Google Workspace Integration
<div class="condensed-table">
| | |
| --- | --- |
| Version | 2.30.0 (View all) |
| Compatible Kibana version(s) | 8.16.0 or higher |
| Supported Serverless project types
What’s this? | Security
Observability |
| Subscription level
What’s this? | Basic |
| Level of support
What’s this? | Elastic |
</div>
The Google Workspace integration collects and parses data from the different Google Workspace audit reports APIs.
These blogs from our Security Labs will help you know more about the Google Workspace and how to it setup:
- To understand what Google Workspace is in Part One - Surveying the Land
- To set it up, step by step, in Part Two - Setup Threat Detection with Elastic
It is compatible with a subset of applications under the Google Reports API v1. As of today it supports:
| Google Workspace Service | Description |
|---|---|
| SAML help | View users’ successful and failed sign-ins to SAML applications. |
| User Accounts help | Audit actions carried out by users on their own accounts including password changes, account recovery details and 2-Step Verification enrollment. |
| Login help | Track user sign-in activity to your domain. |
| Rules help | View a record of actions to review your user’s attempts to share sensitive data. |
| Admin help | View administrator activity performed within the Google Admin console. |
| Drive help | Record user activity within Google Drive including content creation in such as Google Docs, as well as content created elsewhere that your users upload to Drive such as PDFs and Microsoft Word files. |
| Groups help | Track changes to groups, group memberships and group messages. |
| Group Enterprise help | The Group Enterprise activity report returns information about various types of Enterprise Groups Audit activity events. |
| Device help | The Mobile activity report returns information about various types of Device Audit activity events. |
| Token help | The Token activity report returns information about various types of OAuth Token Audit activity events. |
| Access Transparency help | The Access Transparency activity report returns information about various types of Access Transparency activity events. |
| Context Aware Access help | The Context Aware Access activity report returns information about various types of Context-Aware Access Audit activity events. |
| GCP | The GCP activity report returns information about various types of Google Cloud Platform activity events. |
| Chrome | The Chrome activity reports return information about Chrome browser and Chrome OS events. |
In order to ingest data from the Google Reports API you must:
- Have an administrator account.
- Set up a ServiceAccount using the administrator account.
- Set up access to the Admin SDK API for the ServiceAccount.
- Enable Domain-Wide Delegation for your ServiceAccount.
This integration will make use of the following oauth2 scope:
https://www.googleapis.com/auth/admin.reports.audit.readonly
Once you have downloaded your service account credentials as a JSON file, you are ready to set up your integration.
Click the Advanced option of Google Workspace Audit Reports. The default value of "API Host" is https://www.googleapis.com. The API Host will be used for collecting access_transparency, admin, chrome, context_aware_access, device, drive, gcp, groups, group_enterprise, login, rules, saml, token and user accounts logs.
Note
The Delegated Account value in the configuration, is expected to be the email of the administrator account, and not the email of the ServiceAccount.
The Google Workspace Integration collects and parses data received from the Google Workspace Alert Center API using HTTP JSON Input.
Alert Data Stream has been tested against
Google Workspace Alert Center API (v1).Following Alert types have been supported in the current integration version:
- Customer takeout initiated
- Malware reclassification
- Misconfigured whitelist
- Phishing reclassification
- Suspicious message reported
- User reported phishing
- User reported spam spike
- Leaked password
- Suspicious login
- Suspicious login (less secure app)
- Suspicious programmatic login
- User suspended
- User suspended (spam)
- User suspended (spam through relay)
- User suspended (suspicious activity)
- Google Operations
- Configuration problem
- Government attack warning
- Device compromised
- Suspicious activity
- AppMaker Default Cloud SQL setup
- Activity Rule
- Data Loss Prevention
- Apps outage
- Primary admin changed
- SSO profile added
- SSO profile updated
- SSO profile deleted
- Super admin password reset
- Account suspension warning
- Calendar settings changed
- Chrome devices auto-update expiration warning
- Customer takeout initiated
- Drive settings changed
- Email settings changed
- Gmail potential employee spoofing
- Mobile settings changed
- New user added
- Reporting Rule
- Suspended user made active
- User deleted
- User granted Admin privilege
- User suspended (spam)
- User’s Admin privileges revoked
- Users password changed
- Google Voice configuration problem detected
In order to ingest data from the Google Alert Center API, you must:
- Have an administrator account.
- Set up a ServiceAccount using the Administrator Account.
- Set up access to the Admin SDK API for the ServiceAccount.
- Enable Domain-Wide Delegation for the ServiceAccount.
This integration will make use of the following oauth2 scope:
https://www.googleapis.com/auth/apps.alerts
Once Service Account credentials are downloaded as a JSON file, then the integration can be setup to collect data.
Note
The Delegated Account value in the configuration, is expected to be the email of the administrator account, and not the email of the ServiceAccount.
Note
The default value of the "Page Size" is set to 1000. This option is available under Alert Advance options. Set the parameter "Page Size" according to the requirement. For Alert Data Stream, The default value of "Alert Center API Host" is https://alertcenter.googleapis.com. The Alert Center API Host will be used for collecting alert logs only.
This is a list of Google Workspace Reports fields that are mapped to ECS that are common to all data sets.
| Google Workspace Reports | ECS Fields |
|---|---|
items[].id.time |
@timestamp |
items[].id.uniqueQualifier |
event.id |
items[].id.applicationName |
event.provider |
items[].events[].name |
event.action |
items[].customerId |
organization.id |
items[].ipAddress |
source.ip, related.ip, source.as.*, source.geo.* |
items[].actor.email |
source.user.email, source.user.name, source.user.domain |
items[].actor.profileId |
source.user.id |
This is the saml dataset.
**Example**
An example event for saml looks as following:
{
"@timestamp": "2021-10-02T15:00:00.000Z",
"agent": {
"ephemeral_id": "21bc9c22-c07c-4d9e-be7d-d847757ace52",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.saml",
"namespace": "42924",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "login_failure",
"agent_id_status": "verified",
"category": [
"authentication",
"session"
],
"created": "2024-08-01T22:01:50.429Z",
"dataset": "google_workspace.saml",
"id": "1",
"ingested": "2024-08-01T22:02:02Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"login_failure\",\"parameters\":[{\"name\":\"application_name\",\"value\":\"app\"},{\"name\":\"failure_type\",\"value\":\"failure_app_not_configured_for_user\"},{\"name\":\"initiated_by\",\"value\":\"idp\"},{\"name\":\"orgunit_path\",\"value\":\"ounit\"},{\"name\":\"saml_second_level_status_code\",\"value\":\"SUCCESS_URI\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}],\"type\":\"login\"},\"id\":{\"applicationName\":\"saml\",\"customerId\":\"1\",\"time\":\"2021-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"outcome": "failure",
"provider": "saml",
"type": [
"start"
]
},
"google_workspace": {
"actor": {
"type": "USER"
},
"event": {
"type": "login"
},
"kind": "admin#reports#activity",
"organization": {
"domain": "elastic.com"
},
"saml": {
"application_name": "app",
"failure_type": "failure_app_not_configured_for_user",
"initiated_by": "idp",
"orgunit_path": "ounit",
"second_level_status_code": "SUCCESS_URI",
"status_code": "SUCCESS_URI"
}
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"ip": [
"98.235.162.24"
],
"user": [
"foo"
]
},
"source": {
"as": {
"number": 7922,
"organization": {
"name": "Comcast Cable Communications, Inc."
}
},
"ip": "98.235.162.24",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"google_workspace-saml"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| google_workspace.saml.application_name | Saml SP application name. | keyword |
| google_workspace.saml.failure_type | Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml. | keyword |
| google_workspace.saml.initiated_by | Requester of SAML authentication. | keyword |
| google_workspace.saml.orgunit_path | User orgunit. | keyword |
| google_workspace.saml.second_level_status_code | SAML second level status code. | keyword |
| google_workspace.saml.status_code | SAML status code. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the user_accounts dataset.
**Example**
An example event for user_accounts looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
"ephemeral_id": "65179230-7468-4b71-9b2b-a2cd4f778866",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.user_accounts",
"namespace": "10103",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "2sv_disable",
"agent_id_status": "verified",
"category": [
"iam"
],
"created": "2024-08-01T22:03:58.977Z",
"dataset": "google_workspace.user_accounts",
"id": "1",
"ingested": "2024-08-01T22:04:10Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"2sv_disable\",\"type\":\"2sv_change\"},\"id\":{\"applicationName\":\"user_accounts\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "user_accounts",
"type": [
"change",
"user"
]
},
"google_workspace": {
"actor": {
"type": "USER"
},
"event": {
"type": "2sv_change"
},
"kind": "admin#reports#activity",
"organization": {
"domain": "elastic.com"
}
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"ip": [
"98.235.162.24"
],
"user": [
"foo"
]
},
"source": {
"as": {
"number": 7922,
"organization": {
"name": "Comcast Cable Communications, Inc."
}
},
"ip": "98.235.162.24",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"google_workspace-user_accounts"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| google_workspace.user_accounts.email_forwarding_destination_address | Out of domain email the actor has forwarded to. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the login dataset.
**Example**
An example event for login looks as following:
{
"@timestamp": "2022-05-04T15:04:05.000Z",
"agent": {
"ephemeral_id": "8d5b6a07-b1e1-4397-982f-9223504ae534",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.login",
"namespace": "61171",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "account_disabled_password_leak",
"agent_id_status": "verified",
"category": [
"iam"
],
"created": "2024-08-01T21:59:36.067Z",
"dataset": "google_workspace.login",
"id": "1",
"ingested": "2024-08-01T21:59:48Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"account_disabled_password_leak\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"}],\"type\":\"account_warning\"},\"id\":{\"applicationName\":\"login\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "login",
"type": [
"user",
"info"
]
},
"google_workspace": {
"actor": {
"type": "USER"
},
"event": {
"type": "account_warning"
},
"kind": "admin#reports#activity",
"login": {
"affected_email_address": "foo@elastic.co"
},
"organization": {
"domain": "elastic.com"
}
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"ip": [
"98.235.162.24"
],
"user": [
"foo",
"foo"
]
},
"source": {
"as": {
"number": 7922,
"organization": {
"name": "Comcast Cable Communications, Inc."
}
},
"ip": "98.235.162.24",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"google_workspace-login"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo",
"target": {
"domain": "elastic.co",
"name": "foo"
}
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.login.affected_email_address | keyword | |
| google_workspace.login.challenge_method | Login challenge method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
| google_workspace.login.challenge_status | Login challenge status. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
| google_workspace.login.failure_type | Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
| google_workspace.login.is_second_factor | boolean | |
| google_workspace.login.is_suspicious | boolean | |
| google_workspace.login.timestamp | UNIX timestmap of login in microseconds. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | long |
| google_workspace.login.type | Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the rules dataset.
