From 8461211ce61b0ffdcbbe61a4117e0ae28ea1c721 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 7 Dec 2020 10:20:33 +0100 Subject: [PATCH 1/3] Deprecate Gsuite module and create Google Workspace one --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 1265 +++++ .../docs/modules/google_workspace.asciidoc | 144 + filebeat/docs/modules/gsuite.asciidoc | 2 + filebeat/docs/modules_list.asciidoc | 2 + x-pack/filebeat/filebeat.reference.yml | 53 + x-pack/filebeat/include/list.go | 1 + .../module/google_workspace/_meta/config.yml | 50 + .../google_workspace/_meta/docs.asciidoc | 131 + .../module/google_workspace/_meta/fields.yml | 42 + .../google_workspace/admin/_meta/fields.yml | 271 ++ .../google_workspace/admin/config/config.yml | 56 + .../google_workspace/admin/config/pipeline.js | 946 ++++ .../google_workspace/admin/manifest.yml | 24 + .../test/admin-application-test.json.log | 9 + ...in-application-test.json.log-expected.json | 475 ++ .../admin/test/admin-calendar-test.json.log | 13 + ...admin-calendar-test.json.log-expected.json | 668 +++ .../admin/test/admin-chat-test.json.log | 4 + .../admin-chat-test.json.log-expected.json | 205 + .../admin/test/admin-chromeos-test.json.log | 21 + ...admin-chromeos-test.json.log-expected.json | 1083 +++++ .../admin/test/admin-contacts-test.json.log | 1 + ...admin-contacts-test.json.log-expected.json | 55 + .../test/admin-delegatedadmin-test.json.log | 8 + ...delegatedadmin-test.json.log-expected.json | 408 ++ .../admin/test/admin-docs-test.json.log | 3 + .../admin-docs-test.json.log-expected.json | 163 + .../admin/test/admin-domain-test.json.log | 85 + .../admin-domain-test.json.log-expected.json | 4268 +++++++++++++++++ .../admin/test/admin-gmail-test.json.log | 9 + .../admin-gmail-test.json.log-expected.json | 472 ++ .../admin/test/admin-groups-test.json.log | 14 + .../admin-groups-test.json.log-expected.json | 745 +++ .../admin/test/admin-licenses-test.json.log | 8 + ...admin-licenses-test.json.log-expected.json | 415 ++ .../admin/test/admin-mobile-test.json.log | 31 + .../admin-mobile-test.json.log-expected.json | 1597 ++++++ .../admin/test/admin-org-test.json.log | 17 + .../admin-org-test.json.log-expected.json | 856 ++++ .../admin/test/admin-security-test.json.log | 24 + ...admin-security-test.json.log-expected.json | 1246 +++++ .../admin/test/admin-sites-test.json.log | 5 + .../admin-sites-test.json.log-expected.json | 263 + .../admin/test/admin-user-test.json.log | 74 + .../admin-user-test.json.log-expected.json | 3840 +++++++++++++++ .../module/google_workspace/config/common.js | 83 + .../google_workspace/drive/_meta/fields.yml | 89 + .../google_workspace/drive/config/config.yml | 56 + .../google_workspace/drive/config/pipeline.js | 190 + .../google_workspace/drive/manifest.yml | 24 + .../drive/test/drive-test.json.log | 28 + .../test/drive-test.json.log-expected.json | 1734 +++++++ .../module/google_workspace/fields.go | 23 + .../google_workspace/groups/_meta/fields.yml | 57 + .../google_workspace/groups/config/config.yml | 56 + .../groups/config/pipeline.js | 203 + .../google_workspace/groups/manifest.yml | 24 + .../groups/test/groups-test.json.log | 25 + .../test/groups-test.json.log-expected.json | 1372 ++++++ .../module/google_workspace/ingest/common.yml | 33 + .../google_workspace/login/_meta/fields.yml | 21 + .../google_workspace/login/config/config.yml | 56 + .../google_workspace/login/config/pipeline.js | 98 + .../google_workspace/login/manifest.yml | 24 + .../login/test/login-test.json.log | 14 + .../test/login-test.json.log-expected.json | 506 ++ .../google_workspace/saml/_meta/fields.yml | 27 + .../google_workspace/saml/config/config.yml | 56 + .../google_workspace/saml/config/pipeline.js | 60 + .../module/google_workspace/saml/manifest.yml | 24 + .../saml/test/saml-test.json.log | 2 + .../test/saml-test.json.log-expected.json | 110 + .../user_accounts/config/config.yml | 56 + .../user_accounts/config/pipeline.js | 24 + .../user_accounts/manifest.yml | 24 + .../test/user_accounts-test.json.log | 8 + .../user_accounts-test.json.log-expected.json | 394 ++ .../filebeat/module/gsuite/_meta/config.yml | 1 + .../module/gsuite/_meta/docs.asciidoc | 2 + .../modules.d/google_workspace.yml.disabled | 53 + x-pack/filebeat/modules.d/gsuite.yml.disabled | 1 + 82 files changed, 25631 insertions(+) create mode 100644 filebeat/docs/modules/google_workspace.asciidoc create mode 100644 x-pack/filebeat/module/google_workspace/_meta/config.yml create mode 100644 x-pack/filebeat/module/google_workspace/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/google_workspace/_meta/fields.yml create mode 100644 x-pack/filebeat/module/google_workspace/admin/_meta/fields.yml create mode 100644 x-pack/filebeat/module/google_workspace/admin/config/config.yml create mode 100644 x-pack/filebeat/module/google_workspace/admin/config/pipeline.js create mode 100644 x-pack/filebeat/module/google_workspace/admin/manifest.yml create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/config/common.js create mode 100644 x-pack/filebeat/module/google_workspace/drive/_meta/fields.yml create mode 100644 x-pack/filebeat/module/google_workspace/drive/config/config.yml create mode 100644 x-pack/filebeat/module/google_workspace/drive/config/pipeline.js create mode 100644 x-pack/filebeat/module/google_workspace/drive/manifest.yml create mode 100644 x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/fields.go create mode 100644 x-pack/filebeat/module/google_workspace/groups/_meta/fields.yml create mode 100644 x-pack/filebeat/module/google_workspace/groups/config/config.yml create mode 100644 x-pack/filebeat/module/google_workspace/groups/config/pipeline.js create mode 100644 x-pack/filebeat/module/google_workspace/groups/manifest.yml create mode 100644 x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/ingest/common.yml create mode 100644 x-pack/filebeat/module/google_workspace/login/_meta/fields.yml create mode 100644 x-pack/filebeat/module/google_workspace/login/config/config.yml create mode 100644 x-pack/filebeat/module/google_workspace/login/config/pipeline.js create mode 100644 x-pack/filebeat/module/google_workspace/login/manifest.yml create mode 100644 x-pack/filebeat/module/google_workspace/login/test/login-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/saml/_meta/fields.yml create mode 100644 x-pack/filebeat/module/google_workspace/saml/config/config.yml create mode 100644 x-pack/filebeat/module/google_workspace/saml/config/pipeline.js create mode 100644 x-pack/filebeat/module/google_workspace/saml/manifest.yml create mode 100644 x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml create mode 100644 x-pack/filebeat/module/google_workspace/user_accounts/config/pipeline.js create mode 100644 x-pack/filebeat/module/google_workspace/user_accounts/manifest.yml create mode 100644 x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log create mode 100644 x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json create mode 100644 x-pack/filebeat/modules.d/google_workspace.yml.disabled diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e8f152c6cb6..02de2e92601 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -771,6 +771,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add `network.direction` override by specifying `internal_networks` in gcp module. {pull}23081[23081] - Migrate okta to httpjson v2 config {pull}23059[23059] - Misp improvements: Migration to httpjson v2 config, pagination and deduplication ID {pull}23070[23070] +- Add Google Workspace module and mark Gsuite module as deprecated {pull}22950[22950] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 18da50aa354..f1ed31cc09e 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -38,6 +38,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> @@ -69622,6 +69623,1270 @@ type: keyword Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. +type: long + +-- + +[[exported-fields-google_workspace]] +== google_workspace fields + +Google Workspace Module + + + +[float] +=== google_workspace + +Google Workspace specific fields. +More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + + +*`google_workspace.actor.type`*:: ++ +-- +The type of actor. +Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + + +type: keyword + +-- + +*`google_workspace.actor.key`*:: ++ +-- +Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + + +type: keyword + +-- + +*`google_workspace.event.type`*:: ++ +-- +The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + +type: keyword + +example: audit#activity + +-- + +*`google_workspace.kind`*:: ++ +-- +The type of API resource, mapped from `kind` in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + + +type: keyword + +example: audit#activity + +-- + +*`google_workspace.organization.domain`*:: ++ +-- +The domain that is affected by the report's event. + + +type: keyword + +-- + + +*`google_workspace.admin.application.edition`*:: ++ +-- +The Google Workspace edition. + +type: keyword + +-- + +*`google_workspace.admin.application.name`*:: ++ +-- +The application's name. + +type: keyword + +-- + +*`google_workspace.admin.application.enabled`*:: ++ +-- +The enabled application. + +type: keyword + +-- + +*`google_workspace.admin.application.licences_order_number`*:: ++ +-- +Order number used to redeem licenses. + +type: keyword + +-- + +*`google_workspace.admin.application.licences_purchased`*:: ++ +-- +Number of licences purchased. + +type: keyword + +-- + +*`google_workspace.admin.application.id`*:: ++ +-- +The application ID. + +type: keyword + +-- + +*`google_workspace.admin.application.asp_id`*:: ++ +-- +The application specific password ID. + +type: keyword + +-- + +*`google_workspace.admin.application.package_id`*:: ++ +-- +The mobile application package ID. + +type: keyword + +-- + +*`google_workspace.admin.group.email`*:: ++ +-- +The group's primary email address. + +type: keyword + +-- + +*`google_workspace.admin.new_value`*:: ++ +-- +The new value for the setting. + +type: keyword + +-- + +*`google_workspace.admin.old_value`*:: ++ +-- +The old value for the setting. + +type: keyword + +-- + +*`google_workspace.admin.org_unit.name`*:: ++ +-- +The organizational unit name. + +type: keyword + +-- + +*`google_workspace.admin.org_unit.full`*:: ++ +-- +The org unit full path including the root org unit name. + +type: keyword + +-- + +*`google_workspace.admin.setting.name`*:: ++ +-- +The setting name. + +type: keyword + +-- + +*`google_workspace.admin.user_defined_setting.name`*:: ++ +-- +The name of the user-defined setting. + +type: keyword + +-- + +*`google_workspace.admin.setting.description`*:: ++ +-- +The setting name. + +type: keyword + +-- + +*`google_workspace.admin.group.priorities`*:: ++ +-- +Group priorities. + +type: keyword + +-- + +*`google_workspace.admin.domain.alias`*:: ++ +-- +The domain alias. + +type: keyword + +-- + +*`google_workspace.admin.domain.name`*:: ++ +-- +The primary domain name. + +type: keyword + +-- + +*`google_workspace.admin.domain.secondary_name`*:: ++ +-- +The secondary domain name. + +type: keyword + +-- + +*`google_workspace.admin.managed_configuration`*:: ++ +-- +The name of the managed configuration. + +type: keyword + +-- + +*`google_workspace.admin.non_featured_services_selection`*:: ++ +-- +Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED + + +type: keyword + +-- + +*`google_workspace.admin.field`*:: ++ +-- +The name of the field. + +type: keyword + +-- + +*`google_workspace.admin.resource.id`*:: ++ +-- +The name of the resource identifier. + +type: keyword + +-- + +*`google_workspace.admin.user.email`*:: ++ +-- +The user's primary email address. + +type: keyword + +-- + +*`google_workspace.admin.user.nickname`*:: ++ +-- +The user's nickname. + +type: keyword + +-- + +*`google_workspace.admin.user.birthdate`*:: ++ +-- +The user's birth date. + +type: date + +-- + +*`google_workspace.admin.gateway.name`*:: ++ +-- +Gateway name. Present on some chat settings. + +type: keyword + +-- + +*`google_workspace.admin.chrome_os.session_type`*:: ++ +-- +Chrome OS session type. + +type: keyword + +-- + +*`google_workspace.admin.device.serial_number`*:: ++ +-- +Device serial number. + +type: keyword + +-- + +*`google_workspace.admin.device.id`*:: ++ +-- +type: keyword + +-- + +*`google_workspace.admin.device.type`*:: ++ +-- +Device type. + +type: keyword + +-- + +*`google_workspace.admin.print_server.name`*:: ++ +-- +The name of the print server. + +type: keyword + +-- + +*`google_workspace.admin.printer.name`*:: ++ +-- +The name of the printer. + +type: keyword + +-- + +*`google_workspace.admin.device.command_details`*:: ++ +-- +Command details. + +type: keyword + +-- + +*`google_workspace.admin.role.id`*:: ++ +-- +Unique identifier for this role privilege. + +type: keyword + +-- + +*`google_workspace.admin.role.name`*:: ++ +-- +The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings + + +type: keyword + +-- + +*`google_workspace.admin.privilege.name`*:: ++ +-- +Privilege name. + +type: keyword + +-- + +*`google_workspace.admin.service.name`*:: ++ +-- +The service name. + +type: keyword + +-- + +*`google_workspace.admin.url.name`*:: ++ +-- +The website name. + +type: keyword + +-- + +*`google_workspace.admin.product.name`*:: ++ +-- +The product name. + +type: keyword + +-- + +*`google_workspace.admin.product.sku`*:: ++ +-- +The product SKU. + +type: keyword + +-- + +*`google_workspace.admin.bulk_upload.failed`*:: ++ +-- +Number of failed records in bulk upload operation. + +type: long + +-- + +*`google_workspace.admin.bulk_upload.total`*:: ++ +-- +Number of total records in bulk upload operation. + +type: long + +-- + +*`google_workspace.admin.group.allowed_list`*:: ++ +-- +Names of allow-listed groups. + +type: keyword + +-- + +*`google_workspace.admin.email.quarantine_name`*:: ++ +-- +The name of the quarantine. + +type: keyword + +-- + +*`google_workspace.admin.email.log_search_filter.message_id`*:: ++ +-- +The log search filter's email message ID. + +type: keyword + +-- + +*`google_workspace.admin.email.log_search_filter.start_date`*:: ++ +-- +The log search filter's start date. + +type: date + +-- + +*`google_workspace.admin.email.log_search_filter.end_date`*:: ++ +-- +The log search filter's ending date. + +type: date + +-- + +*`google_workspace.admin.email.log_search_filter.recipient.value`*:: ++ +-- +The log search filter's email recipient. + +type: keyword + +-- + +*`google_workspace.admin.email.log_search_filter.sender.value`*:: ++ +-- +The log search filter's email sender. + +type: keyword + +-- + +*`google_workspace.admin.email.log_search_filter.recipient.ip`*:: ++ +-- +The log search filter's email recipient's IP address. + +type: ip + +-- + +*`google_workspace.admin.email.log_search_filter.sender.ip`*:: ++ +-- +The log search filter's email sender's IP address. + +type: ip + +-- + +*`google_workspace.admin.chrome_licenses.enabled`*:: ++ +-- +Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + + +type: keyword + +-- + +*`google_workspace.admin.chrome_licenses.allowed`*:: ++ +-- +Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + + +type: keyword + +-- + +*`google_workspace.admin.oauth2.service.name`*:: ++ +-- +OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + + +type: keyword + +-- + +*`google_workspace.admin.oauth2.application.id`*:: ++ +-- +OAuth2 application ID. + +type: keyword + +-- + +*`google_workspace.admin.oauth2.application.name`*:: ++ +-- +OAuth2 application name. + +type: keyword + +-- + +*`google_workspace.admin.oauth2.application.type`*:: ++ +-- +OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + + +type: keyword + +-- + +*`google_workspace.admin.verification_method`*:: ++ +-- +Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + + +type: keyword + +-- + +*`google_workspace.admin.alert.name`*:: ++ +-- +The alert name. + +type: keyword + +-- + +*`google_workspace.admin.rule.name`*:: ++ +-- +The rule name. + +type: keyword + +-- + +*`google_workspace.admin.api.client.name`*:: ++ +-- +The API client name. + +type: keyword + +-- + +*`google_workspace.admin.api.scopes`*:: ++ +-- +The API scopes. + +type: keyword + +-- + +*`google_workspace.admin.mdm.token`*:: ++ +-- +The MDM vendor enrollment token. + +type: keyword + +-- + +*`google_workspace.admin.mdm.vendor`*:: ++ +-- +The MDM vendor's name. + +type: keyword + +-- + +*`google_workspace.admin.info_type`*:: ++ +-- +This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + + +type: keyword + +-- + +*`google_workspace.admin.email_monitor.dest_email`*:: ++ +-- +The destination address of the email monitor. + +type: keyword + +-- + +*`google_workspace.admin.email_monitor.level.chat`*:: ++ +-- +The chat email monitor level. + +type: keyword + +-- + +*`google_workspace.admin.email_monitor.level.draft`*:: ++ +-- +The draft email monitor level. + +type: keyword + +-- + +*`google_workspace.admin.email_monitor.level.incoming`*:: ++ +-- +The incoming email monitor level. + +type: keyword + +-- + +*`google_workspace.admin.email_monitor.level.outgoing`*:: ++ +-- +The outgoing email monitor level. + +type: keyword + +-- + +*`google_workspace.admin.email_dump.include_deleted`*:: ++ +-- +Indicates if deleted emails are included in the export. + +type: boolean + +-- + +*`google_workspace.admin.email_dump.package_content`*:: ++ +-- +The contents of the mailbox package. + +type: keyword + +-- + +*`google_workspace.admin.email_dump.query`*:: ++ +-- +The search query used for the dump. + +type: keyword + +-- + +*`google_workspace.admin.request.id`*:: ++ +-- +The request ID. + +type: keyword + +-- + +*`google_workspace.admin.mobile.action.id`*:: ++ +-- +The mobile device action's ID. + +type: keyword + +-- + +*`google_workspace.admin.mobile.action.type`*:: ++ +-- +The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + + +type: keyword + +-- + +*`google_workspace.admin.mobile.certificate.name`*:: ++ +-- +The mobile certificate common name. + +type: keyword + +-- + +*`google_workspace.admin.mobile.company_owned_devices`*:: ++ +-- +The number of devices a company owns. + +type: long + +-- + +*`google_workspace.admin.distribution.entity.name`*:: ++ +-- +The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + + +type: keyword + +-- + +*`google_workspace.admin.distribution.entity.type`*:: ++ +-- +The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + + +type: keyword + +-- + + +*`google_workspace.drive.billable`*:: ++ +-- +Whether this activity is billable. + +type: boolean + +-- + +*`google_workspace.drive.source_folder_id`*:: ++ +-- +type: keyword + +-- + +*`google_workspace.drive.source_folder_title`*:: ++ +-- +type: keyword + +-- + +*`google_workspace.drive.destination_folder_id`*:: ++ +-- +type: keyword + +-- + +*`google_workspace.drive.destination_folder_title`*:: ++ +-- +type: keyword + +-- + +*`google_workspace.drive.file.id`*:: ++ +-- +type: keyword + +-- + +*`google_workspace.drive.file.type`*:: ++ +-- +Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`google_workspace.drive.originating_app_id`*:: ++ +-- +The Google Cloud Project ID of the application that performed the action. + + +type: keyword + +-- + +*`google_workspace.drive.file.owner.email`*:: ++ +-- +type: keyword + +-- + +*`google_workspace.drive.file.owner.is_shared_drive`*:: ++ +-- +Boolean flag denoting whether owner is a shared drive. + + +type: boolean + +-- + +*`google_workspace.drive.primary_event`*:: ++ +-- +Whether this is a primary event. A single user action in Drive may generate several events. + + +type: boolean + +-- + +*`google_workspace.drive.shared_drive_id`*:: ++ +-- +The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. + + +type: keyword + +-- + +*`google_workspace.drive.visibility`*:: ++ +-- +Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`google_workspace.drive.new_value`*:: ++ +-- +When a setting or property of the file changes, the new value for it will appear here. + + +type: keyword + +-- + +*`google_workspace.drive.old_value`*:: ++ +-- +When a setting or property of the file changes, the old value for it will appear here. + + +type: keyword + +-- + +*`google_workspace.drive.sheets_import_range_recipient_doc`*:: ++ +-- +Doc ID of the recipient of a sheets import range. + +type: keyword + +-- + +*`google_workspace.drive.old_visibility`*:: ++ +-- +When visibility changes, this holds the old value. + + +type: keyword + +-- + +*`google_workspace.drive.visibility_change`*:: ++ +-- +When visibility changes, this holds the new overall visibility of the file. + + +type: keyword + +-- + +*`google_workspace.drive.target_domain`*:: ++ +-- +The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. + + +type: keyword + +-- + +*`google_workspace.drive.added_role`*:: ++ +-- +Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`google_workspace.drive.membership_change_type`*:: ++ +-- +Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`google_workspace.drive.shared_drive_settings_change_type`*:: ++ +-- +Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`google_workspace.drive.removed_role`*:: ++ +-- +Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`google_workspace.drive.target`*:: ++ +-- +Target user or group. + +type: keyword + +-- + + +*`google_workspace.groups.acl_permission`*:: ++ +-- +Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + + +type: keyword + +-- + +*`google_workspace.groups.email`*:: ++ +-- +Group email. + + +type: keyword + +-- + +*`google_workspace.groups.member.email`*:: ++ +-- +Member email. + + +type: keyword + +-- + +*`google_workspace.groups.member.role`*:: ++ +-- +Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + + +type: keyword + +-- + +*`google_workspace.groups.setting`*:: ++ +-- +Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + + +type: keyword + +-- + +*`google_workspace.groups.new_value`*:: ++ +-- +New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + + +type: keyword + +-- + +*`google_workspace.groups.old_value`*:: ++ +-- +Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + +type: keyword + +-- + +*`google_workspace.groups.value`*:: ++ +-- +Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + + +type: keyword + +-- + +*`google_workspace.groups.message.id`*:: ++ +-- +SMTP message Id of an email message. Present for moderation events. + + +type: keyword + +-- + +*`google_workspace.groups.message.moderation_action`*:: ++ +-- +Message moderation action. Possible values are `approved` and `rejected`. + + +type: keyword + +-- + +*`google_workspace.groups.status`*:: ++ +-- +A status describing the output of an operation. Possible values are `failed` and `succeeded`. + + +type: keyword + +-- + + +*`google_workspace.login.affected_email_address`*:: ++ +-- +type: keyword + +-- + +*`google_workspace.login.challenge_method`*:: ++ +-- +Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + + +type: keyword + +-- + +*`google_workspace.login.failure_type`*:: ++ +-- +Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + + +type: keyword + +-- + +*`google_workspace.login.type`*:: ++ +-- +Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + + +type: keyword + +-- + +*`google_workspace.login.is_second_factor`*:: ++ +-- +type: boolean + +-- + +*`google_workspace.login.is_suspicious`*:: ++ +-- +type: boolean + +-- + + +*`google_workspace.saml.application_name`*:: ++ +-- +Saml SP application name. + + +type: keyword + +-- + +*`google_workspace.saml.failure_type`*:: ++ +-- +Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. + + +type: keyword + +-- + +*`google_workspace.saml.initiated_by`*:: ++ +-- +Requester of SAML authentication. + + +type: keyword + +-- + +*`google_workspace.saml.orgunit_path`*:: ++ +-- +User orgunit. + + +type: keyword + +-- + +*`google_workspace.saml.status_code`*:: ++ +-- +SAML status code. + + +type: long + +-- + +*`google_workspace.saml.second_level_status_code`*:: ++ +-- +SAML second level status code. + + type: long -- diff --git a/filebeat/docs/modules/google_workspace.asciidoc b/filebeat/docs/modules/google_workspace.asciidoc new file mode 100644 index 00000000000..4b33d09d1e2 --- /dev/null +++ b/filebeat/docs/modules/google_workspace.asciidoc @@ -0,0 +1,144 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-google_workspace]] +[role="xpack"] + +:modulename: google_workspace +:has-dashboards: false + +== Google Workspace module + +beta[] + +This is a module for ingesting data from the different Google Workspace audit reports API's. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: + +[options="header"] +|=========================================================================================================================================================================================================================== +| Google Workspace Service | Description | +| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | +| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | +| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | +| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. | +| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | +| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | +|=========================================================================================================================================================================================================================== + +[float] +=== Configure the module + +In order for Filebeat to ingest data from the Google Reports API you must: + +- Have an *administrator account*. +- https://support.google.com/workspacemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. +- https://support.google.com/workspacemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. +- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. + +This module will make use of the following *oauth2 scope*: + +- `https://www.googleapis.com/auth/admin.reports.audit.readonly` + +Once you have downloaded your service account credentials as a JSON file, +you can set up your module: + +[float] +===== Configuration options + +[source,yaml] +---- +- module: google_workspace + saml: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + user_accounts: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + login: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + admin: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + drive: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + groups: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" +---- + +Every fileset has the following configuration options: + +*`var.jwt_file`*:: + +Specifies the path to the JWT credentials file. + +*`var.delegated_account`*:: + +Email of the admin user used to access the API. + +*`var.http_client_timeout`*:: + +Duration of the time limit on HTTP requests made by the module. Defaults to +`60s`. + +*`var.interval`*:: + +Duration between requests to the API. Defaults to `2h`. + +NOTE: Google Workspace defaults to a 2 hour polling interval because Google reports can go from +some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. + +*`var.user_key`*:: + +Specifies the user key to fetch reports from. Defaults to `all`. + +*`var.cursor_default_tpl`*:: + +The template used by the input to define the default initial interval. Defaults to `{{now (parseDuration "-24h")}}`. + +[float] +==== Google Workspace Reports ECS fields + +This is a list of Google Workspace Reports fields that are mapped to ECS. + +[options="header"] +|=============================================================================================== +| Google Workspace Reports | ECS Fields | +| `items[].id.time` | `@timestamp` | +| `items[].id.uniqueQualifier` | `event.id` | +| `items[].id.applicationName` | `event.provider` | +| `items[].events[].name` | `event.action` | +| `items[].customerId` | `organization.id` | +| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | +| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | +| `items[].actor.profileId` | `source.user.id` | +|=============================================================================================== + +These are the common ones to all filesets. + +:has-dashboards!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules/gsuite.asciidoc b/filebeat/docs/modules/gsuite.asciidoc index 2b268425355..bff00ced026 100644 --- a/filebeat/docs/modules/gsuite.asciidoc +++ b/filebeat/docs/modules/gsuite.asciidoc @@ -12,6 +12,8 @@ This file is generated! See scripts/docs_collector.py beta[] +*Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.