.app.package_id`*:: -+ --- -The mobile application package ID. - -type: keyword - --- - *`gsuite.admin.non_featured_services_selection`*:: + -- @@ -61672,19 +61690,28 @@ type: keyword -- -*`gsuite.admin.gateway.name`*:: +*`gsuite.admin.user.nickname`*:: + -- -Gateway name. Present on some chat settings. +The user's nickname. type: keyword -- -*`gsuite.admin.app.id`*:: +*`gsuite.admin.user.birthdate`*:: + -- -The application ID. +The user's birth date. + +type: date + +-- + +*`gsuite.admin.gateway.name`*:: ++ +-- +Gateway name. Present on some chat settings. type: keyword @@ -61708,6 +61735,13 @@ type: keyword -- +*`gsuite.admin.device.id`*:: ++ +-- +type: keyword + +-- + *`gsuite.admin.device.type`*:: + -- @@ -61808,7 +61842,7 @@ type: keyword -- -*`gsuite.admin.group.bulk_upload.failed`*:: +*`gsuite.admin.bulk_upload.failed`*:: + -- Number of failed records in bulk upload operation. @@ -61817,7 +61851,7 @@ type: long -- -*`gsuite.admin.group.bulk_upload.total`*:: +*`gsuite.admin.bulk_upload.total`*:: + -- Number of total records in bulk upload operation. 
@@ -62035,6 +62069,87 @@ type: keyword This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings +type: keyword + +-- + +*`gsuite.admin.email_monitor.dest_email`*:: ++ +-- +The destination address of the email monitor. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.chat`*:: ++ +-- +The chat email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.draft`*:: ++ +-- +The draft email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.incoming`*:: ++ +-- +The incoming email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.outgoing`*:: ++ +-- +The outgoing email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_dump.include_deleted`*:: ++ +-- +Indicates if deleted emails are included in the export. + +type: boolean + +-- + +*`gsuite.admin.email_dump.package_content`*:: ++ +-- +The contents of the mailbox package. + +type: keyword + +-- + +*`gsuite.admin.email_dump.query`*:: ++ +-- +The search query used for the dump. + +type: keyword + +-- + +*`gsuite.admin.request.id`*:: ++ +-- +The request ID. + type: keyword -- diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml index 825ce87bf07..f4243e590e1 100644 --- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml +++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml 
@@ -207,3 +218,30 @@ description: > This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: email_monitor.dest_email + type: keyword + description: The destination address of the email monitor. + - name: email_monitor.level.chat + type: keyword + description: The chat email monitor level. + - name: email_monitor.level.draft + type: keyword + description: The draft email monitor level. + - name: email_monitor.level.incoming + type: keyword + description: The incoming email monitor level. + - name: email_monitor.level.outgoing + type: keyword + description: The outgoing email monitor level. + - name: email_dump.include_deleted + type: boolean + description: Indicates if deleted emails are included in the export. + - name: email_dump.package_content + type: keyword + description: The contents of the mailbox package. + - name: email_dump.query + type: keyword + description: The search query used for the dump. + - name: request.id + type: keyword + description: The request ID. diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js index 62d7e77f5b9..0e582367e00 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js 
@@ -225,6 +225,75 @@ var login = (function () { case "WHITELISTED_GROUPS_UPDATED": evt.Put("event.type", ["group", "change"]); break; + case "REVOKE_3LO_DEVICE_TOKENS": + case "REVOKE_3LO_TOKEN": + case "ADD_RECOVERY_EMAIL": + case "ADD_RECOVERY_PHONE": + case "GRANT_ADMIN_PRIVILEGE": + case "REVOKE_ADMIN_PRIVILEGE": + case "REVOKE_ASP": + case "TOGGLE_AUTOMATIC_CONTACT_SHARING": + case "CANCEL_USER_INVITE": + case "CHANGE_USER_CUSTOM_FIELD": + case "CHANGE_USER_EXTERNAL_ID": + case "CHANGE_USER_GENDER": + case "CHANGE_USER_IM": + case "ENABLE_USER_IP_WHITELIST": + case "CHANGE_USER_KEYWORD": + case "CHANGE_USER_LANGUAGE": + case "CHANGE_USER_LOCATION": + case "CHANGE_USER_ORGANIZATION": + case "CHANGE_USER_PHONE_NUMBER": + case "CHANGE_RECOVERY_EMAIL": + case "CHANGE_RECOVERY_PHONE": + case "CHANGE_USER_RELATION": + case "CHANGE_USER_ADDRESS": + case "GRANT_DELEGATED_ADMIN_PRIVILEGES": + case "CHANGE_FIRST_NAME": + case "GMAIL_RESET_USER": + case "CHANGE_LAST_NAME": + case "MAIL_ROUTING_DESTINATION_ADDED": + case "MAIL_ROUTING_DESTINATION_REMOVED": + case "ADD_NICKNAME": + case "REMOVE_NICKNAME": + case "CHANGE_PASSWORD": + case "CHANGE_PASSWORD_ON_NEXT_LOGIN": + case "REMOVE_RECOVERY_EMAIL": + case "REMOVE_RECOVERY_PHONE": + case "RESET_SIGNIN_COOKIES": + case "SECURITY_KEY_REGISTERED_FOR_USER": + case "REVOKE_SECURITY_KEY": + case "TURN_OFF_2_STEP_VERIFICATION": + case "UNBLOCK_USER_SESSION": + case "UNENROLL_USER_FROM_TITANIUM": + case "ARCHIVE_USER": + case "UPDATE_BIRTHDATE": + case "DOWNGRADE_USER_FROM_GPLUS": + case "USER_ENROLLED_IN_TWO_STEP_VERIFICATION": + case "MOVE_USER_TO_ORG_UNIT": + case "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD": + case "RENAME_USER": + case "UNENROLL_USER_FROM_STRONG_AUTH": + case "SUSPEND_USER": + case "UNARCHIVE_USER": + case "UNSUSPEND_USER": + case "UPGRADE_USER_TO_GPLUS": + evt.Put("event.type", ["user", "change"]); + break; + case "DELETE_2SV_SCRATCH_CODES": + case "DELETE_ACCOUNT_INFO_DUMP": + case 
"DELETE_EMAIL_MONITOR": + case "DELETE_MAILBOX_DUMP": + case "DELETE_USER": + evt.Put("event.type", ["user", "deletion"]); + break; + case "GENERATE_2SV_SCRATCH_CODES": + case "CREATE_EMAIL_MONITOR": + case "CREATE_DATA_TRANSFER_REQUEST": + case "CREATE_USER": + case "UNDELETE_USER": + evt.Put("event.type", ["user", "creation"]); + break; case "ISSUE_DEVICE_COMMAND": case "DRIVE_DATA_RESTORE": case "VIEW_SITE_DETAILS": @@ -238,12 +307,25 @@ var login = (function () { case "SKIP_SECONDARY_DOMAIN_MX": case "VERIFY_SECONDARY_DOMAIN_MX": case "VERIFY_SECONDARY_DOMAIN": + case "BULK_UPLOAD": + case "DOWNLOAD_PENDING_INVITES_LIST": + case "DOWNLOAD_USERLIST_CSV": + case "USERS_BULK_UPLOAD": evt.Put("event.type", ["info"]); break; case "GROUP_LIST_DOWNLOAD": case "GROUP_MEMBERS_DOWNLOAD": evt.Put("event.type", ["group", "info"]); break; + case "REQUEST_ACCOUNT_INFO": + case "REQUEST_MAILBOX_DUMP": + case "RESEND_USER_INVITE": + case "BULK_UPLOAD_NOTIFICATION_SENT": + case "USER_INVITE": + case "VIEW_TEMP_PASSWORD": + case "USERS_BULK_UPLOAD_NOTIFICATION_SENT": + evt.Put("event.type", ["user", "info"]); + break; } }; @@ -422,7 +504,7 @@ var login = (function () { }, { from: "gsuite.admin.MOBILE_APP_PACKAGE_ID", - to: "gsuite.admin.app.package_id", + to: "gsuite.admin.application.package_id", }, { from: "gsuite.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION", @@ -446,7 +528,11 @@ var login = (function () { }, { from: "gsuite.admin.APP_ID", - to: "gsuite.admin.app.id", + to: "gsuite.admin.application.id", + }, + { + from: "gsuite.admin.ASP_ID", + to: "gsuite.admin.application.asp_id", }, { from: "gsuite.admin.CHROME_OS_SESSION_TYPE", @@ -464,6 +550,10 @@ var login = (function () { from: "gsuite.admin.DEVICE_SERIAL_NUMBER", to: "gsuite.admin.device.serial_number", }, + { + from: "gsuite.admin.DEVICE_ID", + to: "gsuite.admin.device.id", + }, { from: "gsuite.admin.DEVICE_TYPE", to: "gsuite.admin.device.type", 
@@ -542,12 +632,22 @@ var login = (function () { }, { from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER", - to: "gsuite.admin.group.bulk_upload.failed", + to: "gsuite.admin.bulk_upload.failed", type: "long", }, { from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER", - to: "gsuite.admin.group.bulk_upload.total", + to: "gsuite.admin.bulk_upload.total", + type: "long", + }, + { + from: "gsuite.admin.BULK_UPLOAD_FAIL_USERS_NUMBER", + to: "gsuite.admin.bulk_upload.failed", + type: "long", + }, + { + from: "gsuite.admin.BULK_UPLOAD_TOTAL_USERS_NUMBER", + to: "gsuite.admin.bulk_upload.total", type: "long", }, { 
@@ -664,6 +764,62 @@ var login = (function () { from: "gsuite.admin.RULE_NAME", to: "gsuite.admin.rule.name", }, + { + from: "gsuite.admin.USER_CUSTOM_FIELD", + to: "gsuite.admin.setting.name", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_DEST_EMAIL", + to: "gsuite.admin.email_monitor.dest_email", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_CHAT", + to: "gsuite.admin.email_monitor.level.chat", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_DRAFT_EMAIL", + to: "gsuite.admin.email_monitor.level.draft", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_INCOMING_EMAIL", + to: "gsuite.admin.email_monitor.level.incoming", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL", + to: "gsuite.admin.email_monitor.level.outgoing", + }, + { + from: "gsuite.admin.EMAIL_EXPORT_INCLUDE_DELETED", + to: "gsuite.admin.email_dump.include_deleted", + }, + { + from: "gsuite.admin.EMAIL_EXPORT_PACKAGE_CONTENT", + to: "gsuite.admin.email_dump.package_content", + }, + { + from: "gsuite.admin.SEARCH_QUERY_FOR_DUMP", + to: "gsuite.admin.email_dump.query", + }, + { + from: "gsuite.admin.DESTINATION_USER_EMAIL", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.REQUEST_ID", + to: "gsuite.admin.request.id", + }, + { + from: "gsuite.admin.GMAIL_RESET_REASON", + to: "message", + }, + { + from: "gsuite.admin.USER_NICKNAME", + to: "gsuite.admin.user.nickname", + }, + { + from: "gsuite.admin.BIRTHDATE", + to: "gsuite.admin.user.birthdate", + }, ], mode: "rename", ignore_missing: true, diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json index a12f0d34c16..1475c5272e7 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json 
@@ -298,7 +298,7 @@
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
- "gsuite.admin.app.package_id": "1234",
+ "gsuite.admin.application.package_id": "1234",
 "gsuite.admin.managed_configuration": "a",
 "gsuite.event.type": "APPLICATION_SETTINGS",
 "gsuite.kind": "admin#reports#activity",
@@ -347,7 +347,7 @@
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
- "gsuite.admin.app.package_id": "1234",
+ "gsuite.admin.application.package_id": "1234",
 "gsuite.admin.managed_configuration": "a",
 "gsuite.event.type": "APPLICATION_SETTINGS",
 "gsuite.kind": "admin#reports#activity",
@@ -396,7 +396,7 @@
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
- "gsuite.admin.app.package_id": "1234",
+ "gsuite.admin.application.package_id": "1234",
 "gsuite.admin.managed_configuration": "a",
 "gsuite.event.type": "APPLICATION_SETTINGS",
 "gsuite.kind": "admin#reports#activity",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
index 97e7768ab03..18295dd26ee 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
@@ -31,7 +31,7 @@
 "group.domain": "example.com",
 "group.name": "group",
 "gsuite.actor.type": "USER",
- "gsuite.admin.app.id": "2345",
+ "gsuite.admin.application.id": "2345",
 "gsuite.admin.chrome_os.session_type": "type",
 "gsuite.admin.group.email": "group@example.com",
 "gsuite.admin.new_value": "new",
@@ -138,7 +138,7 @@
 "group.domain": "example.com",
 "group.name": "group",
 "gsuite.actor.type": "USER",
- "gsuite.admin.app.id": "2345",
+ "gsuite.admin.application.id": "2345",
 "gsuite.admin.chrome_os.session_type": "type",
 "gsuite.admin.group.email": "group@example.com",
 "gsuite.admin.new_value": "new",
@@ -940,7 +940,7 @@
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
- "gsuite.admin.app.id": "1234",
+ "gsuite.admin.application.id": "1234",
 "gsuite.event.type": "CHROME_OS_SETTINGS",
 "gsuite.kind": "admin#reports#activity",
 "gsuite.organization.domain": "elastic.com",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json
index d7700213800..523c942555b 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json
@@ -78,8 +78,8 @@
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
- "gsuite.admin.app.id": "id",
 "gsuite.admin.application.enabled": "app enabled",
+ "gsuite.admin.application.id": "id",
 "gsuite.admin.application.name": "app name",
 "gsuite.event.type": "DOMAIN_SETTINGS",
 "gsuite.kind": "admin#reports#activity",
@@ -128,7 +128,7 @@
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
- "gsuite.admin.app.id": "id",
+ "gsuite.admin.application.id": "id",
 "gsuite.admin.application.name": "app name",
 "gsuite.event.type": "DOMAIN_SETTINGS",
 "gsuite.kind": "admin#reports#activity",
@@ -3284,7 +3284,7 @@
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
- "gsuite.admin.app.id": "appid",
+ "gsuite.admin.application.id": "appid",
 "gsuite.admin.application.name": "app name",
 "gsuite.event.type": "DOMAIN_SETTINGS",
 "gsuite.kind": "admin#reports#activity",
@@ -3333,7 +3333,7 @@
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
- "gsuite.admin.app.id": "appid",
+ "gsuite.admin.application.id": "appid",
 "gsuite.admin.application.name": "app name",
 "gsuite.event.type": "DOMAIN_SETTINGS",
 "gsuite.kind": "admin#reports#activity",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
index 5a30d6583a9..27ae5a0b4e0 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
@@ -495,7 +495,6 @@
 "event.id": "1",
 "event.module": "gsuite",
 "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}",
- "event.outcome": "success",
 "event.provider": "admin",
 "event.type": [
 "group",
@@ -503,8 +502,8 @@
 ],
 "fileset.name": "admin",
 "gsuite.actor.type": "USER",
- "gsuite.admin.group.bulk_upload.failed": 0,
- "gsuite.admin.group.bulk_upload.total": 10,
+ "gsuite.admin.bulk_upload.failed": 0,
+ "gsuite.admin.bulk_upload.total": 10,
 "gsuite.event.type": "GROUP_SETTINGS",
 "gsuite.kind": "admin#reports#activity",
 "gsuite.organization.domain": "elastic.com",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log
new file mode 100644
index 00000000000..bed874fc9a4
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log
@@ -0,0 +1,74 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json
new file mode 100644
index 00000000000..389c1170b51
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json
@@ -0,0 +1,3766 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": 
"North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GENERATE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 388, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": 
"98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_3LO_DEVICE_TOKENS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": 
"foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_3LO_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1238, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", 
+ "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1649, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2031, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GRANT_ADMIN_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2413, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_ADMIN_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2798, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_ASP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.asp_id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3589, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 1, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4020, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4499, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CANCEL_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4937, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_CUSTOM_FIELD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "custom", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_EXTERNAL_ID", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5868, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_GENDER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6325, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_IM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6777, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENABLE_USER_IP_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7225, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_KEYWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7683, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_LANGUAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_LOCATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8590, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_ORGANIZATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9044, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_PHONE_NUMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9502, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10345, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_RELATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10730, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00Z", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_monitor.dest_email": "dest@example.com", + "gsuite.admin.email_monitor.level.chat": "info", + "gsuite.admin.email_monitor.level.draft": "info", + "gsuite.admin.email_monitor.level.incoming": "info", + "gsuite.admin.email_monitor.level.outgoing": "info", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11637, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + 
"client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_DATA_TRANSFER_REQUEST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "a,b,c", + "gsuite.admin.new_value": "dest@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12429, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + 
"client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12926, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": 
"US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_ACCOUNT_INFO_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.request.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13357, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + 
"client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_monitor.dest_email": "dest@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13780, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_MAILBOX_DUMP", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.request.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14227, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_FIRST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14645, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GMAIL_RESET_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15096, + "message": "reason", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_LAST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MAIL_ROUTING_DESTINATION_ADDED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15973, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16402, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.admin.user.nickname": "nick", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16833, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.admin.user.nickname": "nick", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17249, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17668, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DOWNLOAD_PENDING_INVITES_LIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18510, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18839, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19224, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REQUEST_ACCOUNT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REQUEST_MAILBOX_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00Z", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_dump.include_deleted": "true", + "gsuite.admin.email_dump.package_content": "contents", + "gsuite.admin.email_dump.query": "foo bar", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RESEND_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20656, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RESET_SIGNIN_COOKIES", + "event.category": [ + 
"iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21467, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_SECURITY_KEY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21863, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22246, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VIEW_TEMP_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TURN_OFF_2_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23093, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNBLOCK_USER_SESSION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23485, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNENROLL_USER_FROM_TITANIUM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23869, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24260, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_BIRTHDATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.birthdate": "2002-10-02T15:00:00Z", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24636, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25443, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DOWNGRADE_USER_FROM_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DOWNLOAD_USERLIST_CSV", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOVE_USER_TO_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26930, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27389, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27834, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28244, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29014, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNDELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29392, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNSUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29769, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPGRADE_USER_TO_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30147, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USERS_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 0, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30532, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "user",
+ "info"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "USER_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 30972,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go
index ccd425d24ff..0175376588f 100644
--- a/x-pack/filebeat/module/gsuite/fields.go
+++ b/x-pack/filebeat/module/gsuite/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetGsuite returns asset data.
 // This is the base64 encoded gzipped contents of module/gsuite.
 func AssetGsuite() string {
- return "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"
+ return "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"
 }
From df3fd49d57eb8d0b3a7ed925b0c7d32172a388df Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Mon, 13 Jul 2020 11:15:55 +0200
Subject: [PATCH 16/18] Add mobile settings
---
 filebeat/docs/fields.asciidoc | 57 +
 .../module/gsuite/admin/_meta/fields.yml | 24 +
 .../module/gsuite/admin/config/pipeline.js | 80 +
 .../test/gsuite-admin-mobile-test.json.log | 31 +
 ...e-admin-mobile-test.json.log-expected.json | 1566 +++++++++++++++++
 x-pack/filebeat/module/gsuite/fields.go | 2 +-
 6 files changed, 1759 insertions(+), 1 deletion(-)
 create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log
 create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 74068927bef..50d4b657cf4 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -62150,6 +62150,63 @@ type: keyword
 --
 The request ID.
+type: keyword
+
+--
+
+*`gsuite.admin.mobile.action.id`*::
++
+--
+The mobile device action's ID.
+
+type: keyword
+
+--
+
+*`gsuite.admin.mobile.action.type`*::
++
+--
+The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
+
+
+type: keyword
+
+--
+
+*`gsuite.admin.mobile.certificate.name`*::
++
+--
+The mobile certificate common name.
+
+type: keyword
+
+--
+
+*`gsuite.admin.mobile.company_owned_devices`*::
++
+--
+The number of devices a company owns.
+
+type: long
+
+--
+
+*`gsuite.admin.distribution.entity.name`*::
++
+--
+The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
+
+
+type: keyword
+
+--
+
+*`gsuite.admin.distribution.entity.type`*::
++
+--
+The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
+
+
 type: keyword
 --
diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml
index f4243e590e1..7c82f3ed6e7 100644
--- a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml
+++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml
@@ -245,3 +245,27 @@
 - name: request.id
 type: keyword
 description: The request ID.
+ - name: mobile.action.id
+ type: keyword
+ description: The mobile device action's ID.
+ - name: mobile.action.type
+ type: keyword
+ description: >
+ The mobile device action's type.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
+ - name: mobile.certificate.name
+ type: keyword
+ description: The mobile certificate common name.
+ - name: mobile.company_owned_devices
+ type: long
+ description: The number of devices a company owns.
+ - name: distribution.entity.name
+ type: keyword
+ description: >
+ The distribution entity value, which can be a group name or an org-unit name.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
+ - name: distribution.entity.type
+ type: keyword
+ description: >
+ The distribution entity type, which can be a group or an org-unit.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
index 0e582367e00..764f4bb695f 100644
--- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
+++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
@@ -161,6 +161,22 @@ var login = (function () {
 case "UPDATE_DOMAIN_SECONDARY_EMAIL":
 case "CHANGE_SSO_SETTINGS":
 case "UPDATE_RULE":
+ case "ADD_MOBILE_CERTIFICATE":
+ case "COMPANY_OWNED_DEVICE_BLOCKED":
+ case "COMPANY_OWNED_DEVICE_UNBLOCKED":
+ case "COMPANY_OWNED_DEVICE_WIPED":
+ case "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT":
+ case "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER":
+ case "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST":
+ case "CHANGE_MOBILE_APPLICATION_SETTINGS":
+ case "ADD_MOBILE_APPLICATION_TO_WHITELIST":
+ case "CHANGE_MOBILE_SETTING":
+ case "CHANGE_ADMIN_RESTRICTIONS_PIN":
+ case "CHANGE_MOBILE_WIRELESS_NETWORK":
+ case "ADD_MOBILE_WIRELESS_NETWORK":
+ case "REMOVE_MOBILE_WIRELESS_NETWORK":
+ case "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD":
+ case "REMOVE_MOBILE_CERTIFICATE":
 evt.Put("event.type", ["change"]);
 break;
 case "CREATE_APPLICATION_SETTING":
@@ -185,6 +201,7 @@ var login = (function () {
 case "REGENERATE_OAUTH_CONSUMER_SECRET":
 case "CREATE_RULE":
 case "GENERATE_PIN":
+ case "COMPANY_DEVICES_BULK_CREATION":
 evt.Put("event.type", ["creation"]);
 break;
 case "DELETE_APPLICATION_SETTING":
@@ -204,6 +221,7 @@ var login = (function () {
 case "DELETE_ALERT":
 case "DELETE_PLAY_FOR_WORK_TOKEN":
 case "DELETE_RULE":
+ case "COMPANY_DEVICE_DELETION":
 evt.Put("event.type", ["deletion"]);
 break;
 case "DELETE_GROUP":
@@ -278,6 +296,12 @@ var login = (function () {
 case "UNARCHIVE_USER":
 case "UNSUSPEND_USER":
 case "UPGRADE_USER_TO_GPLUS":
+ case "MOBILE_DEVICE_APPROVE":
+ case "MOBILE_DEVICE_BLOCK":
+ case "MOBILE_DEVICE_WIPE":
+ case "MOBILE_ACCOUNT_WIPE":
+ case "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE":
+ case "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK":
 evt.Put("event.type", ["user", "change"]);
 break;
 case "DELETE_2SV_SCRATCH_CODES":
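Review bot: The ADD_*/REMOVE_* mobile cases in the `@@ -161` hunk all land in the `["change"]` group, although the sibling hunks in this same file put `COMPANY_DEVICES_BULK_CREATION` under `["creation"]` and `COMPANY_DEVICE_DELETION` under `["deletion"]`; by their names `ADD_MOBILE_CERTIFICATE`, `ADD_MOBILE_WIRELESS_NETWORK` and `ADD_MOBILE_APPLICATION_TO_WHITELIST` create an object and `REMOVE_MOBILE_CERTIFICATE`, `REMOVE_MOBILE_WIRELESS_NETWORK` and `REMOVE_MOBILE_APPLICATION_FROM_WHITELIST` delete one, so a detection that keys on `event.type:deletion` (a certificate or allow-listed app being removed from an org unit) would not fire on them. If the pre-existing ADD_*/REMOVE_* cases above this hunk are deliberately kept as `change`, a one-line comment at the top of that group saying so would settle it; otherwise move the three ADD_ cases next to `COMPANY_DEVICES_BULK_CREATION` and the three REMOVE_ cases next to `COMPANY_DEVICE_DELETION`. The same question applies to the `@@ -311` hunk on the next line, where `ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT` and the three `USE_GOOGLE_MOBILE_MANAGEMENT*` events, which appear to switch device management on or off for the domain, are filed as `["info"]` rather than `["change"]`. The enclosing switch and the `login` IIFE both start and end outside the hunk.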
@@ -285,6 +309,7 @@ var login = (function () {
 case "DELETE_EMAIL_MONITOR":
 case "DELETE_MAILBOX_DUMP":
 case "DELETE_USER":
+ case "MOBILE_DEVICE_DELETE":
 evt.Put("event.type", ["user", "deletion"]);
 break;
 case "GENERATE_2SV_SCRATCH_CODES":
@@ -311,6 +336,10 @@ var login = (function () {
 case "DOWNLOAD_PENDING_INVITES_LIST":
 case "DOWNLOAD_USERLIST_CSV":
 case "USERS_BULK_UPLOAD":
+ case "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT":
+ case "USE_GOOGLE_MOBILE_MANAGEMENT":
+ case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS":
+ case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS":
 evt.Put("event.type", ["info"]);
 break;
 case "GROUP_LIST_DOWNLOAD":
@@ -324,6 +353,8 @@ var login = (function () {
 case "USER_INVITE":
 case "VIEW_TEMP_PASSWORD":
 case "USERS_BULK_UPLOAD_NOTIFICATION_SENT":
+ case "ACTION_CANCELLED":
+ case "ACTION_REQUESTED":
 evt.Put("event.type", ["user", "info"]);
 break;
 }
@@ -820,6 +851,55 @@ var login = (function () {
 from: "gsuite.admin.BIRTHDATE",
 to: "gsuite.admin.user.birthdate",
 },
+ {
+ from: "gsuite.admin.ACTION_ID",
+ to: "gsuite.admin.mobile.action.id",
+ },
+ {
+ from: "gsuite.admin.ACTION_TYPE",
+ to: "gsuite.admin.mobile.action.type",
+ },
+ {
+ from: "gsuite.admin.MOBILE_CERTIFICATE_COMMON_NAME",
+ to: "gsuite.admin.mobile.certificate.name",
+ },
+ {
+ from: "gsuite.admin.NUMBER_OF_COMPANY_OWNED_DEVICES",
+ to: "gsuite.admin.mobile.company_owned_devices",
+ type: "long",
+ },
+ {
+ from: "gsuite.admin.COMPANY_DEVICE_ID",
+ to: "gsuite.admin.device.id",
+ },
+ {
+ from: "gsuite.admin.DISTRIBUTION_ENTITY_NAME",
+ to: "gsuite.admin.distribution.entity.name",
+ },
+ {
+ from: "gsuite.admin.DISTRIBUTION_ENTITY_TYPE",
+ to: "gsuite.admin.distribution.entity.type",
+ },
+ {
+ from: "gsuite.admin.MOBILE_APP_PACKAGE_ID",
+ to: "gsuite.admin.application.package_id",
+ },
+ {
+ from: "gsuite.admin.NEW_PERMISSION_GRANT_STATE",
+ to: "gsuite.admin.new_value",
+ },
+ {
+ from: "gsuite.admin.OLD_PERMISSION_GRANT_STATE",
+ to: "gsuite.admin.old_value",
+ },
+ {
+ from: "gsuite.admin.PERMISSION_GROUP_NAME",
+ to: "gsuite.admin.setting.name",
+ },
+ {
+ from: "gsuite.admin.MOBILE_WIRELESS_NETWORK_NAME",
+ to: "network.name",
+ },
 ],
 mode: "rename",
 ignore_missing: true,
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log
new file mode 100644
index 00000000000..69c376c4453
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log
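Review bot: Three of the new rename entries write to targets that other parameters already map to — `NEW_PERMISSION_GRANT_STATE`/`OLD_PERMISSION_GRANT_STATE` go to `gsuite.admin.new_value`/`gsuite.admin.old_value`, which the earlier patches in this series document as the home of `NEW_VALUE`/`OLD_VALUE`, `PERMISSION_GROUP_NAME` goes to `gsuite.admin.setting.name`, and `COMPANY_DEVICE_ID` goes to `gsuite.admin.device.id`, the same field the expected output below shows `DEVICE_ID` landing in — and `ignore_missing: true` says nothing about what happens when both sources are present on one event. The sample events in the new test log keep each pair mutually exclusive, but for an audit pipeline it is worth stating that assumption where the next maintainer will see it, e.g. a comment above the first of these entries: `// *_PERMISSION_GRANT_STATE / PERMISSION_GROUP_NAME and NEW_VALUE / OLD_VALUE / SETTING_NAME never co-occur on one activity; they share targets on purpose.` Otherwise, depending on how the convert processor treats an existing target, the second rename would either overwrite the first (silently losing the old/new permission state from the record) or fail the event. Separately, the fields.yml hunk above declares none of `application.package_id`, `setting.name` or `device.id`; if they are declared by an earlier patch this is fine, otherwise the renamed values end up in unmapped fields (the patch-01 docs call the package field `gsuite.admin.mobile_app.package_id`, so the name may have moved). The enclosing processor definition starts and ends outside the hunk.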
@@ -0,0 +1,31 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
new file mode 100644
index 00000000000..3c0346e6896
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
@@ -0,0 +1,1566 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ACTION_CANCELLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.mobile.action.id": "id", + "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + 
"98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ACTION_REQUESTED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.mobile.action.id": "id", + "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": 
"elastic.com", + "input.type": "log", + "log.offset": 534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_MOBILE_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.mobile.certificate.name": "name", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 
1068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "COMPANY_DEVICES_BULK_CREATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mobile.company_owned_devices": 10, + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1548, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1951, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", 
+ "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "COMPANY_DEVICE_DELETION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2376, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": 
"Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2796, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + 
"event.action": "COMPANY_OWNED_DEVICE_WIPED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3223, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "GROUP", + "gsuite.admin.new_value": "GRANTED", + "gsuite.admin.old_value": "DENIED", + "gsuite.admin.setting.name": "LOCATION", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3646, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", 
+ "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4354, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": 
"foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4795, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + 
"client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable 
Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_APPROVE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable 
Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + 
"client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_DELETE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7450, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": 
"US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_WIPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_MOBILE_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + 
"client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8898, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + 
"client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9328, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9817, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + 
"client.user.name": "foo", + "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10303, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": 
"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10792, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_MOBILE_CERTIFICATE", + "event.category": [ + 
"iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.mobile.certificate.name": "cert", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11290, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11773, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12110, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_ACCOUNT_WIPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13120, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13577, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14053, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index 0175376588f..b68faad49fc 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "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" + return "eJzkW0tv5DYSvs+vKCSHAYK4jc3RhwWMcWdixC+M7WCDxUJmiyWJMMXSkJR7en/9gg+1+yGp282exMD2ZQaS+H0fi2SxqkifwDMuzqA0rbD4AcAKK/EMfggPfvgAwNHkWjRWkDqDf34AgPg1XBNvpWtUCJTcnPl3J6BYjSuI7sexYK20mf/wDAomTffKLhr3taa2WX68Reh+nwOpaTAXhcgj6eTD8oNr0ghCFaRr5hoDm1FrNxtAzhTMEApqFQdmobK2MWenpxxfUFKD2kxKolLiJKf6lPFaqBPDn081NqStOX35x6nGAjWqHE9ZbsWLsALNqRTGRi2r9li1Ccst6Ynr8fJVZ4BnXMxJ85XnA2Zwv4cKfTOgImJ+WHv/B5Mtdj09W3sF8NPj/fTLT2dwrshWqKE1qEEosBWCYTUCp5oJNdlsNv3Xw/TLzflV1rUPLam1RnD0zQda/j7903+vSJ1Ubc1UJ7rfPs+4SDPPrZILaDQaVBbmFSp4erX8EwgDT79P/3yawKcwFZz0p5yUaWvU2TMunpxh3VONX1s0ljQUpOH2vLUV/HJ1C+d3l907A6SBKRAclRWFwPCtphlZYHlOrbJmu6v4gsoeeSp8vvcrxEP/DDVrGuRQaKrhSViszb//M/Hv3H+iKcKwkxalUExCwxaSGF8fwSnLKyiERIPWz6mKvSAw4KLwy8CCe0EFvIRp57ovnAC3HjlaJuRfsurcD7+xunEOjLVc2B/jh4st8z8LxY9n+DAdDLU6xw3DO6I97Xz9ju1FumRK/Nf71UlY5mnmCwYMSGArZt2yZEWBuUUOs0Vcfq4zH01cLdv+wnV7S8fqXgI93ngNoWmkyEO3kAv374bMob5t9c/1p1uBAWmyk9I9SeFbwfpoPP5uTlRsJnET+k20EWINdievFLmbjCYjzVFnqq1nqA9VceswIGC4fYiDJdDIEWvwRAbNGyQ1rc4rZg63yk1QQgV0mLDE3K1DJI3GChJcXuxmY6bJjse4DK8aZoxrvJeGhuXPrMREHTXNhFyXE4EHRXjnMMGaCZnC7GE+Gmi0qJlegAcExrlGMzDxFM4zv0Om8Cqch23W77I+ZENrhSr7OUnydE6S/E2cusxaJWyyc1vdc5gEhzni4pa0RSuThpZ0GbgcEDTMViBULlsuVBl2JSL7+tWwos5KqXaIOCNMLhDPOBZCIc+ORevad3GwIziJBOOj371cgfu+fQ8LutGCtI9wDmX77HDgFaefLWY4TAp2MNNK4ONxRplSR7FzUJFw2I6Rz2BOijO9yNKnbUTazV0zxUrkWU6qEGWrWeq0WZ27ERzWwAdcNKmsQGZb7deRfhEuODAoMU9RtBn5AtyQOumIoCOCJdFmBg3wq0sywQXvrlsNGSNmEruMy0f6LgI6IEtwyYri4luXJCziZyub6klchebHX6/O73+7uvz820M2vXjMbm5vsl+n5w+PX6YX2f30yx+Xn6b32f30avrpYXrRa2IfjB9raD1Y/1B26VhibLXK1kGupPrD7jg9xHAob4swPK8S+XPq0o3UHdQI20xoW3Fm++l6XgxxeSDfYMDNM4tztkjyh58DRnBEcBcLRC6GpRohd0loN9P7ReSVphozMhODxghS2UYB501yPnk0uL2HiOabDnhndC5iYlALJhNzpwuPBQEr5lCjrG9YQhstU8wTZQ7bpNFCWe+m3bQ/YrTjgSECD1N/D9YdI5FTXTPFs1glOnjmBZiu2DTgQUmmeM9HJb62uFkWtZUwH
tl190VILAcG17OnmHd7033wsbvEnkAE/pYtlqNE59f4SWwWnc/QlIv2SrHKXYcymrf4eOQIeYvHGctbtExmmePMCDvG0mjibZ6ej0acPZjMc3sMovvfH/t5Zq18ztrGl5ALJoaqeZJUuV/RKoCAxpw0NyCUp4BAAW6Wj0TNq2osWdYf9ewvxmMcqCVkg0xKmiPPNordbxqIG1aj8QdsDuzEQSEP+AMO00dok68t00xZoTA5g1rdHV5hx8gllZlBpvMqK4R0u0mNxqQX2iSVEHAh4H40MSCN+IP1tiFdxjJts6TIsU+Uhx0JI4fkoNtUjy3GOX1VHqBGYy4agcpOkot3wyP3SvK2gUPFUX9PYZHhQIuJplfV1uNDLPXRwOXdeA62w2zfQV1A3kNazF6WxyOJB0HbAdZVd/QRkd9DjEW6HI+rNq0S947/c6sQa231y+QYoeC2Rfw9il9G4sO/xygG81YLu9jLMsc5vouW2OcEr4c3ZVR6mEfOVra5UzL7wRmxqmY773/Ps+IFtSii9KxGW9ERPcgXlC5LXCOBQPIuLQRMbfYQjpo3+/OE8QFhEnV6yudRRhaGbhOrFL4m0fbWJF6PzcUklz62SWU6v7uEALWDz+TUHH6U1lEFlIEjH15PLD1j0jHP9cU1vKDipAGVJilr1zUPO8waGhyHdvTSjVAFJRWI+0pYwsBcSAkzXF57MZZZhHnFrL/W5pb96i3YOTOQV0yV7yP02Gfx+sA2q0kJS3rC0dgs+TjFoQgVLwaHMLnLrWMmG+n2UCSdGSZ5xQ6uLjhF/sBhjRsC8N4KuGZFkgQPkKZBqJxqsVXbeZOMDiNNCbW2pEQlHcZblfC2bibhmghmHCXagRRiRiSRbXq9NR2XirtNHg2IAiJWoDHA/BV3T8O7W6X4zS26neq6K1c5KYsqbeYGCPN6xC7kjL51l692Svnaol6klZZ9Juxxgh/sriZ5/P69OtzXTjwQjiiDYXq4kjZh+REu9sXrbeHsBwKky/P3oj72xjMo570E6kHe+MYSTZSjtiGSTo/eolVWICGnuh7NpzoZVDdMLTKaK+RZsGt/0LWreO6rxcsCekQCBpEBaK6GrhkJY7WYtfFqsBU27Yy9f+qsskBgCVPhZ5hXIq+66+4sFNhj5dv/XQXp8mTgot37nWd9Vj3+guyzqoMcMOq6Pd+zKZcnkaxejfmSrvcnncZs2/+e1RLu7/YsoBRMyFbjkbOBKyqF6rCDH/5LB9ENz1DqI6xgFnk2O3if76uD+L03OLn78+srYK2t3MQf+xsE0qWb71nDbHU8LQCP/q/fAvjAQbpltjVZTrx/0Hd59Z5Z5zodYMHBDh3g56R45oPW7HuJ8BwhMF5X9L8AAAD//z8N/SI=" } From 3fd31a7b8c5c08b36c7f45fa9a812a556f13e377 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 13 Jul 2020 11:25:50 +0200 Subject: [PATCH 17/18] Add CHANGELOG entry --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index ee796c027f1..091dcab8f35 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -57,6 +57,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Adds Gsuite module with SAML support. {pull}19329[19329] - Adds Gsuite User Accounts support. {pull}19329[19329] - Adds Gsuite Login audit support. {pull}19702[19702] +- Adds Gsuite Admin support. {pull}19769[19769] *Heartbeat* From c08277d61976a8d1357c897a5cb92c851085b1bd Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Tue, 14 Jul 2020 21:48:12 +0200 Subject: [PATCH 18/18] Generate fields.go --- x-pack/filebeat/module/gsuite/fields.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go index b68faad49fc..85d6b81a11e 100644 --- a/x-pack/filebeat/module/gsuite/fields.go +++ b/x-pack/filebeat/module/gsuite/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetGsuite returns asset data. // This is the base64 encoded gzipped contents of module/gsuite. func AssetGsuite() string { - return "eJzkW0tv5DYSvs+vKCSHAYK4jc3RhwWMcWdixC+M7WCDxUJmiyWJMMXSkJR7en/9gg+1+yGp282exMD2ZQaS+H0fi2SxqkifwDMuzqA0rbD4AcAKK/EMfggPfvgAwNHkWjRWkDqDf34AgPg1XBNvpWtUCJTcnPl3J6BYjSuI7sexYK20mf/wDAomTffKLhr3taa2WX68Reh+nwOpaTAXhcgj6eTD8oNr0ghCFaRr5hoDm1FrNxtAzhTMEApqFQdmobK2MWenpxxfUFKD2kxKolLiJKf6lPFaqBPDn081NqStOX35x6nGAjWqHE9ZbsWLsALNqRTGRi2r9li1Ccst6Ynr8fJVZ4BnXMxJ85XnA2Zwv4cKfTOgImJ+WHv/B5Mtdj09W3sF8NPj/fTLT2dwrshWqKE1qEEosBWCYTUCp5oJNdlsNv3Xw/TLzflV1rUPLam1RnD0zQda/j7903+vSJ1Ubc1UJ7rfPs+4SDPPrZILaDQaVBbmFSp4erX8EwgDT79P/3yawKcwFZz0p5yUaWvU2TMunpxh3VONX1s0ljQUpOH2vLUV/HJ1C+d3l907A6SBKRAclRWFwPCtphlZYHlOrbJmu6v4gsoeeSp8vvcrxEP/DDVrGuRQaKrhSViszb//M/Hv3H+iKcKwkxalUExCwxaSGF8fwSnLKyiERIPWz6mKvSAw4KLwy8CCe0EFvIRp57ovnAC3HjlaJuRfsurcD7+xunEOjLVc2B/jh4st8z8LxY9n+DAdDLU6xw3DO6I97Xz9ju1FumRK/Nf71UlY5mnmCwYMSGArZt2yZEWBuUUOs0Vcfq4zH01cLdv+wnV7S8fqXgI93ngNoWmkyEO3kAv374bMob5t9c/1p1uBAWmyk9I9SeFbwfpoPP5uTlRsJnET+k20EWINdievFLmbjCYjzVFnqq1nqA9VceswIGC4fYiDJdDIEWvwRAbNGyQ1rc4rZg63yk1QQgV0mLDE3K1DJI3GChJcXuxmY6bJjse4DK8aZoxrvJeGhuXPrMREHTXNhFyXE4EHRXjnMMGaCZnC7GE+Gmi0qJlegAcExrlGMzDxFM4zv0Om8Cqch23W77I+ZENrhSr7OUnydE6S/E2cusxaJWyyc1vdc5gEhzni4pa0RSuThpZ0GbgcEDTMViBULlsuVBl2JSL7+tWwos5KqXaIOCNMLhDPOBZCIc+ORevad3GwIziJBOOj371cgfu+fQ8LutGCtI9wDmX77HDgFaefLWY4TAp2MNNK4ONxRplSR7FzUJFw2I6Rz2BOijO9yNKnbUTazV0zxUrkWU6qEGWrWeq0WZ27ERzWwAdcNKmsQGZb7deRfhEuODAoMU9RtBn5AtyQOumIoCOCJdFmBg3wq0sywQXvrlsNGSNmEruMy0f6LgI6IEtwyYri4luXJCziZyub6klchebHX6/O73+7uvz820M2vXjMbm5vsl+n5w+PX6YX2f30yx+Xn6b32f30avrpYXrRa2IfjB9raD1Y/1B26VhibLXK1kGupPrD7jg9xHAob4swPK8S+XPq0o3UHdQI20xoW3Fm++l6XgxxeSDfYMDNM4tztkjyh58DRnBEcBcLRC6GpRohd0loN9P7ReSVphozMhODxghS2UYB501yPnk0uL2HiOabDnhndC5iYlALJhNzpwuPBQEr5lCjrG9YQhstU8wTZQ7bpNFCWe+m3bQ/YrTjgSECD1N/D9YdI5FTXTPFs1glOnjmBZiu2DTgQUmmeM9HJb62uFkWtZUwHtl190VILAcG17OnmHd7033wsbvEnkAE/pYtlqNE59f4SWwWnc/QlIv2SrHKXYcymr
f4eOQIeYvHGctbtExmmePMCDvG0mjibZ6ej0acPZjMc3sMovvfH/t5Zq18ztrGl5ALJoaqeZJUuV/RKoCAxpw0NyCUp4BAAW6Wj0TNq2osWdYf9ewvxmMcqCVkg0xKmiPPNordbxqIG1aj8QdsDuzEQSEP+AMO00dok68t00xZoTA5g1rdHV5hx8gllZlBpvMqK4R0u0mNxqQX2iSVEHAh4H40MSCN+IP1tiFdxjJts6TIsU+Uhx0JI4fkoNtUjy3GOX1VHqBGYy4agcpOkot3wyP3SvK2gUPFUX9PYZHhQIuJplfV1uNDLPXRwOXdeA62w2zfQV1A3kNazF6WxyOJB0HbAdZVd/QRkd9DjEW6HI+rNq0S947/c6sQa231y+QYoeC2Rfw9il9G4sO/xygG81YLu9jLMsc5vouW2OcEr4c3ZVR6mEfOVra5UzL7wRmxqmY773/Ps+IFtSii9KxGW9ERPcgXlC5LXCOBQPIuLQRMbfYQjpo3+/OE8QFhEnV6yudRRhaGbhOrFL4m0fbWJF6PzcUklz62SWU6v7uEALWDz+TUHH6U1lEFlIEjH15PLD1j0jHP9cU1vKDipAGVJilr1zUPO8waGhyHdvTSjVAFJRWI+0pYwsBcSAkzXF57MZZZhHnFrL/W5pb96i3YOTOQV0yV7yP02Gfx+sA2q0kJS3rC0dgs+TjFoQgVLwaHMLnLrWMmG+n2UCSdGSZ5xQ6uLjhF/sBhjRsC8N4KuGZFkgQPkKZBqJxqsVXbeZOMDiNNCbW2pEQlHcZblfC2bibhmghmHCXagRRiRiSRbXq9NR2XirtNHg2IAiJWoDHA/BV3T8O7W6X4zS26neq6K1c5KYsqbeYGCPN6xC7kjL51l692Svnaol6klZZ9Juxxgh/sriZ5/P69OtzXTjwQjiiDYXq4kjZh+REu9sXrbeHsBwKky/P3oj72xjMo570E6kHe+MYSTZSjtiGSTo/eolVWICGnuh7NpzoZVDdMLTKaK+RZsGt/0LWreO6rxcsCekQCBpEBaK6GrhkJY7WYtfFqsBU27Yy9f+qsskBgCVPhZ5hXIq+66+4sFNhj5dv/XQXp8mTgot37nWd9Vj3+guyzqoMcMOq6Pd+zKZcnkaxejfmSrvcnncZs2/+e1RLu7/YsoBRMyFbjkbOBKyqF6rCDH/5LB9ENz1DqI6xgFnk2O3if76uD+L03OLn78+srYK2t3MQf+xsE0qWb71nDbHU8LQCP/q/fAvjAQbpltjVZTrx/0Hd59Z5Z5zodYMHBDh3g56R45oPW7HuJ8BwhMF5X9L8AAAD//z8N/SI=" + return "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" }