**Example**
An example event for rules looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
"ephemeral_id": "5c6a871e-fa71-4f56-b30d-46922ca4e836",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.rules",
"namespace": "88921",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "rule_match",
"agent_id_status": "verified",
"created": "2024-08-01T22:00:43.194Z",
"dataset": "google_workspace.rules",
"id": "1",
"ingested": "2024-08-01T22:00:55Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"rule_match\",\"parameters\":[{\"boolValue\":\"true\",\"name\":\"has_alert\"},{\"name\":\"actor_ip_address\",\"value\":\"127.0.0.0\"},{\"intValue\":\"1234\",\"name\":\"resource_recipients_omitted_count\"},{\"multiValue\":[\"managers\"],\"name\":\"rule_name\"},{\"multiIntValue\":[\"12\"],\"name\":\"rule_id\"}],\"type\":\"rule_match_type\"},\"id\":{\"applicationName\":\"rules\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"67.43.156.13\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "rules"
},
"google_workspace": {
"actor": {
"email": "foo@bar.com",
"profile": {
"id": "1"
},
"type": "USER"
},
"event": {
"name": "rule_match",
"type": "rule_match_type"
},
"id": {
"application_name": "rules",
"customer": {
"id": "1"
},
"time": "2020-10-02T15:00:00.000Z",
"unique_qualifier": "1"
},
"ip_address": "67.43.156.13",
"kind": "admin#reports#activity",
"organization": {
"domain": "elastic.com"
},
"rules": {
"actor_ip_address": "127.0.0.0",
"has_alert": true,
"id": [
"12"
],
"name": [
"managers"
],
"resource": {
"recipients_omitted_count": 1234
}
}
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"hosts": [
"bar.com",
"elastic.com"
],
"ip": [
"67.43.156.13",
"127.0.0.0"
],
"user": [
"foo"
]
},
"rule": {
"id": [
"12"
],
"name": [
"managers"
]
},
"source": {
"as": {
"number": 35908
},
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.13",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"google_workspace-rules"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.email | The primary email address of the actor. May be absent if there is no email address associated with the actor. | keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.profile.id | The unique Google Workspace profile ID of the actor. This value might be absent if the actor is not a Google Workspace user, or may be the number 105250506097979753968 which acts as a placeholder ID. | keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.etag | ETag of the entry. | keyword |
| google_workspace.event.name | Name of the event. This is the specific name of the activity reported by the API. And each eventName is related to a specific Google Workspace service or feature which the API organizes into types of events. For eventName request parameters in general: If no eventName is given, the report returns all possible instances of an eventName. When you request an eventName, the API’s response returns all activities which contain that eventName. It is possible that the returned activities will have other eventName properties in addition to the one requested. For more information about eventName properties, see the list of event names for various applications above in applicationName. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found here. |
keyword |
| google_workspace.id.application_name | Application name to which the event belongs. For possible values see the list of applications above in applicationName. | keyword |
| google_workspace.id.customer.id | The unique identifier for a Google Workspace account. | keyword |
| google_workspace.id.time | Time of occurrence of the activity. This is in UNIX epoch time in seconds. | date |
| google_workspace.id.unique_qualifier | Unique qualifier if multiple events have the same time. | keyword |
| google_workspace.ip_address | IP address of the user doing the action. This is the Internet Protocol (IP) address of the user when logging into Google Workspace, which may or may not reflect the user’s physical location. For example, the IP address can be the user’s proxy server’s address or a virtual private network (VPN) address. The API supports IPv4 and IPv6. | ip |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload, more details can be found here. |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| google_workspace.rules.actions | List of actions taken. For a list of possible values refer to actions in the event details table. |
keyword |
| google_workspace.rules.actor_ip_address | IP of the entity who was responsible for the original event which triggered the rule. | ip |
| google_workspace.rules.application | Name of the application to which the flagged item belongs. For a list of possible values refer to application in the event details table. |
keyword |
| google_workspace.rules.conference_id | The unique identifier of a Google Meet conference. | keyword |
| google_workspace.rules.data_source | Source of the data. For a list of possible values refer to data_source in the event details table. |
keyword |
| google_workspace.rules.device.id | ID of the device on which the action was triggered. | keyword |
| google_workspace.rules.device.type | Type of device referred to by device ID. For a list of possible values refer to device_type in the event details table. |
keyword |
| google_workspace.rules.drive_shared_drive_id | Shared drive Id to which the drive item belongs, if applicable. | keyword |
| google_workspace.rules.evaluation_context | Evaluation metadata, such as contextual messages used in a rule evaluation. | flattened |
| google_workspace.rules.has_alert | Whether or not the triggered rule has alert enabled. | boolean |
| google_workspace.rules.has_content_match | Whether the resource has content which matches the criteria in the rule. For a list of possible values refer to has_content_match in the event details table. |
boolean |
| google_workspace.rules.id | Unique identifier for a rule. Rules are created by admins in Google Workspace. | keyword |
| google_workspace.rules.matched.detectors | A list of detectors that matched against the resource. | flattened |
| google_workspace.rules.matched.templates | List of content detector templates that matched. | keyword |
| google_workspace.rules.matched.threshold | Threshold that matched in the rule. | keyword |
| google_workspace.rules.matched.trigger | Trigger of the rule evaluation: email sent or received, document shared. For a list of possible values refer to matched_trigger in the event details table. |
keyword |
| google_workspace.rules.mobile_device_type | Type of device on which rule was applied. | keyword |
| google_workspace.rules.mobile_ios_vendor_id | iOS Vendor Id of device on which rule was applied, if applicable. | keyword |
| google_workspace.rules.name | Name of the rule. | keyword |
| google_workspace.rules.resource.id | Identifier of the resource which matched the rule. | keyword |
| google_workspace.rules.resource.name | Resource name that uniquely identifies a rule. | keyword |
| google_workspace.rules.resource.owner_email | Email address of the owner of the resource. | keyword |
| google_workspace.rules.resource.recipients | A list of users that a Drive document or an email message was shared with when the rule was triggered. | keyword |
| google_workspace.rules.resource.recipients_omitted_count | The number of resource recipients omitted due to exceeding the size limit. | long |
| google_workspace.rules.resource.title | Title of the resource which matched the rule: email subject, or document title. | keyword |
| google_workspace.rules.resource.type | Type of the rule. For a list of possible values refer to resource_type in the event details table. |
keyword |
| google_workspace.rules.resource_name | Name of the resource which matched the rule. | keyword |
| google_workspace.rules.scan_type | Scan mode for the rule evaluation. For a list of possible values refer to scan_type in the event details table. |
keyword |
| google_workspace.rules.severity | Severity of violating a rule. For a list of possible values refer to to severity in the event details table. |
keyword |
| google_workspace.rules.space.id | ID of the space where the rule was triggered. | keyword |
| google_workspace.rules.space.type | Type of space referred to by the space ID. For a list of possible values refer to space_type in the event details table. |
keyword |
| google_workspace.rules.suppressed_actions | A list of actions that were not taken due to other actions with higher priority. | flattened |
| google_workspace.rules.triggered_actions | A list of actions that were taken as a consequence of the rule being triggered. | flattened |
| google_workspace.rules.type | Type of the rule. For a list of possible values refer to rule_type in the event details table. |
keyword |
| google_workspace.rules.update_time_usec | Update time (microseconds since epoch) indicating the version of rule which is used. | date |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the admin dataset.
**Example**
An example event for admin looks as following:
{
"@timestamp": "2022-04-04T15:04:05.000Z",
"agent": {
"ephemeral_id": "e64e710c-e02b-4997-bb7e-83b936dd6aa5",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.admin",
"namespace": "62273",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "CHANGE_APPLICATION_SETTING",
"agent_id_status": "verified",
"category": [
"iam",
"configuration"
],
"created": "2024-08-01T21:51:15.529Z",
"dataset": "google_workspace.admin",
"id": "1",
"ingested": "2024-08-01T21:51:27Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}],\"type\":\"APPLICATION_SETTINGS\"},\"id\":{\"applicationName\":\"admin\",\"customerId\":\"1\",\"time\":\"2022-04-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "admin",
"type": [
"change"
]
},
"google_workspace": {
"actor": {
"type": "USER"
},
"admin": {
"application": {
"edition": "basic",
"name": "drive"
},
"group": {
"email": "group@example.com"
},
"new_value": "new",
"old_value": "old",
"org_unit": {
"name": "org"
},
"setting": {
"name": "setting"
}
},
"event": {
"type": "APPLICATION_SETTINGS"
},
"kind": "admin#reports#activity",
"organization": {
"domain": "elastic.com"
}
},
"group": {
"domain": "example.com",
"name": "group"
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"ip": [
"98.235.162.24"
],
"user": [
"foo"
]
},
"source": {
"as": {
"number": 7922,
"organization": {
"name": "Comcast Cable Communications, Inc."
}
},
"ip": "98.235.162.24",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"google_workspace-admin"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo",
"target": {
"group": {
"domain": "example.com",
"name": "group"
}
}
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.admin.alert.name | The alert name. | keyword |
| google_workspace.admin.api.client.name | The API client name. | keyword |
| google_workspace.admin.api.scopes | The API scopes. | keyword |
| google_workspace.admin.application.asp_id | The application specific password ID. | keyword |
| google_workspace.admin.application.edition | The Google Workspace edition. | keyword |
| google_workspace.admin.application.enabled | The enabled application. | keyword |
| google_workspace.admin.application.id | The application ID. | keyword |
| google_workspace.admin.application.licences_order_number | Order number used to redeem licenses. | keyword |
| google_workspace.admin.application.licences_purchased | Number of licences purchased. | long |
| google_workspace.admin.application.name | The application’s name. | keyword |
| google_workspace.admin.application.package_id | The mobile application package ID. | keyword |
| google_workspace.admin.bulk_upload.failed | Number of failed records in bulk upload operation. | long |
| google_workspace.admin.bulk_upload.total | Number of total records in bulk upload operation. | long |
| google_workspace.admin.chrome_licenses.allowed | Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings | keyword |
| google_workspace.admin.chrome_licenses.enabled | Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings | keyword |
| google_workspace.admin.chrome_os.session_type | Chrome OS session type. | keyword |
| google_workspace.admin.device.command_details | Command details. | keyword |
| google_workspace.admin.device.id | keyword | |
| google_workspace.admin.device.serial_number | Device serial number. | keyword |
| google_workspace.admin.device.type | Device type. | keyword |
| google_workspace.admin.distribution.entity.name | The distribution entity value, which can be a group name or an org-unit name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword |
| google_workspace.admin.distribution.entity.type | The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword |
| google_workspace.admin.domain.alias | The domain alias. | keyword |
| google_workspace.admin.domain.name | The primary domain name. | keyword |
| google_workspace.admin.domain.secondary_name | The secondary domain name. | keyword |
| google_workspace.admin.email.log_search_filter.end_date | The log search filter’s ending date. | date |
| google_workspace.admin.email.log_search_filter.message_id | The log search filter’s email message ID. | keyword |
| google_workspace.admin.email.log_search_filter.recipient.ip | The log search filter’s email recipient’s IP address. | ip |
| google_workspace.admin.email.log_search_filter.recipient.value | The log search filter’s email recipient. | keyword |
| google_workspace.admin.email.log_search_filter.sender.ip | The log search filter’s email sender’s IP address. | ip |
| google_workspace.admin.email.log_search_filter.sender.value | The log search filter’s email sender. | keyword |
| google_workspace.admin.email.log_search_filter.start_date | The log search filter’s start date. | date |
| google_workspace.admin.email.quarantine_name | The name of the quarantine. | keyword |
| google_workspace.admin.email_dump.include_deleted | Indicates if deleted emails are included in the export. | boolean |
| google_workspace.admin.email_dump.package_content | The contents of the mailbox package. | keyword |
| google_workspace.admin.email_dump.query | The search query used for the dump. | keyword |
| google_workspace.admin.email_monitor.dest_email | The destination address of the email monitor. | keyword |
| google_workspace.admin.email_monitor.level.chat | The chat email monitor level. | keyword |
| google_workspace.admin.email_monitor.level.draft | The draft email monitor level. | keyword |
| google_workspace.admin.email_monitor.level.incoming | The incoming email monitor level. | keyword |
| google_workspace.admin.email_monitor.level.outgoing | The outgoing email monitor level. | keyword |
| google_workspace.admin.field | The name of the field. | keyword |
| google_workspace.admin.gateway.name | Gateway name. Present on some chat settings. | keyword |
| google_workspace.admin.group.allowed_list | Names of allow-listed groups. | keyword |
| google_workspace.admin.group.email | The group’s primary email address. | keyword |
| google_workspace.admin.group.priorities | Group priorities. | keyword |
| google_workspace.admin.info_type | This will be used to state what kind of information was changed. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings | keyword |
| google_workspace.admin.managed_configuration | The name of the managed configuration. | keyword |
| google_workspace.admin.mdm.token | The MDM vendor enrollment token. | keyword |
| google_workspace.admin.mdm.vendor | The MDM vendor’s name. | keyword |
| google_workspace.admin.mobile.action.id | The mobile device action’s ID. | keyword |
| google_workspace.admin.mobile.action.type | The mobile device action’s type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings | keyword |
| google_workspace.admin.mobile.certificate.name | The mobile certificate common name. | keyword |
| google_workspace.admin.mobile.company_owned_devices | The number of devices a company owns. | long |
| google_workspace.admin.new_value | The new value for the setting. | keyword |
| google_workspace.admin.non_featured_services_selection | Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED | keyword |
| google_workspace.admin.oauth2.application.id | OAuth2 application ID. | keyword |
| google_workspace.admin.oauth2.application.name | OAuth2 application name. | keyword |
| google_workspace.admin.oauth2.application.type | OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings | keyword |
| google_workspace.admin.oauth2.service.name | OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings | keyword |
| google_workspace.admin.old_value | The old value for the setting. | keyword |
| google_workspace.admin.org_unit.full | The org unit full path including the root org unit name. | keyword |
| google_workspace.admin.org_unit.name | The organizational unit name. | keyword |
| google_workspace.admin.print_server.name | The name of the print server. | keyword |
| google_workspace.admin.printer.name | The name of the printer. | keyword |
| google_workspace.admin.privilege.name | Privilege name. | keyword |
| google_workspace.admin.product.name | The product name. | keyword |
| google_workspace.admin.product.sku | The product SKU. | keyword |
| google_workspace.admin.request.id | The request ID. | keyword |
| google_workspace.admin.resource.id | The name of the resource identifier. | keyword |
| google_workspace.admin.role.id | Unique identifier for this role privilege. | keyword |
| google_workspace.admin.role.name | The role name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings | keyword |
| google_workspace.admin.rule.name | The rule name. | keyword |
| google_workspace.admin.service.name | The service name. | keyword |
| google_workspace.admin.setting.description | The setting name. | keyword |
| google_workspace.admin.setting.name | The setting name. | keyword |
| google_workspace.admin.url.name | The website name. | keyword |
| google_workspace.admin.user.birthdate | The user’s birth date. | date |
| google_workspace.admin.user.email | The user’s primary email address. | keyword |
| google_workspace.admin.user.nickname | The user’s nickname. | keyword |
| google_workspace.admin.user_defined_setting.name | The name of the user-defined setting. | keyword |
| google_workspace.admin.verification_method | Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the drive dataset.
**Example**
An example event for drive looks as following:
{
"@timestamp": "2022-05-04T15:04:05.000Z",
"agent": {
"ephemeral_id": "afd0c297-d853-427a-96bc-20af38e5b145",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.drive",
"namespace": "99832",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "add_to_folder",
"agent_id_status": "verified",
"category": [
"file"
],
"created": "2024-08-01T21:55:29.295Z",
"dataset": "google_workspace.drive",
"id": "1",
"ingested": "2024-08-01T21:55:41Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"add_to_folder\",\"parameters\":[{\"boolValue\":false,\"name\":\"billable\"},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"boolValue\":false,\"name\":\"owner_is_shared_drive\"},{\"boolValue\":true,\"name\":\"primary_event\"},{\"name\":\"visibility\",\"value\":\"people_with_link\"}],\"type\":\"access\"},\"id\":{\"applicationName\":\"drive\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "drive",
"type": [
"change"
]
},
"file": {
"name": "document title",
"owner": "owner",
"type": "file"
},
"google_workspace": {
"actor": {
"type": "USER"
},
"drive": {
"billable": false,
"destination_folder_id": "1234",
"destination_folder_title": "folder title",
"file": {
"id": "1234",
"owner": {
"email": "owner@example.com",
"is_shared_drive": false
},
"type": "document"
},
"originating_app_id": "1234",
"primary_event": true,
"visibility": "people_with_link"
},
"event": {
"type": "access"
},
"kind": "admin#reports#activity",
"organization": {
"domain": "elastic.com"
}
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"ip": [
"98.235.162.24"
],
"user": [
"owner",
"foo"
]
},
"source": {
"as": {
"number": 7922,
"organization": {
"name": "Comcast Cable Communications, Inc."