* + This is a module for ingesting data from the different GSuite audit reports API's. include::../include/gs-link.asciidoc[] diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index d4691215e37..34be8c86ec5 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -23,6 +23,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -94,6 +95,7 @@ include::modules/envoyproxy.asciidoc[] include::modules/f5.asciidoc[] include::modules/fortinet.asciidoc[] include::modules/gcp.asciidoc[] +include::modules/google_workspace.asciidoc[] include::modules/gsuite.asciidoc[] include::modules/haproxy.asciidoc[] include::modules/ibmmq.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 8e90ce8f07b..9c8aea58124 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -940,6 +940,58 @@ filebeat.modules: # the subscription. var.credentials_file: ${path.config}/gcp-service-account-xyz.json +#--------------------------- Google_workspace Module --------------------------- +- module: google_workspace + saml: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + user_accounts: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + + #----------------------------- Googlecloud Module ----------------------------- # googlecloud module is deprecated, please use gcp instead - module: gcp @@ -998,6 +1050,7 @@ filebeat.modules: var.credentials_file: ${path.config}/gcp-service-account-xyz.json #-------------------------------- Gsuite Module -------------------------------- +# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. - module: gsuite saml: enabled: true diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 80824451de4..d04fe5a5814 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -30,6 +30,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/f5" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/fortinet" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gcp" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/google_workspace" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/gsuite" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/ibmmq" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/imperva" diff --git a/x-pack/filebeat/module/google_workspace/_meta/config.yml b/x-pack/filebeat/module/google_workspace/_meta/config.yml new file mode 100644 index 00000000000..1d6c5ad4589 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/_meta/config.yml @@ -0,0 +1,50 @@ +- module: google_workspace + saml: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + user_accounts: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + diff --git a/x-pack/filebeat/module/google_workspace/_meta/docs.asciidoc b/x-pack/filebeat/module/google_workspace/_meta/docs.asciidoc new file mode 100644 index 00000000000..45c067edea1 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/_meta/docs.asciidoc @@ -0,0 +1,131 @@ +[role="xpack"] + +:modulename: google_workspace +:has-dashboards: false + +== Google Workspace module + +beta[] + +This is a module for ingesting data from the different Google Workspace audit reports API's. + +include::../include/gs-link.asciidoc[] + +[float] +=== Compatibility + +It is compatible with a subset of applications under the https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started[Google Reports API v1]. As of today it supports: + +[options="header"] +|=========================================================================================================================================================================================================================== +| Google Workspace Service | Description | +| SAML https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[api docs] https://support.google.com/a/answer/7007375?hl=en&ref_topic=9027054[help] | View users’ successful and failed sign-ins to SAML applications. | +| User Accounts https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[api docs] https://support.google.com/a/answer/9022875?hl=en&ref_topic=9027054[help] | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. | +| Login https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[api docs] https://support.google.com/a/answer/4580120?hl=en&ref_topic=9027054[help] | Track user sign-in activity to your domain. | +| Admin https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[api docs] https://support.google.com/a/answer/4579579?hl=en&ref_topic=9027054[help] | View administrator activity performed within the Google Admin console. | +| Drive https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[api docs] https://support.google.com/a/answer/4579696?hl=en&ref_topic=9027054[help] | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. | +| Groups https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[api docs] https://support.google.com/a/answer/6270454?hl=en&ref_topic=9027054[help] | Track changes to groups, group memberships and group messages. | +|=========================================================================================================================================================================================================================== + +[float] +=== Configure the module + +In order for Filebeat to ingest data from the Google Reports API you must: + +- Have an *administrator account*. +- https://support.google.com/workspacemigrate/answer/9222993?hl=en[Set up a ServiceAccount] using the administrator account. +- https://support.google.com/workspacemigrate/answer/9222865?hl=en[Set up access to the Admin SDK API] for the ServiceAccount. +- https://developers.google.com/admin-sdk/reports/v1/guides/delegation[Enable Domain-Wide Delegation] for your ServiceAccount. + +This module will make use of the following *oauth2 scope*: + +- `https://www.googleapis.com/auth/admin.reports.audit.readonly` + +Once you have downloaded your service account credentials as a JSON file, +you can set up your module: + +[float] +===== Configuration options + +[source,yaml] +---- +- module: google_workspace + saml: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + user_accounts: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + login: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + admin: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + drive: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" + groups: + enabled: true + var.jwt_file: "./credentials_file.json" + var.delegated_account: "user@example.com" +---- + +Every fileset has the following configuration options: + +*`var.jwt_file`*:: + +Specifies the path to the JWT credentials file. + +*`var.delegated_account`*:: + +Email of the admin user used to access the API. + +*`var.http_client_timeout`*:: + +Duration of the time limit on HTTP requests made by the module. Defaults to +`60s`. + +*`var.interval`*:: + +Duration between requests to the API. Defaults to `2h`. + +NOTE: Google Workspace defaults to a 2 hour polling interval because Google reports can go from +some minutes up to 3 days of delay. For more details on this, you can read more https://support.google.com/a/answer/7061566[here]. + +*`var.user_key`*:: + +Specifies the user key to fetch reports from. Defaults to `all`. + +*`var.cursor_default_tpl`*:: + +The template used by the input to define the default initial interval. Defaults to `{{now (parseDuration "-24h")}}`. + +[float] +==== Google Workspace Reports ECS fields + +This is a list of Google Workspace Reports fields that are mapped to ECS. + +[options="header"] +|=============================================================================================== +| Google Workspace Reports | ECS Fields | +| `items[].id.time` | `@timestamp` | +| `items[].id.uniqueQualifier` | `event.id` | +| `items[].id.applicationName` | `event.provider` | +| `items[].events[].name` | `event.action` | +| `items[].customerId` | `organization.id` | +| `items[].ipAddress` | `source.ip`, related.ip`, `source.as.*`, `source.geo.*` | +| `items[].actor.email` | `source.user.email`, `source.user.name`, `source.user.domain` | +| `items[].actor.profileId` | `source.user.id` | +|=============================================================================================== + +These are the common ones to all filesets. + +:has-dashboards!: + +:modulename!: diff --git a/x-pack/filebeat/module/google_workspace/_meta/fields.yml b/x-pack/filebeat/module/google_workspace/_meta/fields.yml new file mode 100644 index 00000000000..ecaa0c28dfe --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/_meta/fields.yml @@ -0,0 +1,42 @@ +- key: google_workspace + title: "google_workspace" + description: > + Google Workspace Module + fields: + - name: google_workspace + default_field: false + type: group + description: > + Google Workspace specific fields. + + More information about specific fields can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + fields: + - name: actor.type + type: keyword + description: > + The type of actor. + + Values can be: + *USER*: Another user in the same domain. + *EXTERNAL_USER*: A user outside the domain. + *KEY*: A non-human actor. + - name: actor.key + type: keyword + description: > + Only present when `actor.type` is `KEY`. Can be the `consumer_key` of the requestor for OAuth 2LO API requests or an identifier for robot accounts. + - name: event.type + type: keyword + description: > + The type of Google Workspace event, mapped from `items[].events[].type` in the original payload. + Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + example: audit#activity + - name: kind + type: keyword + description: > + The type of API resource, mapped from `kind` in the original payload. + More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list + example: audit#activity + - name: organization.domain + type: keyword + description: > + The domain that is affected by the report's event. diff --git a/x-pack/filebeat/module/google_workspace/admin/_meta/fields.yml b/x-pack/filebeat/module/google_workspace/admin/_meta/fields.yml new file mode 100644 index 00000000000..219e50dc46a --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/_meta/fields.yml @@ -0,0 +1,271 @@ +- name: admin + type: group + fields: + - name: application.edition + type: keyword + description: The Google Workspace edition. + - name: application.name + type: keyword + description: The application's name. + - name: application.enabled + type: keyword + description: The enabled application. + - name: application.licences_order_number + type: keyword + description: Order number used to redeem licenses. + - name: application.licences_purchased + type: keyword + description: Number of licences purchased. + - name: application.id + type: keyword + description: The application ID. + - name: application.asp_id + type: keyword + description: The application specific password ID. + - name: application.package_id + type: keyword + description: The mobile application package ID. + - name: group.email + type: keyword + description: The group's primary email address. + - name: new_value + type: keyword + description: The new value for the setting. + - name: old_value + type: keyword + description: The old value for the setting. + - name: org_unit.name + type: keyword + description: The organizational unit name. + - name: org_unit.full + type: keyword + description: The org unit full path including the root org unit name. + - name: setting.name + type: keyword + description: The setting name. + - name: user_defined_setting.name + type: keyword + description: The name of the user-defined setting. + - name: setting.description + type: keyword + description: The setting name. + - name: group.priorities + type: keyword + description: Group priorities. + - name: domain.alias + type: keyword + description: The domain alias. + - name: domain.name + type: keyword + description: The primary domain name. + - name: domain.secondary_name + type: keyword + description: The secondary domain name. + - name: managed_configuration + type: keyword + description: The name of the managed configuration. + - name: non_featured_services_selection + type: keyword + description: > + Non-featured services selection. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED + - name: field + type: keyword + description: The name of the field. + - name: resource.id + type: keyword + description: The name of the resource identifier. + - name: user.email + type: keyword + description: The user's primary email address. + - name: user.nickname + type: keyword + description: The user's nickname. + - name: user.birthdate + type: date + description: The user's birth date. + - name: gateway.name + type: keyword + description: Gateway name. Present on some chat settings. + - name: chrome_os.session_type + type: keyword + description: Chrome OS session type. + - name: device.serial_number + type: keyword + description: Device serial number. + - name: device.id + type: keyword + - name: device.type + type: keyword + description: Device type. + - name: print_server.name + type: keyword + description: The name of the print server. + - name: printer.name + type: keyword + description: The name of the printer. + - name: device.command_details + type: keyword + description: Command details. + - name: role.id + type: keyword + description: Unique identifier for this role privilege. + - name: role.name + type: keyword + description: > + The role name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings + - name: privilege.name + type: keyword + description: Privilege name. + - name: service.name + type: keyword + description: The service name. + - name: url.name + type: keyword + description: The website name. + - name: product.name + type: keyword + description: The product name. + - name: product.sku + type: keyword + description: The product SKU. + - name: bulk_upload.failed + type: long + description: Number of failed records in bulk upload operation. + - name: bulk_upload.total + type: long + description: Number of total records in bulk upload operation. + - name: group.allowed_list + type: keyword + description: Names of allow-listed groups. + - name: email.quarantine_name + type: keyword + description: The name of the quarantine. + - name: email.log_search_filter.message_id + type: keyword + description: The log search filter's email message ID. + - name: email.log_search_filter.start_date + type: date + description: The log search filter's start date. + - name: email.log_search_filter.end_date + type: date + description: The log search filter's ending date. + - name: email.log_search_filter.recipient.value + type: keyword + description: The log search filter's email recipient. + - name: email.log_search_filter.sender.value + type: keyword + description: The log search filter's email sender. + - name: email.log_search_filter.recipient.ip + type: ip + description: The log search filter's email recipient's IP address. + - name: email.log_search_filter.sender.ip + type: ip + description: The log search filter's email sender's IP address. + - name: chrome_licenses.enabled + type: keyword + description: > + Licences enabled. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: chrome_licenses.allowed + type: keyword + description: > + Licences enabled. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + - name: oauth2.service.name + type: keyword + description: > + OAuth2 service name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: oauth2.application.id + type: keyword + description: OAuth2 application ID. + - name: oauth2.application.name + type: keyword + description: OAuth2 application name. + - name: oauth2.application.type + type: keyword + description: > + OAuth2 application type. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + - name: verification_method + type: keyword + description: > + Related verification method. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and + https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: alert.name + type: keyword + description: The alert name. + - name: rule.name + type: keyword + description: The rule name. + - name: api.client.name + type: keyword + description: The API client name. + - name: api.scopes + type: keyword + description: The API scopes. + - name: mdm.token + type: keyword + description: The MDM vendor enrollment token. + - name: mdm.vendor + type: keyword + description: The MDM vendor's name. + - name: info_type + type: keyword + description: > + This will be used to state what kind of information was changed. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + - name: email_monitor.dest_email + type: keyword + description: The destination address of the email monitor. + - name: email_monitor.level.chat + type: keyword + description: The chat email monitor level. + - name: email_monitor.level.draft + type: keyword + description: The draft email monitor level. + - name: email_monitor.level.incoming + type: keyword + description: The incoming email monitor level. + - name: email_monitor.level.outgoing + type: keyword + description: The outgoing email monitor level. + - name: email_dump.include_deleted + type: boolean + description: Indicates if deleted emails are included in the export. + - name: email_dump.package_content + type: keyword + description: The contents of the mailbox package. + - name: email_dump.query + type: keyword + description: The search query used for the dump. + - name: request.id + type: keyword + description: The request ID. + - name: mobile.action.id + type: keyword + description: The mobile device action's ID. + - name: mobile.action.type + type: keyword + description: > + The mobile device action's type. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + - name: mobile.certificate.name + type: keyword + description: The mobile certificate common name. + - name: mobile.company_owned_devices + type: long + description: The number of devices a company owns. + - name: distribution.entity.name + type: keyword + description: > + The distribution entity value, which can be a group name or an org-unit name. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + - name: distribution.entity.type + type: keyword + description: > + The distribution entity type, which can be a group or an org-unit. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings diff --git a/x-pack/filebeat/module/google_workspace/admin/config/config.yml b/x-pack/filebeat/module/google_workspace/admin/config/config.yml new file mode 100644 index 00000000000..7836da2fa55 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/config/config.yml @@ -0,0 +1,56 @@ +{{ if eq .input "httpjson" }} +type: httpjson +config_version: "2" +interval: {{ .interval }} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{ .jwt_file }} +auth.oauth2.google.delegated_account: {{ .delegated_account }} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/admin +{{ if .http_client_timeout }} +request.timeout: {{ .http_client_timeout }} +{{ end }} +request.transforms: + - set: + target: url.params.startTime + value: "[[.cursor.last_execution_datetime]]" + default: '[[now (parseDuration "-{{.initial_interval}}")]]' +response.split: + target: body.items + split: + target: events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" +cursor: + last_execution_datetime: + value: "[[now]]" + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.7.0 + - script: + lang: javascript + id: gworkspace-common + file: ${path.home}/module/google_workspace/config/common.js + - script: + lang: javascript + id: gworkspace-admin + file: ${path.home}/module/google_workspace/admin/config/pipeline.js diff --git a/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js b/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js new file mode 100644 index 00000000000..fe189875d65 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js @@ -0,0 +1,946 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var login = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["iam"]); + switch (evt.Get("event.action")) { + case "CHANGE_APPLICATION_SETTING": + case "UPDATE_MANAGED_CONFIGURATION": + case "GPLUS_PREMIUM_FEATURES": + case "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED": + case "UPDATE_BUILDING": + case "UPDATE_CALENDAR_RESOURCE_FEATURE": + case "RENAME_CALENDAR_RESOURCE": + case "UPDATE_CALENDAR_RESOURCE": + case "CHANGE_CALENDAR_SETTING": + case "CANCEL_CALENDAR_EVENTS": + case "RELEASE_CALENDAR_RESOURCES": + case "MEET_INTEROP_MODIFY_GATEWAY": + case "CHANGE_CHAT_SETTING": + case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING": + case "CHANGE_DEVICE_STATE": + case "CHANGE_CHROME_OS_APPLICATION_SETTING": + case "CHANGE_CHROME_OS_DEVICE_ANNOTATION": + case "CHANGE_CHROME_OS_DEVICE_SETTING": + case "CHANGE_CHROME_OS_DEVICE_STATE": + case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING": + case "UPDATE_CHROME_OS_PRINT_SERVER": + case "UPDATE_CHROME_OS_PRINTER": + case "CHANGE_CHROME_OS_SETTING": + case "CHANGE_CHROME_OS_USER_SETTING": + case "MOVE_DEVICE_TO_ORG_UNIT_DETAILED": + case "UPDATE_DEVICE": + case "SEND_CHROME_OS_DEVICE_COMMAND": + case "CHANGE_CONTACTS_SETTING": + case "ASSIGN_ROLE": + case "ADD_PRIVILEGE": + case "REMOVE_PRIVILEGE": + case "RENAME_ROLE": + case "UPDATE_ROLE": + case "UNASSIGN_ROLE": + case "TRANSFER_DOCUMENT_OWNERSHIP": + case "CHANGE_DOCS_SETTING": + case "CHANGE_SITES_SETTING": + case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES": + case "ORG_USERS_LICENSE_ASSIGNMENT": + case "ORG_ALL_USERS_LICENSE_ASSIGNMENT": + case "USER_LICENSE_ASSIGNMENT": + case "CHANGE_LICENSE_AUTO_ASSIGN": + case "USER_LICENSE_REASSIGNMENT": + case "ORG_LICENSE_REVOKE": + case "USER_LICENSE_REVOKE": + case "UPDATE_DYNAMIC_LICENSE": + case "DROP_FROM_QUARANTINE": + case "CHANGE_EMAIL_SETTING": + case "CHANGE_GMAIL_SETTING": + case "REJECT_FROM_QUARANTINE": + case "RELEASE_FROM_QUARANTINE": + case "CHROME_LICENSES_ENABLED": + case "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED": + case "ASSIGN_CUSTOM_LOGO": + case "UNASSIGN_CUSTOM_LOGO": + case "REVOKE_ENROLLMENT_TOKEN": + case "CHROME_LICENSES_ALLOWED": + case "EDIT_ORG_UNIT_DESCRIPTION": + case "MOVE_ORG_UNIT": + case "EDIT_ORG_UNIT_NAME": + case "REVOKE_DEVICE_ENROLLMENT_TOKEN": + case "TOGGLE_SERVICE_ENABLED": + case "ALLOW_STRONG_AUTHENTICATION": + case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID": + case "ADD_TO_TRUSTED_OAUTH2_APPS": + case "REMOVE_FROM_TRUSTED_OAUTH2_APPS": + case "BLOCK_ON_DEVICE_ACCESS": + case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY": + case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_START_DATE": + case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS": + case "TOGGLE_CAA_ENABLEMENT": + case "CHANGE_CAA_ERROR_MESSAGE": + case "CHANGE_CAA_APP_ASSIGNMENTS": + case "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS": + case "TRUST_DOMAIN_OWNED_OAUTH2_APPS": + case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY": + case "ENFORCE_STRONG_AUTHENTICATION": + case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS": + case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED": + case "SESSION_CONTROL_SETTINGS_CHANGE": + case "CHANGE_SESSION_LENGTH": + case "UNBLOCK_ON_DEVICE_ACCESS": + case "CHANGE_ACCOUNT_AUTO_RENEWAL": + case "ADD_APPLICATION": + case "ADD_APPLICATION_TO_WHITELIST": + case "CHANGE_ADVERTISEMENT_OPTION": + case "CHANGE_ALERT_CRITERIA": + case "ALERT_RECEIVERS_CHANGED": + case "RENAME_ALERT": + case "ALERT_STATUS_CHANGED": + case "ADD_DOMAIN_ALIAS": + case "REMOVE_DOMAIN_ALIAS": + case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS": + case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET": + case "ENABLE_API_ACCESS": + case "AUTHORIZE_API_CLIENT_ACCESS": + case "REMOVE_API_CLIENT_ACCESS": + case "CHROME_LICENSES_REDEEMED": + case "TOGGLE_AUTO_ADD_NEW_SERVICE": + case "CHANGE_PRIMARY_DOMAIN": + case "CHANGE_WHITELIST_SETTING": + case "COMMUNICATION_PREFERENCES_SETTING_CHANGE": + case "CHANGE_CONFLICT_ACCOUNT_ACTION": + case "ENABLE_FEEDBACK_SOLICITATION": + case "TOGGLE_CONTACT_SHARING": + case "TOGGLE_USE_CUSTOM_LOGO": + case "CHANGE_CUSTOM_LOGO": + case "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA": + case "CHANGE_DATA_LOCALIZATION_SETTING": + case "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO": + case "CHANGE_DOMAIN_DEFAULT_LOCALE": + case "CHANGE_DOMAIN_DEFAULT_TIMEZONE": + case "CHANGE_DOMAIN_NAME": + case "TOGGLE_ENABLE_PRE_RELEASE_FEATURES": + case "CHANGE_DOMAIN_SUPPORT_MESSAGE": + case "ADD_TRUSTED_DOMAINS": + case "REMOVE_TRUSTED_DOMAINS": + case "CHANGE_EDU_TYPE": + case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY": + case "TOGGLE_SSO_ENABLED": + case "TOGGLE_SSL": + case "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO": + case "CHANGE_LOGIN_BACKGROUND_COLOR": + case "CHANGE_LOGIN_BORDER_COLOR": + case "CHANGE_LOGIN_ACTIVITY_TRACE": + case "PLAY_FOR_WORK_ENROLL": + case "PLAY_FOR_WORK_UNENROLL": + case "TOGGLE_NEW_APP_FEATURES": + case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL": + case "TOGGLE_OPEN_ID_ENABLED": + case "CHANGE_ORGANIZATION_NAME": + case "TOGGLE_OUTBOUND_RELAY": + case "CHANGE_PASSWORD_MAX_LENGTH": + case "CHANGE_PASSWORD_MIN_LENGTH": + case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL": + case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS": + case "REMOVE_APPLICATION": + case "REMOVE_APPLICATION_FROM_WHITELIST": + case "CHANGE_RENEW_DOMAIN_REGISTRATION": + case "CHANGE_RESELLER_ACCESS": + case "RULE_ACTIONS_CHANGED": + case "CHANGE_RULE_CRITERIA": + case "RENAME_RULE": + case "RULE_STATUS_CHANGED": + case "ADD_SECONDARY_DOMAIN": + case "REMOVE_SECONDARY_DOMAIN": + case "UPDATE_DOMAIN_SECONDARY_EMAIL": + case "CHANGE_SSO_SETTINGS": + case "UPDATE_RULE": + case "ADD_MOBILE_CERTIFICATE": + case "COMPANY_OWNED_DEVICE_BLOCKED": + case "COMPANY_OWNED_DEVICE_UNBLOCKED": + case "COMPANY_OWNED_DEVICE_WIPED": + case "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT": + case "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER": + case "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST": + case "CHANGE_MOBILE_APPLICATION_SETTINGS": + case "ADD_MOBILE_APPLICATION_TO_WHITELIST": + case "CHANGE_MOBILE_SETTING": + case "CHANGE_ADMIN_RESTRICTIONS_PIN": + case "CHANGE_MOBILE_WIRELESS_NETWORK": + case "ADD_MOBILE_WIRELESS_NETWORK": + case "REMOVE_MOBILE_WIRELESS_NETWORK": + case "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD": + case "REMOVE_MOBILE_CERTIFICATE": + evt.Put("event.type", ["change"]); + break; + case "CREATE_APPLICATION_SETTING": + case "CREATE_MANAGED_CONFIGURATION": + case "CREATE_BUILDING": + case "CREATE_CALENDAR_RESOURCE": + case "CREATE_CALENDAR_RESOURCE_FEATURE": + case "MEET_INTEROP_CREATE_GATEWAY": + case "INSERT_CHROME_OS_PRINT_SERVER": + case "INSERT_CHROME_OS_PRINTER": + case "CREATE_ROLE": + case "ADD_WEB_ADDRESS": + case "EMAIL_UNDELETE": + case "CREATE_GMAIL_SETTING": + case "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED": + case "CREATE_DEVICE_ENROLLMENT_TOKEN": + case "CREATE_ENROLLMENT_TOKEN": + case "CREATE_ORG_UNIT": + case "CREATE_ALERT": + case "CREATE_PLAY_FOR_WORK_TOKEN": + case "GENERATE_TRANSFER_TOKEN": + case "REGENERATE_OAUTH_CONSUMER_SECRET": + case "CREATE_RULE": + case "GENERATE_PIN": + case "COMPANY_DEVICES_BULK_CREATION": + evt.Put("event.type", ["creation"]); + break; + case "DELETE_APPLICATION_SETTING": + case "DELETE_MANAGED_CONFIGURATION": + case "DELETE_BUILDING": + case "DELETE_CALENDAR_RESOURCE": + case "DELETE_CALENDAR_RESOURCE_FEATURE": + case "MEET_INTEROP_DELETE_GATEWAY": + case "DELETE_CHROME_OS_PRINT_SERVER": + case "DELETE_CHROME_OS_PRINTER": + case "REMOVE_CHROME_OS_APPLICATION_SETTINGS": + case "DELETE_ROLE": + case "DELETE_WEB_ADDRESS": + case "DELETE_GMAIL_SETTING": + case "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED": + case "REMOVE_ORG_UNIT": + case "DELETE_ALERT": + case "DELETE_PLAY_FOR_WORK_TOKEN": + case "DELETE_RULE": + case "COMPANY_DEVICE_DELETION": + evt.Put("event.type", ["deletion"]); + break; + case "DELETE_GROUP": + evt.Put("event.type", ["group", "creation"]); + break; + case "CREATE_GROUP": + evt.Put("event.type", ["group", "creation"]); + break; + case "REORDER_GROUP_BASED_POLICIES_EVENT": + case "CHANGE_GROUP_DESCRIPTION": + case "ADD_GROUP_MEMBER": + case "REMOVE_GROUP_MEMBER": + case "UPDATE_GROUP_MEMBER": + case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS": + case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE": + case "CHANGE_GROUP_NAME": + case "CHANGE_GROUP_SETTING": + case "GROUP_MEMBER_BULK_UPLOAD": + case "WHITELISTED_GROUPS_UPDATED": + evt.Put("event.type", ["group", "change"]); + break; + case "REVOKE_3LO_DEVICE_TOKENS": + case "REVOKE_3LO_TOKEN": + case "ADD_RECOVERY_EMAIL": + case "ADD_RECOVERY_PHONE": + case "GRANT_ADMIN_PRIVILEGE": + case "REVOKE_ADMIN_PRIVILEGE": + case "REVOKE_ASP": + case "TOGGLE_AUTOMATIC_CONTACT_SHARING": + case "CANCEL_USER_INVITE": + case "CHANGE_USER_CUSTOM_FIELD": + case "CHANGE_USER_EXTERNAL_ID": + case "CHANGE_USER_GENDER": + case "CHANGE_USER_IM": + case "ENABLE_USER_IP_WHITELIST": + case "CHANGE_USER_KEYWORD": + case "CHANGE_USER_LANGUAGE": + case "CHANGE_USER_LOCATION": + case "CHANGE_USER_ORGANIZATION": + case "CHANGE_USER_PHONE_NUMBER": + case "CHANGE_RECOVERY_EMAIL": + case "CHANGE_RECOVERY_PHONE": + case "CHANGE_USER_RELATION": + case "CHANGE_USER_ADDRESS": + case "GRANT_DELEGATED_ADMIN_PRIVILEGES": + case "CHANGE_FIRST_NAME": + case "GMAIL_RESET_USER": + case "CHANGE_LAST_NAME": + case "MAIL_ROUTING_DESTINATION_ADDED": + case "MAIL_ROUTING_DESTINATION_REMOVED": + case "ADD_NICKNAME": + case "REMOVE_NICKNAME": + case "CHANGE_PASSWORD": + case "CHANGE_PASSWORD_ON_NEXT_LOGIN": + case "REMOVE_RECOVERY_EMAIL": + case "REMOVE_RECOVERY_PHONE": + case "RESET_SIGNIN_COOKIES": + case "SECURITY_KEY_REGISTERED_FOR_USER": + case "REVOKE_SECURITY_KEY": + case "TURN_OFF_2_STEP_VERIFICATION": + case "UNBLOCK_USER_SESSION": + case "UNENROLL_USER_FROM_TITANIUM": + case "ARCHIVE_USER": + case "UPDATE_BIRTHDATE": + case "DOWNGRADE_USER_FROM_GPLUS": + case "USER_ENROLLED_IN_TWO_STEP_VERIFICATION": + case "MOVE_USER_TO_ORG_UNIT": + case "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD": + case "RENAME_USER": + case "UNENROLL_USER_FROM_STRONG_AUTH": + case "SUSPEND_USER": + case "UNARCHIVE_USER": + case "UNSUSPEND_USER": + case "UPGRADE_USER_TO_GPLUS": + case "MOBILE_DEVICE_APPROVE": + case "MOBILE_DEVICE_BLOCK": + case "MOBILE_DEVICE_WIPE": + case "MOBILE_ACCOUNT_WIPE": + case "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE": + case "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK": + evt.Put("event.type", ["user", "change"]); + break; + case "DELETE_2SV_SCRATCH_CODES": + case "DELETE_ACCOUNT_INFO_DUMP": + case "DELETE_EMAIL_MONITOR": + case "DELETE_MAILBOX_DUMP": + case "DELETE_USER": + case "MOBILE_DEVICE_DELETE": + evt.Put("event.type", ["user", "deletion"]); + break; + case "GENERATE_2SV_SCRATCH_CODES": + case "CREATE_EMAIL_MONITOR": + case "CREATE_DATA_TRANSFER_REQUEST": + case "CREATE_USER": + case "UNDELETE_USER": + evt.Put("event.type", ["user", "creation"]); + break; + case "ISSUE_DEVICE_COMMAND": + case "DRIVE_DATA_RESTORE": + case "VIEW_SITE_DETAILS": + case "EMAIL_LOG_SEARCH": + case "SKIP_DOMAIN_ALIAS_MX": + case "VERIFY_DOMAIN_ALIAS_MX": + case "VERIFY_DOMAIN_ALIAS": + case "VIEW_DNS_LOGIN_DETAILS": + case "MX_RECORD_VERIFICATION_CLAIM": + case "UPLOAD_OAUTH_CERTIFICATE": + case "SKIP_SECONDARY_DOMAIN_MX": + case "VERIFY_SECONDARY_DOMAIN_MX": + case "VERIFY_SECONDARY_DOMAIN": + case "BULK_UPLOAD": + case "DOWNLOAD_PENDING_INVITES_LIST": + case "DOWNLOAD_USERLIST_CSV": + case "USERS_BULK_UPLOAD": + case "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT": + case "USE_GOOGLE_MOBILE_MANAGEMENT": + case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS": + case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS": + evt.Put("event.type", ["info"]); + break; + case "GROUP_LIST_DOWNLOAD": + case "GROUP_MEMBERS_DOWNLOAD": + evt.Put("event.type", ["group", "info"]); + break; + case "REQUEST_ACCOUNT_INFO": + case "REQUEST_MAILBOX_DUMP": + case "RESEND_USER_INVITE": + case "BULK_UPLOAD_NOTIFICATION_SENT": + case "USER_INVITE": + case "VIEW_TEMP_PASSWORD": + case "USERS_BULK_UPLOAD_NOTIFICATION_SENT": + case "ACTION_CANCELLED": + case "ACTION_REQUESTED": + evt.Put("event.type", ["user", "info"]); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + if (param.intValue !