
Commit e4bdd6a

[Google Workspace] Update mappings for recent admin log event changes (#16058)
google_workspace: update mapping for schema changes in admin log events. This also covers the updated mapping based on the latest schema updates here [1]. Map the following events to the `change` event type: - ADMIN_EVENTS_TOGGLE_NEW_APP_FEATURES_PREFERENCE - CHANGE_API_ACCESS - CHANGE_APP_ACCESS - CHANGE_UNCONFIGURED_APPS_ACCESS - CHANGE_UNDERAGE_UNCONFIGURED_APPS_ACCESS Map the following events to the `configuration` event category: - ADMIN_EVENTS_TOGGLE_NEW_APP_FEATURES_PREFERENCE - CHANGE_API_ACCESS New test cases were obtained from live logs from a Workspace instance. [1] https://support.google.com/a/answer/16601511
1 parent be75be8 commit e4bdd6a


9 files changed

+1108
-290
lines changed


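--- a/packages/google_workspace/changelog.yml
+++ b/packages/google_workspace/changelog.yml
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "3.0.0"
+changes:
+- description: >-
+Add support for `setting.metadata.*` fields.
+Move `user_defined_setting.name` under `setting.metadata` as per the schema changes.
+Add ECS categorization support for event name changes for the admin data stream.
+type: breaking-change
+link: https://github.com/elastic/integrations/pull/16058
 - version: "2.47.2"
 changes:
 - description: Discard events that are missing the `items[]` field during the split operation and are returned as the root object.
@@ -541,7 +549,7 @@
 - description: Convert to generated ECS fields
 type: enhancement
 link: https://github.com/elastic/integrations/pull/1479
-- version: '0.7.2'
+- version: "0.7.2"
 changes:
 - description: update to ECS 1.11.0
 type: enhancement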

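--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log
@@ -2,9 +2,6 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2020/07/28 04:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.128.3.4"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.128.3.4"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
-{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2022-03-07T04:48:46.816Z","uniqueQualifier":"-4744923097030659931","applicationName":"admin","customerId":"A00aaa0aa"},"actor":{"callerType":"USER","email":"user@exmaple.com","profileId":"111111111111111111111"},"ipAddress":"81.2.69.145","etag":"some_etag","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2022/03/07 12:59:59 UTC"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":""},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":""},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":""},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient@example.com"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":""},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2022/02/27 13:00:00 UTC"}]}}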

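--- a/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json
+++ b/packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-gmail.log-expected.json
@@ -354,261 +354,6 @@
 }
 }
 },
-{
-"@timestamp": "2020-10-02T15:00:00.000Z",
-"ecs": {
-"version": "8.16.0"
-},
-"event": {
-"action": "CHANGE_GMAIL_SETTING",
-"category": [
-"iam",
-"configuration"
-],
-"id": "1",
-"kind": "event",
-"original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}",
-"provider": "admin",
-"type": [
-"change"
-]
-},
-"google_workspace": {
-"actor": {
-"type": "USER"
-},
-"admin": {
-"org_unit": {
-"name": "org"
-},
-"setting": {
-"description": "setting description",
-"name": "setting"
-},
-"user_defined_setting": {
-"name": "setting name"
-}
-},
-"event": {
-"type": "EMAIL_SETTINGS"
-},
-"kind": "admin#reports#activity",
-"organization": {
-"domain": "elastic.com"
-}
-},
-"organization": {
-"id": "1"
-},
-"related": {
-"ip": [
-"67.43.156.13"
-],
-"user": [
-"foo"
-]
-},
-"source": {
-"as": {
-"number": 35908
-},
-"geo": {
-"continent_name": "Asia",
-"country_iso_code": "BT",
-"country_name": "Bhutan",
-"location": {
-"lat": 27.5,
-"lon": 90.5
-}
-},
-"ip": "67.43.156.13",
-"user": {
-"domain": "bar.com",
-"email": "foo@bar.com",
-"id": "1",
-"name": "foo"
-}
-},
-"tags": [
-"preserve_original_event"
-],
-"user": {
-"domain": "bar.com",
-"email": "foo@bar.com",
-"id": "1",
-"name": "foo"
-}
-},
-{
-"@timestamp": "2020-10-02T15:00:00.000Z",
-"ecs": {
-"version": "8.16.0"
-},
-"event": {
-"action": "CREATE_GMAIL_SETTING",
-"category": [
-"iam"
-],
-"id": "1",
-"kind": "event",
-"original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}",
-"provider": "admin",
-"type": [
-"change",
-"creation"
-]
-},
-"google_workspace": {
-"actor": {
-"type": "USER"
-},
-"admin": {
-"org_unit": {
-"name": "org"
-},
-"setting": {
-"description": "setting description",
-"name": "setting"
-},
-"user_defined_setting": {
-"name": "setting name"
-}
-},
-"event": {
-"type": "EMAIL_SETTINGS"
-},
-"kind": "admin#reports#activity",
-"organization": {
-"domain": "elastic.com"
-}
-},
-"organization": {
-"id": "1"
-},
-"related": {
-"ip": [
-"67.43.156.13"
-],
-"user": [
-"foo"
-]
-},
-"source": {
-"as": {
-"number": 35908
-},
-"geo": {
-"continent_name": "Asia",
-"country_iso_code": "BT",
-"country_name": "Bhutan",
-"location": {
-"lat": 27.5,
-"lon": 90.5
-}
-},
-"ip": "67.43.156.13",
-"user": {
-"domain": "bar.com",
-"email": "foo@bar.com",
-"id": "1",
-"name": "foo"
-}
-},
-"tags": [
-"preserve_original_event"
-],
-"user": {
-"domain": "bar.com",
-"email": "foo@bar.com",
-"id": "1",
-"name": "foo"
-}
-},
-{
-"@timestamp": "2020-10-02T15:00:00.000Z",
-"ecs": {
-"version": "8.16.0"
-},
-"event": {
-"action": "DELETE_GMAIL_SETTING",
-"category": [
-"iam",
-"configuration"
-],
-"id": "1",
-"kind": "event",
-"original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}",
-"provider": "admin",
-"type": [
-"deletion"
-]
-},
-"google_workspace": {
-"actor": {
-"type": "USER"
-},
-"admin": {
-"org_unit": {
-"name": "org"
-},
-"setting": {
-"description": "setting description",
-"name": "setting"
-},
-"user_defined_setting": {
-"name": "setting name"
-}
-},
-"event": {
-"type": "EMAIL_SETTINGS"
-},
-"kind": "admin#reports#activity",
-"organization": {
-"domain": "elastic.com"
-}
-},
-"organization": {
-"id": "1"
-},
-"related": {
-"ip": [
-"67.43.156.13"
-],
-"user": [
-"foo"
-]
-},
-"source": {
-"as": {
-"number": 35908
-},
-"geo": {
-"continent_name": "Asia",
-"country_iso_code": "BT",
-"country_name": "Bhutan",
-"location": {
-"lat": 27.5,
-"lon": 90.5
-}
-},
-"ip": "67.43.156.13",
-"user": {
-"domain": "bar.com",
-"email": "foo@bar.com",
-"id": "1",
-"name": "foo"
-}
-},
-"tags": [
-"preserve_original_event"
-],
-"user": {
-"domain": "bar.com",
-"email": "foo@bar.com",
-"id": "1",
-"name": "foo"
-}
-},
 {
 "@timestamp": "2020-10-02T15:00:00.000Z",
 "ecs": {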