}
},
"ip": "98.235.162.24",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"google_workspace-drive"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.drive.actor_is_collaborator_account | Whether the actor is a collaborator account. | boolean |
| google_workspace.drive.added_role | Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
| google_workspace.drive.billable | Whether this activity is billable. | boolean |
| google_workspace.drive.destination_folder_id | keyword | |
| google_workspace.drive.destination_folder_title | keyword | |
| google_workspace.drive.file.id | keyword | |
| google_workspace.drive.file.owner.email | keyword | |
| google_workspace.drive.file.owner.is_shared_drive | Boolean flag denoting whether owner is a shared drive. | boolean |
| google_workspace.drive.file.type | Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
| google_workspace.drive.is_encrypted | Whether the file is client-side encrypted. | boolean |
| google_workspace.drive.membership_change_type | Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
| google_workspace.drive.new_value | When a setting or property of the file changes, the new value for it will appear here. | keyword |
| google_workspace.drive.old_value | When a setting or property of the file changes, the old value for it will appear here. | keyword |
| google_workspace.drive.old_visibility | When visibility changes, this holds the old value. | keyword |
| google_workspace.drive.originating_app_id | The Google Cloud Project ID of the application that performed the action. | keyword |
| google_workspace.drive.owner_is_team_drive | Whether the owner is a Team Drive. | boolean |
| google_workspace.drive.primary_event | Whether this is a primary event. A single user action in Drive may generate several events. | boolean |
| google_workspace.drive.removed_role | Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
| google_workspace.drive.shared_drive_id | The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. | keyword |
| google_workspace.drive.shared_drive_settings_change_type | Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
| google_workspace.drive.sheets_import_range_recipient_doc | Doc ID of the recipient of a sheets import range. | keyword |
| google_workspace.drive.source_folder_id | keyword | |
| google_workspace.drive.source_folder_title | keyword | |
| google_workspace.drive.target | Target user or group. | keyword |
| google_workspace.drive.target_domain | The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. | keyword |
| google_workspace.drive.target_user | The email address of the user or group whose access permissions were changed, or the name of the domain for which access permissions were changed. | keyword |
| google_workspace.drive.visibility | Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive | keyword |
| google_workspace.drive.visibility_change | When visibility changes, this holds the new overall visibility of the file. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the groups dataset.
**Example**
An example event for groups looks as following:
{
"@timestamp": "2022-05-04T15:04:05.000Z",
"agent": {
"ephemeral_id": "786aaf54-461f-4190-adaf-05ab3174ad01",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.groups",
"namespace": "35359",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "change_acl_permission",
"agent_id_status": "verified",
"category": [
"iam"
],
"created": "2024-08-01T21:58:26.973Z",
"dataset": "google_workspace.groups",
"id": "1",
"ingested": "2024-08-01T21:58:38Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"change_acl_permission\",\"parameters\":[{\"name\":\"acl_permission\",\"value\":\"can_add_members\"},{\"name\":\"group_email\",\"value\":\"group@example.com\"},{\"multiValue\":[\"managers\",\"members\"],\"name\":\"new_value_repeated\"},{\"multiValue\":[\"managers\"],\"name\":\"old_value_repeated\"}],\"type\":\"acl_change\"},\"id\":{\"applicationName\":\"groups\",\"customerId\":\"1\",\"time\":\"2022-05-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
"provider": "groups",
"type": [
"group",
"change"
]
},
"google_workspace": {
"actor": {
"type": "USER"
},
"event": {
"type": "acl_change"
},
"groups": {
"acl_permission": "can_add_members",
"email": "group@example.com",
"new_value": [
"managers",
"members"
],
"old_value": [
"managers"
]
},
"kind": "admin#reports#activity",
"organization": {
"domain": "elastic.com"
}
},
"group": {
"domain": "example.com",
"name": "group"
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"ip": [
"98.235.162.24"
],
"user": [
"foo"
]
},
"source": {
"as": {
"number": 7922,
"organization": {
"name": "Comcast Cable Communications, Inc."
}
},
"ip": "98.235.162.24",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"google_workspace-groups"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo",
"target": {
"group": {
"domain": "example.com",
"name": "group"
}
}
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.groups.acl_permission | Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword |
| google_workspace.groups.email | Group email. | keyword |
| google_workspace.groups.member.email | Member email. | keyword |
| google_workspace.groups.member.role | Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword |
| google_workspace.groups.message.id | SMTP message Id of an email message. Present for moderation events. | keyword |
| google_workspace.groups.message.moderation_action | Message moderation action. Possible values are approved and rejected. |
keyword |
| google_workspace.groups.new_value | New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword |
| google_workspace.groups.old_value | Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword |
| google_workspace.groups.setting | Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword |
| google_workspace.groups.status | A status describing the output of an operation. Possible values are failed and succeeded. |
keyword |
| google_workspace.groups.value | Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups | keyword |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload. More details can be found at https://developers.google.com/admin-sdk/reports/v1/reference/activities/list |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the alert dataset.
**Example**
An example event for alert looks as following:
{
"@timestamp": "2022-07-01T10:49:29.436Z",
"agent": {
"ephemeral_id": "245194a8-7787-44f7-ac57-201f8c49a9a0",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.alert",
"namespace": "62301",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"email": {
"attachments": {
"file": {
"hash": {
"sha256": [
"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c",
"228b48a56dbc2ecf10393227ac9c9dc943881fd7a55452e12a09107476bef2b2",
"5fb1679e08674059b72e271d8902c11a127bb5301b055dc77fa03932ada56a56"
]
}
}
},
"delivery_timestamp": [
"2022-07-01T10:38:13.194Z"
],
"message_id": [
"decedih843@example.com",
"decedih@example.com"
],
"subject": [
"Sales",
"RE: Example salesorderspca JSON request"
],
"to": {
"address": [
"example@example.com"
]
}
},
"event": {
"action": "Gmail phishing",
"agent_id_status": "verified",
"category": [
"email",
"threat",
"malware"
],
"created": "2024-08-01T21:52:26.588Z",
"dataset": "google_workspace.alert",
"end": "2022-07-01T10:47:04.530Z",
"id": "91840a82-3af0-46d7-95ec-625c1cf0c3f7",
"ingested": "2024-08-01T21:52:38Z",
"kind": "alert",
"original": "{\"alertId\":\"91840a82-3af0-46d7-95ec-625c1cf0c3f7\",\"createTime\":\"2022-07-01T10:49:29.436394Z\",\"customerId\":\"02umwv6u\",\"data\":{\"@type\":\"type.googleapis.com/google.apps.alertcenter.type.MailPhishing\",\"domainId\":{\"customerPrimaryDomain\":\"example.com\"},\"isInternal\":true,\"maliciousEntity\":{\"displayName\":\"string\",\"entity\":{\"displayName\":\"example\",\"emailAddress\":\"example@example.com\"},\"fromHeader\":\"header@example.com\"},\"messages\":[{\"attachmentsSha256Hash\":[\"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c\",\"228b48a56dbc2ecf10393227ac9c9dc943881fd7a55452e12a09107476bef2b2\"],\"date\":\"2022-07-01T10:38:13.194711Z\",\"md5HashMessageBody\":\"d29343907090dff4cec4a9a0efb80d20\",\"md5HashSubject\":\"a3708f8228384d932237f85980ff8283\",\"messageBodySnippet\":\" hi greetings from sales \",\"messageId\":\"decedih843@example.com\",\"recipient\":\"example@example.com\",\"subjectText\":\"Sales\"},{\"attachmentsSha256Hash\":[\"5fb1679e08674059b72e271d8902c11a127bb5301b055dc77fa03932ada56a56\"],\"md5HashMessageBody\":\"d29343907090dff4cec4a9a0efb80d20\",\"md5HashSubject\":\"a3708f8228384d932237f85980ff8283\",\"messageBodySnippet\":\" hi greetings \",\"messageId\":\"decedih@example.com\",\"recipient\":\"example@example.com\",\"subjectText\":\"RE: Example salesorderspca JSON request\"}],\"systemActionType\":\"NO_OPERATION\"},\"deleted\":false,\"endTime\":\"2022-07-01T10:47:04.530834Z\",\"etag\":\"wF2Ix2DWDv8=\",\"metadata\":{\"alertId\":\"91840a82-3af0-46d7-95ec-625c1cf0c3f7\",\"assignee\":\"example@example.com\",\"customerId\":\"02umwv6u\",\"etag\":\"wF2Ix2DWDv8=\",\"severity\":\"HIGH\",\"status\":\"NOT_STARTED\",\"updateTime\":\"2022-07-01T10:49:29.436394Z\"},\"securityInvestigationToolLink\":\"string\",\"source\":\"Gmail phishing\",\"startTime\":\"2022-07-01T10:38:13.194711Z\",\"type\":\"User reported phishing\",\"updateTime\":\"2022-07-01T10:49:29.436394Z\"}",
"start": "2022-07-01T10:38:13.194Z",
"type": [
"info"
]
},
"google_workspace": {
"alert": {
"create_time": "2022-07-01T10:49:29.436Z",
"customer": {
"id": "02umwv6u"
},
"data": {
"domain_id": {
"customer_primary_domain": "example.com"
},
"is_internal": true,
"malicious_entity": {
"display_name": "string",
"entity": {
"display_name": "example",
"email_address": "example@example.com"
},
"from_header": "header@example.com"
},
"messages": [
{
"attachments_sha256_hash": [
"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c",
"228b48a56dbc2ecf10393227ac9c9dc943881fd7a55452e12a09107476bef2b2"
],
"date": "2022-07-01T10:38:13.194Z",
"id": "decedih843@example.com",
"md5": {
"hash": {
"message_body": "d29343907090dff4cec4a9a0efb80d20",
"subject": "a3708f8228384d932237f85980ff8283"
}
},
"message_body_snippet": " hi greetings from sales ",
"recipient_email": "example@example.com",
"subject_text": "Sales"
},
{
"attachments_sha256_hash": [
"5fb1679e08674059b72e271d8902c11a127bb5301b055dc77fa03932ada56a56"
],
"id": "decedih@example.com",
"md5": {
"hash": {
"message_body": "d29343907090dff4cec4a9a0efb80d20",
"subject": "a3708f8228384d932237f85980ff8283"
}
},
"message_body_snippet": " hi greetings ",
"recipient_email": "example@example.com",
"subject_text": "RE: Example salesorderspca JSON request"
}
],
"system_action_type": "NO_OPERATION",
"type": "type.googleapis.com/google.apps.alertcenter.type.MailPhishing"
},
"deleted": false,
"end_time": "2022-07-01T10:47:04.530Z",
"etag": "wF2Ix2DWDv8=",
"id": "91840a82-3af0-46d7-95ec-625c1cf0c3f7",
"metadata": {
"alert": {
"id": "91840a82-3af0-46d7-95ec-625c1cf0c3f7"
},
"assignee": "example@example.com",
"customer": {
"id": "02umwv6u"
},
"etag": "wF2Ix2DWDv8=",
"severity": "HIGH",
"status": "NOT_STARTED",
"update_time": "2022-07-01T10:49:29.436Z"
},
"security_investigation_tool_link": "string",
"source": "Gmail phishing",
"start_time": "2022-07-01T10:38:13.194Z",
"type": "User reported phishing",
"update_time": "2022-07-01T10:49:29.436Z"
}
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "02umwv6u"
},
"related": {
"hash": [
"a3708f8228384d932237f85980ff8283",
"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c",
"228b48a56dbc2ecf10393227ac9c9dc943881fd7a55452e12a09107476bef2b2",
"5fb1679e08674059b72e271d8902c11a127bb5301b055dc77fa03932ada56a56"
],
"user": [
"example"
]
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"google_workspace-alert"
],
"user": {
"domain": "example.com",
"email": [
"example@example.com"
],
"name": "example"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| google_workspace.alert.create_time | The time this alert was created. | date |
| google_workspace.alert.customer.id | The unique identifier of the Google account of the customer. | keyword |
| google_workspace.alert.data.action.name | List of action names associated with the rule threshold. | keyword |
| google_workspace.alert.data.actor.email | Email of person who performed the action. | keyword |
| google_workspace.alert.data.affected.user_emails | The list of emails which correspond to the users directly affected by the incident. | keyword |
| google_workspace.alert.data.alert_details | alert details of google workspace alert. | keyword |
| google_workspace.alert.data.appeal_window | appeal window of alert. | keyword |
| google_workspace.alert.data.attachment.data.csv.data_rows.entries | The data entries in a CSV file row, as a string array rather than a single comma-separated string. | keyword |
| google_workspace.alert.data.attachment.data.csv.headers | The list of headers for data columns in a CSV file. | keyword |
| google_workspace.alert.data.create_time | Rule create timestamp. | date |
| google_workspace.alert.data.dashboard.uri | Link to the outage event in Google Workspace Status Dashboard. | keyword |
| google_workspace.alert.data.description | A detailed, freeform incident description. | text |
| google_workspace.alert.data.display.name | Alert display name. | keyword |
| google_workspace.alert.data.domain | Customer domain for email template personalization. | keyword |
| google_workspace.alert.data.domain_id.customer_primary_domain | The primary domain for the customer. | keyword |
| google_workspace.alert.data.email | The email of the user that this event belongs to. | keyword |
| google_workspace.alert.data.event_time | The time at which event occurred. | date |
| google_workspace.alert.data.events.device.id | The device ID. | keyword |
| google_workspace.alert.data.events.device.model | The model of the device. | keyword |
| google_workspace.alert.data.events.device.property | The device property which was changed. | keyword |
| google_workspace.alert.data.events.device.type | The type of the device. | keyword |
| google_workspace.alert.data.events.device_compromised_state | The device compromised state. Possible values are "Compromised" or "Not Compromised". | keyword |
| google_workspace.alert.data.events.ios_vendor.id | Required for iOS, empty for others. | keyword |
| google_workspace.alert.data.events.new_value | The new value of the device property after the change. | keyword |
| google_workspace.alert.data.events.old_value | The old value of the device property before the change. | keyword |
| google_workspace.alert.data.events.resource.id | The device resource ID. | keyword |
| google_workspace.alert.data.events.serial.number | The serial number of the device. | keyword |