== null) { + return param.intValue; + } + }; + + var flattenParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + params.forEach(function(p){ + evt.Put("google_workspace.admin."+p.name, getParamValue(p)); + }); + + evt.Delete("json.events.parameters"); + }; + + var setGroupInfo = function(evt) { + var email = evt.Get("google_workspace.admin.group.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("group.name", data[0]); + evt.Put("group.domain", data[1]); + }; + + var setRelatedUserInfo = function(evt) { + var email = evt.Get("google_workspace.admin.user.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.AppendTo("related.user", data[0]); + }; + + var setEventDuration = function(evt) { + var start = evt.Get("event.start"); + var end = evt.Get("event.end"); + if (!start || !end) { + return; + } + + evt.Put("event.duration", end.UnixNano() - start.UnixNano()); + }; + + var setEventOutcome = function(evt) { + var failed = evt.Get("google_workspace.admin.group.bulk_upload.failed"); + if (failed === null) { + return; + } + + if (failed === 0) { + evt.Put("event.outcome", "success"); + } else { + evt.Put("event.outcome", "failure"); + } + }; + + var setGroupAllowedlist = function(evt) { + var allowedList = evt.Get("google_workspace.admin.WHITELISTED_GROUPS"); + if (!allowedList) { + return; + } + + evt.Put("google_workspace.admin.group.allowed_list", allowedList.split(",")); + evt.Delete("google_workspace.admin.WHITELISTED_GROUPS"); + }; + + var deleteField = function(field) { + return function(evt) { + evt.Delete(field); + }; + }; + + var parseDate = function(field, targetField) { + return new processor.Chain() + .Add(new processor.Timestamp({ + field: field, + target_field: targetField, + timezone: "UTC", + layouts: [ + "2006-01-02T15:04:05Z", + "2006-01-02T15:04:05.999Z", + "2006/01/02 15:04:05 UTC", + ], + tests: [ + "2020-02-05T18:19:23Z", + "2020-02-05T18:19:23.599Z", + "2020/07/28 04:59:59 UTC", + ], + ignore_missing: true, + })) + .Add(deleteField(field)) + .Build() + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(flattenParams) + .Convert({ + fields: [ + { + from: "google_workspace.admin.APPLICATION_EDITION", + to: "google_workspace.admin.application.edition", + }, + { + from: "google_workspace.admin.APPLICATION_NAME", + to: "google_workspace.admin.application.name", + }, + { + from: "google_workspace.admin.APPLICATION_ENABLED", + to: "google_workspace.admin.application.enabled", + }, + { + from: "google_workspace.admin.APP_LICENSES_ORDER_NUMBER", + to: "google_workspace.admin.application.licences_order_number", + }, + { + from: "google_workspace.admin.CHROME_NUM_LICENSES_PURCHASED", + to: "google_workspace.admin.application.licences_purchased", + type: "long", + }, + { + from: "google_workspace.admin.REAUTH_APPLICATION", + to: "google_workspace.admin.application.name", + }, + { + from: "google_workspace.admin.GROUP_EMAIL", + to: "google_workspace.admin.group.email", + }, + { + from: "google_workspace.admin.GROUP_NAME", + to: "group.name", + }, + { + from: "google_workspace.admin.NEW_VALUE", + to: "google_workspace.admin.new_value", + }, + { + from: "google_workspace.admin.OLD_VALUE", + to: "google_workspace.admin.old_value", + }, + { + from: "google_workspace.admin.ORG_UNIT_NAME", + to: "google_workspace.admin.org_unit.name", + }, + { + from: "google_workspace.admin.SETTING_NAME", + to: "google_workspace.admin.setting.name", + }, + { + from: "google_workspace.admin.SETTING_DESCRIPTION", + to: "google_workspace.admin.setting.description", + }, + { + from: "google_workspace.admin.USER_DEFINED_SETTING_NAME", + to: "google_workspace.admin.user_defined_setting.name", + }, + { + from: "google_workspace.admin.GROUP_PRIORITIES", + to: "google_workspace.admin.group.priorities", + }, + { + from: "google_workspace.admin.DOMAIN_NAME", + to: "google_workspace.admin.domain.name", + }, + { + from: "google_workspace.admin.DOMAIN_ALIAS", + to: "google_workspace.admin.domain.alias", + }, + { + from: "google_workspace.admin.SECONDARY_DOMAIN_NAME", + to: "google_workspace.admin.domain.secondary_name", + }, + { + from: "google_workspace.admin.MANAGED_CONFIGURATION_NAME", + to: "google_workspace.admin.managed_configuration", + }, + { + from: "google_workspace.admin.MOBILE_APP_PACKAGE_ID", + to: "google_workspace.admin.application.package_id", + }, + { + from: "google_workspace.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION", + to: "google_workspace.admin.non_featured_services_selection", + }, + { + from: "google_workspace.admin.FIELD_NAME", + to: "google_workspace.admin.field", + }, + { + from: "google_workspace.admin.RESOURCE_IDENTIFIER", + to: "google_workspace.admin.resource.id", + }, + { + from: "google_workspace.admin.USER_EMAIL", + to: "google_workspace.admin.user.email", + }, + { + from: "google_workspace.admin.GATEWAY_NAME", + to: "google_workspace.admin.gateway.name", + }, + { + from: "google_workspace.admin.APP_ID", + to: "google_workspace.admin.application.id", + }, + { + from: "google_workspace.admin.ASP_ID", + to: "google_workspace.admin.application.asp_id", + }, + { + from: "google_workspace.admin.CHROME_OS_SESSION_TYPE", + to: "google_workspace.admin.chrome_os.session_type", + }, + { + from: "google_workspace.admin.DEVICE_NEW_STATE", + to: "google_workspace.admin.new_value", + }, + { + from: "google_workspace.admin.DEVICE_PREVIOUS_STATE", + to: "google_workspace.admin.old_value", + }, + { + from: "google_workspace.admin.DEVICE_SERIAL_NUMBER", + to: "google_workspace.admin.device.serial_number", + }, + { + from: "google_workspace.admin.DEVICE_ID", + to: "google_workspace.admin.device.id", + }, + { + from: "google_workspace.admin.DEVICE_TYPE", + to: "google_workspace.admin.device.type", + }, + { + from: "google_workspace.admin.PRINT_SERVER_NAME", + to: "google_workspace.admin.print_server.name", + }, + { + from: "google_workspace.admin.PRINTER_NAME", + to: "google_workspace.admin.printer.name", + }, + { + from: "google_workspace.admin.DEVICE_COMMAND_DETAILS", + to: "google_workspace.admin.device.command_details", + }, + { + from: "google_workspace.admin.DEVICE_NEW_ORG_UNIT", + to: "google_workspace.admin.new_value", + }, + { + from: "google_workspace.admin.DEVICE_PREVIOUS_ORG_UNIT", + to: "google_workspace.admin.old_value", + }, + { + from: "google_workspace.admin.ROLE_NAME", + to: "google_workspace.admin.role.name", + }, + { + from: "google_workspace.admin.ROLE_ID", + to: "google_workspace.admin.role.id", + }, + { + from: "google_workspace.admin.PRIVILEGE_NAME", + to: "google_workspace.admin.privilege.name", + }, + { + from: "google_workspace.admin.SITE_LOCATION", + to: "url.path", + }, + { + from: "google_workspace.admin.WEB_ADDRESS", + to: "url.full", + }, + { + from: "google_workspace.admin.SITE_NAME", + to: "google_workspace.admin.url.name", + }, + { + from: "google_workspace.admin.SERVICE_NAME", + to: "google_workspace.admin.service.name", + }, + { + from: "google_workspace.admin.PRODUCT_NAME", + to: "google_workspace.admin.product.name", + }, + { + from: "google_workspace.admin.SKU_NAME", + to: "google_workspace.admin.product.sku", + }, + { + from: "google_workspace.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER", + to: "google_workspace.admin.bulk_upload.failed", + type: "long", + }, + { + from: "google_workspace.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER", + to: "google_workspace.admin.bulk_upload.total", + type: "long", + }, + { + from: "google_workspace.admin.BULK_UPLOAD_FAIL_USERS_NUMBER", + to: "google_workspace.admin.bulk_upload.failed", + type: "long", + }, + { + from: "google_workspace.admin.BULK_UPLOAD_TOTAL_USERS_NUMBER", + to: "google_workspace.admin.bulk_upload.total", + type: "long", + }, + { + from: "google_workspace.admin.EMAIL_LOG_SEARCH_MSG_ID", + to: "google_workspace.admin.email.log_search_filter.message_id", + }, + { + from: "google_workspace.admin.EMAIL_LOG_SEARCH_RECIPIENT", + to: "google_workspace.admin.email.log_search_filter.recipient.value", + }, + { + from: "google_workspace.admin.EMAIL_LOG_SEARCH_SENDER", + to: "google_workspace.admin.email.log_search_filter.sender.value", + }, + { + from: "google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP", + to: "google_workspace.admin.email.log_search_filter.recipient.ip", + type: "ip", + }, + { + from: "google_workspace.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP", + to: "google_workspace.admin.email.log_search_filter.sender.ip", + type: "ip", + }, + { + from: "google_workspace.admin.QUARANTINE_NAME", + to: "google_workspace.admin.email.quarantine_name", + }, + { + from: "google_workspace.admin.CHROME_LICENSES_ENABLED", + to: "google_workspace.admin.chrome_licenses.enabled", + }, + { + from: "google_workspace.admin.CHROME_LICENSES_ALLOWED", + to: "google_workspace.admin.chrome_licenses.allowed", + }, + { + from: "google_workspace.admin.FULL_ORG_UNIT_PATH", + to: "google_workspace.admin.org_unit.full", + }, + { + from: "google_workspace.admin.OAUTH2_SERVICE_NAME", + to: "google_workspace.admin.oauth2.service.name", + }, + { + from: "google_workspace.admin.OAUTH2_APP_ID", + to: "google_workspace.admin.oauth2.application.id", + }, + { + from: "google_workspace.admin.OAUTH2_APP_NAME", + to: "google_workspace.admin.oauth2.application.name", + }, + { + from: "google_workspace.admin.OAUTH2_APP_TYPE", + to: "google_workspace.admin.oauth2.application.type", + }, + { + from: "google_workspace.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD", + to: "google_workspace.admin.verification_method", + }, + { + from: "google_workspace.admin.DOMAIN_VERIFICATION_METHOD", + to: "google_workspace.admin.verification_method", + }, + { + from: "google_workspace.admin.CAA_ASSIGNMENTS_NEW", + to: "google_workspace.admin.new_value", + }, + { + from: "google_workspace.admin.CAA_ASSIGNMENTS_OLD", + to: "google_workspace.admin.old_value", + }, + { + from: "google_workspace.admin.REAUTH_SETTING_NEW", + to: "google_workspace.admin.new_value", + }, + { + from: "google_workspace.admin.REAUTH_SETTING_OLD", + to: "google_workspace.admin.old_value", + }, + { + from: "google_workspace.admin.ALERT_NAME", + to: "google_workspace.admin.alert.name", + }, + { + from: "google_workspace.admin.API_CLIENT_NAME", + to: "google_workspace.admin.api.client.name", + }, + { + from: "google_workspace.admin.API_SCOPES", + to: "google_workspace.admin.api.scopes", + }, + { + from: "google_workspace.admin.PLAY_FOR_WORK_TOKEN_ID", + to: "google_workspace.admin.mdm.token", + }, + { + from: "google_workspace.admin.PLAY_FOR_WORK_MDM_VENDOR_NAME", + to: "google_workspace.admin.mdm.vendor", + }, + { + from: "google_workspace.admin.INFO_TYPE", + to: "google_workspace.admin.info_type", + }, + { + from: "google_workspace.admin.RULE_NAME", + to: "google_workspace.admin.rule.name", + }, + { + from: "google_workspace.admin.USER_CUSTOM_FIELD", + to: "google_workspace.admin.setting.name", + }, + { + from: "google_workspace.admin.EMAIL_MONITOR_DEST_EMAIL", + to: "google_workspace.admin.email_monitor.dest_email", + }, + { + from: "google_workspace.admin.EMAIL_MONITOR_LEVEL_CHAT", + to: "google_workspace.admin.email_monitor.level.chat", + }, + { + from: "google_workspace.admin.EMAIL_MONITOR_LEVEL_DRAFT_EMAIL", + to: "google_workspace.admin.email_monitor.level.draft", + }, + { + from: "google_workspace.admin.EMAIL_MONITOR_LEVEL_INCOMING_EMAIL", + to: "google_workspace.admin.email_monitor.level.incoming", + }, + { + from: "google_workspace.admin.EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL", + to: "google_workspace.admin.email_monitor.level.outgoing", + }, + { + from: "google_workspace.admin.EMAIL_EXPORT_INCLUDE_DELETED", + to: "google_workspace.admin.email_dump.include_deleted", + }, + { + from: "google_workspace.admin.EMAIL_EXPORT_PACKAGE_CONTENT", + to: "google_workspace.admin.email_dump.package_content", + }, + { + from: "google_workspace.admin.SEARCH_QUERY_FOR_DUMP", + to: "google_workspace.admin.email_dump.query", + }, + { + from: "google_workspace.admin.DESTINATION_USER_EMAIL", + to: "google_workspace.admin.new_value", + }, + { + from: "google_workspace.admin.REQUEST_ID", + to: "google_workspace.admin.request.id", + }, + { + from: "google_workspace.admin.GMAIL_RESET_REASON", + to: "message", + }, + { + from: "google_workspace.admin.USER_NICKNAME", + to: "google_workspace.admin.user.nickname", + }, + { + from: "google_workspace.admin.ACTION_ID", + to: "google_workspace.admin.mobile.action.id", + }, + { + from: "google_workspace.admin.ACTION_TYPE", + to: "google_workspace.admin.mobile.action.type", + }, + { + from: "google_workspace.admin.MOBILE_CERTIFICATE_COMMON_NAME", + to: "google_workspace.admin.mobile.certificate.name", + }, + { + from: "google_workspace.admin.NUMBER_OF_COMPANY_OWNED_DEVICES", + to: "google_workspace.admin.mobile.company_owned_devices", + type: "long", + }, + { + from: "google_workspace.admin.COMPANY_DEVICE_ID", + to: "google_workspace.admin.device.id", + }, + { + from: "google_workspace.admin.DISTRIBUTION_ENTITY_NAME", + to: "google_workspace.admin.distribution.entity.name", + }, + { + from: "google_workspace.admin.DISTRIBUTION_ENTITY_TYPE", + to: "google_workspace.admin.distribution.entity.type", + }, + { + from: "google_workspace.admin.MOBILE_APP_PACKAGE_ID", + to: "google_workspace.admin.application.package_id", + }, + { + from: "google_workspace.admin.NEW_PERMISSION_GRANT_STATE", + to: "google_workspace.admin.new_value", + }, + { + from: "google_workspace.admin.OLD_PERMISSION_GRANT_STATE", + to: "google_workspace.admin.old_value", + }, + { + from: "google_workspace.admin.PERMISSION_GROUP_NAME", + to: "google_workspace.admin.setting.name", + }, + { + from: "google_workspace.admin.MOBILE_WIRELESS_NETWORK_NAME", + to: "network.name", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(parseDate( + "google_workspace.admin.EMAIL_LOG_SEARCH_END_DATE", + "google_workspace.admin.email.log_search_filter.end_date" + )) + .Add(parseDate( + "google_workspace.admin.EMAIL_LOG_SEARCH_START_DATE", + "google_workspace.admin.email.log_search_filter.start_date" + )) + .Add(parseDate( + "google_workspace.admin.BIRTHDATE", + "google_workspace.admin.user.birthdate" + )) + .Add(parseDate( + "google_workspace.admin.BEGIN_DATE_TIME", + "event.start" + )) + .Add(parseDate( + "google_workspace.admin.START_DATE", + "event.start" + )) + .Add(parseDate( + "google_workspace.admin.END_DATE", + "event.end" + )) + .Add(parseDate( + "google_workspace.admin.END_DATE_TIME", + "event.end" + )) + .Add(setGroupInfo) + .Add(setRelatedUserInfo) + .Add(setEventDuration) + .Add(setEventOutcome) + .Add(setGroupAllowedlist) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return login.process(evt); +} diff --git a/x-pack/filebeat/module/google_workspace/admin/manifest.yml b/x-pack/filebeat/module/google_workspace/admin/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log new file mode 100644 index 00000000000..2d2d36e96a3 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log @@ -0,0 +1,9 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json new file mode 100644 index 00000000000..228b200a660 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json @@ -0,0 +1,475 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.edition": "basic", + "google_workspace.admin.application.name": "drive", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "APPLICATION_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.edition": "basic", + "google_workspace.admin.application.name": "drive", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "APPLICATION_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 641, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.edition": "basic", + "google_workspace.admin.application.name": "drive", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "APPLICATION_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 1247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.name": "drive", + "google_workspace.admin.group.priorities": [ + "a", + "b" + ], + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "APPLICATION_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1853, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GPLUS_PREMIUM_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "APPLICATION_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2346, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.package_id": "1234", + "google_workspace.admin.managed_configuration": "a", + "google_workspace.event.type": "APPLICATION_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2770, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.package_id": "1234", + "google_workspace.admin.managed_configuration": "a", + "google_workspace.event.type": "APPLICATION_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3218, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.package_id": "1234", + "google_workspace.admin.managed_configuration": "a", + "google_workspace.event.type": "APPLICATION_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.non_featured_services_selection": "FLASHLIGHT_EDU_SELECTION_MANUAL", + "google_workspace.event.type": "APPLICATION_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4114, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log new file mode 100644 index 00000000000..bcbed9ee886 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log @@ -0,0 +1,13 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json new file mode 100644 index 00000000000..91c175be25f --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json @@ -0,0 +1,668 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 414, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.field": "field", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.resource.id": "1234", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 828, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1361, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1784, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.field": "field", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.resource.id": "1234", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3069, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.field": "field", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.resource.id": "1234", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4077, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CALENDAR_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 4619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CANCEL_CALENDAR_EVENTS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5208, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RELEASE_CALENDAR_RESOURCES", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "CALENDAR_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5598, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log new file mode 100644 index 00000000000..b078b332402 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log @@ -0,0 +1,4 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json new file mode 100644 index 00000000000..a151492253a --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json @@ -0,0 +1,205 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MEET_INTEROP_CREATE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.gateway.name": "gateway", + "google_workspace.event.type": "CHAT_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MEET_INTEROP_DELETE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.gateway.name": "gateway", + "google_workspace.event.type": "CHAT_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 384, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MEET_INTEROP_MODIFY_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.gateway.name": "gateway", + "google_workspace.event.type": "CHAT_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 768, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHAT_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "CHAT_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 1152, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log new file mode 100644 index 00000000000..9c3bd721f39 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log @@ -0,0 +1,21 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json new file mode 100644 index 00000000000..9219ed03efc --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json @@ -0,0 +1,1083 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.id": "2345", + "google_workspace.admin.chrome_os.session_type": "type", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.serial_number": "1234", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "prev", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 648, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.id": "2345", + "google_workspace.admin.chrome_os.session_type": "type", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 1162, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.serial_number": "2345", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.serial_number": "2345", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.serial_number": "1234", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3641, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "INSERT_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.print_server.name": "server", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4151, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.print_server.name": "server", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4546, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.print_server.name": "server", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4941, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "INSERT_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.printer.name": "printer", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5406, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.printer.name": "printer", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.printer.name": "printer", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6178, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CHROME_OS_USER_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7135, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ISSUE_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.command_details": [ + "command", + "-a" + ], + "google_workspace.admin.device.serial_number": "1234", + "google_workspace.admin.device.type": "type", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7635, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.serial_number": "1234", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "prev", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8124, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.id": "1234", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_DEVICE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.serial_number": "1234", + "google_workspace.admin.device.type": "type", + "google_workspace.event.type": "CHROME_OS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "CONTACTS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9465, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log new file mode 100644 index 00000000000..5aececc68aa --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log @@ -0,0 +1 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json new file mode 100644 index 00000000000..05ef3b46ace --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json @@ -0,0 +1,55 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "CONTACTS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log new file mode 100644 index 00000000000..da76df3f767 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log @@ -0,0 +1,8 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json new file mode 100644 index 00000000000..e38c013ed50 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json @@ -0,0 +1,408 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "DELEGATED_ADMIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.role.id": "1234", + "google_workspace.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "google_workspace.event.type": "DELEGATED_ADMIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 483, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.role.id": "1234", + "google_workspace.