| google_workspace.alert.data.header | A header to display above the incident message. Typically used to attach a localized notice on the timeline for followup comms translations. | keyword |
| google_workspace.alert.data.incident_tracking.id | Incident tracking ID. | keyword |
| google_workspace.alert.data.is_internal | If true, the email originated from within the organization. | boolean |
| google_workspace.alert.data.login_details.ip_address | The human-readable IP address that is associated with the warning event. | ip |
| google_workspace.alert.data.login_details.login_time | The successful login time that is associated with the warning event. This isn’t present for blocked login attempts. | date |
| google_workspace.alert.data.malicious_entity.display_name | The header from display name. | keyword |
| google_workspace.alert.data.malicious_entity.entity.display_name | Display name of the user. | keyword |
| google_workspace.alert.data.malicious_entity.entity.email_address | Email address of the user. | keyword |
| google_workspace.alert.data.malicious_entity.from_header | The sender email address. | keyword |
| google_workspace.alert.data.merge_info.new_alert.id | New alert ID. Reference the google.apps.alertcenter.Alert with this ID for the current state. |
keyword |
| google_workspace.alert.data.merge_info.new_incident_tracking.id | The new tracking ID from the parent incident. | keyword |
| google_workspace.alert.data.messages.attachments_sha256_hash | The SHA256 hash of email’s attachment and all MIME parts. | keyword |
| google_workspace.alert.data.messages.date | The date of the event related to this email. | date |
| google_workspace.alert.data.messages.id | The message ID. | keyword |
| google_workspace.alert.data.messages.md5.hash.message_body | The hash of the message body text. | keyword |
| google_workspace.alert.data.messages.md5.hash.subject | The MD5 Hash of email’s subject (only available for reported emails). | keyword |
| google_workspace.alert.data.messages.message_body_snippet | The snippet of the message body text (only available for reported emails). | keyword |
| google_workspace.alert.data.messages.recipient | The recipient of this email. | keyword |
| google_workspace.alert.data.messages.recipient_email | keyword | |
| google_workspace.alert.data.messages.subject_text | The email subject text (only available for reported emails). | keyword |
| google_workspace.alert.data.name | Rule name. | keyword |
| google_workspace.alert.data.next_update_time | Timestamp by which the next update is expected to arrive. | date |
| google_workspace.alert.data.primary.admin.changed_event.domain | domain in which actioned occurred. | keyword |
| google_workspace.alert.data.primary.admin.changed_event.previous_admin_email | Email of person who was the primary admin before the action. | keyword |
| google_workspace.alert.data.primary.admin.changed_event.updated_admin_email | Email of person who is the primary admin after the action. | keyword |
| google_workspace.alert.data.products | List of products impacted by the outage. | keyword |
| google_workspace.alert.data.query | Query that is used to get the data from the associated source. | keyword |
| google_workspace.alert.data.request.info.app.developer_email | List of app developers who triggered notifications for above application. | keyword |
| google_workspace.alert.data.request.info.app.key | The application that requires the SQL setup. | keyword |
| google_workspace.alert.data.request.info.number_of_requests | Number of requests sent for this application to set up default SQL instance. | keyword |
| google_workspace.alert.data.resolution_time | Timestamp when the outage is expected to be resolved, or has confirmed resolution. Provided only when known. | date |
| google_workspace.alert.data.rule.violation_info.data.source | Source of the data. | keyword |
| google_workspace.alert.data.rule.violation_info.match_info.predefined_detector.name | Name that uniquely identifies the detector. | keyword |
| google_workspace.alert.data.rule.violation_info.match_info.user_defined_detector.display.name | Display name of the detector. | keyword |
| google_workspace.alert.data.rule.violation_info.match_info.user_defined_detector.resource.name | Resource name that uniquely identifies the detector. | keyword |
| google_workspace.alert.data.rule.violation_info.recipients | For Drive, they are grantees that the Drive file was shared with at the time of rule triggering. Valid values include user emails, group emails, domains, or anyone if the file was publicly accessible. If the file was private the recipients list will be empty. For Gmail, they are emails of the users or groups that the Gmail message was sent to. | keyword |
| google_workspace.alert.data.rule.violation_info.resource_info.document.id | Drive file ID. | keyword |
| google_workspace.alert.data.rule.violation_info.resource_info.resource.title | Title of the resource, for example email subject, or document title. | keyword |
| google_workspace.alert.data.rule.violation_info.rule_info.display.name | User provided name of the rule. | keyword |
| google_workspace.alert.data.rule.violation_info.rule_info.resource.name | Resource name that uniquely identifies the rule. | keyword |
| google_workspace.alert.data.rule.violation_info.suppressed.action.types | Actions suppressed due to other actions with higher priority. | keyword |
| google_workspace.alert.data.rule.violation_info.trigger.user.email | Email of the user who caused the violation. Value could be empty if not applicable, for example, a violation found by drive continuous scan. | keyword |
| google_workspace.alert.data.rule.violation_info.trigger.value | Trigger of the rule. | keyword |
| google_workspace.alert.data.rule.violation_info.triggered.action.info | Metadata related to the triggered actions. | nested |
| google_workspace.alert.data.rule.violation_info.triggered.action.info.object | keyword | |
| google_workspace.alert.data.rule.violation_info.triggered.action.types | Actions applied as a consequence of the rule being triggered. | keyword |
| google_workspace.alert.data.rule_description | Description of the rule. | text |
| google_workspace.alert.data.source.ip | The source IP address of the malicious email. | ip |
| google_workspace.alert.data.sso_profile.created_event.inbound_sso.profile_name | sso profile name which got created. | keyword |
| google_workspace.alert.data.sso_profile.deleted_event.inbound_sso.profile_name | sso profile name which got deleted. | keyword |
| google_workspace.alert.data.sso_profile.updated_event.inbound_sso.profile_changes | changes made to sso profile. | keyword |
| google_workspace.alert.data.sso_profile.updated_event.inbound_sso.profile_name | sso profile name which got updated. | keyword |
| google_workspace.alert.data.state | state of alert. | keyword |
| google_workspace.alert.data.status | Current outage status. | keyword |
| google_workspace.alert.data.super_admin_password_reset_event.user.email | email of person whose password was reset. | keyword |
| google_workspace.alert.data.superseded_alerts | List of alert IDs superseded by this alert. It is used to indicate that this alert is essentially extension of superseded alerts and we found the relationship after creating these alerts. | keyword |
| google_workspace.alert.data.superseding_alert | Alert ID superseding this alert. It is used to indicate that superseding alert is essentially extension of this alert and we found the relationship after creating both alerts. | keyword |
| google_workspace.alert.data.suspension_details.abuse_reason | abuse reason for suspension details. | keyword |
| google_workspace.alert.data.suspension_details.product_name | product name for suspension details. | keyword |
| google_workspace.alert.data.system_action_type | System actions on the messages. | keyword |
| google_workspace.alert.data.takeout.request.id | The takeout request ID. | keyword |
| google_workspace.alert.data.threshold | Alert threshold is for example “COUNT > 5”. | keyword |
| google_workspace.alert.data.title | A one-line incident description. | keyword |
| google_workspace.alert.data.trigger.source | The trigger sources for this rule. | keyword |
| google_workspace.alert.data.type | The type of the alert with alert data. | keyword |
| google_workspace.alert.data.update_time | The timestamp of the last update to the rule. | date |
| google_workspace.alert.data.window_size | Rule window size. Possible values are 1 hour or 24 hours. | keyword |
| google_workspace.alert.deleted | True if this alert is marked for deletion. | boolean |
| google_workspace.alert.end_time | The time the event that caused this alert ceased being active. If provided, the end time must not be earlier than the start time. If not provided, it indicates an ongoing alert. | date |
| google_workspace.alert.etag | etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of an alert from overwriting each other. | keyword |
| google_workspace.alert.id | The unique identifier for the alert. | keyword |
| google_workspace.alert.metadata.alert.id | The alert identifier. | keyword |
| google_workspace.alert.metadata.assignee | The email address of the user assigned to the alert. | keyword |
| google_workspace.alert.metadata.customer.id | The unique identifier of the Google account of the customer. | keyword |
| google_workspace.alert.metadata.etag | etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of an alert metadata from overwriting each other. | keyword |
| google_workspace.alert.metadata.severity | The severity value of the alert. Alert Center will set this field at alert creation time, default’s to an empty string when it could not be determined. | keyword |
| google_workspace.alert.metadata.status | The current status of the alert. | keyword |
| google_workspace.alert.metadata.update_time | The time this metadata was last updated. | date |
| google_workspace.alert.security_investigation_tool_link | An optional Security Investigation Tool query for this alert. | keyword |
| google_workspace.alert.source | A unique identifier for the system that reported the alert. This is output only after alert is created. | keyword |
| google_workspace.alert.start_time | The time the event that caused this alert was started or detected. | date |
| google_workspace.alert.type | The type of the alert. This is output only after alert is created. | keyword |
| google_workspace.alert.update_time | The time this alert was last updated. | date |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
This is the device dataset.
**Example**
An example event for device looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
"ephemeral_id": "9875ab07-088d-4ff3-8cfe-daa3a497cf78",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.device",
"namespace": "89096",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "APPLICATION_EVENT",
"agent_id_status": "verified",
"created": "2024-08-01T21:54:32.984Z",
"dataset": "google_workspace.device",
"id": "1",
"ingested": "2024-08-01T21:54:44Z",
"kind": [
"event"
],
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"APPLICATION_EVENT\",\"parameters\":[{\"name\":\"ACCOUNT_STATE\",\"value\":\"REGISTERED\"},{\"name\":\"ACTION_EXECUTION_STATUS\",\"value\":\"ACTION_REJECTED_BY_USER\"},{\"name\":\"ACTION_ID\",\"value\":\"asd1234\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"APK_SHA256_HASH\",\"value\":\"af2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e9891562113d8a62add1bf\"},{\"name\":\"APPLICATION_ID\",\"value\":\"af2bdbe1aa9f\"},{\"name\":\"APPLICATION_MESSAGE\",\"value\":\"message\"},{\"name\":\"APPLICATION_REPORT_KEY\",\"value\":\"sda21\"},{\"name\":\"APPLICATION_REPORT_SEVERITY\",\"value\":\"ERROR\"},{\"name\":\"APPLICATION_REPORT_TIMESTAMP\",\"value\":\"2020-10-03T15:00:00Z\"},{\"name\":\"APPLICATION_STATE\",\"value\":\"INSTALLED\"},{\"name\":\"BASIC_INTEGRITY\",\"value\":\"integrity\"},{\"name\":\"CTS_PROFILE_MATCH\",\"value\":\"profile\"},{\"name\":\"DEVICE_COMPLIANCE\",\"value\":\"COMPLIANT\"},{\"name\":\"DEVICE_COMPROMISED_STATE\",\"value\":\"COMPROMISED\"},{\"name\":\"DEVICE_DEACTIVATION_REASON\",\"value\":\"CAMERA_NOT_DISABLED\"},{\"name\":\"DEVICE_ID\",\"value\":\"asdqwe12e\"},{\"name\":\"DEVICE_MODEL\",\"value\":\"model\"},{\"name\":\"DEVICE_OWNERSHIP\",\"value\":\"COMPANY_OWNED\"},{\"name\":\"DEVICE_PROPERTY\",\"value\":\"BASIC_INTEGRITY\"},{\"name\":\"DEVICE_SETTING\",\"value\":\"DEVELOPER_OPTIONS\"},{\"name\":\"DEVICE_STATUS_ON_APPLE_PORTAL\",\"value\":\"ADDED\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"ANDROID\"},{\"name\":\"FAILED_PASSWD_ATTEMPTS\",\"value\":20},{\"name\":\"IOS_VENDOR_ID\",\"value\":\"asfdwer23\"},{\"name\":\"NEW_DEVICE_ID\",\"value\":\"asfwr5tg\"},{\"name\":\"NEW_VALUE\",\"value\":\"DEVICE_ADMINISTRATOR\"},{\"name\":\"OLD_VALUE\",\"value\":\"DEVICE_OWNER\"},{\"name\":\"OS_EDITION\",\"value\":\"edition\"},{\"name\":\"OS_PROPERTY\",\"value\":\"property\"},{\"name\":\"OS_VERSION\",\"value\":\"os11\"},{\"name\":\"PHA_CATEGORY\",\"value\":\"BACKDOOR\"},{\"name\":\"POLICY_NAME\",\"value\":\"policy name\"},{\"name\":\"POLICY_SYNC_RESULT\",\"value\":\"POLICY_SYNC_ABORTED\"},{\"name\":\"POLICY_SYNC_TYPE\",\"value\":\"POLICY_APPLIED_TYPE\"},{\"name\":\"REGISTER_PRIVILEGE\",\"value\":\"DEVICE_OWNER\"},{\"name\":\"RESOURCE_ID\",\"value\":\"sads324\"},{\"name\":\"RISK_SIGNAL\",\"value\":\"BASIC_INTEGRITY\"},{\"name\":\"SECURITY_EVENT_ID\",\"value\":2323523},{\"name\":\"SECURITY_PATCH_LEVEL\",\"value\":\"patch level\"},{\"name\":\"SERIAL_NUMBER\",\"value\":\"asdsad1234\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@foo.com\"},{\"name\":\"VALUE\",\"value\":\"value\"},{\"name\":\"WINDOWS_SYNCML_POLICY_STATUS_CODE\",\"value\":\"200\"}],\"type\":\"device_applications\"},\"id\":{\"applicationName\":\"device\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"67.43.156.13\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"example.com\"}",
"provider": "device"
},
"google_workspace": {
"actor": {
"email": "foo@bar.com",
"profile": {
"id": "1"
},
"type": "USER"
},
"device": {
"account_state": "REGISTERED",
"action": {
"execution_status": "ACTION_REJECTED_BY_USER",
"id": "asd1234",
"type": "ACCOUNT_WIPE"
},
"apk_sha256_hash": "af2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e9891562113d8a62add1bf",
"application": {
"id": "af2bdbe1aa9f",
"message": "message",
"report": {
"key": "sda21",
"severity": "ERROR",
"timestamp": "2020-10-03T15:00:00.000Z"
},
"state": "INSTALLED"
},
"basic_integrity": "integrity",
"compliance": "COMPLIANT",
"compromised_state": "COMPROMISED",
"cts_profile_match": "profile",
"deactivation_reason": "CAMERA_NOT_DISABLED",
"failed_passwd_attempts": 20,
"id": "asdqwe12e",
"ios_vendor_id": "asfdwer23",
"model": "model",
"new_device_id": "asfwr5tg",
"new_value": "DEVICE_ADMINISTRATOR",
"old_value": "DEVICE_OWNER",
"os": {
"edition": "edition",
"property": "property",
"version": "os11"
},
"ownership": "COMPANY_OWNED",
"pha_category": "BACKDOOR",
"policy": {
"name": "policy name",
"sync": {
"result": "POLICY_SYNC_ABORTED",
"type": "POLICY_APPLIED_TYPE"
}
},
"property": "BASIC_INTEGRITY",
"register_privilege": "DEVICE_OWNER",
"resource": {
"id": "sads324"
},
"risk_signal": "BASIC_INTEGRITY",
"security": {
"event_id": 2323523,
"patch_level": "patch level"
},
"serial_number": "asdsad1234",
"setting": "DEVELOPER_OPTIONS",
"status_on_apple_portal": "ADDED",
"type": "ANDROID",
"user_email": "user@foo.com",
"value": "value",
"windows_syncml_policy_status_code": "200"
},
"event": {
"name": "APPLICATION_EVENT",
"type": "device_applications"
},
"id": {
"application_name": "device",
"customer": {
"id": "1"
},
"time": "2020-10-02T15:00:00.000Z",
"unique_qualifier": "1"
},
"ip_address": "67.43.156.13",
"kind": "admin#reports#activity",
"organization": {
"domain": "example.com"
}
},
"host": {
"os": {
"version": "os11"
}
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"hash": [
"af2bdbe1aa9b6ec1e2ade1d694f41fc71a831d0268e9891562113d8a62add1bf"
],
"hosts": [
"bar.com",
"example.com"
],
"ip": [
"67.43.156.13"
],
"user": [
"1",
"foo",
"foo@bar.com",
"user@foo.com"
]
},
"source": {
"as": {
"number": 35908
},
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.13",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"google_workspace-device"
],
"user": {
"domain": "bar.com",
"email": [
"foo@bar.com",
"user@foo.com"
],
"id": "1",
"name": "foo"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.email | The primary email address of the actor. May be absent if there is no email address associated with the actor. | keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.profile.id | The unique Google Workspace profile ID of the actor. This value might be absent if the actor is not a Google Workspace user, or may be the number 105250506097979753968 which acts as a placeholder ID. | keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.device.account_state | Parameter to indicate the account state on the device. | keyword |
| google_workspace.device.action.execution_status | The execution status of an action. | keyword |
| google_workspace.device.action.id | Unique identifier for an action. | keyword |
| google_workspace.device.action.type | The type of an action. | keyword |
| google_workspace.device.apk_sha256_hash | Parameter to indicate the SHA-256 hash of an application. | keyword |
| google_workspace.device.application.id | Parameter to indicate the Application Id. | keyword |
| google_workspace.device.application.message | Parameter to indicate the message sent by an application report. | keyword |
| google_workspace.device.application.report.key | Parameter to indicate the key of an application message. | keyword |
| google_workspace.device.application.report.severity | Parameter to indicate the severity of a report. | keyword |
| google_workspace.device.application.report.timestamp | Parameter to indicate the timestamp of a report. | date |
| google_workspace.device.application.state | Parameter to indicate the application install/uninstall/update done on device. | keyword |
| google_workspace.device.basic_integrity | Parameter to indicate whether the device passes the basic integrity check. | keyword |
| google_workspace.device.compliance | Parameter to indicate the device compliance state with set policies. | keyword |
| google_workspace.device.compromised_state | Parameter to indicate the compromised state of device. | keyword |
| google_workspace.device.cts_profile_match | Parameter to indicate whether the device passes the CTS profile match. | keyword |
| google_workspace.device.deactivation_reason | Parameter to indicate the reason for the deactivation of the mobile device | keyword |
| google_workspace.device.failed_passwd_attempts | Parameter to indicate the number of failed screen unlock attempts. | long |
| google_workspace.device.id | Parameter to indicate the Device Id. | keyword |
| google_workspace.device.ios_vendor_id | Parameter to indicate the iOS Vendor Id. | keyword |
| google_workspace.device.model | Parameter to indicate the device model. | keyword |
| google_workspace.device.new_device_id | Parameter to indicate the new Device Id. | keyword |
| google_workspace.device.new_value | Parameter to indicate the new value. | keyword |
| google_workspace.device.old_value | Parameter to indicate the old value. | keyword |
| google_workspace.device.os.edition | Parameter to indicate the Windows OS edition. | keyword |
| google_workspace.device.os.property | Parameter to indicate OS Property. | keyword |
| google_workspace.device.os.version | Parameter to indicate the OS version. | keyword |
| google_workspace.device.ownership | Parameter to indicate the ownership of mobile device. | keyword |
| google_workspace.device.pha_category | Potentially harmful app category reported by SafetyNet. | keyword |
| google_workspace.device.policy.name | Parameter to indicate the policy name. | keyword |
| google_workspace.device.policy.sync.result | Parameter to indicate the policy status. | keyword |
| google_workspace.device.policy.sync.type | Parameter to indicate the policy sync type. | keyword |
| google_workspace.device.property | Parameter to indicate the changed device property. | keyword |
| google_workspace.device.register_privilege | Parameter to indicate Device Policy app’s privilege on the user’s device. | keyword |
| google_workspace.device.resource.id | Parameter to indicate the unique resource id of a device. | keyword |
| google_workspace.device.risk_signal | Parameter to indicate the risk signal, e.g. CTS profile match. | keyword |
| google_workspace.device.security.event_id | Security event id. | long |
| google_workspace.device.security.patch_level | Parameter to indicate the security patch Level. | keyword |
| google_workspace.device.serial_number | Parameter to indicate the Serial number. | keyword |
| google_workspace.device.setting | Parameter to indicate device settings. | keyword |
| google_workspace.device.status_on_apple_portal | Parameter to indicate the device status on Apple portal. | keyword |
| google_workspace.device.type | Parameter to indicate the device type. | keyword |
| google_workspace.device.user_email | Parameter to indicate the User email. | keyword |
| google_workspace.device.value | Parameter to indicate the value of a field. | keyword |
| google_workspace.device.windows_syncml_policy_status_code | Parameter to indicate the policy status code. | keyword |
| google_workspace.etag | ETag of the entry. | keyword |
| google_workspace.event.name | Name of the event. This is the specific name of the activity reported by the API. And each eventName is related to a specific Google Workspace service or feature which the API organizes into types of events. For eventName request parameters in general: If no eventName is given, the report returns all possible instances of an eventName. When you request an eventName, the API’s response returns all activities which contain that eventName. It is possible that the returned activities will have other eventName properties in addition to the one requested. For more information about eventName properties, see the list of event names for various applications above in applicationName. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found here. |
keyword |
| google_workspace.id.application_name | Application name to which the event belongs. For possible values see the list of applications above in applicationName. | keyword |
| google_workspace.id.customer.id | The unique identifier for a Google Workspace account. | keyword |
| google_workspace.id.time | Time of occurrence of the activity. This is in UNIX epoch time in seconds. | date |
| google_workspace.id.unique_qualifier | Unique qualifier if multiple events have the same time. | keyword |
| google_workspace.ip_address | IP address of the user doing the action. This is the Internet Protocol (IP) address of the user when logging into Google Workspace, which may or may not reflect the user’s physical location. For example, the IP address can be the user’s proxy server’s address or a virtual private network (VPN) address. The API supports IPv4 and IPv6. | ip |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload, more details can be found here. |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the group_enterprise dataset.
**Example**
An example event for group_enterprise looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
"ephemeral_id": "9405bd92-9ad6-4271-9f8f-10d1dc3bae86",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.group_enterprise",
"namespace": "26916",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "add_info_setting",
"agent_id_status": "verified",
"created": "2024-08-01T21:57:32.529Z",
"dataset": "google_workspace.group_enterprise",
"id": "1",
"ingested": "2024-08-01T21:57:44Z",
"kind": [
"event"
],
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"add_info_setting\",\"parameters\":[{\"name\":\"dynamic_group_query\",\"value\":\"query\"},{\"name\":\"group_id\",\"value\":\"asd123d\"},{\"name\":\"info_setting\",\"value\":\"setting\"},{\"name\":\"member_id\",\"value\":\"mem12w3\"},{\"name\":\"member_role\",\"value\":\"owner\"},{\"name\":\"member_type\",\"value\":\"user\"},{\"name\":\"membership_expiry\",\"value\":\"2020-10-02T15:00:00Z\"},{\"name\":\"namespace\",\"value\":\"namespace\"},{\"name\":\"new_value\",\"value\":\"new\"},{\"name\":\"old_value\",\"value\":\"old\"},{\"name\":\"security_setting\",\"value\":\"group setting\"},{\"name\":\"security_setting_state\",\"value\":\"group setting state\"},{\"name\":\"value\",\"value\":\"group setting value\"}],\"type\":\"moderator_action\"},\"id\":{\"applicationName\":\"group_enterprise\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"67.43.156.13\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"example.com\"}",
"provider": "group_enterprise"
},
"google_workspace": {
"actor": {
"email": "foo@bar.com",
"profile": {
"id": "1"
},
"type": "USER"
},
"event": {
"name": "add_info_setting",
"type": "moderator_action"
},
"group_enterprise": {
"dynamic_group_query": "query",
"group": {
"id": "asd123d"
},
"info_setting": "setting",
"member": {
"id": "mem12w3",
"role": "owner",
"type": "user"
},
"membership_expiry": "2020-10-02T15:00:00.000Z",
"namespace": "namespace",
"new_value": "new",
"old_value": "old",
"security_setting": {
"state": "group setting state",
"value": "group setting"
},
"value": "group setting value"
},
"id": {
"application_name": "group_enterprise",
"customer": {
"id": "1"
},
"time": "2020-10-02T15:00:00.000Z",
"unique_qualifier": "1"
},
"ip_address": "67.43.156.13",
"kind": "admin#reports#activity",
"organization": {
"domain": "example.com"
}
},
"group": {
"id": "asd123d"
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"hosts": [
"bar.com",
"example.com"
],
"ip": [
"67.43.156.13"
],
"user": [
"1",
"foo",
"foo@bar.com"
]
},
"source": {
"as": {
"number": 35908
},
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.13",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"google_workspace-group_enterprise"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.email | The primary email address of the actor. May be absent if there is no email address associated with the actor. | keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.profile.id | The unique Google Workspace profile ID of the actor. This value might be absent if the actor is not a Google Workspace user, or may be the number 105250506097979753968 which acts as a placeholder ID. | keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.etag | ETag of the entry. | keyword |
| google_workspace.event.name | Name of the event. This is the specific name of the activity reported by the API. And each eventName is related to a specific Google Workspace service or feature which the API organizes into types of events. For eventName request parameters in general: If no eventName is given, the report returns all possible instances of an eventName. When you request an eventName, the API’s response returns all activities which contain that eventName. It is possible that the returned activities will have other eventName properties in addition to the one requested. For more information about eventName properties, see the list of event names for various applications above in applicationName. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found here. |
keyword |
| google_workspace.group_enterprise.dynamic_group_query | Dynamic group query. | keyword |
| google_workspace.group_enterprise.group.id | Identifier of the target group. | keyword |
| google_workspace.group_enterprise.info_setting | Group info setting. | keyword |
| google_workspace.group_enterprise.member.id | Identifier of the member. | keyword |
| google_workspace.group_enterprise.member.role | The role assigned to the member in the context of the group, such as owner, manager, or member. | keyword |
| google_workspace.group_enterprise.member.type | A member’s type, such as user, group, or service account. In rare cases, a value of "other" appears when the member type is unknown. | keyword |
| google_workspace.group_enterprise.membership_expiry | Membership expiration time. | date |
| google_workspace.group_enterprise.namespace | Namespace of the target group. | keyword |
| google_workspace.group_enterprise.new_value | New value of a group setting. | keyword |
| google_workspace.group_enterprise.old_value | Old value of a group setting. | keyword |
| google_workspace.group_enterprise.security_setting.state | Group security setting. | keyword |
| google_workspace.group_enterprise.security_setting.value | Group security setting state. | keyword |
| google_workspace.group_enterprise.value | Value of a group setting. | keyword |
| google_workspace.id.application_name | Application name to which the event belongs. For possible values see the list of applications above in applicationName. | keyword |
| google_workspace.id.customer.id | The unique identifier for a Google Workspace account. | keyword |
| google_workspace.id.time | Time of occurrence of the activity. This is in UNIX epoch time in seconds. | date |
| google_workspace.id.unique_qualifier | Unique qualifier if multiple events have the same time. | keyword |
| google_workspace.ip_address | IP address of the user doing the action. This is the Internet Protocol (IP) address of the user when logging into Google Workspace, which may or may not reflect the user’s physical location. For example, the IP address can be the user’s proxy server’s address or a virtual private network (VPN) address. The API supports IPv4 and IPv6. | ip |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload, more details can be found here. |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the token dataset.