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "google_workspace.event.type": "DELEGATED_ADMIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 912, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.privilege.name": "privilege", + "google_workspace.admin.role.id": "1234", + "google_workspace.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "google_workspace.event.type": "DELEGATED_ADMIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.privilege.name": "privilege", + "google_workspace.admin.role.id": "1234", + "google_workspace.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "google_workspace.event.type": "DELEGATED_ADMIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "google_workspace.event.type": "DELEGATED_ADMIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2298, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.role.id": "1234", + "google_workspace.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "google_workspace.event.type": "DELEGATED_ADMIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2728, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "DELEGATED_ADMIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3157, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log new file mode 100644 index 00000000000..c3166fb87d2 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log @@ -0,0 +1,3 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json new file mode 100644 index 00000000000..a9dd7b173b7 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json @@ -0,0 +1,163 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TRANSFER_DOCUMENT_OWNERSHIP", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "DOCS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DRIVE_DATA_RESTORE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.duration": 10800000000000, + "event.end": "2002-10-02T15:00:00.000Z", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T12:00:00.000Z", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "DOCS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 471, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOCS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "DOCS_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 967, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log new file mode 100644 index 00000000000..b452d9e8d94 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log @@ -0,0 +1,85 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json new file mode 100644 index 00000000000..17c2a56d0bb --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json @@ -0,0 +1,4268 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ACCOUNT_AUTO_RENEWAL", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "NON_AUTO_RENEWAL", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_APPLICATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.enabled": "app enabled", + "google_workspace.admin.application.id": "id", + "google_workspace.admin.application.name": "app name", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 437, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_APPLICATION_TO_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.id": "id", + "google_workspace.admin.application.name": "app name", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 900, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ADVERTISEMENT_OPTION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1323, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.alert.name": "alert name", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ALERT_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.alert.name": "alert name", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2154, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.alert.name": "alert name", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2535, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ALERT_RECEIVERS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.alert.name": "alert name", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2907, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3360, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ALERT_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.alert.name": "alert name", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.alias": "alias", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4209, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.alias": "alias", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4627, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SKIP_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.alias": "alias", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5048, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.alias": "alias", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5470, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.alias": "alias", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.verification_method": "ANALYTICS", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5894, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "false", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6373, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "false", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6803, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_API_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "false", + "google_workspace.admin.old_value": "true", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7235, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "AUTHORIZE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.api.client.name": "api client", + "google_workspace.admin.api.scopes": [ + "a", + "b" + ], + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7687, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.api.client.name": "api client", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8169, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_LICENSES_REDEEMED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.licences_order_number": "abcd123", + "google_workspace.admin.application.licences_purchased": 1, + "google_workspace.admin.application.name": "app name", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8603, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "false", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9100, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PRIMARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "false", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9526, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_WHITELIST_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "false", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9946, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "false", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10401, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "false", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_FEEDBACK_SOLICITATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "false", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11381, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_CONTACT_SHARING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "false", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11843, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.mdm.token": "token", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12264, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_USE_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "false", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13078, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13458, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13919, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.info_type": "ADDRESS", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14377, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.mdm.token": "token", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14846, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VIEW_DNS_LOGIN_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15239, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15623, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16545, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17852, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_EDU_TYPE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18617, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19064, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_SSO_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19493, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_SSL", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.info_type": "ADDRESS", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20315, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GENERATE_TRANSFER_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21103, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LOGIN_BORDER_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21564, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22021, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "PLAY_FOR_WORK_ENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.mdm.token": "token", + "google_workspace.admin.mdm.vendor": "vendor", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22480, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "PLAY_FOR_WORK_UNENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.mdm.vendor": "vendor", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22925, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MX_RECORD_VERIFICATION_CLAIM", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23322, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_NEW_APP_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23761, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24181, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPLOAD_OAUTH_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24611, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24997, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_OPEN_ID_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ORGANIZATION_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25810, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_OUTBOUND_RELAY", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26266, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD_MAX_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26758, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD_MIN_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27216, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27674, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28139, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_APPLICATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.id": "appid", + "google_workspace.admin.application.name": "app name", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28610, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.id": "appid", + "google_workspace.admin.application.name": "app name", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29026, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RESELLER_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29921, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RULE_ACTIONS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.rule.name": "rule", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30330, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.rule.name": "rule", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30703, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RULE_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.rule.name": "rule", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31067, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.rule.name": "rule", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31804, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RULE_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.rule.name": "rule", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32202, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.domain.secondary_name": "example2.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32644, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.domain.secondary_name": "example2.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33082, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SKIP_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.domain.secondary_name": "example2.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.domain.secondary_name": "example2.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33965, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VERIFY_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.domain.secondary_name": "example2.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34409, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34850, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SSO_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35311, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GENERATE_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35692, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.rule.name": "rule", + "google_workspace.event.type": "DOMAIN_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 36006, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log new file mode 100644 index 00000000000..dc0842dc0d4 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log @@ -0,0 +1,9 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2020/07/28 04:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json new file mode 100644 index 00000000000..75bea4b5cd9 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json @@ -0,0 +1,472 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DROP_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.email.log_search_filter.message_id": "id", + "google_workspace.admin.email.quarantine_name": "quarantine", + "google_workspace.event.type": "EMAIL_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "EMAIL_LOG_SEARCH", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2020/07/28 04:59:59 UTC\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.email.log_search_filter.end_date": "2020-07-28T04:59:59.000Z", + "google_workspace.admin.email.log_search_filter.message_id": "id", + "google_workspace.admin.email.log_search_filter.recipient.ip": "1.1.1.1", + "google_workspace.admin.email.log_search_filter.recipient.value": "recipient", + "google_workspace.admin.email.log_search_filter.sender.ip": "1.1.1.1", + "google_workspace.admin.email.log_search_filter.sender.value": "sender", + "google_workspace.admin.email.log_search_filter.start_date": "2002-10-02T10:00:00.000Z", + "google_workspace.event.type": "EMAIL_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 432, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "EMAIL_UNDELETE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.duration": 7200000000000, + "event.end": "2002-10-02T12:00:00.000Z", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T10:00:00.000Z", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "EMAIL_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1188, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_EMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "EMAIL_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 1671, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.description": "setting description", + "google_workspace.admin.setting.name": "setting", + "google_workspace.admin.user_defined_setting.name": "setting name", + "google_workspace.event.type": "EMAIL_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2254, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.description": "setting description", + "google_workspace.admin.setting.name": "setting", + "google_workspace.admin.user_defined_setting.name": "setting name", + "google_workspace.event.type": "EMAIL_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.description": "setting description", + "google_workspace.admin.setting.name": "setting", + "google_workspace.admin.user_defined_setting.name": "setting name", + "google_workspace.event.type": "EMAIL_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3330, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REJECT_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.email.log_search_filter.message_id": "id", + "google_workspace.admin.email.quarantine_name": "quarantine", + "google_workspace.event.type": "EMAIL_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3868, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RELEASE_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.email.log_search_filter.message_id": "id", + "google_workspace.admin.email.quarantine_name": "quarantine", + "google_workspace.event.type": "EMAIL_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4302, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log new file mode 100644 index 00000000000..2c60ded89cc --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log @@ -0,0 +1,14 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json new file mode 100644 index 00000000000..d322acefbf9 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json @@ -0,0 +1,745 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 379, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_GROUP_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 758, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GROUP_LIST_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "group", + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1149, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 1469, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 1901, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 2336, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 2841, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 3364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GROUP_MEMBER_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.bulk_upload.failed": 0, + "google_workspace.admin.bulk_upload.total": 10, + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3906, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GROUP_MEMBERS_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "group", + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4370, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_GROUP_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 4693, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_GROUP_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 5112, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "WHITELISTED_GROUPS_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.allowed_list": [ + "a", + "b", + "c" + ], + "google_workspace.event.type": "GROUP_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5611, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log new file mode 100644 index 00000000000..c028ff6ba1c --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log @@ -0,0 +1,8 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json new file mode 100644 index 00000000000..9a6738eb30b --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json @@ -0,0 +1,415 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.product.name": "product", + "google_workspace.event.type": "LICENSES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.product.name": "product", + "google_workspace.event.type": "LICENSES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 463, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.product.name": "product", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "LICENSES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 930, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.product.name": "product", + "google_workspace.admin.product.sku": "sku", + "google_workspace.event.type": "LICENSES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1398, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_LICENSE_REASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.product.name": "product", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "LICENSES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1854, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ORG_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.product.name": "product", + "google_workspace.event.type": "LICENSES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2359, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.product.name": "product", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "LICENSES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2812, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_DYNAMIC_LICENSE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.product.name": "product", + "google_workspace.event.type": "LICENSES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3276, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log new file mode 100644 index 00000000000..69c376c4453 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log @@ -0,0 +1,31 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json new file mode 100644 index 00000000000..a4e6fd2586d --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json @@ -0,0 +1,1597 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ACTION_CANCELLED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.mobile.action.id": "id", + "google_workspace.admin.mobile.action.type": "ACCOUNT_WIPE", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ACTION_REQUESTED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.mobile.action.id": "id", + "google_workspace.admin.mobile.action.type": "ACCOUNT_WIPE", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_MOBILE_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.mobile.certificate.name": "name", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_DEVICES_BULK_CREATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.mobile.company_owned_devices": 10, + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1548, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1951, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_DEVICE_DELETION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2376, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2796, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "COMPANY_OWNED_DEVICE_WIPED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3223, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.package_id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.distribution.entity.name": "ANY", + "google_workspace.admin.distribution.entity.type": "GROUP", + "google_workspace.admin.new_value": "GRANTED", + "google_workspace.admin.old_value": "DENIED", + "google_workspace.admin.setting.name": "LOCATION", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3646, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.package_id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4354, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.package_id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.distribution.entity.name": "ANY", + "google_workspace.admin.distribution.entity.type": "ORG_UNIT", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4795, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.package_id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.distribution.entity.name": "ANY", + "google_workspace.admin.distribution.entity.type": "ORG_UNIT", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.package_id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.distribution.entity.name": "ANY", + "google_workspace.admin.distribution.entity.type": "ORG_UNIT", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_APPROVE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_DELETE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7450, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_WIPE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8898, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9328, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9817, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10303, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10792, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_MOBILE_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.mobile.certificate.name": "cert", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11290, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11773, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12110, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_ACCOUNT_WIPE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13120, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13577, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "MOBILE_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14053, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log new file mode 100644 index 00000000000..3ad1efedd6a --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log @@ -0,0 +1,17 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json new file mode 100644 index 00000000000..cb63268bf24 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json @@ -0,0 +1,856 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_LICENSES_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.name": "app", + "google_workspace.admin.chrome_licenses.enabled": "DISABLED", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.name": "app", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.product.sku": "sku", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 472, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.name": "app", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.product.sku": "sku", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 982, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.name": "app", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.product.sku": "sku", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.full": "full/org/path", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2002, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ASSIGN_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2400, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNASSIGN_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2771, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3144, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3520, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHROME_LICENSES_ALLOWED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.name": "app", + "google_workspace.admin.chrome_licenses.allowed": "EMPTY", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3896, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4365, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4733, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "EDIT_ORG_UNIT_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5101, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOVE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5479, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "EDIT_ORG_UNIT_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5880, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.full": "full/org/path", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6286, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_SERVICE_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.service.name": "new", + "google_workspace.event.type": "ORG_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 6684, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log new file mode 100644 index 00000000000..1035f42a2fb --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log @@ -0,0 +1,24 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json new file mode 100644 index 00000000000..fd5f69b546f --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json @@ -0,0 +1,1246 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ALLOW_STRONG_AUTHENTICATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.oauth2.service.name": "APPS_SCRIPT", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 461, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.oauth2.service.name": "APPS_SCRIPT", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1348, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.oauth2.application.id": "id", + "google_workspace.admin.oauth2.application.name": "appname", + "google_workspace.admin.oauth2.application.type": "CHROME_EXTENSION", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.oauth2.application.id": "id", + "google_workspace.admin.oauth2.application.name": "appname", + "google_workspace.admin.oauth2.application.type": "CHROME_EXTENSION", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2424, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "BLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.oauth2.service.name": "APPS_SCRIPT", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2950, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 3383, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 3917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 4434, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 4963, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.verification_method": "ONLY_SECURITY_KEY", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 5481, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_CAA_ENABLEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6010, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CAA_ERROR_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6385, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.name": "app", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.name": "group", + "input.type": "log", + "log.offset": 6802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7356, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7746, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 8134, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENFORCE_STRONG_AUTHENTICATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 8652, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.group.email": "group@example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 9718, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.name": "ADMIN_CONSOLE", + "google_workspace.admin.new_value": "INHERIT", + "google_workspace.admin.old_value": "NEVER", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10237, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SESSION_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10774, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNBLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.oauth2.service.name": "CALENDAR", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.event.type": "SECURITY_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log new file mode 100644 index 00000000000..ff07d024c4c --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log @@ -0,0 +1,5 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json new file mode 100644 index 00000000000..b9816b3c6c6 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json @@ -0,0 +1,263 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "SITES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_WEB_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "SITES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 594, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SITES_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.setting.name": "setting", + "google_workspace.event.type": "SITES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1191, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.service.name": "service", + "google_workspace.event.type": "SITES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1723, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ], + "url.full": "http://example.com/path/in/url", + "url.path": "/path/in/url" + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VIEW_SITE_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.url.name": "site", + "google_workspace.event.type": "SITES_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log new file mode 100644 index 00000000000..bed874fc9a4 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log @@ -0,0 +1,74 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json new file mode 100644 index 00000000000..a04a9e8490b --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json @@ -0,0 +1,3840 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GENERATE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 388, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_3LO_DEVICE_TOKENS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.device.id": "id", + "google_workspace.admin.device.type": "type", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_3LO_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.id": "id", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1238, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1649, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2031, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GRANT_ADMIN_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2413, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_ADMIN_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2798, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_ASP", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.asp_id": "id", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3589, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.bulk_upload.failed": 1, + "google_workspace.admin.bulk_upload.total": 10, + "google_workspace.admin.domain.name": "example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4020, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4499, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CANCEL_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4937, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_CUSTOM_FIELD", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.setting.name": "custom", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_EXTERNAL_ID", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5868, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_GENDER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6325, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_IM", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6777, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ENABLE_USER_IP_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7225, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_KEYWORD", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7683, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_LANGUAGE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_LOCATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8590, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_ORGANIZATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9044, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_PHONE_NUMBER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9502, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10345, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_RELATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10730, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_USER_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00.000Z", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00.000Z", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.email_monitor.dest_email": "dest@example.com", + "google_workspace.admin.email_monitor.level.chat": "info", + "google_workspace.admin.email_monitor.level.draft": "info", + "google_workspace.admin.email_monitor.level.incoming": "info", + "google_workspace.admin.email_monitor.level.outgoing": "info", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11637, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_DATA_TRANSFER_REQUEST", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.application.name": "a,b,c", + "google_workspace.admin.new_value": "dest@example.com", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12429, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12926, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_ACCOUNT_INFO_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.request.id": "id", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13357, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.email_monitor.dest_email": "dest@example.com", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13780, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_MAILBOX_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.request.id": "id", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14227, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_FIRST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14645, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "GMAIL_RESET_USER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15096, + "message": "reason", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_LAST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MAIL_ROUTING_DESTINATION_ADDED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15973, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16402, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ADD_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.admin.user.nickname": "nick", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16833, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.admin.user.nickname": "nick", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17249, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17668, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.old_value": "old", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DOWNLOAD_PENDING_INVITES_LIST", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18510, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18839, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REMOVE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19224, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REQUEST_ACCOUNT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REQUEST_MAILBOX_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00.000Z", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00.000Z", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.email_dump.include_deleted": "true", + "google_workspace.admin.email_dump.package_content": "contents", + "google_workspace.admin.email_dump.query": "foo bar", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RESEND_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20656, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RESET_SIGNIN_COOKIES", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21467, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "REVOKE_SECURITY_KEY", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21863, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22246, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "VIEW_TEMP_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.domain.name": "example.com", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "TURN_OFF_2_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23093, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNBLOCK_USER_SESSION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23485, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNENROLL_USER_FROM_TITANIUM", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23869, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24260, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPDATE_BIRTHDATE", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.birthdate": "2002-10-02T15:00:00.000Z", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24636, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "CREATE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25443, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DOWNGRADE_USER_FROM_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "DOWNLOAD_USERLIST_CSV", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "MOVE_USER_TO_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.org_unit.name": "org", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26930, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27389, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "RENAME_USER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.new_value": "new", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27834, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28244, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "SUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29014, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNDELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29392, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UNSUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29769, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "UPGRADE_USER_TO_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30147, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USERS_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.bulk_upload.failed": 0, + "google_workspace.admin.bulk_upload.total": 10, + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30532, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.admin", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "google_workspace.actor.type": "USER", + "google_workspace.admin.user.email": "user@example.com", + "google_workspace.event.type": "USER_SETTINGS", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30972, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/config/common.js b/x-pack/filebeat/module/google_workspace/config/common.js new file mode 100644 index 00000000000..a031e4e26aa --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/config/common.js @@ -0,0 +1,83 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var googleWorkspace = (function () { + var processor = require("processor"); + + var decodeJson = new processor.DecodeJSONFields({ + fields: ["message"], + target: "json", + }); + + var parseTimestamp = new processor.Timestamp({ + field: "json.id.time", + timezone: "UTC", + layouts: ["2006-01-02T15:04:05.999Z"], + tests: ["2020-02-05T18:19:23.599Z"], + ignore_missing: true, + }); + + var convertFields = new processor.Convert({ + fields: [ + { from: "message", to: "event.original" }, + { from: "json.events.name", to: "event.action" }, + { from: "json.id.applicationName", to: "event.provider" }, + { from: "json.id.uniqueQualifier", to: "event.id", type: "string" }, + { from: "json.actor.email", to: "source.user.email" }, + { from: "json.actor.profileId", to: "source.user.id", type: "string" }, + { from: "json.ipAddress", to: "source.ip", type: "ip" }, + { from: "json.kind", to: "google_workspace.kind" }, + { from: "json.id.customerId", to: "organization.id", type: "string" }, + { from: "json.actor.callerType", to: "google_workspace.actor.type" }, + { from: "json.actor.key", to: "google_workspace.actor.key" }, + { from: "json.ownerDomain", to: "google_workspace.organization.domain" }, + { from: "json.events.type", to: "google_workspace.event.type" }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }); + + var completeUserData = function(evt) { + var email = evt.Get("source.user.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("source.user.name", data[0]); + evt.Put("source.user.domain", data[1]); + }; + + var copyFields = function(evt) { + var ip = evt.Get("source.ip"); + if (ip) { + evt.Put("related.ip", [ip]); + } + var userName = evt.Get("source.user.name"); + if (userName) { + evt.Put("related.user", [userName]); + } + }; + + var pipeline = new processor.Chain() + .Add(decodeJson) + .Add(parseTimestamp) + .Add(convertFields) + .Add(completeUserData) + .Add(copyFields) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return googleWorkspace.process(evt); +} diff --git a/x-pack/filebeat/module/google_workspace/drive/_meta/fields.yml b/x-pack/filebeat/module/google_workspace/drive/_meta/fields.yml new file mode 100644 index 00000000000..9c031b89ce5 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/drive/_meta/fields.yml @@ -0,0 +1,89 @@ +- name: drive + type: group + fields: + - name: billable + type: boolean + description: Whether this activity is billable. + - name: source_folder_id + type: keyword + - name: source_folder_title + type: keyword + - name: destination_folder_id + type: keyword + - name: destination_folder_title + type: keyword + - name: file.id + type: keyword + - name: file.type + type: keyword + description: > + Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: originating_app_id + type: keyword + description: > + The Google Cloud Project ID of the application that performed the action. + - name: file.owner.email + type: keyword + - name: file.owner.is_shared_drive + type: boolean + description: > + Boolean flag denoting whether owner is a shared drive. + - name: primary_event + type: boolean + description: > + Whether this is a primary event. A single user action in Drive may generate several events. + - name: shared_drive_id + type: keyword + description: > + The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. + - name: visibility + type: keyword + description: > + Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: new_value + type: keyword + description: > + When a setting or property of the file changes, the new value for it will appear here. + - name: old_value + type: keyword + description: > + When a setting or property of the file changes, the old value for it will appear here. + - name: sheets_import_range_recipient_doc + type: keyword + description: Doc ID of the recipient of a sheets import range. + - name: old_visibility + type: keyword + description: > + When visibility changes, this holds the old value. + - name: visibility_change + type: keyword + description: > + When visibility changes, this holds the new overall visibility of the file. + - name: target_domain + type: keyword + description: > + The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. + - name: added_role + type: keyword + description: > + Added membership role of a user/group in a Team Drive. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: membership_change_type + type: keyword + description: > + Type of change in Team Drive membership of a user/group. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: shared_drive_settings_change_type + type: keyword + description: > + Type of change in Team Drive settings. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: removed_role + type: keyword + description: > + Removed membership role of a user/group in a Team Drive. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: target + type: keyword + description: Target user or group. + diff --git a/x-pack/filebeat/module/google_workspace/drive/config/config.yml b/x-pack/filebeat/module/google_workspace/drive/config/config.yml new file mode 100644 index 00000000000..b2ba9bf7458 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/drive/config/config.yml @@ -0,0 +1,56 @@ +{{ if eq .input "httpjson" }} +type: httpjson +config_version: "2" +interval: {{ .interval }} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{ .jwt_file }} +auth.oauth2.google.delegated_account: {{ .delegated_account }} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/drive +{{ if .http_client_timeout }} +request.timeout: {{ .http_client_timeout }} +{{ end }} +request.transforms: + - set: + target: url.params.startTime + value: "[[.cursor.last_execution_datetime]]" + default: '[[now (parseDuration "-{{.initial_interval}}")]]' +response.split: + target: body.items + split: + target: events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" +cursor: + last_execution_datetime: + value: "[[now]]" + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.7.0 + - script: + lang: javascript + id: gworkspace-common + file: ${path.home}/module/google_workspace/config/common.js + - script: + lang: javascript + id: gworkspace-admin + file: ${path.home}/module/google_workspace/drive/config/pipeline.js diff --git a/x-pack/filebeat/module/google_workspace/drive/config/pipeline.js b/x-pack/filebeat/module/google_workspace/drive/config/pipeline.js new file mode 100644 index 00000000000..c2a20d7f2a2 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/drive/config/pipeline.js @@ -0,0 +1,190 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var drive = (function () { + var path = require("path"); + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["file"]); + switch (evt.Get("event.action")) { + case "add_to_folder": + case "edit": + case "add_lock": + case "move": + case "remove_from_folder": + case "rename": + case "remove_lock": + case "sheets_import_range": + evt.Put("event.type", ["change"]); + break; + case "approval_canceled": + case "approval_comment_added": + case "approval_requested": + case "approval_reviewer_responded": + case "change_acl_editors": + case "change_document_access_scope": + case "change_document_visibility": + case "shared_drive_membership_change": + case "shared_drive_settings_change": + case "sheets_import_range_access_change": + case "change_user_access": + evt.AppendTo("event.category", "iam"); + evt.Put("event.type", ["change"]); + break; + case "create": + case "untrash": + case "upload": + evt.Put("event.type", ["creation"]); + break; + case "delete": + case "trash": + evt.Put("event.type", ["deletion"]); + break; + case "download": + case "preview": + case "print": + case "view": + evt.Put("event.type", ["info"]); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + if (param.boolValue !== null) { + return param.boolValue; + } + }; + + var flattenParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + params.forEach(function(p){ + evt.Put("google_workspace.drive."+p.name, getParamValue(p)); + }); + + evt.Delete("json.events.parameters"); + }; + + var setFileInfo = function(evt) { + var type = evt.Get("google_workspace.drive.file.type"); + if (!type) { + return; + } + + switch (type) { + case "folder": + case "shared_drive": + evt.Put("file.type", "dir"); + break; + default: + evt.Put("file.type", "file"); + } + + // path returns extensions with a preceding ., e.g.: .tmp, .png + // according to ecs the expected format is without it, so we need to remove it. + var ext = path.extname(evt.Get("file.name")); + if (!ext) { + return; + } + + if (ext.charAt(0) === ".") { + ext = ext.substr(1); + } + evt.Put("file.extension", ext); + }; + + var setOwnerInfo = function(evt) { + var email = evt.Get("google_workspace.drive.file.owner.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("file.owner", data[0]); + evt.AppendTo("related.user", data[0]); + }; + + var setTargetRelatedUser = function(evt) { + var email = evt.Get("google_workspace.drive.target"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.AppendTo("related.user", data[0]); + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(flattenParams) + .Convert({ + fields: [ + { + from: "google_workspace.drive.doc_id", + to: "google_workspace.drive.file.id", + }, + { + from: "google_workspace.drive.doc_title", + to: "file.name", + }, + { + from: "google_workspace.drive.doc_type", + to: "google_workspace.drive.file.type", + }, + { + from: "google_workspace.drive.owner", + to: "google_workspace.drive.file.owner.email", + }, + { + from: "google_workspace.drive.owner_is_shared_drive", + to: "google_workspace.drive.file.owner.is_shared_drive", + }, + { + from: "google_workspace.drive.new_settings_state", + to: "google_workspace.drive.new_value", + }, + { + from: "google_workspace.drive.old_settings_state", + to: "google_workspace.drive.old_value", + }, + { + from: "google_workspace.drive.target_user", + to: "google_workspace.drive.target", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setFileInfo) + .Add(setOwnerInfo) + .Add(setTargetRelatedUser) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return drive.process(evt); +} diff --git a/x-pack/filebeat/module/google_workspace/drive/manifest.yml b/x-pack/filebeat/module/google_workspace/drive/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/drive/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log new file mode 100644 index 00000000000..3cd073a7379 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log @@ -0,0 +1,28 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_to_folder","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_canceled","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_comment_added","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_requested","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"move","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"preview","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"print","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_from_folder","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"rename","parameters":[{"name":"billable","boolValue":true},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"bar.gif"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_value","value":"foo.gif","new_value":"bar.gif"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"untrash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"sheets_import_range","parameters":[{"name":"sheets_import_range_recipient_doc","value":"1234"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"trash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_membership_change","parameters":[{"name":"added_role","value":"editor"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"removed_role","value":"content_manager"},{"name":"membership_change_type","value":"add_to_shared_drive"},{"name":"target","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}} diff --git a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json new file mode 100644 index 00000000000..af4cd4c8af7 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json @@ -0,0 +1,1734 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_to_folder", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.destination_folder_id": "1234", + "google_workspace.drive.destination_folder_title": "folder title", + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_canceled", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 816, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_comment_added", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1529, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_requested", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_reviewer_responded", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2961, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "create", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3684, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "delete", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "deletion" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4386, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "download", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5088, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "edit", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_lock", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6492, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "move", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.destination_folder_id": "1234", + "google_workspace.drive.destination_folder_title": "folder title", + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.source_folder_id": "1234", + "google_workspace.drive.source_folder_title": "a folder title", + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7196, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "preview", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8102, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "print", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8805, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_from_folder", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.source_folder_id": "1234", + "google_workspace.drive.source_folder_title": "a folder title", + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9506, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "rename", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.extension": "gif", + "file.name": "bar.gif", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": true, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.old_value": "foo.gif", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10319, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "untrash", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11074, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "sheets_import_range", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.sheets_import_range_recipient_doc": "1234", + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11777, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "trash", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "deletion" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12514, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_lock", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13215, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "upload", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13922, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "view", + "event.category": [ + "file" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.shared_drive_id": "1234", + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "access", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14624, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_acl_editors", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.new_value": "owner", + "google_workspace.drive.old_value": "writers", + "google_workspace.drive.old_visibility": "people_within_domain_with_link", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.drive.visibility_change": "external", + "google_workspace.event.type": "acl_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15366, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_document_access_scope", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.new_value": "owner", + "google_workspace.drive.old_value": "writers", + "google_workspace.drive.old_visibility": "people_within_domain_with_link", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.target_domain": "all", + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.drive.visibility_change": "external", + "google_workspace.event.type": "acl_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16275, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_document_visibility", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.new_value": "owner", + "google_workspace.drive.old_value": "writers", + "google_workspace.drive.old_visibility": "people_within_domain_with_link", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.target_domain": "all", + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.drive.visibility_change": "external", + "google_workspace.event.type": "acl_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "shared_drive_membership_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.added_role": "editor", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.membership_change_type": "add_to_shared_drive", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.removed_role": "content_manager", + "google_workspace.drive.target": "user@example.com", + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "acl_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18189, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "shared_drive_settings_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.new_value": "restricted", + "google_workspace.drive.old_value": "unrestricted", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.shared_drive_settings_change_type": "direct_acl", + "google_workspace.drive.target": "user@example.com", + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "acl_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19117, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "sheets_import_range_access_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.sheets_import_range_recipient_doc": "1234", + "google_workspace.drive.visibility": "people_with_link", + "google_workspace.event.type": "acl_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20060, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_user_access", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "google_workspace.drive", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "google_workspace.actor.type": "USER", + "google_workspace.drive.billable": false, + "google_workspace.drive.file.id": "1234", + "google_workspace.drive.file.owner.email": "owner@example.com", + "google_workspace.drive.file.owner.is_shared_drive": false, + "google_workspace.drive.file.type": "document", + "google_workspace.drive.new_value": "can_comment", + "google_workspace.drive.old_value": "can_view", + "google_workspace.drive.old_visibility": "people_with_link", + "google_workspace.drive.originating_app_id": "1234", + "google_workspace.drive.primary_event": true, + "google_workspace.drive.target": "user@example.com", + "google_workspace.drive.visibility": "private", + "google_workspace.drive.visibility_change": "external", + "google_workspace.event.type": "acl_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20815, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/fields.go b/x-pack/filebeat/module/google_workspace/fields.go new file mode 100644 index 00000000000..a17ca4dd5a4 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package google_workspace + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "google_workspace", asset.ModuleFieldsPri, AssetGoogleWorkspace); err != nil { + panic(err) + } +} + +// AssetGoogleWorkspace returns asset data. +// This is the base64 encoded gzipped contents of module/google_workspace. +func AssetGoogleWorkspace() string { + return "eJzkXFtz3LaSfvev6EoevJuKRrV51MNWaS3FcUWyVZacbOrUKQoDNIeIQIAGwBnP+fWncOGIMyTnBsqe5OjFriHxfY3GrbvRzTN4wuUFzJSaCcwWSj+ZilB8BWC5FXgB320++u4VAENDNa8sV/IC/vcVAMBb/xr83rwGt4rVwgHlHAUzF/6tM5CkxF4+98cwJ7WwmW9yATkRpnlkl5Vrp1VdrV7uCNEriKmQ8pzTKMjk1erVW6URuMyVLomDATJVtd1sAJRImCLkqpYMiIXC2spcnJ8znKNQFWozCf2ZUFWeE1ZyeWbY07nGSmlrzuf/c64xR42S4jmhls+55WjOBTc2ytLWUVtPhFqlJ67vq0eNKp5wuVCatX4fUIj7eyjQNwOVR8xXa89/I6LGpqcXa48Afvh0f/3xhwu4lMoWqKE2qIFLsAWCISUCUyXhcrLZ7Pr/H64/vr+8yZr2oaWqreEMffOBlr9e/+Hfl0qeFXVJZCN0v36ecJmmng9SLKHSaFBaWBQo4fFZ84/ADTz+ev3H4wTehKngRH+kSpq6RJ094fLRKdb9qvFzjcYqDbnS8OGytgX8dPMBLu/eNc8MKA1EAmcoLc85hne1mioLhFJVS2u6XcU5SjvyVOisFU/yI5SkqpBBrlUJj9xiaf7xz4l/5v4TlRImgNJ8xiURUJGlUIStj+U1oQXkXKBB62dXQeYIBBjP/YKw4B6oHOZhAjpFcCeAW5kMLeHiq6w/94dfSFm5LY/UjNvv44vLzkA8ccnGG4IwMYyqNcUNxTuiPfV8e8L6UnpGJP+X32EnYcGnqS8oMCCBLYh1C5TkOVKLDKbLuBBdZ16buG66O4frdkeO9vkCPfvyGkJVCU5Dt5Bx9++GmEN96/TP9ae7FgPmZCe5+yWFuYX12nj83ZwoyVTgJvRBtBFiDXYnr+DUTUuTKc1QZ7Iup6iPleKDw4CA4c4mBlaBRoZYgicyaA4Qqao1LYg5XivvgyQqhwYTVpi75eBJo9FCgndXu9mIqbLxGFcmV0WMcY33kqEi9InMMFGOUk25WBcnAg8K4beJCZaEixRmD/PaQKV5SfQSPCAQxjSagYkncZH5szKFV+IiHLj+vPVmHFrL5ayfUwmWzqkEO4hTz7Jacpu8ubVPHyLAYW7Z4la0eS2ShlbpWeByQFARWwCXVNSMy1k4n5Syz28NS9RoKVUPEWcLkzPOM4Y5l8iysWhd+8Y2dgRnkWD76DcPW3Av2/ewoCvNlfa2zrFsbx0OPOP0s0WvhwhOjmZqmUAeZytT6ig2G1QkHNZj5DNIlWREL7P0aRuRdnOXRJIZsowqmfNZrUnqtGnP3QgOa+ADW7SSWY7E1tqvIz3nzjgwKJCmSLRpAwO8V/KsIYKGCFZEm141wM/O8QRnxrtuVcoYPhXY+F7e5ncW0BH+gnNbJONfGndhGV9rHapncRWa73++ubz/5ebd218esuurT9n7D++zn68vHz59vL7K7q8//vbuzfV9dn99c/3m4fqqV8XeLB9raD1Y/1A2jlmibdVmayBb7v/wdpxuYjiUwywMzys5fUpdupG6gdrCNuXaFozYfrqeB0NcHsg3GNjmicUFWSbth28DRtiI4C4GjZwNq0oE6tzRZqb3C0ELrUrMlJkYNIYrmW0EdQ4S541Hgw/3ENF804HdGd0WMTGoORGJvtOVx4KAFX2orawHLKGNlinqiWIO66TSXFq/TbtpP6K144EhAg9TvwTrjpGgqiyJZFmMFx098wJME3Ya2EGVSNk9P0n+ucbNUKktuPHIrrtzLnA2MLiePUW93UP3wdvuAnsMEfgmRyxDgW5fY2exWdx8hqZc1FeKVu4alK1+i7dHRvBbPM42v0WLZJYFTg2321gqrVhN0/3RiLMHk3mqxyC6//VTP8+0Fk9ZXflgck74UDRPKDnbL2gVQEAjVZoZ4NJTQKAAN8u3WM1taayypN/q2V8Yj3GkLMEbJEKoBbJsI+x90EC8JyUaf+nmwM4cFLKAP7Bhegtt8rkmmkjLJSZ7UO3T4Rl2G7lQs8wg0bTIci7caVKiMemBNqFmEHAh4L420SCN+IPxtiG5jCXaZkmWY59QHnaLGTkkDrpDdWxh3KYvZ0dIo5HyiqO0k+Tg3fDIPZMcNnAoGeqXFCwyHKkxXvVK1fn5GE29NvDubrsPtkNtLyBdQN5DtOi9rK5HEi+CugbWTXP1EZFPwcZSerbdrtrUSjw7/sO1okhti58mY5iCXY343IqfttiH30YpBmmtuV3upZlxru+iJva5wevhTRmVHuYtdytd7hTPfnBGtKXp+v2nPCvmqHkeRc9KtIUacQf5iMJ5iWskEEhOUkNA5GYPYVS/2d8nbB8QIlCnu3weZcvC0HVilMLHJOremMTztTmfUOFtm1Smy7t3EKB28BmqquOv0hqqgDJw5cPKiVVPmHTNc3t1C3OUTGlAqZUQpeuahx1mDQ3God2adMNlrpICxH0hLG5gwYWAKa7SXowlFmFREOsT3Nyyb2fGLogBWhA5Ow3TY5/F6w3brFSSW6UnDI3Nkq9THAqXMVk4mMmNbx092Ui3h0TCqWFCC3J0dMFJ5C8c1rghAO8tAdMkTxLBA6TJwCVVJe/Edg4So8FIk0TVdqYSJWkwDpWE1WU1CWkimDEUaAdciKlSAsnmrrcmxzvJ3CGPBngOESvQGCA+7d3TsCa/FL+4RbdTuibliippUabN3ABhnq/YuZiqL03y1U5RPteol2mhZe8Je5ywDzapSR6//6wOOdyJF8IRZdBMDylpE0JHSOyL6W3h7gcCpPPz96Ie++AZFOdUDPUg3vaDJaqIorbBkk633qJWWpBAVVlu9acaMVRZEbnM1EIiy4Je+42uXcFzHy1eBdAjEhCIDKAWcijNiBur+bSOqcGW27Q79v6p02aBwBKmwo+wKDgtmsR3EgLsMfLtay2Unp0NJNqd7jzr0+r4C7JPqw5yQKnr+jxlVa7UqPm8WzNzSKb/lAtBpqJf8Xucxb8X6Aun/L11Iz1wswIeuEL1iUJZrgRDfcjdSz+AL+g7GKNl8SZI0oNynDg5PyyfYK3duIvnStHau4pXboKFE+yrTv/Nid1OY/bFQm49ZKRKSdTv3zNircoboWoGd1r9idQZM40ltxaBc/5Jhdq5ks7TLJpDv3/O+3FyR9mhuW89ANxkpiDanYodTR2wersq+L/QCHJBZsBQKp9dvIir3JP7kiQI9GEHGswBKoleZr5KaTwJ13YcL8oqA9CXQ8ElGC7dGPqSzDAizhUIc7kkS5ihRO0MEYNz1ESElgMGQFvPo8+2upMEFOfZA5IySDyJJZyqqkOUM48VmEFo0Cj8anBrj7Taga83xNI7I8QnpnPpq1Pbb/X3ec4Nn3LRLnlL7u5vK0zfR6JnaMOUPpGdJbn+pHeuSrdWYpK+0lBpJ3jUgc/QFRijT+ZH/8t6BQu3IZzlOkI0FKiHriBSK1nGkX69FmZv6U2BaE3GSzdymXaA2epWOWOKHturK0Vbu/cK0uetRFYIrOBZtyj3BdaE1/AzcFuV3EChBDPrWt21XLOA8PUldLNW+c1UtF9vzZN+0cM+kHVqZxPFbpWQuHkYzP1wQFOKxoTQ+1roN8SOnUtAhFFNKbwvQAHXK6uAx8BTg9QL5Aldg8Bvgpngi8NbilnlerJoag3cNTCGLNPqAHNyp24uHSaU6LxhU/Aq5Hz6BeFOzPPgDHG55ZyAr+wNDW/az92IU3/sC4VYyx7AnVZaJ2xLhxvqO1V1rRkzjVv5DTTXX0ZwOnrSWKr56CvvY0D9u6y9sHcfHRsMFmD4boqGjWXTCXWExNKkWAehIqtQl9wXk4w3rLEycoW8spjqijmL/duOX0dxGzcOY+shJPht2azTKr+6tLcedQ/ecRdzpPV1GKc6wHEijj3Ef5X5/QIe3fvGO/sv89+NdTtrK+VklZHqIHb69aFxSv5yqhh5TvgvjP21NBCrEhLuX7tquL99uHsud/BpNkSuV0F09dEUmTp/qFQs1q5sDcg1WM+vZ2Tk8vPb2IuWRH2RXd+BjSEkGuGRVJV2lt4jEMngUeOf/gNOjwPBD0tsfXQyWY+DFxHje9PmuxyqtlVt47gM1AkNdilUQMUOmZpSRLbWo47FJtQs9TNU8cNXIbkpi1lJB8fNaUGEQOfhjJ14euO6+Izf5Jx+1VXu1Txw40C4qPXYjl3odMT+BndDWzr8Eh2lGn10nghzWp3lJgufEMly/0XH3o73XbG0AWpTccrVwPaz2Xq1Y5FSpK3s52u0pCrAnlOIlALu7/ZM3P97rhA3PEMpt9xyZ7Nn0xHD2B9Dzle4vbq/vL0BUtvCLZpt375TelZLbrOK2GI8WQA+hYjCrJvEsX7gZlSx/kHflU3UM+tcp+Op62CHCsf9cvXJktlLCeE5QkLmukT/DgAA//9gcf1M" +} diff --git a/x-pack/filebeat/module/google_workspace/groups/_meta/fields.yml b/x-pack/filebeat/module/google_workspace/groups/_meta/fields.yml new file mode 100644 index 00000000000..05cd6b68590 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/groups/_meta/fields.yml @@ -0,0 +1,57 @@ +- name: groups + type: group + fields: + - name: acl_permission + type: keyword + description: > + Group permission setting updated. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: email + type: keyword + description: > + Group email. + - name: member.email + type: keyword + description: > + Member email. + - name: member.role + type: keyword + description: > + Member role. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: setting + type: keyword + description: > + Group setting updated. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: new_value + type: keyword + description: > + New value(s) of the group setting. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: old_value + type: keyword + description: + Old value(s) of the group setting. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: value + type: keyword + description: > + Value of the group setting. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups + - name: message.id + type: keyword + description: > + SMTP message Id of an email message. + Present for moderation events. + - name: message.moderation_action + type: keyword + description: > + Message moderation action. + Possible values are `approved` and `rejected`. + - name: status + type: keyword + description: > + A status describing the output of an operation. + Possible values are `failed` and `succeeded`. + diff --git a/x-pack/filebeat/module/google_workspace/groups/config/config.yml b/x-pack/filebeat/module/google_workspace/groups/config/config.yml new file mode 100644 index 00000000000..cc16979b0a2 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/groups/config/config.yml @@ -0,0 +1,56 @@ +{{ if eq .input "httpjson" }} +type: httpjson +config_version: "2" +interval: {{ .interval }} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{ .jwt_file }} +auth.oauth2.google.delegated_account: {{ .delegated_account }} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/groups +{{ if .http_client_timeout }} +request.timeout: {{ .http_client_timeout }} +{{ end }} +request.transforms: + - set: + target: url.params.startTime + value: "[[.cursor.last_execution_datetime]]" + default: '[[now (parseDuration "-{{.initial_interval}}")]]' +response.split: + target: body.items + split: + target: events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" +cursor: + last_execution_datetime: + value: "[[now]]" + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.7.0 + - script: + lang: javascript + id: gworkspace-common + file: ${path.home}/module/google_workspace/config/common.js + - script: + lang: javascript + id: gworkspace-admin + file: ${path.home}/module/google_workspace/groups/config/pipeline.js diff --git a/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js b/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js new file mode 100644 index 00000000000..8e3a754c846 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js @@ -0,0 +1,203 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var groups = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["iam"]); + evt.Put("event.type", ["group"]); + switch (evt.Get("event.action")) { + case "change_acl_permission": + case "change_basic_setting": + case "change_identity_setting": + case "change_info_setting": + case "change_new_members_restrictions_setting": + case "change_post_replies_setting": + case "change_spam_moderation_setting": + case "change_topic_setting": + evt.AppendTo("event.type", "change"); + break; + case "accept_invitation": + evt.AppendTo("event.type", "info"); + evt.AppendTo("event.type", "user"); + break; + case "approve_join_request": + case "join": + evt.AppendTo("event.type", "user"); + evt.AppendTo("event.type", "change"); + break; + case "request_to_join": + case "ban_user_with_moderation": + case "revoke_invitation": + case "invite_user": + case "reject_join_request": + case "reinvite_user": + evt.AppendTo("event.type", "info"); + evt.AppendTo("event.type", "user"); + break; + case "create_group": + case "add_info_setting": + evt.AppendTo("event.type", "creation"); + break; + case "delete_group": + case "remove_info_setting": + evt.AppendTo("event.type", "deletion"); + break; + case "moderate_message": + case "always_post_from_user": + evt.AppendTo("event.type", "info"); + break; + case "add_user": + evt.AppendTo("event.type", "creation"); + evt.AppendTo("event.type", "user"); + break; + case "remove_user": + evt.AppendTo("event.type", "deletion"); + evt.AppendTo("event.type", "user"); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + }; + + var flattenParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + params.forEach(function(p){ + evt.Put("google_workspace.groups."+p.name, getParamValue(p)); + }); + + evt.Delete("json.events.parameters"); + }; + + var setOutcome = function(evt) { + switch (evt.Get("google_workspace.groups.status")) { + case "failed": + evt.Put("event.outcome", "failure"); + break; + case "succeeded": + evt.Put("event.outcome", "success"); + break; + } + }; + + var setGroupInfo = function(evt) { + var email = evt.Get("google_workspace.groups.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("group.name", data[0]); + evt.Put("group.domain", data[1]); + }; + + var setRelatedMemberInfo = function(evt) { + var email = evt.Get("google_workspace.groups.member.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.AppendTo("related.user", data[0]); + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(flattenParams) + .Convert({ + fields: [ + { + from: "google_workspace.groups.group_email", + to: "google_workspace.groups.email", + }, + { + from: "google_workspace.groups.new_value_repeated", + to: "google_workspace.groups.new_value", + }, + { + from: "google_workspace.groups.old_value_repeated", + to: "google_workspace.groups.old_value", + }, + { + from: "google_workspace.groups.user_email", + to: "google_workspace.groups.member.email", + }, + { + from: "google_workspace.groups.basic_setting", + to: "google_workspace.groups.setting", + }, + { + from: "google_workspace.groups.identity_setting", + to: "google_workspace.groups.setting", + }, + { + from: "google_workspace.groups.info_setting", + to: "google_workspace.groups.setting", + }, + { + from: "google_workspace.groups.new_members_restrictions_setting", + to: "google_workspace.groups.setting", + }, + { + from: "google_workspace.groups.post_replies_setting", + to: "google_workspace.groups.setting", + }, + { + from: "google_workspace.groups.spam_moderation_setting", + to: "google_workspace.groups.setting", + }, + { + from: "google_workspace.groups.topic_setting", + to: "google_workspace.groups.setting", + }, + { + from: "google_workspace.groups.message_id", + to: "google_workspace.groups.message.id", + }, + { + from: "google_workspace.groups.message_moderation_action", + to: "google_workspace.groups.message.moderation_action", + }, + { + from: "google_workspace.groups.member_role", + to: "google_workspace.groups.member.role", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setOutcome) + .Add(setGroupInfo) + .Add(setRelatedMemberInfo) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return groups.process(evt); +} diff --git a/x-pack/filebeat/module/google_workspace/groups/manifest.yml b/x-pack/filebeat/module/google_workspace/groups/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/groups/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log new file mode 100644 index 00000000000..e67fe7571a3 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log @@ -0,0 +1,25 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_permission","parameters":[{"name":"acl_permission","value":"can_add_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value_repeated","multiValue":["managers","members"]},{"name":"old_value_repeated","multiValue":["managers"]}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"accept_invitation","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"approve_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"join","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"request_to_join","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_basic_setting","parameters":[{"name":"basic_setting","value":"allow_external_members"},{"name":"group_email","value":"group@example.com"},{"name":"new_value","value":"true"},{"name":"old_value","value":"false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"create_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"delete_group","parameters":[{"name":"group_email","value":"group@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_identity_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"identity_setting","value":"required_forms_of_identity"},{"name":"new_value","value":"display_name_only"},{"name":"old_value","value":"display_name_or_google_profile"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"new_value","value":"footer"},{"name":"old_value","value":"old footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_info_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"info_setting","value":"custom_footer"},{"name":"value","value":"footer"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_new_members_restrictions_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"new_members_restrictions_setting","value":"new_members_can_post"},{"name":"new_value","value":"inherit"},{"name":"old_value","value":"overriden_to_false"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_post_replies_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"post_replies_setting","value":"where_should_replies_be_sent"},{"name":"new_value","value":"reply_to_custom_address"},{"name":"old_value","value":"reply_to_author_only"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_spam_moderation_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"spam_moderation_setting","value":"how_to_handle_suspected_spam_messages"},{"name":"new_value","value":"moderate_and_do_not_send_notifications"},{"name":"old_value","value":"moderate_and_send_notifications"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"change_topic_setting","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"topic_setting","value":"allowed_topic_types"},{"name":"new_value","value":"discussions_questions"},{"name":"old_value","value":"discussions"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"moderate_message","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"message_moderation_action","value":"approved"},{"name":"status","value":"succeeded"},{"name":"message_id","value":"message id"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"always_post_from_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"status","value":"succeeded"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"add_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"ban_user_with_moderation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"},{"name":"member_role","value":"manager"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"revoke_invitation","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"invite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reject_join_request","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"reinvite_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"groups","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"moderator_action","name":"remove_user","parameters":[{"name":"group_email","value":"group@example.com"},{"name":"user_email","value":"user@example.com"}]}} diff --git a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json new file mode 100644 index 00000000000..599d61b32b5 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json @@ -0,0 +1,1372 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_acl_permission", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value_repeated\",\"multiValue\":[\"managers\",\"members\"]},{\"name\":\"old_value_repeated\",\"multiValue\":[\"managers\"]}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "acl_change", + "google_workspace.groups.acl_permission": "can_add_members", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.new_value": [ + "managers", + "members" + ], + "google_workspace.groups.old_value": [ + "managers" + ], + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "accept_invitation", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"accept_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 559, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approve_join_request", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"approve_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "user", + "change" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.member.email": "user@example.com", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 946, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "join", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "user", + "change" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 1385, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "request_to_join", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"request_to_join\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 1759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_basic_setting", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_basic_setting\",\"parameters\":[{\"name\":\"basic_setting\",\"value\":\"allow_external_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_value\",\"value\":\"true\"},{\"name\":\"old_value\",\"value\":\"false\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.new_value": "true", + "google_workspace.groups.old_value": "false", + "google_workspace.groups.setting": "allow_external_members", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 2144, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "create_group", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"create_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 2665, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "delete_group", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"delete_group\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "deletion" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 3047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_identity_setting", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_identity_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"identity_setting\",\"value\":\"required_forms_of_identity\"},{\"name\":\"new_value\",\"value\":\"display_name_only\"},{\"name\":\"old_value\",\"value\":\"display_name_or_google_profile\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.new_value": "display_name_only", + "google_workspace.groups.old_value": "display_name_or_google_profile", + "google_workspace.groups.setting": "required_forms_of_identity", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 3429, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_info_setting", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.setting": "custom_footer", + "google_workspace.groups.value": "footer", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 3998, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_info_setting", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"new_value\",\"value\":\"footer\"},{\"name\":\"old_value\",\"value\":\"old footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.new_value": "footer", + "google_workspace.groups.old_value": "old footer", + "google_workspace.groups.setting": "custom_footer", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 4466, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_info_setting", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_info_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"info_setting\",\"value\":\"custom_footer\"},{\"name\":\"value\",\"value\":\"footer\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "deletion" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.setting": "custom_footer", + "google_workspace.groups.value": "footer", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 4983, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_new_members_restrictions_setting", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_new_members_restrictions_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"new_members_restrictions_setting\",\"value\":\"new_members_can_post\"},{\"name\":\"new_value\",\"value\":\"inherit\"},{\"name\":\"old_value\",\"value\":\"overriden_to_false\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.new_value": "inherit", + "google_workspace.groups.old_value": "overriden_to_false", + "google_workspace.groups.setting": "new_members_can_post", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 5454, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_post_replies_setting", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_post_replies_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"post_replies_setting\",\"value\":\"where_should_replies_be_sent\"},{\"name\":\"new_value\",\"value\":\"reply_to_custom_address\"},{\"name\":\"old_value\",\"value\":\"reply_to_author_only\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.new_value": "reply_to_custom_address", + "google_workspace.groups.old_value": "reply_to_author_only", + "google_workspace.groups.setting": "where_should_replies_be_sent", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 6027, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_spam_moderation_setting", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_spam_moderation_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"spam_moderation_setting\",\"value\":\"how_to_handle_suspected_spam_messages\"},{\"name\":\"new_value\",\"value\":\"moderate_and_do_not_send_notifications\"},{\"name\":\"old_value\",\"value\":\"moderate_and_send_notifications\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.new_value": "moderate_and_do_not_send_notifications", + "google_workspace.groups.old_value": "moderate_and_send_notifications", + "google_workspace.groups.setting": "how_to_handle_suspected_spam_messages", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 