**Example**
An example event for token looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
"ephemeral_id": "22e6154c-9c10-4cb9-b17b-41f429c22724",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.token",
"namespace": "16418",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "authorize",
"agent_id_status": "verified",
"category": [
"iam"
],
"created": "2024-08-01T22:03:00.693Z",
"dataset": "google_workspace.token",
"id": "1",
"ingested": "2024-08-01T22:03:12Z",
"kind": [
"event"
],
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"authorize\",\"parameters\":[{\"name\":\"client_id\",\"value\":\"923474483785-sqf6uk8vq1rqe853il0g2h4m98ji2fq6.apps.googleusercontent.com\"},{\"name\":\"app_name\",\"value\":\"Gmail Add-on\"},{\"name\":\"api_name\",\"value\":\"token\"},{\"name\":\"method_name\",\"value\":\"oauth\"},{\"name\":\"num_response_bytes\",\"value\":1223},{\"name\":\"client_type\",\"value\":\"WEB\"},{\"multiMessageValue\":[{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/gmail.addons.current.message.readonly\"},{\"multiValue\":[\"GMAIL\"],\"name\":\"product_bucket\"}]},{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/gmail.addons.execute\"},{\"multiValue\":[\"GMAIL\"],\"name\":\"product_bucket\"}]},{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/script.external_request\"},{\"multiValue\":[\"APPS_SCRIPT_RUNTIME\"],\"name\":\"product_bucket\"}]},{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/script.storage\"},{\"multiValue\":[\"APPS_SCRIPT_RUNTIME\"],\"name\":\"product_bucket\"}]},{\"parameter\":[{\"name\":\"scope_name\",\"value\":\"https://www.googleapis.com/auth/userinfo.email\"},{\"multiValue\":[\"IDENTITY\",\"OTHER\"],\"name\":\"product_bucket\"}]}],\"name\":\"scope_data\"},{\"multiValue\":[\"https://www.googleapis.com/auth/gmail.addons.current.message.readonly\",\"https://www.googleapis.com/auth/gmail.addons.execute\",\"https://www.googleapis.com/auth/script.external_request\",\"https://www.googleapis.com/auth/script.storage\",\"https://www.googleapis.com/auth/userinfo.email\"],\"name\":\"scope\"}]},\"id\":{\"applicationName\":\"token\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"67.43.156.13\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"example.com\"}",
"provider": "token",
"type": [
"info",
"user"
]
},
"google_workspace": {
"actor": {
"email": "foo@bar.com",
"profile": {
"id": "1"
},
"type": "USER"
},
"event": {
"name": "authorize"
},
"id": {
"application_name": "token",
"customer": {
"id": "1"
},
"time": "2020-10-02T15:00:00.000Z",
"unique_qualifier": "1"
},
"ip_address": "67.43.156.13",
"kind": "admin#reports#activity",
"organization": {
"domain": "example.com"
},
"token": {
"api_name": "token",
"app_name": "Gmail Add-on",
"client": {
"id": "923474483785-sqf6uk8vq1rqe853il0g2h4m98ji2fq6.apps.googleusercontent.com",
"type": "WEB"
},
"method_name": "oauth",
"num_response_bytes": 1223,
"scope": {
"data": [
{
"product_bucket": [
"GMAIL"
],
"scope_name": "https://www.googleapis.com/auth/gmail.addons.current.message.readonly"
},
{
"product_bucket": [
"GMAIL"
],
"scope_name": "https://www.googleapis.com/auth/gmail.addons.execute"
},
{
"product_bucket": [
"APPS_SCRIPT_RUNTIME"
],
"scope_name": "https://www.googleapis.com/auth/script.external_request"
},
{
"product_bucket": [
"APPS_SCRIPT_RUNTIME"
],
"scope_name": "https://www.googleapis.com/auth/script.storage"
},
{
"product_bucket": [
"IDENTITY",
"OTHER"
],
"scope_name": "https://www.googleapis.com/auth/userinfo.email"
}
],
"value": [
"https://www.googleapis.com/auth/gmail.addons.current.message.readonly",
"https://www.googleapis.com/auth/gmail.addons.execute",
"https://www.googleapis.com/auth/script.external_request",
"https://www.googleapis.com/auth/script.storage",
"https://www.googleapis.com/auth/userinfo.email"
]
}
}
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"hosts": [
"bar.com",
"example.com"
],
"ip": [
"67.43.156.13"
],
"user": [
"1",
"foo",
"foo@bar.com"
]
},
"source": {
"as": {
"number": 35908
},
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.13",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"google_workspace-token"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.email | The primary email address of the actor. May be absent if there is no email address associated with the actor. | keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.profile.id | The unique Google Workspace profile ID of the actor. This value might be absent if the actor is not a Google Workspace user, or may be the number 105250506097979753968 which acts as a placeholder ID. | keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.etag | ETag of the entry. | keyword |
| google_workspace.event.name | Name of the event. This is the specific name of the activity reported by the API. And each eventName is related to a specific Google Workspace service or feature which the API organizes into types of events. For eventName request parameters in general: If no eventName is given, the report returns all possible instances of an eventName. When you request an eventName, the API’s response returns all activities which contain that eventName. It is possible that the returned activities will have other eventName properties in addition to the one requested. For more information about eventName properties, see the list of event names for various applications above in applicationName. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found here. |
keyword |
| google_workspace.id.application_name | Application name to which the event belongs. For possible values see the list of applications above in applicationName. | keyword |
| google_workspace.id.customer.id | The unique identifier for a Google Workspace account. | keyword |
| google_workspace.id.time | Time of occurrence of the activity. This is in UNIX epoch time in seconds. | date |
| google_workspace.id.unique_qualifier | Unique qualifier if multiple events have the same time. | keyword |
| google_workspace.ip_address | IP address of the user doing the action. This is the Internet Protocol (IP) address of the user when logging into Google Workspace, which may or may not reflect the user’s physical location. For example, the IP address can be the user’s proxy server’s address or a virtual private network (VPN) address. The API supports IPv4 and IPv6. | ip |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload, more details can be found here. |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| google_workspace.token.api_name | The API name which was used in the OAuth Activity. | keyword |
| google_workspace.token.app_name | The application for which access was granted or revoked. | keyword |
| google_workspace.token.client.id | Client ID to which access has been granted / revoked. | keyword |
| google_workspace.token.client.type | The client type. | keyword |
| google_workspace.token.method_name | The method name which was used in the OAuth Activity. | keyword |
| google_workspace.token.num_response_bytes | The number of response bytes in the OAuth Activity. | long |
| google_workspace.token.scope.data | Scope Data. | flattened |
| google_workspace.token.scope.value | Scopes under which access was granted / revoked. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the access_transparency dataset.
**Example**
An example event for access_transparency looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
"ephemeral_id": "e3f2296a-a4a2-4d03-9105-cee5b37c1408",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.access_transparency",
"namespace": "83912",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "APPLICATION_EVENT",
"agent_id_status": "verified",
"created": "2024-08-01T21:50:19.274Z",
"dataset": "google_workspace.access_transparency",
"id": "1",
"ingested": "2024-08-01T21:50:31Z",
"kind": [
"event"
],
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"APPLICATION_EVENT\",\"parameters\":[{\"name\":\"ACCESS_APPROVAL_ALERT_CENTER_IDS\",\"value\":\"alert123\"},{\"name\":\"ACCESS_APPROVAL_REQUEST_IDS\",\"value\":\"req12341\"},{\"name\":\"ACCESS_MANAGEMENT_POLICY\",\"value\":\"policy\"},{\"name\":\"ACTOR_HOME_OFFICE\",\"value\":\"actoroffice\"},{\"name\":\"GSUITE_PRODUCT_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"JUSTIFICATIONS\",\"value\":\"justfy\"},{\"name\":\"LOG_ID\",\"value\":\"lg651667\"},{\"name\":\"ON_BEHALF_OF\",\"value\":\"example@example.com\"},{\"name\":\"OWNER_EMAIL\",\"value\":\"foo@example.com\"},{\"name\":\"RESOURCE_NAME\",\"value\":\"foo\"},{\"name\":\"TICKETS\",\"value\":\"ticket\"}],\"type\":\"device_applications\"},\"id\":{\"applicationName\":\"device\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"67.43.156.13\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"example.com\"}",
"provider": "device"
},
"google_workspace": {
"access_transparency": {
"access_approval": {
"alert_center_ids": "alert123",
"request_ids": "req12341"
},
"access_management": {
"policy": "policy"
},
"actor_home_office": "actoroffice",
"gsuite_product_name": "CALENDAR",
"justifications": "justfy",
"log_id": "lg651667",
"on_behalf_of": "example@example.com",
"owner_email": "foo@example.com",
"resource_name": "foo",
"tickets": "ticket"
},
"actor": {
"email": "foo@bar.com",
"profile": {
"id": "1"
},
"type": "USER"
},
"event": {
"name": "APPLICATION_EVENT",
"type": "device_applications"
},
"id": {
"application_name": "device",
"customer": {
"id": "1"
},
"time": "2020-10-02T15:00:00.000Z",
"unique_qualifier": "1"
},
"ip_address": "67.43.156.13",
"kind": "admin#reports#activity",
"organization": {
"domain": "example.com"
}
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"hosts": [
"bar.com",
"example.com"
],
"ip": [
"67.43.156.13"
],
"user": [
"1",
"foo",
"foo@bar.com",
"foo@example.com"
]
},
"source": {
"as": {
"number": 35908
},
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.13",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"google_workspace-access_transparency"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.access_transparency.access_approval.alert_center_ids | Parameter for the Access Approval Alert Center IDs. | keyword |
| google_workspace.access_transparency.access_approval.request_ids | Parameter for the Access Approval ticket IDs. | keyword |
| google_workspace.access_transparency.access_management.policy | Parameter for the Access Management Policy. | keyword |
| google_workspace.access_transparency.actor_home_office | The home office of the actor who performed the data access. | keyword |
| google_workspace.access_transparency.gsuite_product_name | Google Workspace product name. | keyword |
| google_workspace.access_transparency.justifications | Access justifications, such as "Customer Initiated Support - Case Number: 12345678". | keyword |
| google_workspace.access_transparency.log_id | Unique log ID. | keyword |
| google_workspace.access_transparency.on_behalf_of | Parameter for the resource sharee email(s). | keyword |
| google_workspace.access_transparency.owner_email | The email ID or team identifier of the customer who owns the resource. | keyword |
| google_workspace.access_transparency.resource_name | Name of the resource that was accessed. | keyword |
| google_workspace.access_transparency.tickets | Parameter for tickets. | keyword |
| google_workspace.actor.email | The primary email address of the actor. May be absent if there is no email address associated with the actor. | keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.profile.id | The unique Google Workspace profile ID of the actor. This value might be absent if the actor is not a Google Workspace user, or may be the number 105250506097979753968 which acts as a placeholder ID. | keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.etag | ETag of the entry. | keyword |
| google_workspace.event.name | Name of the event. This is the specific name of the activity reported by the API. And each eventName is related to a specific Google Workspace service or feature which the API organizes into types of events. For eventName request parameters in general: If no eventName is given, the report returns all possible instances of an eventName. When you request an eventName, the API’s response returns all activities which contain that eventName. It is possible that the returned activities will have other eventName properties in addition to the one requested. For more information about eventName properties, see the list of event names for various applications above in applicationName. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found here. |
keyword |
| google_workspace.id.application_name | Application name to which the event belongs. For possible values see the list of applications above in applicationName. | keyword |
| google_workspace.id.customer.id | The unique identifier for a Google Workspace account. | keyword |
| google_workspace.id.time | Time of occurrence of the activity. This is in UNIX epoch time in seconds. | date |
| google_workspace.id.unique_qualifier | Unique qualifier if multiple events have the same time. | keyword |
| google_workspace.ip_address | IP address of the user doing the action. This is the Internet Protocol (IP) address of the user when logging into Google Workspace, which may or may not reflect the user’s physical location. For example, the IP address can be the user’s proxy server’s address or a virtual private network (VPN) address. The API supports IPv4 and IPv6. | ip |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload, more details can be found here. |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the context_aware_access dataset.
**Example**
An example event for context_aware_access looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
"ephemeral_id": "6fde0a21-1448-4531-a5c9-42751772e3a7",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.context_aware_access",
"namespace": "14973",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "APPLICATION_EVENT",
"agent_id_status": "verified",
"created": "2024-08-01T21:53:36.823Z",
"dataset": "google_workspace.context_aware_access",
"id": "1",
"ingested": "2024-08-01T21:53:48Z",
"kind": [
"event"
],
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"APPLICATION_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"value\":\"applied\"},{\"name\":\"CAA_ACCESS_LEVEL_SATISFIED\",\"value\":\"satisfied\"},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"value\":\"unsatisfied\"},{\"name\":\"CAA_APPLICATION\",\"value\":\"app\"},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"devic423\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"devstate\"}],\"type\":\"device_applications\"},\"id\":{\"applicationName\":\"device\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"67.43.156.13\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"example.com\"}",
"provider": "device"
},
"google_workspace": {
"actor": {
"email": "foo@bar.com",
"profile": {
"id": "1"
},
"type": "USER"
},
"context_aware_access": {
"access_level": {
"applied": "applied",
"satisfied": "satisfied",
"unsatisfied": "unsatisfied"
},
"application": "app",
"device": {
"id": "devic423",
"state": "devstate"
}
},
"event": {
"name": "APPLICATION_EVENT",
"type": "device_applications"
},
"id": {
"application_name": "device",
"customer": {
"id": "1"
},
"time": "2020-10-02T15:00:00.000Z",
"unique_qualifier": "1"
},
"ip_address": "67.43.156.13",
"kind": "admin#reports#activity",
"organization": {
"domain": "example.com"
}
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"hosts": [
"bar.com",
"example.com"
],
"ip": [
"67.43.156.13"
],
"user": [
"1",
"foo",
"foo@bar.com"
]
},
"source": {
"as": {
"number": 35908
},
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.13",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"google_workspace-context_aware_access"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.email | The primary email address of the actor. May be absent if there is no email address associated with the actor. | keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.profile.id | The unique Google Workspace profile ID of the actor. This value might be absent if the actor is not a Google Workspace user, or may be the number 105250506097979753968 which acts as a placeholder ID. | keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.context_aware_access.access_level.applied | Display name of Access level applied. | keyword |
| google_workspace.context_aware_access.access_level.satisfied | Display name of Access level satisfied. | keyword |
| google_workspace.context_aware_access.access_level.unsatisfied | Display name of Access level unsatisfied. | keyword |
| google_workspace.context_aware_access.application | Display name of Application. | keyword |
| google_workspace.context_aware_access.device.id | Display name of Device Id. | keyword |
| google_workspace.context_aware_access.device.state | Display name of Device State. | keyword |
| google_workspace.etag | ETag of the entry. | keyword |
| google_workspace.event.name | Name of the event. This is the specific name of the activity reported by the API. And each eventName is related to a specific Google Workspace service or feature which the API organizes into types of events. For eventName request parameters in general: If no eventName is given, the report returns all possible instances of an eventName. When you request an eventName, the API’s response returns all activities which contain that eventName. It is possible that the returned activities will have other eventName properties in addition to the one requested. For more information about eventName properties, see the list of event names for various applications above in applicationName. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found here. |
keyword |
| google_workspace.id.application_name | Application name to which the event belongs. For possible values see the list of applications above in applicationName. | keyword |
| google_workspace.id.customer.id | The unique identifier for a Google Workspace account. | keyword |
| google_workspace.id.time | Time of occurrence of the activity. This is in UNIX epoch time in seconds. | date |
| google_workspace.id.unique_qualifier | Unique qualifier if multiple events have the same time. | keyword |
| google_workspace.ip_address | IP address of the user doing the action. This is the Internet Protocol (IP) address of the user when logging into Google Workspace, which may or may not reflect the user’s physical location. For example, the IP address can be the user’s proxy server’s address or a virtual private network (VPN) address. The API supports IPv4 and IPv6. | ip |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload, more details can be found here. |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the gcp dataset.
**Example**
An example event for gcp looks as following:
{
"@timestamp": "2020-10-02T15:00:00.000Z",
"agent": {
"ephemeral_id": "73bd4e11-03bc-40dc-a0bc-1d9ca1aaa853",
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "google_workspace.gcp",
"namespace": "65228",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "IMPORT_SSH_PUBLIC_KEY",
"agent_id_status": "verified",
"created": "2024-08-01T21:56:37.313Z",
"dataset": "google_workspace.gcp",
"id": "1",
"ingested": "2024-08-01T21:56:49Z",
"kind": [
"event"
],
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"IMPORT_SSH_PUBLIC_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"foo@bar.com\"}],\"type\":\"CLOUD_OSLOGIN\"},\"id\":{\"applicationName\":\"device\",\"customerId\":\"1\",\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1},\"ipAddress\":\"67.43.156.13\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"example.com\"}",
"provider": "device"
},
"google_workspace": {
"actor": {
"email": "foo@bar.com",
"profile": {
"id": "1"
},
"type": "USER"
},
"event": {
"name": "IMPORT_SSH_PUBLIC_KEY",
"type": "CLOUD_OSLOGIN"
},
"gcp": {
"user_email": "foo@bar.com"
},
"id": {
"application_name": "device",
"customer": {
"id": "1"
},
"time": "2020-10-02T15:00:00.000Z",
"unique_qualifier": "1"
},
"ip_address": "67.43.156.13",
"kind": "admin#reports#activity",
"organization": {
"domain": "example.com"
}
},
"input": {
"type": "httpjson"
},
"organization": {
"id": "1"
},
"related": {
"hosts": [
"bar.com",
"example.com"
],
"ip": [
"67.43.156.13"
],
"user": [
"1",
"foo",
"foo@bar.com"
]
},
"source": {
"as": {
"number": 35908
},
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.13",
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"google_workspace-gcp"
],
"user": {
"domain": "bar.com",
"email": "foo@bar.com",
"id": "1",
"name": "foo"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| google_workspace.actor.email | The primary email address of the actor. May be absent if there is no email address associated with the actor. | keyword |
| google_workspace.actor.key | Only present when actor.type is KEY. Can be the consumer_key of the requestor for OAuth 2LO API requests or an identifier for robot accounts. |
keyword |
| google_workspace.actor.profile.id | The unique Google Workspace profile ID of the actor. This value might be absent if the actor is not a Google Workspace user, or may be the number 105250506097979753968 which acts as a placeholder ID. | keyword |
| google_workspace.actor.type | The type of actor. Values can be: USER: Another user in the same domain. EXTERNAL_USER: A user outside the domain. KEY: A non-human actor. | keyword |
| google_workspace.etag | ETag of the entry. | keyword |
| google_workspace.event.name | Name of the event. This is the specific name of the activity reported by the API. And each eventName is related to a specific Google Workspace service or feature which the API organizes into types of events. For eventName request parameters in general: If no eventName is given, the report returns all possible instances of an eventName. When you request an eventName, the API’s response returns all activities which contain that eventName. It is possible that the returned activities will have other eventName properties in addition to the one requested. For more information about eventName properties, see the list of event names for various applications above in applicationName. | keyword |
| google_workspace.event.type | The type of Google Workspace event, mapped from items[].events[].type in the original payload. Each fileset can have a different set of values for it, more details can be found here. |
keyword |
| google_workspace.gcp.user_email | The email address of the acting user. | keyword |
| google_workspace.id.application_name | Application name to which the event belongs. For possible values see the list of applications above in applicationName. | keyword |
| google_workspace.id.customer.id | The unique identifier for a Google Workspace account. | keyword |
| google_workspace.id.time | Time of occurrence of the activity. This is in UNIX epoch time in seconds. | date |
| google_workspace.id.unique_qualifier | Unique qualifier if multiple events have the same time. | keyword |
| google_workspace.ip_address | IP address of the user doing the action. This is the Internet Protocol (IP) address of the user when logging into Google Workspace, which may or may not reflect the user’s physical location. For example, the IP address can be the user’s proxy server’s address or a virtual private network (VPN) address. The API supports IPv4 and IPv6. | ip |
| google_workspace.kind | The type of API resource, mapped from kind in the original payload, more details can be found here. |
keyword |
| google_workspace.organization.domain | The domain that is affected by the report’s event. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.offset | Log offset. | long |
This is the chrome dataset.
**Example**
An example event for chrome looks as following:
{
"@timestamp": "2024-12-09T14:18:25.405Z",
"agent": {
"ephemeral_id": "7917124f-6a0b-493b-be4b-a928a4f17334",
"id": "499a39d7-b13c-4994-a354-0d3791cf15e6",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.16.0"
},
"data_stream": {
"dataset": "google_workspace.chrome",
"namespace": "12964",
"type": "logs"
},
"device": {
"model": {
"name": "NXKUTSI002429051947600"
}
},
"ecs": {
"version": "8.16.0"
},
"elastic_agent": {
"id": "499a39d7-b13c-4994-a354-0d3791cf15e6",
"snapshot": false,
"version": "8.16.0"
},
"event": {
"action": "browser_extension_install",
"agent_id_status": "verified",
"dataset": "google_workspace.chrome",
"id": "-3640711002716937498",
"ingested": "2024-12-24T07:36:34Z",
"kind": "event",
"original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"kalpesh.kumar@example.io\",\"profileId\":\"109689693170624712102\"},\"etag\":\"\\\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/cBsNSJx2A9Lg8kiQCGLddmq827A\\\"\",\"events\":{\"name\":\"BROWSER_EXTENSION_INSTALL\",\"parameters\":[{\"intValue\":\"1733753905405\",\"name\":\"TIMESTAMP\"},{\"name\":\"EVENT_REASON\",\"value\":\"BROWSER_EXTENSION_INSTALL\"},{\"name\":\"APP_ID\",\"value\":\"lmjegmlicamnimmfhcmpkclmigmmcbeh\"},{\"name\":\"APP_NAME\",\"value\":\"Application Launcher For Drive (by Google)\"},{\"name\":\"BROWSER_VERSION\",\"value\":\"123.0.6312.112\"},{\"name\":\"CHROME_ORG_UNIT_ID\",\"value\":\"02gajno12larrqx\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_NAME\",\"value\":\"NXKUTSI002429051947600\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 15786.48.2\"},{\"name\":\"DEVICE_USER\",\"value\":\"kalpesh.kumar@example.io\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"efa9510f-8cd2-4d85-b6c2-939cfb335e9e\"},{\"name\":\"EVENT_RESULT\",\"value\":\"REPORTED\"},{\"name\":\"EXTENSION_ACTION\",\"value\":\"INSTALL\"},{\"name\":\"EXTENSION_SOURCE\",\"value\":\"CHROME_WEBSTORE\"},{\"name\":\"EXTENSION_VERSION\",\"value\":\"3.10\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"example.io\"},{\"name\":\"PROFILE_USER_NAME\",\"value\":\"kalpesh.kumar@example.io\"},{\"name\":\"USER_AGENT\",\"value\":\"Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36\"},{\"name\":\"VIRTUAL_DEVICE_ID\",\"value\":\"3d69c5a5-0afc-474b-a1a3-d3dc617e2a60\"}],\"type\":\"BROWSER_EXTENSION_INSTALL_TYPE\"},\"id\":{\"applicationName\":\"chrome\",\"customerId\":\"C03puekhd\",\"time\":\"2024-12-09T14:18:25.405Z\",\"uniqueQualifier\":\"-3640711002716937498\"},\"kind\":\"admin#reports#activity\"}",
"outcome": "success",
"provider": "chrome",
"reason": "BROWSER_EXTENSION_INSTALL"
},
"google_workspace": {
"chrome": {
"actor": {
"caller_type": "USER",
"email": "kalpesh.kumar@example.io",
"profile_id": "109689693170624712102"
},
"app_id": "lmjegmlicamnimmfhcmpkclmigmmcbeh",
"app_name": "Application Launcher For Drive (by Google)",
"browser_version": "123.0.6312.112",
"chrome_org_unit_id": "02gajno12larrqx",
"client_type": "CHROME_OS_DEVICE",
"device_name": "NXKUTSI002429051947600",
"device_platform": "ChromeOS 15786.48.2",
"device_user": "kalpesh.kumar@example.io",
"directory_device_id": "efa9510f-8cd2-4d85-b6c2-939cfb335e9e",
"etag": "\"CfV-pEPVZc7PJf2fWsHJTliD34MdGbO8iFIk3L4uBwQ/cBsNSJx2A9Lg8kiQCGLddmq827A\"",
"event_reason": "BROWSER_EXTENSION_INSTALL",
"event_result": "REPORTED",
"extension_action": "INSTALL",
"extension_source": "CHROME_WEBSTORE",
"extension_version": "3.10",
"id": {
"application_name": "chrome",
"customer_id": "C03puekhd",
"time": "2024-12-09T14:18:25.405Z",
"unique_qualifier": "-3640711002716937498"
},
"kind": "admin#reports#activity",
"name": "BROWSER_EXTENSION_INSTALL",
"org_unit_name": "example.io",
"profile_user_name": "kalpesh.kumar@example.io",
"timestamp": "2024-12-09T14:18:25.405Z",
"type": "BROWSER_EXTENSION_INSTALL_TYPE",
"user_agent": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
"virtual_device_id": "3d69c5a5-0afc-474b-a1a3-d3dc617e2a60"
}
},
"host": {
"os": {
"full": "ChromeOS 15786.48.2"
}
},
"input": {
"type": "cel"
},
"observer": {
"product": "Chrome",
"vendor": "Google Workspace"
},
"organization": {
"id": "C03puekhd"
},
"related": {
"user": [
"kalpesh.kumar@example.io",
"109689693170624712102"
]
},
"source": {
"user": {
"domain": "example.io",
"email": "kalpesh.kumar@example.io",
"id": "109689693170624712102",
"name": "kalpesh.kumar"
}
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"google_workspace-chrome"
],
"user": {
"domain": "example.io",
"email": "kalpesh.kumar@example.io",
"id": "109689693170624712102",
"name": "kalpesh.kumar"
},
"user_agent": {
"device": {
"name": "Other"
},
"name": "Chrome",
"original": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
"os": {
"full": "Chrome OS 14541.0.0",
"name": "Chrome OS",
"version": "14541.0.0"
},
"version": "123.0.0.0"