6602, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_topic_setting", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"change_topic_setting\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"topic_setting\",\"value\":\"allowed_topic_types\"},{\"name\":\"new_value\",\"value\":\"discussions_questions\"},{\"name\":\"old_value\",\"value\":\"discussions\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "change" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.new_value": "discussions_questions", + "google_workspace.groups.old_value": "discussions", + "google_workspace.groups.setting": "allowed_topic_types", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 7218, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "moderate_message", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"moderate_message\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"message_moderation_action\",\"value\":\"approved\"},{\"name\":\"status\",\"value\":\"succeeded\"},{\"name\":\"message_id\",\"value\":\"message id\"}]}}", + "event.outcome": "success", + "event.provider": "groups", + "event.type": [ + "group", + "info" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.message.id": "message id", + "google_workspace.groups.message.moderation_action": "approved", + "google_workspace.groups.status": "succeeded", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 7759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "always_post_from_user", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"always_post_from_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"status\",\"value\":\"succeeded\"}]}}", + "event.outcome": "success", + "event.provider": "groups", + "event.type": [ + "group", + "info" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.member.email": "user@example.com", + "google_workspace.groups.status": "succeeded", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 8282, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_user", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"add_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "creation", + "user" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.member.email": "user@example.com", + "google_workspace.groups.member.role": "manager", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 8760, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "ban_user_with_moderation", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"ban_user_with_moderation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"},{\"name\":\"member_role\",\"value\":\"manager\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.member.email": "user@example.com", + "google_workspace.groups.member.role": "manager", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 9228, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "revoke_invitation", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"revoke_invitation\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.member.email": "user@example.com", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 9712, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "invite_user", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"invite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.member.email": "user@example.com", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 10148, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "reject_join_request", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reject_join_request\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.member.email": "user@example.com", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 10578, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "reinvite_user", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"reinvite_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "info", + "user" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.member.email": "user@example.com", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 11016, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_user", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.groups", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"groups\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"moderator_action\",\"name\":\"remove_user\",\"parameters\":[{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"name\":\"user_email\",\"value\":\"user@example.com\"}]}}", + "event.provider": "groups", + "event.type": [ + "group", + "deletion", + "user" + ], + "fileset.name": "groups", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "moderator_action", + "google_workspace.groups.email": "group@example.com", + "google_workspace.groups.member.email": "user@example.com", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "group.domain": "example.com", + "group.name": "group", + "input.type": "log", + "log.offset": 11448, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/ingest/common.yml b/x-pack/filebeat/module/google_workspace/ingest/common.yml new file mode 100644 index 00000000000..ec7a9f8bbcf --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/ingest/common.yml @@ -0,0 +1,33 @@ +description: Pipeline for parsing google_workspace logs +processors: + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - remove: + field: json + ignore_missing: true + - set: + field: event.ingested + value: "{{ _ingest.timestamp }}" + +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/x-pack/filebeat/module/google_workspace/login/_meta/fields.yml b/x-pack/filebeat/module/google_workspace/login/_meta/fields.yml new file mode 100644 index 00000000000..dc8e9711616 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/login/_meta/fields.yml @@ -0,0 +1,21 @@ +- name: login + type: group + fields: + - name: affected_email_address + type: keyword + - name: challenge_method + type: keyword + description: > + Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: failure_type + type: keyword + description: > + Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: type + type: keyword + description: > + Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: is_second_factor + type: boolean + - name: is_suspicious + type: boolean diff --git a/x-pack/filebeat/module/google_workspace/login/config/config.yml b/x-pack/filebeat/module/google_workspace/login/config/config.yml new file mode 100644 index 00000000000..d50bfdab9dc --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/login/config/config.yml @@ -0,0 +1,56 @@ +{{ if eq .input "httpjson" }} +type: httpjson +config_version: "2" +interval: {{ .interval }} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{ .jwt_file }} +auth.oauth2.google.delegated_account: {{ .delegated_account }} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/login +{{ if .http_client_timeout }} +request.timeout: {{ .http_client_timeout }} +{{ end }} +request.transforms: + - set: + target: url.params.startTime + value: "[[.cursor.last_execution_datetime]]" + default: '[[now (parseDuration "-{{.initial_interval}}")]]' +response.split: + target: body.items + split: + target: events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" +cursor: + last_execution_datetime: + value: "[[now]]" + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.7.0 + - script: + lang: javascript + id: gworkspace-common + file: ${path.home}/module/google_workspace/config/common.js + - script: + lang: javascript + id: gworkspace-admin + file: ${path.home}/module/google_workspace/login/config/pipeline.js diff --git a/x-pack/filebeat/module/google_workspace/login/config/pipeline.js b/x-pack/filebeat/module/google_workspace/login/config/pipeline.js new file mode 100644 index 00000000000..62b5b8a7542 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/login/config/pipeline.js @@ -0,0 +1,98 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var login = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["authentication"]); + switch (evt.Get("event.action")) { + case "login_failure": + evt.Put("event.type", ["start"]); + evt.Put("event.outcome", "failure"); + break; + case "login_success": + evt.Put("event.type", ["start"]); + evt.Put("event.outcome", "success"); + break; + case "logout": + evt.Put("event.type", ["end"]); + break; + case "account_disabled_generic": + case "account_disabled_spamming_through_relay": + case "account_disabled_spamming": + case "account_disabled_hijacked": + case "account_disabled_password_leak": + evt.Put("event.type", ["user", "change"]); + break; + case "gov_attack_warning": + case "login_challenge": + case "login_verification": + case "suspicious_login": + case "suspicious_login_less_secure_app": + case "suspicious_programmatic_login": + evt.Put("event.type", ["info"]); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + }; + + var processParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + var prefixRegex = /^(login_)/; + + params.forEach(function(p){ + p.name = p.name.replace(prefixRegex, ""); + switch (p.name) { + // According to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login + // this is a timestamp in microseconds + case "timestamp": + var millis = p.intValue / 1000; + evt.Put("event.start", new Date(millis).toUTCString()); + break; + case "challenge_status": + if (p.value === "Challenge Passed") { + evt.Put("event.outcome", "success"); + } else { + evt.Put("event.outcome", "failure"); + } + break; + case "is_second_factor": + case "is_suspicious": + evt.Put("google_workspace.login."+p.name, p.boolValue); + break; + // the rest of params are strings + default: + evt.Put("google_workspace.login."+p.name, getParamValue(p)); + } + }); + + evt.Delete("json.events.parameters"); + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(processParams) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return login.process(evt); +} diff --git a/x-pack/filebeat/module/google_workspace/login/manifest.yml b/x-pack/filebeat/module/google_workspace/login/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/login/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log new file mode 100644 index 00000000000..b721c74bf48 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log @@ -0,0 +1,14 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_password_leak","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_login_less_secure_app","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"suspicious_programmatic_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_generic","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming_through_relay","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_spamming","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"account_disabled_hijacked","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"name":"login_timestamp","intValue":1593695305123456}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"account_warning","name":"gov_attack_warning"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_failure_type","value":"login_failure_access_code_disallowed"},{"name":"login_type","value":"exchange"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_challenge","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_verification","parameters":[{"name":"is_second_factor","boolValue":false},{"name":"login_challenge_method","value":"backup_code"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"login_type","value":"exchange"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"logout","parameters":[{"name":"login_type","value":"exchange"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"backup_code"},{"name":"is_suspicious","boolValue":false},{"name":"login_type","value":"exchange"}]}} diff --git a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json new file mode 100644 index 00000000000..9e26d2af48b --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json @@ -0,0 +1,506 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_password_leak", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "account_warning", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.affected_email_address": "foo@elastic.co", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_generic", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_generic\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "account_warning", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.affected_email_address": "foo@elastic.co", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1776, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_spamming_through_relay", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming_through_relay\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "account_warning", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.affected_email_address": "foo@elastic.co", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2176, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "account_disabled_spamming", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"account_disabled_spamming\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}]}}", + "event.provider": "login", + "event.type": [ + "user", + "change" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "account_warning", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.affected_email_address": "foo@elastic.co", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2591, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "gov_attack_warning", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"account_warning\",\"name\":\"gov_attack_warning\"}}", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "account_warning", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3448, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_failure", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_failure_type\",\"value\":\"login_failure_access_code_disallowed\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "start" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "login", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.challenge_method": "backup_code", + "google_workspace.login.failure_type": "login_failure_access_code_disallowed", + "google_workspace.login.type": "exchange", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3768, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_challenge", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_challenge\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "login", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.challenge_method": "backup_code", + "google_workspace.login.type": "exchange", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4262, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_verification", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_verification\",\"parameters\":[{\"name\":\"is_second_factor\",\"boolValue\":false},{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"login_challenge_status\",\"value\":\"Challenge Passed.\"},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "failure", + "event.provider": "login", + "event.type": [ + "info" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "login", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.challenge_method": "backup_code", + "google_workspace.login.is_second_factor": false, + "google_workspace.login.type": "exchange", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4743, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "logout", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"logout\",\"parameters\":[{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.provider": "login", + "event.type": [ + "end" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "login", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.type": "exchange", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5273, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_success", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.login", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"login\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"login_challenge_method\",\"value\":\"backup_code\"},{\"name\":\"is_suspicious\",\"boolValue\":false},{\"name\":\"login_type\",\"value\":\"exchange\"}]}}", + "event.outcome": "success", + "event.provider": "login", + "event.type": [ + "start" + ], + "fileset.name": "login", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "login", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.login.challenge_method": "backup_code", + "google_workspace.login.is_suspicious": false, + "google_workspace.login.type": "exchange", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5627, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/saml/_meta/fields.yml b/x-pack/filebeat/module/google_workspace/saml/_meta/fields.yml new file mode 100644 index 00000000000..b7e9efc0926 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/saml/_meta/fields.yml @@ -0,0 +1,27 @@ +- name: saml + type: group + fields: + - name: application_name + type: keyword + description: > + Saml SP application name. + - name: failure_type + type: keyword + description: > + Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. + - name: initiated_by + type: keyword + description: > + Requester of SAML authentication. + - name: orgunit_path + type: keyword + description: > + User orgunit. + - name: status_code + type: long + description: > + SAML status code. + - name: second_level_status_code + type: long + description: > + SAML second level status code. diff --git a/x-pack/filebeat/module/google_workspace/saml/config/config.yml b/x-pack/filebeat/module/google_workspace/saml/config/config.yml new file mode 100644 index 00000000000..46a744bc570 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/saml/config/config.yml @@ -0,0 +1,56 @@ +{{ if eq .input "httpjson" }} +type: httpjson +config_version: "2" +interval: {{ .interval }} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{ .jwt_file }} +auth.oauth2.google.delegated_account: {{ .delegated_account }} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/saml +{{ if .http_client_timeout }} +request.timeout: {{ .http_client_timeout }} +{{ end }} +request.transforms: + - set: + target: url.params.startTime + value: "[[.cursor.last_execution_datetime]]" + default: '[[now (parseDuration "-{{.initial_interval}}")]]' +response.split: + target: body.items + split: + target: events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" +cursor: + last_execution_datetime: + value: "[[now]]" + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.7.0 + - script: + lang: javascript + id: gworkspace-common + file: ${path.home}/module/google_workspace/config/common.js + - script: + lang: javascript + id: gworkspace-admin + file: ${path.home}/module/google_workspace/saml/config/pipeline.js diff --git a/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js b/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js new file mode 100644 index 00000000000..caf62937f7a --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js @@ -0,0 +1,60 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var saml = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.type", ["start"]); + evt.Put("event.category", ["authentication"]); + switch (evt.Get("event.action")) { + case "login_failure": + evt.Put("event.outcome", "failure"); + break; + case "login_success": + evt.Put("event.outcome", "success"); + break; + } + }; + + var processParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + var prefixRegex = /^(saml_)/; + + params.forEach(function(p){ + p.name = p.name.replace(prefixRegex, ""); + + // all saml event parameters are strings. + // for this reason we know for sure they are in the 'value' field. + // https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml + switch (p.name) { + case "status_code": + case "second_level_status_code": + evt.Put("google_workspace.saml."+p.name, parseInt(p.value)); + break; + default: + evt.Put("google_workspace.saml."+p.name, p.value); + } + }); + + evt.Delete("json.events.parameters"); + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(processParams) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return saml.process(evt); +} diff --git a/x-pack/filebeat/module/google_workspace/saml/manifest.yml b/x-pack/filebeat/module/google_workspace/saml/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/saml/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log new file mode 100644 index 00000000000..678193e25d5 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log @@ -0,0 +1,2 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_failure","parameters":[{"name":"application_name","value":"app"},{"name":"failure_type","value":"failure_app_not_configured_for_user"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_second_level_status_code","value":"400"},{"name":"saml_status_code","value":"400"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:01Z","uniqueQualifier":1,"applicationName":"saml","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"login","name":"login_success","parameters":[{"name":"application_name","value":"app"},{"name":"initiated_by","value":"idp"},{"name":"orgunit_path","value":"ounit"},{"name":"saml_status_code","value":"400"}]}} diff --git a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json new file mode 100644 index 00000000000..ff3ef42e1c8 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json @@ -0,0 +1,110 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "login_failure", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.saml", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"400\"},{\"name\":\"saml_status_code\",\"value\":\"400\"}]}}", + "event.outcome": "failure", + "event.provider": "saml", + "event.type": [ + "start" + ], + "fileset.name": "saml", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "login", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "google_workspace.saml.application_name": "app", + "google_workspace.saml.failure_type": "failure_app_not_configured_for_user", + "google_workspace.saml.initiated_by": "idp", + "google_workspace.saml.orgunit_path": "ounit", + "google_workspace.saml.second_level_status_code": 400, + "google_workspace.saml.status_code": 400, + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:01.000Z", + "event.action": "login_success", + "event.category": [ + "authentication" + ], + "event.dataset": "google_workspace.saml", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:01Z\",\"uniqueQualifier\":1,\"applicationName\":\"saml\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_status_code\",\"value\":\"400\"}]}}", + "event.outcome": "success", + "event.provider": "saml", + "event.type": [ + "start" + ], + "fileset.name": "saml", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "login", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "google_workspace.saml.application_name": "app", + "google_workspace.saml.initiated_by": "idp", + "google_workspace.saml.orgunit_path": "ounit", + "google_workspace.saml.status_code": 400, + "input.type": "log", + "log.offset": 606, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml b/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml new file mode 100644 index 00000000000..03fffe9f9f8 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/user_accounts/config/config.yml @@ -0,0 +1,56 @@ +{{ if eq .input "httpjson" }} +type: httpjson +config_version: "2" +interval: {{ .interval }} +auth.oauth2.provider: google +auth.oauth2.google.jwt_file: {{ .jwt_file }} +auth.oauth2.google.delegated_account: {{ .delegated_account }} +auth.oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly +request.url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/user_accounts +{{ if .http_client_timeout }} +request.timeout: {{ .http_client_timeout }} +{{ end }} +request.transforms: + - set: + target: url.params.startTime + value: "[[.cursor.last_execution_datetime]]" + default: '[[now (parseDuration "-{{.initial_interval}}")]]' +response.split: + target: body.items + split: + target: events + keep_parent: true +response.pagination: + - set: + target: url.params.pageToken + value: "[[.last_response.body.nextPageToken]]" +cursor: + last_execution_datetime: + value: "[[now]]" + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.7.0 + - script: + lang: javascript + id: gworkspace-common + file: ${path.home}/module/google_workspace/config/common.js + - script: + lang: javascript + id: gworkspace-admin + file: ${path.home}/module/google_workspace/user_accounts/config/pipeline.js diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/config/pipeline.js b/x-pack/filebeat/module/google_workspace/user_accounts/config/pipeline.js new file mode 100644 index 00000000000..89b54fa72db --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/user_accounts/config/pipeline.js @@ -0,0 +1,24 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var userAccounts = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.type", ["change", "user"]); + evt.Put("event.category", ["iam"]); + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return userAccounts.process(evt); +} diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/manifest.yml b/x-pack/filebeat/module/google_workspace/user_accounts/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/user_accounts/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log new file mode 100644 index 00000000000..7da8fdec935 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log @@ -0,0 +1,8 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_disable"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"2sv_change","name":"2sv_enroll"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"password_change","name":"password_edit"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_email_edit"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_phone_edit"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"recovery_info_change","name":"recovery_secret_qa_edit"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_enroll"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"user_accounts","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"titanium_change","name":"titanium_unenroll"}} diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json new file mode 100644 index 00000000000..ed49851f291 --- /dev/null +++ b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json @@ -0,0 +1,394 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "2sv_disable", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.user_accounts", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_disable\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "2sv_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "2sv_enroll", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.user_accounts", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"2sv_change\",\"name\":\"2sv_enroll\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "2sv_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 316, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "password_edit", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.user_accounts", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"password_change\",\"name\":\"password_edit\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "password_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 631, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "recovery_email_edit", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.user_accounts", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_email_edit\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "recovery_info_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 954, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "recovery_phone_edit", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.user_accounts", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_phone_edit\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "recovery_info_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1288, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "recovery_secret_qa_edit", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.user_accounts", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"recovery_info_change\",\"name\":\"recovery_secret_qa_edit\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "recovery_info_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1622, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "titanium_enroll", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.user_accounts", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_enroll\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "titanium_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "titanium_unenroll", + "event.category": [ + "iam" + ], + "event.dataset": "google_workspace.user_accounts", + "event.id": "1", + "event.module": "google_workspace", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"user_accounts\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"titanium_change\",\"name\":\"titanium_unenroll\"}}", + "event.provider": "user_accounts", + "event.type": [ + "change", + "user" + ], + "fileset.name": "user_accounts", + "google_workspace.actor.type": "USER", + "google_workspace.event.type": "titanium_change", + "google_workspace.kind": "admin#reports#activity", + "google_workspace.