}
}
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| google_workspace.chrome.actor.caller_type | keyword | |
| google_workspace.chrome.actor.email | keyword | |
| google_workspace.chrome.actor.key | keyword | |
| google_workspace.chrome.actor.profile_id | keyword | |
| google_workspace.chrome.app_id | keyword | |
| google_workspace.chrome.app_name | App name. | keyword |
| google_workspace.chrome.browser_version | Browser version event parameter. | keyword |
| google_workspace.chrome.chrome_org_unit_id | keyword | |
| google_workspace.chrome.client_type | Event client type parameter. | keyword |
| google_workspace.chrome.content_hash | Content hash event parameter. | keyword |
| google_workspace.chrome.content_name | Content name event parameter. | keyword |
| google_workspace.chrome.content_size | Content size event parameter. | long |
| google_workspace.chrome.content_transfer_method | The method for content transferring. | keyword |
| google_workspace.chrome.content_type | Content type event parameter. | keyword |
| google_workspace.chrome.device_id | Device id event name. | keyword |
| google_workspace.chrome.device_name | Device name event parameter. | keyword |
| google_workspace.chrome.device_platform | Device platform event parameter. | keyword |
| google_workspace.chrome.device_user | Device user name event parameter. | keyword |
| google_workspace.chrome.directory_device_id | Directory API device ID of the device or browser on which the event happened. | keyword |
| google_workspace.chrome.etag | keyword | |
| google_workspace.chrome.event_reason | Event reason event parameter. | keyword |
| google_workspace.chrome.event_result | Event result event parameter. | keyword |
| google_workspace.chrome.evidence_locker_filepath | A parameter that contains the filepath of the evidence locker. | keyword |
| google_workspace.chrome.extension_action | keyword | |
| google_workspace.chrome.extension_source | keyword | |
| google_workspace.chrome.extension_version | keyword | |
| google_workspace.chrome.federated_origin | A parameter that contains the domain of the federated 3rd party provding the login flow. | keyword |
| google_workspace.chrome.id.application_name | keyword | |
| google_workspace.chrome.id.customer_id | keyword | |
| google_workspace.chrome.id.time | date | |
| google_workspace.chrome.id.unique_qualifier | keyword | |
| google_workspace.chrome.ip_address | ip | |
| google_workspace.chrome.is_federated | A parameter that contains whether the login is through a federated 3rd party. | boolean |
| google_workspace.chrome.kind | keyword | |
| google_workspace.chrome.login_failure_reason | Login failure event reason parameter. | keyword |
| google_workspace.chrome.login_user_name | A Parameter that contains the username used by the user when performing the login that triggered the login event report. | keyword |
| google_workspace.chrome.name | keyword | |
| google_workspace.chrome.new_boot_mode | New device boot mode. | keyword |
| google_workspace.chrome.org_unit_name | Org unit name. | keyword |
| google_workspace.chrome.owner_domain | keyword | |
| google_workspace.chrome.previous_boot_mode | Previous device boot mode. | keyword |
| google_workspace.chrome.profile_user_name | GSuite user name of the profile. | keyword |
| google_workspace.chrome.remove_user_reason | Parameter explaining why a user was removed from a device. | keyword |
| google_workspace.chrome.scan_id | A parameter that contains the scan id of the content analysis scan which triggered the event. | keyword |
| google_workspace.chrome.server_scan_status | Status indicates the outcome of the event’s server scan, which could be complete, require a manual audit due to configuration settings, or require a manual audit because the scan took too long. | keyword |
| google_workspace.chrome.timestamp | The server timestamp of the Chrome Safe Browsing event. | date |
| google_workspace.chrome.trigger_destination | A parameter that contains the destination of the rule which triggered the event. | keyword |
| google_workspace.chrome.trigger_source | A parameter that contains the source of the rule which triggered the event. | keyword |
| google_workspace.chrome.trigger_type | Event trigger type parameter. | keyword |
| google_workspace.chrome.trigger_user | Trigger user event parameter. | keyword |
| google_workspace.chrome.triggered_rules_reason | Triggered rules reason event parameter. | keyword |
| google_workspace.chrome.type | keyword | |
| google_workspace.chrome.url | The URL that event happened on. | keyword |
| google_workspace.chrome.user_agent | User agent event parameter. | keyword |
| google_workspace.chrome.user_justification | A parameter that contains a justification message provided by users. | keyword |
| google_workspace.chrome.virtual_device_id | Virtual device ID of the browser on which the event happened. | keyword |
| input.type | Type of filebeat input. | keyword |
| log.offset | Log offset. | long |
**Changelog**
| Version | Details | Kibana version(s) |
|---|---|---|
| 2.30.0 | pass:[] Enhancement (View pull request) Increase CEL resource.tracer.maxsize to prevent loss of trace responses. |
8.16.0 or higher |
| 2.29.0 | pass:[] Enhancement (View pull request) Add support of Chrome Audit Events. pass:[] Enhancement (View pull request) ECS version updated to 8.16.0. |
8.16.0 or higher |
| 2.28.0 | pass:[] Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind manually set to "pipeline_error". |
8.13.0 or higher |
| 2.27.0 | pass:[] Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". |
8.13.0 or higher |
| 2.26.1 | pass:[] Bug fix (View pull request) Fix string literals in painless scripts. pass:[] Bug fix (View pull request) Add missing empty fields cleanup to admin data stream. |
8.13.0 or higher |
| 2.26.0 | pass:[] Enhancement (View pull request) Do not remove event.original in main ingest pipeline. |
8.13.0 or higher |
| 2.25.5 | pass:[] Bug fix (View pull request) Fix broken links in Security Service integrations packages. |
8.13.0 or higher |
| 2.25.4 | pass:[] Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines. |
8.13.0 or higher |
| 2.25.3 | pass:[] Bug fix (View pull request) Remove link to unpublished security-labs blog from README. |
8.13.0 or higher |
| 2.25.2 | pass:[] Bug fix (View pull request) Handle json.id.time missing |
8.13.0 or higher |
| 2.25.1 | pass:[] Bug fix (View pull request) Fix definition of subfields of nested objects |
8.13.0 or higher |
| 2.25.0 | pass:[] Enhancement (View pull request) Add GeoIP processors to all data streams. |
8.13.0 or higher |
| 2.24.0 | pass:[] Bug fix (View pull request) Updated google drive event schema and mappings to incorporate missing fields. |
8.13.0 or higher |
| 2.23.0 | pass:[] Enhancement (View pull request) Removed import_mappings. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. |
8.13.0 or higher |
| 2.22.0 | pass:[] Enhancement (View pull request) Improve handling of empty responses. |
8.12.0 or higher |
| 2.21.0 | pass:[] Enhancement (View pull request) Update manifest format version to v3.0.3. |
8.12.0 or higher |
| 2.20.0 | pass:[] Enhancement (View pull request) Set sensitive values as secret. |
8.12.0 or higher |
| 2.19.2 | pass:[] Enhancement (View pull request) Changed owners |
8.7.1 or higher |
| 2.19.1 | pass:[] Bug fix (View pull request) Fixing timestamp format for Admin datastream |
8.7.1 or higher |
| 2.19.0 | pass:[] Enhancement (View pull request) Limit request tracer log count to five. |
8.7.1 or higher |
| 2.18.0 | pass:[] Enhancement (View pull request) ECS version updated to 8.11.0. |
8.7.1 or higher |
| 2.17.0 | pass:[] Enhancement (View pull request) Improve event.original check to avoid errors if set. |
8.7.1 or higher |
| 2.16.2 | pass:[] Bug fix (View pull request) Fix documentation for initial interval configuration. |
8.7.1 or higher |
| 2.16.1 | pass:[] Bug fix (View pull request) Fix mapping of group fields |
8.7.1 or higher |
| 2.16.0 | pass:[] Enhancement (View pull request) ECS version updated to 8.10.0. |
8.7.1 or higher |
| 2.15.0 | pass:[] Enhancement (View pull request) The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest. |
8.7.1 or higher |
| 2.14.0 | pass:[] Enhancement (View pull request) Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. |
8.7.1 or higher |
| 2.13.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.9.0. |
8.7.1 or higher |
| 2.12.0 | pass:[] Enhancement (View pull request) Document duration units. |
8.7.1 or higher |
| 2.11.0 | pass:[] Enhancement (View pull request) Convert dashboards to Lens. |
8.7.1 or higher |
| 2.10.0 | pass:[] Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors. |
8.7.1 or higher |
| 2.9.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.8.0. |
8.7.1 or higher |
| 2.8.0 | pass:[] Enhancement (View pull request) Update package-spec version to 2.7.0. |
8.7.1 or higher |
| 2.7.0 | pass:[] Enhancement (View pull request) Add a new flag to enable request tracing |
8.7.1 or higher |
| 2.6.0 | pass:[] Enhancement (View pull request) Improve documentation by linking Security Labs blog post and clarifying the Delegated Account value. |
8.4.0 or higher |
| 2.5.1 | pass:[] Enhancement (View pull request) Set event categorization for Token data stream. |
8.4.0 or higher |
| 2.5.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.7.0. |
8.4.0 or higher |
| 2.4.0 | pass:[] Enhancement (View pull request) Add support for new Access Transparency, Context Aware Access, Device, GCP, Group Enterprise and Token Data Streams. |
8.4.0 or higher |
| 2.3.1 | pass:[] Enhancement (View pull request) Added categories and/or subcategories. |
8.4.0 or higher |
| 2.3.0 | pass:[] Enhancement (View pull request) Add recipients domains into related.hosts in Rules data stream. |
8.4.0 or higher |
| 2.2.3 | pass:[] Bug fix (View pull request) Fix @timestamp value in Rules data stream. |
8.4.0 or higher |
| 2.2.2 | pass:[] Bug fix (View pull request) Fix ingest pipeline to rename event name after fingerprint |
8.4.0 or higher |
| 2.2.1 | pass:[] Bug fix (View pull request) Fix pagination and filters for Report API data streams. |
8.4.0 or higher |
| 2.2.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.6.0. |
8.4.0 or higher |
| 2.1.0 | pass:[] Enhancement (View pull request) Add New Rules Data Stream. pass:[] Enhancement (View pull request) Add Missing Dashboards. pass:[] Enhancement (View pull request) Improve ECS Utilization. |
8.4.0 or higher |
| 2.0.0 | pass:[] Enhancement (View pull request) Add a new alert data stream and fix the request query parameter inconsistent between intervals. |
8.4.0 or higher |
| 1.9.0 | pass:[] Bug fix (View pull request) Use event time as cursor instead of current time. pass:[] Bug fix (View pull request) Fix pagination logic and avoid showing error on last page. pass:[] Enhancement (View pull request) Allow each data stream to define its own interval. |
8.4.0 or higher |
| 1.8.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.5.0. |
8.4.0 or higher |
| 1.7.4 | pass:[] Bug fix (View pull request) Parse event parameters for user_accounts data stream. |
8.4.0 or higher |
| 1.7.3 | pass:[] Bug fix (View pull request) Change fingerprint processor to avoid skipping events. |
8.4.0 or higher |
| 1.7.2 | pass:[] Bug fix (View pull request) Remove duplicate fields. |
8.4.0 or higher |
| 1.7.1 | pass:[] Enhancement (View pull request) Use ECS geo.location definition. |
8.4.0 or higher |
| 1.7.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.4.0 |
8.4.0 or higher |
| 1.6.1 | pass:[] Enhancement (View pull request) Update package name and description to align with standard wording |
8.4.0 or higher |
| 1.6.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.3.0. |
8.4.0 or higher |
| 1.5.1 | pass:[] Enhancement (View pull request) update readme |
8.4.0 or higher |
| 1.5.0 | pass:[] Enhancement (View pull request) Allow to set credentials directly in the config. |
8.4.0 or higher |
| 1.4.0 | pass:[] Enhancement (View pull request) Update to ECS 8.2 |
7.16.0 or higher 8.0.0 or higher |
| 1.3.4 | pass:[] Bug fix (View pull request) Fix pagination to prevent skipped events when more than one page is present. |
— |
| 1.3.3 | pass:[] Enhancement (View pull request) Add documentation for multi-fields |
7.16.0 or higher 8.0.0 or higher |
| 1.3.2 | pass:[] Bug fix (View pull request) Add mapping for ECS event.created. |
7.16.0 or higher 8.0.0 or higher |
| 1.3.1 | pass:[] Enhancement (View pull request) Remove redundant event.ingested from pipelines.pass:[] Bug fix (View pull request) Validate IP fields and remove invalid data to prevent index mapping exceptions. |
7.16.0 or higher 8.0.0 or higher |
| 1.3.0 | pass:[] Enhancement (View pull request) Update to ECS 8.0 |
7.16.0 or higher 8.0.0 or higher |
| 1.2.3 | pass:[] Bug fix (View pull request) Fix admin pipeline parameter processing |
— |
| 1.2.2 | pass:[] Bug fix (View pull request) Regenerate test files using the new GeoIP database |
7.16.0 or higher 8.0.0 or higher |
| 1.2.1 | pass:[] Bug fix (View pull request) Change test public IPs to the supported subset |
— |
| 1.2.0 | pass:[] Enhancement (View pull request) Add 8.0.0 version constraint |
7.16.0 or higher 8.0.0 or higher |
| 1.1.3 | pass:[] Enhancement (View pull request) Uniform with guidelines |
7.16.0 or higher |
| 1.1.2 | pass:[] Enhancement (View pull request) Update Title and Description. |
7.16.0 or higher |
| 1.1.1 | pass:[] Bug fix (View pull request) Fix logic that checks for the forwarded tag |
— |
| 1.1.0 | pass:[] Enhancement (View pull request) Update to ECS 1.12.0 |
— |
| 1.0.0 | pass:[] Enhancement (View pull request) make GA |
— |
| 0.7.3 | pass:[] Enhancement (View pull request) Convert to generated ECS fields |
— |
| 0.7.2 | pass:[] Enhancement (View pull request) update to ECS 1.11.0 |
— |
| 0.7.1 | pass:[] Enhancement (View pull request) Escape special characters in docs |
— |
| 0.7.0 | pass:[] Enhancement (View pull request) Update integration description |
— |
| 0.6.0 | pass:[] Enhancement (View pull request) Set "event.module" and "event.dataset" |
— |
| 0.5.0 | pass:[] Enhancement (View pull request) add system tests and remove log input |
— |
| 0.4.0 | pass:[] Enhancement (View pull request) update to ECS 1.10.0 and add event.original options |
— |
| 0.3.1 | pass:[] Enhancement (View pull request) add fingerprint processor to avoid duplicated events. |
— |
| 0.3.0 | pass:[] Enhancement (View pull request) move edge processing to ingest pipelines |
— |
| 0.2.4 | pass:[] Bug fix (View pull request) add fail_on_template_error on pagination |
— |
| 0.2.3 | pass:[] Enhancement (View pull request) update to ECS 1.9.0 |
— |
| 0.2.2 | pass:[] Bug fix (View pull request) fix status code parsing for saml datastream |
— |
| 0.2.1 | pass:[] Bug fix (View pull request) fixes date formatting for pagination |
— |
| 0.0.1 | pass:[] Enhancement (View pull request) initial release |
— |