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2285, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "google_workspace", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/_meta/config.yml b/x-pack/filebeat/module/gsuite/_meta/config.yml index f557da1b720..0badc11284e 100644 --- a/x-pack/filebeat/module/gsuite/_meta/config.yml +++ b/x-pack/filebeat/module/gsuite/_meta/config.yml @@ -1,3 +1,4 @@ +# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. - module: gsuite saml: enabled: true diff --git a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc index 37f11e4a945..2e83bc5fa7e 100644 --- a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc @@ -7,6 +7,8 @@ beta[] +*Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.* + This is a module for ingesting data from the different GSuite audit reports API's. include::../include/gs-link.asciidoc[] diff --git a/x-pack/filebeat/modules.d/google_workspace.yml.disabled b/x-pack/filebeat/modules.d/google_workspace.yml.disabled new file mode 100644 index 00000000000..b5eb0051965 --- /dev/null +++ b/x-pack/filebeat/modules.d/google_workspace.yml.disabled @@ -0,0 +1,53 @@ +# Module: google_workspace +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-google_workspace.html + +- module: google_workspace + saml: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + user_accounts: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + login: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + admin: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + groups: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 2h + diff --git a/x-pack/filebeat/modules.d/gsuite.yml.disabled b/x-pack/filebeat/modules.d/gsuite.yml.disabled index d003ecbc7d3..ddb160dcbac 100644 --- a/x-pack/filebeat/modules.d/gsuite.yml.disabled +++ b/x-pack/filebeat/modules.d/gsuite.yml.disabled @@ -1,6 +1,7 @@ # Module: gsuite # Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-gsuite.html +# Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. - module: gsuite saml: enabled: true From 3b131313d6ce725cbcdce45de75343b7bfa131fc Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Sat, 12 Dec 2020 09:41:58 +0100 Subject: [PATCH 2/3] Update with latest gsuite changes --- .../google_workspace/admin/config/pipeline.js | 118 ++++++++++-------- ...in-application-test.json.log-expected.json | 18 ++- ...admin-calendar-test.json.log-expected.json | 6 +- .../admin-chat-test.json.log-expected.json | 6 +- ...admin-chromeos-test.json.log-expected.json | 21 ++-- ...admin-contacts-test.json.log-expected.json | 3 +- .../admin-docs-test.json.log-expected.json | 3 +- .../admin-domain-test.json.log-expected.json | 54 +++++--- .../admin-gmail-test.json.log-expected.json | 12 +- .../admin-mobile-test.json.log-expected.json | 6 +- ...admin-security-test.json.log-expected.json | 45 ++++--- .../admin-sites-test.json.log-expected.json | 6 +- .../google_workspace/drive/config/pipeline.js | 1 + .../test/drive-test.json.log-expected.json | 33 +++-- .../groups/config/pipeline.js | 11 +- .../test/groups-test.json.log-expected.json | 27 ++-- 16 files changed, 235 insertions(+), 135 deletions(-) diff --git a/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js b/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js index fe189875d65..1071a61aef0 100644 --- a/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js @@ -6,36 +6,80 @@ var login = (function () { var processor = require("processor"); var categorizeEvent = function(evt) { + // not convinced that these should be iam evt.Put("event.category", ["iam"]); switch (evt.Get("event.action")) { case "CHANGE_APPLICATION_SETTING": case "UPDATE_MANAGED_CONFIGURATION": + case "CHANGE_CALENDAR_SETTING": + case "CHANGE_CHAT_SETTING": + case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING": case "GPLUS_PREMIUM_FEATURES": + case "UPDATE_CALENDAR_RESOURCE_FEATURE": case "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED": + case "MEET_INTEROP_MODIFY_GATEWAY": + case "CHANGE_CHROME_OS_APPLICATION_SETTING": + case "CHANGE_CHROME_OS_DEVICE_SETTING": + case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING": + case "CHANGE_CHROME_OS_SETTING": + case "CHANGE_CHROME_OS_USER_SETTING": + case "CHANGE_CONTACTS_SETTING": + case "CHANGE_DOCS_SETTING": + case "CHANGE_SITES_SETTING": + case "CHANGE_EMAIL_SETTING": + case "CHANGE_GMAIL_SETTING": + case "ALLOW_STRONG_AUTHENTICATION": + case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID": + case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY": + case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_START_DATE": + case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS": + case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES": + case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY": + case "ENFORCE_STRONG_AUTHENTICATION": + case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS": + case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED": + case "SESSION_CONTROL_SETTINGS_CHANGE": + case "CHANGE_SESSION_LENGTH": + case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS": + case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET": + case "ENABLE_API_ACCESS": + case "CHANGE_WHITELIST_SETTING": + case "COMMUNICATION_PREFERENCES_SETTING_CHANGE": + case "ENABLE_FEEDBACK_SOLICITATION": + case "TOGGLE_CONTACT_SHARING": + case "TOGGLE_USE_CUSTOM_LOGO": + case "CHANGE_DATA_LOCALIZATION_SETTING": + case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY": + case "TOGGLE_SSO_ENABLED": + case "TOGGLE_SSL": + case "TOGGLE_NEW_APP_FEATURES": + case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL": + case "TOGGLE_OPEN_ID_ENABLED": + case "TOGGLE_OUTBOUND_RELAY": + case "CHANGE_SSO_SETTINGS": + case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS": + case "CHANGE_MOBILE_APPLICATION_SETTINGS": + case "CHANGE_MOBILE_SETTING": + evt.AppendTo("event.category", "configuration") + evt.Put("event.type", ["change"]); + break; case "UPDATE_BUILDING": - case "UPDATE_CALENDAR_RESOURCE_FEATURE": case "RENAME_CALENDAR_RESOURCE": case "UPDATE_CALENDAR_RESOURCE": - case "CHANGE_CALENDAR_SETTING": case "CANCEL_CALENDAR_EVENTS": case "RELEASE_CALENDAR_RESOURCES": - case "MEET_INTEROP_MODIFY_GATEWAY": - case "CHANGE_CHAT_SETTING": - case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING": case "CHANGE_DEVICE_STATE": - case "CHANGE_CHROME_OS_APPLICATION_SETTING": case "CHANGE_CHROME_OS_DEVICE_ANNOTATION": - case "CHANGE_CHROME_OS_DEVICE_SETTING": case "CHANGE_CHROME_OS_DEVICE_STATE": - case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING": case "UPDATE_CHROME_OS_PRINT_SERVER": case "UPDATE_CHROME_OS_PRINTER": - case "CHANGE_CHROME_OS_SETTING": - case "CHANGE_CHROME_OS_USER_SETTING": case "MOVE_DEVICE_TO_ORG_UNIT_DETAILED": case "UPDATE_DEVICE": case "SEND_CHROME_OS_DEVICE_COMMAND": - case "CHANGE_CONTACTS_SETTING": case "ASSIGN_ROLE": case "ADD_PRIVILEGE": case "REMOVE_PRIVILEGE": @@ -43,9 +87,6 @@ var login = (function () { case "UPDATE_ROLE": case "UNASSIGN_ROLE": case "TRANSFER_DOCUMENT_OWNERSHIP": - case "CHANGE_DOCS_SETTING": - case "CHANGE_SITES_SETTING": - case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES": case "ORG_USERS_LICENSE_ASSIGNMENT": case "ORG_ALL_USERS_LICENSE_ASSIGNMENT": case "USER_LICENSE_ASSIGNMENT": @@ -55,8 +96,6 @@ var login = (function () { case "USER_LICENSE_REVOKE": case "UPDATE_DYNAMIC_LICENSE": case "DROP_FROM_QUARANTINE": - case "CHANGE_EMAIL_SETTING": - case "CHANGE_GMAIL_SETTING": case "REJECT_FROM_QUARANTINE": case "RELEASE_FROM_QUARANTINE": case "CHROME_LICENSES_ENABLED": @@ -70,29 +109,14 @@ var login = (function () { case "EDIT_ORG_UNIT_NAME": case "REVOKE_DEVICE_ENROLLMENT_TOKEN": case "TOGGLE_SERVICE_ENABLED": - case "ALLOW_STRONG_AUTHENTICATION": - case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS": - case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS": - case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID": case "ADD_TO_TRUSTED_OAUTH2_APPS": case "REMOVE_FROM_TRUSTED_OAUTH2_APPS": case "BLOCK_ON_DEVICE_ACCESS": - case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION": - case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY": - case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION": - case "CHANGE_TWO_STEP_VERIFICATION_START_DATE": - case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS": case "TOGGLE_CAA_ENABLEMENT": case "CHANGE_CAA_ERROR_MESSAGE": case "CHANGE_CAA_APP_ASSIGNMENTS": case "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS": case "TRUST_DOMAIN_OWNED_OAUTH2_APPS": - case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY": - case "ENFORCE_STRONG_AUTHENTICATION": - case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS": - case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED": - case "SESSION_CONTROL_SETTINGS_CHANGE": - case "CHANGE_SESSION_LENGTH": case "UNBLOCK_ON_DEVICE_ACCESS": case "CHANGE_ACCOUNT_AUTO_RENEWAL": case "ADD_APPLICATION": @@ -104,23 +128,14 @@ var login = (function () { case "ALERT_STATUS_CHANGED": case "ADD_DOMAIN_ALIAS": case "REMOVE_DOMAIN_ALIAS": - case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS": - case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET": - case "ENABLE_API_ACCESS": case "AUTHORIZE_API_CLIENT_ACCESS": case "REMOVE_API_CLIENT_ACCESS": case "CHROME_LICENSES_REDEEMED": case "TOGGLE_AUTO_ADD_NEW_SERVICE": case "CHANGE_PRIMARY_DOMAIN": - case "CHANGE_WHITELIST_SETTING": - case "COMMUNICATION_PREFERENCES_SETTING_CHANGE": case "CHANGE_CONFLICT_ACCOUNT_ACTION": - case "ENABLE_FEEDBACK_SOLICITATION": - case "TOGGLE_CONTACT_SHARING": - case "TOGGLE_USE_CUSTOM_LOGO": case "CHANGE_CUSTOM_LOGO": case "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA": - case "CHANGE_DATA_LOCALIZATION_SETTING": case "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO": case "CHANGE_DOMAIN_DEFAULT_LOCALE": case "CHANGE_DOMAIN_DEFAULT_TIMEZONE": @@ -130,24 +145,16 @@ var login = (function () { case "ADD_TRUSTED_DOMAINS": case "REMOVE_TRUSTED_DOMAINS": case "CHANGE_EDU_TYPE": - case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY": - case "TOGGLE_SSO_ENABLED": - case "TOGGLE_SSL": case "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO": case "CHANGE_LOGIN_BACKGROUND_COLOR": case "CHANGE_LOGIN_BORDER_COLOR": case "CHANGE_LOGIN_ACTIVITY_TRACE": case "PLAY_FOR_WORK_ENROLL": case "PLAY_FOR_WORK_UNENROLL": - case "TOGGLE_NEW_APP_FEATURES": - case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL": - case "TOGGLE_OPEN_ID_ENABLED": + case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL": case "CHANGE_ORGANIZATION_NAME": - case "TOGGLE_OUTBOUND_RELAY": case "CHANGE_PASSWORD_MAX_LENGTH": case "CHANGE_PASSWORD_MIN_LENGTH": - case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL": - case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS": case "REMOVE_APPLICATION": case "REMOVE_APPLICATION_FROM_WHITELIST": case "CHANGE_RENEW_DOMAIN_REGISTRATION": @@ -159,7 +166,6 @@ var login = (function () { case "ADD_SECONDARY_DOMAIN": case "REMOVE_SECONDARY_DOMAIN": case "UPDATE_DOMAIN_SECONDARY_EMAIL": - case "CHANGE_SSO_SETTINGS": case "UPDATE_RULE": case "ADD_MOBILE_CERTIFICATE": case "COMPANY_OWNED_DEVICE_BLOCKED": @@ -168,9 +174,7 @@ var login = (function () { case "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT": case "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER": case "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST": - case "CHANGE_MOBILE_APPLICATION_SETTINGS": case "ADD_MOBILE_APPLICATION_TO_WHITELIST": - case "CHANGE_MOBILE_SETTING": case "CHANGE_ADMIN_RESTRICTIONS_PIN": case "CHANGE_MOBILE_WIRELESS_NETWORK": case "ADD_MOBILE_WIRELESS_NETWORK": @@ -180,6 +184,10 @@ var login = (function () { evt.Put("event.type", ["change"]); break; case "CREATE_APPLICATION_SETTING": + case "CREATE_GMAIL_SETTING": + evt.AppendTo("event.category", "configuration") + evt.Put("event.type", ["creation"]); + break; case "CREATE_MANAGED_CONFIGURATION": case "CREATE_BUILDING": case "CREATE_CALENDAR_RESOURCE": @@ -190,7 +198,6 @@ var login = (function () { case "CREATE_ROLE": case "ADD_WEB_ADDRESS": case "EMAIL_UNDELETE": - case "CREATE_GMAIL_SETTING": case "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED": case "CREATE_DEVICE_ENROLLMENT_TOKEN": case "CREATE_ENROLLMENT_TOKEN": @@ -205,6 +212,10 @@ var login = (function () { evt.Put("event.type", ["creation"]); break; case "DELETE_APPLICATION_SETTING": + case "DELETE_GMAIL_SETTING": + evt.AppendTo("event.category", "configuration") + evt.Put("event.type", ["deletion"]); + break; case "DELETE_MANAGED_CONFIGURATION": case "DELETE_BUILDING": case "DELETE_CALENDAR_RESOURCE": @@ -215,7 +226,6 @@ var login = (function () { case "REMOVE_CHROME_OS_APPLICATION_SETTINGS": case "DELETE_ROLE": case "DELETE_WEB_ADDRESS": - case "DELETE_GMAIL_SETTING": case "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED": case "REMOVE_ORG_UNIT": case "DELETE_ALERT": diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json index 228b200a660..6e14b17286f 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json @@ -3,7 +3,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_APPLICATION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -60,7 +61,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_APPLICATION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -116,7 +118,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_APPLICATION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -227,7 +230,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GPLUS_PREMIUM_FEATURES", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -377,7 +381,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_MANAGED_CONFIGURATION", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -427,7 +432,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json index 91c175be25f..b58fc898aa5 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json @@ -356,7 +356,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -513,7 +514,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CALENDAR_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json index a151492253a..fd36d938cfa 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json @@ -101,7 +101,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MEET_INTEROP_MODIFY_GATEWAY", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -150,7 +151,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHAT_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json index 9219ed03efc..be4e9edc547 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json @@ -3,7 +3,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -112,7 +113,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -268,7 +270,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -372,7 +375,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -722,7 +726,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -774,7 +779,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_USER_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1031,7 +1037,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json index 05ef3b46ace..7c057be7bfd 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json @@ -3,7 +3,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json index a9dd7b173b7..3d9032bcb6c 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json @@ -108,7 +108,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOCS_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json index 17c2a56d0bb..aedc198aeec 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json @@ -755,7 +755,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -805,7 +806,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -855,7 +857,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_API_ACCESS", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1161,7 +1164,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_WHITELIST_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1212,7 +1216,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1315,7 +1320,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_FEEDBACK_SOLICITATION", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1366,7 +1372,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_CONTACT_SHARING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1465,7 +1472,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_USE_CUSTOM_LOGO", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1615,7 +1623,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -2217,7 +2226,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -2267,7 +2277,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SSO_ENABLED", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -2317,7 +2328,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SSL", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -2769,7 +2781,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_NEW_APP_FEATURES", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -2819,7 +2832,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -2967,7 +2981,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OPEN_ID_ENABLED", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -3068,7 +3083,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OUTBOUND_RELAY", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -3273,7 +3289,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -4123,7 +4140,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SSO_SETTINGS", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json index 75bea4b5cd9..5d748bc3990 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json @@ -161,7 +161,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_EMAIL_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -217,7 +218,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GMAIL_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -269,7 +271,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_GMAIL_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -321,7 +324,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_GMAIL_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json index a4e6fd2586d..436ec466cf4 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json @@ -570,7 +570,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -889,7 +890,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json index fd5f69b546f..d3e6ddbea99 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json @@ -3,7 +3,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALLOW_STRONG_AUTHENTICATION", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -54,7 +55,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -104,7 +106,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -154,7 +157,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -361,7 +365,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -415,7 +420,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -469,7 +475,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -523,7 +530,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -577,7 +585,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -880,7 +889,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -934,7 +944,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENFORCE_STRONG_AUTHENTICATION", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -990,7 +1001,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1041,7 +1053,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1095,7 +1108,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -1147,7 +1161,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SESSION_LENGTH", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json index b9816b3c6c6..aa6e0b98b67 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json @@ -111,7 +111,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SITES_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", @@ -164,7 +165,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/drive/config/pipeline.js b/x-pack/filebeat/module/google_workspace/drive/config/pipeline.js index c2a20d7f2a2..a35777d3e67 100644 --- a/x-pack/filebeat/module/google_workspace/drive/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/drive/config/pipeline.js @@ -31,6 +31,7 @@ var drive = (function () { case "sheets_import_range_access_change": case "change_user_access": evt.AppendTo("event.category", "iam"); + evt.AppendTo("event.category", "configuration"); evt.Put("event.type", ["change"]); break; case "create": diff --git a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json index af4cd4c8af7..7577f101f35 100644 --- a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json @@ -66,7 +66,8 @@ "event.action": "approval_canceled", "event.category": [ "file", - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -127,7 +128,8 @@ "event.action": "approval_comment_added", "event.category": [ "file", - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -188,7 +190,8 @@ "event.action": "approval_requested", "event.category": [ "file", - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -249,7 +252,8 @@ "event.action": "approval_reviewer_responded", "event.category": [ "file", - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1279,7 +1283,8 @@ "event.action": "change_acl_editors", "event.category": [ "file", - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1344,7 +1349,8 @@ "event.action": "change_document_access_scope", "event.category": [ "file", - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1410,7 +1416,8 @@ "event.action": "change_document_visibility", "event.category": [ "file", - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1476,7 +1483,8 @@ "event.action": "shared_drive_membership_change", "event.category": [ "file", - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1542,7 +1550,8 @@ "event.action": "shared_drive_settings_change", "event.category": [ "file", - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1608,7 +1617,8 @@ "event.action": "sheets_import_range_access_change", "event.category": [ "file", - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.drive", "event.id": "1", @@ -1669,7 +1679,8 @@ "event.action": "change_user_access", "event.category": [ "file", - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.drive", "event.id": "1", diff --git a/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js b/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js index 8e3a754c846..7f91d9db844 100644 --- a/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js @@ -9,7 +9,6 @@ var groups = (function () { evt.Put("event.category", ["iam"]); evt.Put("event.type", ["group"]); switch (evt.Get("event.action")) { - case "change_acl_permission": case "change_basic_setting": case "change_identity_setting": case "change_info_setting": @@ -17,6 +16,10 @@ var groups = (function () { case "change_post_replies_setting": case "change_spam_moderation_setting": case "change_topic_setting": + evt.AppendTo("event.category", "configuration"); + evt.AppendTo("event.type", "change"); + break; + case "change_acl_permission": evt.AppendTo("event.type", "change"); break; case "accept_invitation": @@ -38,11 +41,17 @@ var groups = (function () { evt.AppendTo("event.type", "user"); break; case "create_group": + evt.AppendTo("event.type", "creation"); + break; case "add_info_setting": + evt.AppendTo("event.category", "configuration"); evt.AppendTo("event.type", "creation"); break; case "delete_group": + evt.AppendTo("event.type", "deletion"); + break; case "remove_info_setting": + evt.AppendTo("event.category", "configuration"); evt.AppendTo("event.type", "deletion"); break; case "moderate_message": diff --git a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json index 599d61b32b5..1a129341981 100644 --- a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json @@ -277,7 +277,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_basic_setting", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -436,7 +437,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_identity_setting", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -491,7 +493,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_info_setting", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -545,7 +548,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_info_setting", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -600,7 +604,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_info_setting", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -654,7 +659,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_new_members_restrictions_setting", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -709,7 +715,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_post_replies_setting", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -764,7 +771,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_spam_moderation_setting", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.groups", "event.id": "1", @@ -819,7 +827,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_topic_setting", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "google_workspace.groups", "event.id": "1", From 00c56abf269bc22dc14ebe6f6af523dffc9f90ef Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 14 Dec 2020 16:08:36 +0100 Subject: [PATCH 3/3] Use deprecation tag and fix doc typo --- filebeat/docs/modules/google_workspace.asciidoc | 2 +- filebeat/docs/modules/gsuite.asciidoc | 2 +- x-pack/filebeat/module/google_workspace/_meta/docs.asciidoc | 2 +- x-pack/filebeat/module/gsuite/_meta/docs.asciidoc | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/filebeat/docs/modules/google_workspace.asciidoc b/filebeat/docs/modules/google_workspace.asciidoc index 4b33d09d1e2..75b2c19b259 100644 --- a/filebeat/docs/modules/google_workspace.asciidoc +++ b/filebeat/docs/modules/google_workspace.asciidoc @@ -12,7 +12,7 @@ This file is generated! See scripts/docs_collector.py beta[] -This is a module for ingesting data from the different Google Workspace audit reports API's. +This is a module for ingesting data from the different Google Workspace audit reports APIs. include::../include/gs-link.asciidoc[] diff --git a/filebeat/docs/modules/gsuite.asciidoc b/filebeat/docs/modules/gsuite.asciidoc index bff00ced026..2df022216c5 100644 --- a/filebeat/docs/modules/gsuite.asciidoc +++ b/filebeat/docs/modules/gsuite.asciidoc @@ -12,7 +12,7 @@ This file is generated! See scripts/docs_collector.py beta[] -*Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.* +deprecated::[7.12] This is a module for ingesting data from the different GSuite audit reports API's. diff --git a/x-pack/filebeat/module/google_workspace/_meta/docs.asciidoc b/x-pack/filebeat/module/google_workspace/_meta/docs.asciidoc index 45c067edea1..e22bb4b3f71 100644 --- a/x-pack/filebeat/module/google_workspace/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/google_workspace/_meta/docs.asciidoc @@ -7,7 +7,7 @@ beta[] -This is a module for ingesting data from the different Google Workspace audit reports API's. +This is a module for ingesting data from the different Google Workspace audit reports APIs. include::../include/gs-link.asciidoc[] diff --git a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc index 2e83bc5fa7e..38402d773a0 100644 --- a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc @@ -7,7 +7,7 @@ beta[] -*Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead.* +deprecated::[7.12] This is a module for ingesting data from the different GSuite audit reports API's.