From 77292bfc0d819792996253a1714d36ea75618f7c Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 9 Dec 2020 17:19:50 -0500 Subject: [PATCH] [Filebeat] Update event categorization for configuration events for auditd, gsuite, o365, and zoom (#23010) * [Filebeat] Update event categorization for configuration events for auditd, gsuite, o365, and zoom * Update bad AppendTo * Update changelog * Convert processor to painless --- CHANGELOG.next.asciidoc | 4 + .../module/auditd/log/ingest/pipeline.yml | 104 +++++++-- .../test/audit-cent7-node.log-expected.json | 12 + .../log/test/audit-rhel6.log-expected.json | 16 +- .../log/test/audit-rhel7.log-expected.json | 210 ++++++++++++++++++ .../auditd/log/test/test.log-expected.json | 16 +- .../module/gsuite/admin/config/pipeline.js | 118 +++++----- ...in-application-test.json.log-expected.json | 18 +- ...admin-calendar-test.json.log-expected.json | 6 +- ...ite-admin-chat-test.json.log-expected.json | 6 +- ...admin-chromeos-test.json.log-expected.json | 21 +- ...admin-contacts-test.json.log-expected.json | 3 +- ...ite-admin-docs-test.json.log-expected.json | 3 +- ...e-admin-domain-test.json.log-expected.json | 54 +++-- ...te-admin-gmail-test.json.log-expected.json | 12 +- ...e-admin-mobile-test.json.log-expected.json | 6 +- ...admin-security-test.json.log-expected.json | 45 ++-- ...te-admin-sites-test.json.log-expected.json | 6 +- .../module/gsuite/drive/config/pipeline.js | 1 + .../gsuite-drive-test.json.log-expected.json | 33 ++- .../module/gsuite/groups/config/pipeline.js | 11 +- .../gsuite-groups-test.json.log-expected.json | 27 ++- .../module/o365/audit/config/pipeline.js | 72 +++--- .../module/zoom/webhook/ingest/account.yml | 4 + .../module/zoom/webhook/ingest/user.yml | 4 + .../test/user.ndjson.log-expected.json | 6 + 26 files changed, 623 insertions(+), 195 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 9ce4c49ec0dc..0d1edebc682d 100644 --- a/CHANGELOG.next.asciidoc 
+++ b/CHANGELOG.next.asciidoc @@ -747,6 +747,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add configuration option to set external and internal networks for panw panos fileset {pull}22998[22998] - Add subdomain enrichment for suricata/eve fileset. {pull}23011[23011] - Add subdomain enrichment for zeek/dns fileset. {pull}23011[23011] +- Add `event.category` "configuration" to auditd module events. {pull}23010[23010] +- Add `event.category` "configuration" to gsuite module events. {pull}23010[23010] +- Add `event.category` "configuration" to o365 module events. {pull}23010[23010] +- Add `event.category` "configuration" to zoom module events. {pull}23010[23010] *Heartbeat* diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml index caec9d979f23..ccfaf199ec86 100644 --- a/filebeat/module/auditd/log/ingest/pipeline.yml +++ b/filebeat/module/auditd/log/ingest/pipeline.yml 
@@ -176,30 +176,86 @@ processors: - set: field: event.kind value: event -- set: - if: "ctx.auditd.log?.record_type == 'USER_AUTH'" - field: event.category - value: authentication -- set: - if: "ctx.auditd.log?.record_type == 'USER_AUTH'" - field: event.type - value: info -- set: - if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" - field: event.category - value: driver -- set: - if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" - field: event.type - value: info -- set: - if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" - field: event.category - value: package -- set: - if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" - field: event.type - value: info +- script: + lang: painless + ignore_failure: true + params: + CONFIG_CHANGE: + category: + - configuration + type: + - change + DAEMON_CONFIG: + category: + - configuration + type: + - change + DAEMON_RECONFIG: + category: + - configuration + type: + - info + USYS_CONFIG: + category: + - configuration + type: + - change + NETFILTER_CFG: + category: + - configuration + type: + - change + FEATURE_CHANGE: + category: + - configuration + type: + - change + MAC_CONFIG_CHANGE: + category: + - configuration + type: + - change + MAC_POLICY_LOAD: + category: + - configuration + type: + - access + MAC_STATUS: + category: + - configuration + type: + - change + USER_MAC_CONFIG_CHANGE: + category: + - configuration + type: + - change + USER_MAC_POLICY_LOAD: + category: + - configuration + type: + - access + USER_AUTH: + category: + - authentication + type: + - info + KERN_MODULE: + category: + - driver + type: + - info + SOFTWARE_UPDATE: + category: + - package + type: + - info + source: >- + if (ctx?.auditd?.log.record_type == null) { + return; + } + def hm = new HashMap(params.get(ctx.auditd.log.record_type)); + hm.forEach((k, v) -> ctx.event[k] = v); - set: if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" field: event.category 
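Review bot: The new script relies on a swallowed exception to skip every record type it does not map: `params.get(ctx.auditd.log.record_type)` returns null for SYSCALL, USER_LOGIN and the other types absent from `params`, `new HashMap(null)` then throws, and `ignore_failure: true` hides it. That makes the common path exception-driven and also masks genuine script errors, so a broken mapping would silently leave every event uncategorized with nothing visible in the ingest stats. Replace the last two lines with `def m = params.get(ctx.auditd.log.record_type); if (m == null) { return; } m.forEach((k, v) -> ctx.event[k] = v);` and reconsider `ignore_failure: true` once the script no longer throws by design. The guard `ctx?.auditd?.log.record_type` is also not null-safe on `log`, whereas the removed conditions used `ctx.auditd.log?.record_type`; whether an earlier processor guarantees `auditd.log` exists is not visible from this hunk. The `processors` list continues outside the hunk.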
diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json index b47e9806d529..c9d2b77a6e4d 100644 --- a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json @@ -31,10 +31,16 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", "event.action": "config_change", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "1", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 234, @@ -50,10 +56,16 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0", "event.action": "config_change", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "1", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 425, diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json index 09140e1ea567..a94f8c5798aa 100644 --- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json @@ -222,12 +222,16 @@ "auditd.log.sequence": 19623789, "auditd.log.ses": "6793", "event.action": "user_auth", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "info", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1926, 
@@ -257,12 +261,16 @@ "auditd.log.sequence": 19623807, "auditd.log.ses": "12286", "event.action": "user_auth", - "event.category": "authentication", + "event.category": [ + "authentication" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "info", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2122, diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json index 311c49b661a9..4d14263e10f3 100644 --- a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json @@ -257,9 +257,15 @@ "auditd.log.sequence": 17, "auditd.log.table": "filter", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 2794, @@ -309,9 +315,15 @@ "auditd.log.sequence": 18, "auditd.log.table": "raw", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 3193, @@ -361,9 +373,15 @@ "auditd.log.sequence": 19, "auditd.log.table": "security", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 3589, 
@@ -413,9 +431,15 @@ "auditd.log.sequence": 20, "auditd.log.table": "mangle", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 3990, @@ -465,9 +489,15 @@ "auditd.log.sequence": 21, "auditd.log.table": "nat", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 4389, @@ -622,9 +652,15 @@ "auditd.log.sequence": 27, "auditd.log.table": "filter", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 5953, @@ -758,9 +794,15 @@ "auditd.log.sequence": 32, "auditd.log.table": "raw", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 7289, @@ -831,9 +873,15 @@ "auditd.log.sequence": 34, "auditd.log.table": "security", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 7921, @@ -883,9 +931,15 @@ "auditd.log.sequence": 35, "auditd.log.table": "mangle", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 8323, 
@@ -1103,9 +1157,15 @@ "auditd.log.sequence": 44, "auditd.log.table": "nat", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 10630, @@ -1176,9 +1236,15 @@ "auditd.log.sequence": 46, "auditd.log.table": "nat", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 11260, @@ -1228,9 +1294,15 @@ "auditd.log.sequence": 47, "auditd.log.table": "nat", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 11669, @@ -1280,9 +1352,15 @@ "auditd.log.sequence": 48, "auditd.log.table": "mangle", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 12078, @@ -1332,9 +1410,15 @@ "auditd.log.sequence": 49, "auditd.log.table": "mangle", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 12490, 
@@ -1384,9 +1468,15 @@ "auditd.log.sequence": 50, "auditd.log.table": "security", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 12902, @@ -1436,9 +1526,15 @@ "auditd.log.sequence": 51, "auditd.log.table": "security", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 13316, @@ -1488,9 +1584,15 @@ "auditd.log.sequence": 52, "auditd.log.table": "raw", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 13729, @@ -1540,9 +1642,15 @@ "auditd.log.sequence": 53, "auditd.log.table": "raw", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 14138, @@ -1592,9 +1700,15 @@ "auditd.log.sequence": 54, "auditd.log.table": "filter", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 14547, 
@@ -1644,9 +1758,15 @@ "auditd.log.sequence": 55, "auditd.log.table": "filter", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 14958, @@ -1696,9 +1816,15 @@ "auditd.log.sequence": 56, "auditd.log.table": "nat", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 15370, @@ -1748,9 +1874,15 @@ "auditd.log.sequence": 57, "auditd.log.table": "nat", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 15782, @@ -1800,9 +1932,15 @@ "auditd.log.sequence": 58, "auditd.log.table": "mangle", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 16193, @@ -1852,9 +1990,15 @@ "auditd.log.sequence": 59, "auditd.log.table": "mangle", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 16608, 
@@ -1904,9 +2048,15 @@ "auditd.log.sequence": 60, "auditd.log.table": "security", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 17023, @@ -1956,9 +2106,15 @@ "auditd.log.sequence": 61, "auditd.log.table": "security", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 17440, @@ -2008,9 +2164,15 @@ "auditd.log.sequence": 62, "auditd.log.table": "raw", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 17856, @@ -2060,9 +2222,15 @@ "auditd.log.sequence": 63, "auditd.log.table": "raw", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 18267, @@ -2112,9 +2280,15 @@ "auditd.log.sequence": 64, "auditd.log.table": "filter", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 18679, 
@@ -2164,9 +2338,15 @@ "auditd.log.sequence": 65, "auditd.log.table": "filter", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 19094, @@ -2216,9 +2396,15 @@ "auditd.log.sequence": 66, "auditd.log.table": "mangle", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 19509, @@ -2268,9 +2454,15 @@ "auditd.log.sequence": 67, "auditd.log.table": "mangle", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 19921, @@ -2320,9 +2512,15 @@ "auditd.log.sequence": 68, "auditd.log.table": "mangle", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 20333, @@ -2372,9 +2570,15 @@ "auditd.log.sequence": 69, "auditd.log.table": "mangle", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 20745, 
@@ -2424,9 +2628,15 @@ "auditd.log.sequence": 70, "auditd.log.table": "mangle", "event.action": "netfilter_cfg", + "event.category": [ + "configuration" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", + "event.type": [ + "change" + ], "fileset.name": "log", "input.type": "log", "log.offset": 21157, diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json index 58ff1fee37d4..1abe864eb204 100644 --- a/filebeat/module/auditd/log/test/test.log-expected.json +++ b/filebeat/module/auditd/log/test/test.log-expected.json @@ -178,12 +178,16 @@ "auditd.log.sw": "gcc-4.8.5-39.el7.x86_64", "auditd.log.sw_type": "rpm", "event.action": "software_update", - "event.category": "package", + "event.category": [ + "package" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "info", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 1893, @@ -296,11 +300,15 @@ "auditd.log.name": "mymodule", "auditd.log.sequence": 579397, "event.action": "kern_module", - "event.category": "driver", + "event.category": [ + "driver" + ], "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", - "event.type": "info", + "event.type": [ + "info" + ], "fileset.name": "log", "input.type": "log", "log.offset": 3153, diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js index 0e014e8094c2..8302ec5a1e58 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js 
@@ -6,36 +6,80 @@ var login = (function () { var processor = require("processor"); var categorizeEvent = function(evt) { + // not convinced that these should be iam evt.Put("event.category", ["iam"]); switch (evt.Get("event.action")) { case "CHANGE_APPLICATION_SETTING": case "UPDATE_MANAGED_CONFIGURATION": + case "CHANGE_CALENDAR_SETTING": + case "CHANGE_CHAT_SETTING": + case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING": case "GPLUS_PREMIUM_FEATURES": + case "UPDATE_CALENDAR_RESOURCE_FEATURE": case "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED": + case "MEET_INTEROP_MODIFY_GATEWAY": + case "CHANGE_CHROME_OS_APPLICATION_SETTING": + case "CHANGE_CHROME_OS_DEVICE_SETTING": + case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING": + case "CHANGE_CHROME_OS_SETTING": + case "CHANGE_CHROME_OS_USER_SETTING": + case "CHANGE_CONTACTS_SETTING": + case "CHANGE_DOCS_SETTING": + case "CHANGE_SITES_SETTING": + case "CHANGE_EMAIL_SETTING": + case "CHANGE_GMAIL_SETTING": + case "ALLOW_STRONG_AUTHENTICATION": + case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID": + case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY": + case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_START_DATE": + case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS": + case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES": + case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY": + case "ENFORCE_STRONG_AUTHENTICATION": + case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS": + case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED": + case "SESSION_CONTROL_SETTINGS_CHANGE": + case "CHANGE_SESSION_LENGTH": + case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS": + case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET": + case "ENABLE_API_ACCESS": + case "CHANGE_WHITELIST_SETTING": + case "COMMUNICATION_PREFERENCES_SETTING_CHANGE": + case "ENABLE_FEEDBACK_SOLICITATION": + case 
"TOGGLE_CONTACT_SHARING": + case "TOGGLE_USE_CUSTOM_LOGO": + case "CHANGE_DATA_LOCALIZATION_SETTING": + case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY": + case "TOGGLE_SSO_ENABLED": + case "TOGGLE_SSL": + case "TOGGLE_NEW_APP_FEATURES": + case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL": + case "TOGGLE_OPEN_ID_ENABLED": + case "TOGGLE_OUTBOUND_RELAY": + case "CHANGE_SSO_SETTINGS": + case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS": + case "CHANGE_MOBILE_APPLICATION_SETTINGS": + case "CHANGE_MOBILE_SETTING": + evt.AppendTo("event.category", "configuration") + evt.Put("event.type", ["change"]); + break; case "UPDATE_BUILDING": - case "UPDATE_CALENDAR_RESOURCE_FEATURE": case "RENAME_CALENDAR_RESOURCE": case "UPDATE_CALENDAR_RESOURCE": - case "CHANGE_CALENDAR_SETTING": case "CANCEL_CALENDAR_EVENTS": case "RELEASE_CALENDAR_RESOURCES": - case "MEET_INTEROP_MODIFY_GATEWAY": - case "CHANGE_CHAT_SETTING": - case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING": case "CHANGE_DEVICE_STATE": - case "CHANGE_CHROME_OS_APPLICATION_SETTING": case "CHANGE_CHROME_OS_DEVICE_ANNOTATION": - case "CHANGE_CHROME_OS_DEVICE_SETTING": case "CHANGE_CHROME_OS_DEVICE_STATE": - case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING": case "UPDATE_CHROME_OS_PRINT_SERVER": case "UPDATE_CHROME_OS_PRINTER": - case "CHANGE_CHROME_OS_SETTING": - case "CHANGE_CHROME_OS_USER_SETTING": case "MOVE_DEVICE_TO_ORG_UNIT_DETAILED": case "UPDATE_DEVICE": case "SEND_CHROME_OS_DEVICE_COMMAND": - case "CHANGE_CONTACTS_SETTING": case "ASSIGN_ROLE": case "ADD_PRIVILEGE": case "REMOVE_PRIVILEGE": @@ -43,9 +87,6 @@ var login = (function () { case "UPDATE_ROLE": case "UNASSIGN_ROLE": case "TRANSFER_DOCUMENT_OWNERSHIP": - case "CHANGE_DOCS_SETTING": - case "CHANGE_SITES_SETTING": - case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES": case "ORG_USERS_LICENSE_ASSIGNMENT": case "ORG_ALL_USERS_LICENSE_ASSIGNMENT": case "USER_LICENSE_ASSIGNMENT": 
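Review bot: The `evt.AppendTo("event.category", "configuration")` added after the run of settings-change labels lacks the trailing semicolon that every other statement in `categorizeEvent` carries (the `evt.Put("event.type", ["change"]);` right below it); write `evt.AppendTo("event.category", "configuration");`. The new comment `// not convinced that these should be iam` reads as an unresolved reviewer doubt rather than documentation; either settle it before merging or make it a tracked note such as `// TODO: confirm admin settings changes belong under "iam" in addition to "configuration"`. It would also help a reader to state the split criterion above the first case label, e.g. `// Tenant-wide settings changes: iam + configuration; other admin actions: iam only`, since the two `change` branches differ only in that one AppendTo. `categorizeEvent` continues outside the hunk.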
@@ -55,8 +96,6 @@ var login = (function () { case "USER_LICENSE_REVOKE": case "UPDATE_DYNAMIC_LICENSE": case "DROP_FROM_QUARANTINE": - case "CHANGE_EMAIL_SETTING": - case "CHANGE_GMAIL_SETTING": case "REJECT_FROM_QUARANTINE": case "RELEASE_FROM_QUARANTINE": case "CHROME_LICENSES_ENABLED": @@ -70,29 +109,14 @@ var login = (function () { case "EDIT_ORG_UNIT_NAME": case "REVOKE_DEVICE_ENROLLMENT_TOKEN": case "TOGGLE_SERVICE_ENABLED": - case "ALLOW_STRONG_AUTHENTICATION": - case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS": - case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS": - case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID": case "ADD_TO_TRUSTED_OAUTH2_APPS": case "REMOVE_FROM_TRUSTED_OAUTH2_APPS": case "BLOCK_ON_DEVICE_ACCESS": - case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION": - case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY": - case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION": - case "CHANGE_TWO_STEP_VERIFICATION_START_DATE": - case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS": case "TOGGLE_CAA_ENABLEMENT": case "CHANGE_CAA_ERROR_MESSAGE": case "CHANGE_CAA_APP_ASSIGNMENTS": case "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS": case "TRUST_DOMAIN_OWNED_OAUTH2_APPS": - case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY": - case "ENFORCE_STRONG_AUTHENTICATION": - case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS": - case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED": - case "SESSION_CONTROL_SETTINGS_CHANGE": - case "CHANGE_SESSION_LENGTH": case "UNBLOCK_ON_DEVICE_ACCESS": case "CHANGE_ACCOUNT_AUTO_RENEWAL": case "ADD_APPLICATION": 
@@ -104,23 +128,14 @@ var login = (function () { case "ALERT_STATUS_CHANGED": case "ADD_DOMAIN_ALIAS": case "REMOVE_DOMAIN_ALIAS": - case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS": - case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET": - case "ENABLE_API_ACCESS": case "AUTHORIZE_API_CLIENT_ACCESS": case "REMOVE_API_CLIENT_ACCESS": case "CHROME_LICENSES_REDEEMED": case "TOGGLE_AUTO_ADD_NEW_SERVICE": case "CHANGE_PRIMARY_DOMAIN": - case "CHANGE_WHITELIST_SETTING": - case "COMMUNICATION_PREFERENCES_SETTING_CHANGE": case "CHANGE_CONFLICT_ACCOUNT_ACTION": - case "ENABLE_FEEDBACK_SOLICITATION": - case "TOGGLE_CONTACT_SHARING": - case "TOGGLE_USE_CUSTOM_LOGO": case "CHANGE_CUSTOM_LOGO": case "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA": - case "CHANGE_DATA_LOCALIZATION_SETTING": case "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO": case "CHANGE_DOMAIN_DEFAULT_LOCALE": case "CHANGE_DOMAIN_DEFAULT_TIMEZONE": @@ -130,24 +145,16 @@ var login = (function () { case "ADD_TRUSTED_DOMAINS": case "REMOVE_TRUSTED_DOMAINS": case "CHANGE_EDU_TYPE": - case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY": - case "TOGGLE_SSO_ENABLED": - case "TOGGLE_SSL": case "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO": case "CHANGE_LOGIN_BACKGROUND_COLOR": case "CHANGE_LOGIN_BORDER_COLOR": case "CHANGE_LOGIN_ACTIVITY_TRACE": case "PLAY_FOR_WORK_ENROLL": case "PLAY_FOR_WORK_UNENROLL": - case "TOGGLE_NEW_APP_FEATURES": - case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL": - case "TOGGLE_OPEN_ID_ENABLED": + case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL": case "CHANGE_ORGANIZATION_NAME": - case "TOGGLE_OUTBOUND_RELAY": case "CHANGE_PASSWORD_MAX_LENGTH": case "CHANGE_PASSWORD_MIN_LENGTH": - case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL": - case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS": case "REMOVE_APPLICATION": case "REMOVE_APPLICATION_FROM_WHITELIST": case "CHANGE_RENEW_DOMAIN_REGISTRATION": 
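Review bot: CHANGE_PASSWORD_MAX_LENGTH and CHANGE_PASSWORD_MIN_LENGTH stay in the iam-only `change` branch in this hunk while the neighbouring tenant security settings (TOGGLE_SSO_ENABLED, TOGGLE_SSL, TOGGLE_OPEN_ID_ENABLED) were moved into the configuration branch, so a detection keyed on `event.category: configuration` would not see password-policy changes; ADD_TRUSTED_DOMAINS, REMOVE_TRUSTED_DOMAINS and CHANGE_LOGIN_ACTIVITY_TRACE are left the same way. I cannot tell from the hunk whether that split is deliberate. If it is, a one-line comment on the first of these labels saying why (e.g. `// password policy: kept iam-only on purpose`) would stop the next contributor from "fixing" it; if not, these labels belong in the configuration branch with the others. The switch continues outside the hunk.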
@@ -159,7 +166,6 @@ var login = (function () { case "ADD_SECONDARY_DOMAIN": case "REMOVE_SECONDARY_DOMAIN": case "UPDATE_DOMAIN_SECONDARY_EMAIL": - case "CHANGE_SSO_SETTINGS": case "UPDATE_RULE": case "ADD_MOBILE_CERTIFICATE": case "COMPANY_OWNED_DEVICE_BLOCKED": @@ -168,9 +174,7 @@ var login = (function () { case "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT": case "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER": case "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST": - case "CHANGE_MOBILE_APPLICATION_SETTINGS": case "ADD_MOBILE_APPLICATION_TO_WHITELIST": - case "CHANGE_MOBILE_SETTING": case "CHANGE_ADMIN_RESTRICTIONS_PIN": case "CHANGE_MOBILE_WIRELESS_NETWORK": case "ADD_MOBILE_WIRELESS_NETWORK": @@ -180,6 +184,10 @@ var login = (function () { evt.Put("event.type", ["change"]); break; case "CREATE_APPLICATION_SETTING": + case "CREATE_GMAIL_SETTING": + evt.AppendTo("event.category", "configuration") + evt.Put("event.type", ["creation"]); + break; case "CREATE_MANAGED_CONFIGURATION": case "CREATE_BUILDING": case "CREATE_CALENDAR_RESOURCE": @@ -190,7 +198,6 @@ var login = (function () { case "CREATE_ROLE": case "ADD_WEB_ADDRESS": case "EMAIL_UNDELETE": - case "CREATE_GMAIL_SETTING": case "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED": case "CREATE_DEVICE_ENROLLMENT_TOKEN": case "CREATE_ENROLLMENT_TOKEN": @@ -205,6 +212,10 @@ var login = (function () { evt.Put("event.type", ["creation"]); break; case "DELETE_APPLICATION_SETTING": + case "DELETE_GMAIL_SETTING": + evt.AppendTo("event.category", "configuration") + evt.Put("event.type", ["deletion"]); + break; case "DELETE_MANAGED_CONFIGURATION": case "DELETE_BUILDING": case "DELETE_CALENDAR_RESOURCE": @@ -215,7 +226,6 @@ var login = (function () { case "REMOVE_CHROME_OS_APPLICATION_SETTINGS": case "DELETE_ROLE": case "DELETE_WEB_ADDRESS": - case "DELETE_GMAIL_SETTING": case "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED": case "REMOVE_ORG_UNIT": case "DELETE_ALERT": 
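Review bot: CREATE_MANAGED_CONFIGURATION and DELETE_MANAGED_CONFIGURATION remain in the iam-only creation/deletion branches here, and REMOVE_CHROME_OS_APPLICATION_SETTINGS in the deletion branch, while UPDATE_MANAGED_CONFIGURATION and CHANGE_CHROME_OS_APPLICATION_SETTING were given `configuration` in the first hunk of this file; the create/delete side of the same setting should carry the same category, so move those labels up next to CREATE_GMAIL_SETTING and DELETE_GMAIL_SETTING. Both new `evt.AppendTo("event.category", "configuration")` lines are also missing the trailing semicolon used by every surrounding statement; write `evt.AppendTo("event.category", "configuration");`. The switch continues outside the hunk.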
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json index a38404366721..e33c671e30b3 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json @@ -2,7 +2,8 @@ { "event.action": "CHANGE_APPLICATION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -58,7 +59,8 @@ { "event.action": "CREATE_APPLICATION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -113,7 +115,8 @@ { "event.action": "DELETE_APPLICATION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -222,7 +225,8 @@ { "event.action": "GPLUS_PREMIUM_FEATURES", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -369,7 +373,8 @@ { "event.action": "UPDATE_MANAGED_CONFIGURATION", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -418,7 +423,8 @@ { "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json index 2a8eb8eb3fe4..110753ae98de 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json 
@@ -348,7 +348,8 @@ { "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -502,7 +503,8 @@ { "event.action": "CHANGE_CALENDAR_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json index 4736114f4272..0c7828946dab 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json @@ -98,7 +98,8 @@ { "event.action": "MEET_INTEROP_MODIFY_GATEWAY", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -146,7 +147,8 @@ { "event.action": "CHANGE_CHAT_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json index 00f51c0bc794..e4a8b7141108 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json @@ -2,7 +2,8 @@ { "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", @@ -109,7 +110,8 @@ { "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", "event.category": [ - "iam" + "iam", + "configuration" ], "event.dataset": "gsuite.admin", "event.id": "1", 
@@ -262,7 +264,8 @@
 {
 "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -364,7 +367,8 @@
 {
 "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -707,7 +711,8 @@
 {
 "event.action": "CHANGE_CHROME_OS_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -758,7 +763,8 @@
 {
 "event.action": "CHANGE_CHROME_OS_USER_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -1010,7 +1016,8 @@
 {
 "event.action": "CHANGE_CONTACTS_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json
index dee1917e48d9..3f0711022768 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json
@@ -2,7 +2,8 @@
 {
 "event.action": "CHANGE_CONTACTS_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
index e0f00e254435..311ecf3e2378 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
@@ -105,7 +105,8 @@
 {
 "event.action": "CHANGE_DOCS_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json
index a349010fdb40..ff5c3d1d2a59 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json
@@ -739,7 +739,8 @@
 {
 "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -788,7 +789,8 @@
 {
 "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -837,7 +839,8 @@
 {
 "event.action": "ENABLE_API_ACCESS",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -1137,7 +1140,8 @@
 {
 "event.action": "CHANGE_WHITELIST_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -1187,7 +1191,8 @@
 {
 "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -1288,7 +1293,8 @@
 {
 "event.action": "ENABLE_FEEDBACK_SOLICITATION",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -1338,7 +1344,8 @@
 {
 "event.action": "TOGGLE_CONTACT_SHARING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -1435,7 +1442,8 @@
 {
 "event.action": "TOGGLE_USE_CUSTOM_LOGO",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -1582,7 +1590,8 @@
 {
 "event.action": "CHANGE_DATA_LOCALIZATION_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -2172,7 +2181,8 @@
 {
 "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -2221,7 +2231,8 @@
 {
 "event.action": "TOGGLE_SSO_ENABLED",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -2270,7 +2281,8 @@
 {
 "event.action": "TOGGLE_SSL",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -2713,7 +2725,8 @@
 {
 "event.action": "TOGGLE_NEW_APP_FEATURES",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -2762,7 +2775,8 @@
 {
 "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -2907,7 +2921,8 @@
 {
 "event.action": "TOGGLE_OPEN_ID_ENABLED",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -3006,7 +3021,8 @@
 {
 "event.action": "TOGGLE_OUTBOUND_RELAY",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -3207,7 +3223,8 @@
 {
 "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -4040,7 +4057,8 @@
 {
 "event.action": "CHANGE_SSO_SETTINGS",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json
index f62dad33200c..1db80ed600bd 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json
@@ -157,7 +157,8 @@
 {
 "event.action": "CHANGE_EMAIL_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -212,7 +213,8 @@
 {
 "event.action": "CHANGE_GMAIL_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -263,7 +265,8 @@
 {
 "event.action": "CREATE_GMAIL_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -314,7 +317,8 @@
 {
 "event.action": "DELETE_GMAIL_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
index 99bea4702c38..10f080230c41 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
@@ -558,7 +558,8 @@
 {
 "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -871,7 +872,8 @@
 {
 "event.action": "CHANGE_MOBILE_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
index ccfe0f5b3ed5..d08d68f872e1 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
@@ -2,7 +2,8 @@
 {
 "event.action": "ALLOW_STRONG_AUTHENTICATION",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -52,7 +53,8 @@
 {
 "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -101,7 +103,8 @@
 {
 "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -150,7 +153,8 @@
 {
 "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -353,7 +357,8 @@
 {
 "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -406,7 +411,8 @@
 {
 "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -459,7 +465,8 @@
 {
 "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -512,7 +519,8 @@
 {
 "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -565,7 +573,8 @@
 {
 "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -862,7 +871,8 @@
 {
 "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -915,7 +925,8 @@
 {
 "event.action": "ENFORCE_STRONG_AUTHENTICATION",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -970,7 +981,8 @@
 {
 "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -1020,7 +1032,8 @@
 {
 "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -1073,7 +1086,8 @@
 {
 "event.action": "SESSION_CONTROL_SETTINGS_CHANGE",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -1124,7 +1138,8 @@
 {
 "event.action": "CHANGE_SESSION_LENGTH",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
index 272f4fb77e7a..8847953dbf3d 100644
--- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
@@ -108,7 +108,8 @@
 {
 "event.action": "CHANGE_SITES_SETTING",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
@@ -160,7 +161,8 @@
 {
 "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.admin",
 "event.id": "1",
diff --git a/x-pack/filebeat/module/gsuite/drive/config/pipeline.js b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js
index eb1d1170ea5c..31403a880ae3 100644
--- a/x-pack/filebeat/module/gsuite/drive/config/pipeline.js
+++ b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js
@@ -31,6 +31,7 @@ var drive = (function () {
 case "sheets_import_range_access_change":
 case "change_user_access":
 evt.AppendTo("event.category", "iam");
+ evt.AppendTo("event.category", "configuration");
 evt.Put("event.type", ["change"]);
 break;
 case "create":
diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json
index 9ffde6ce107d..77b16b9e929c 100644
--- a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json
@@ -64,7 +64,8 @@
 "event.action": "approval_canceled",
 "event.category": [
 "file",
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -124,7 +125,8 @@
 "event.action": "approval_comment_added",
 "event.category": [
 "file",
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -184,7 +186,8 @@
 "event.action": "approval_requested",
 "event.category": [
 "file",
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -244,7 +247,8 @@
 "event.action": "approval_reviewer_responded",
 "event.category": [
 "file",
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
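Review bot: The updated drive test fixtures in this same chunk show approval_canceled, approval_comment_added, approval_requested and approval_reviewer_responded now carrying `configuration` as well, which suggests the case list above this hunk groups those approval-workflow actions together with the access-change cases that the added `evt.AppendTo("event.category", "configuration");` is aimed at. Requesting or commenting on an approval does not change any setting, so if that grouping is confirmed, the approval_* cases belong in their own branch that appends only `iam` and leaves `configuration` to the access and visibility changes. The switch and the enclosing `drive` function start outside the hunk, so the full case list is inferred from the fixtures rather than visible here.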
@@ -1257,7 +1261,8 @@
 "event.action": "change_acl_editors",
 "event.category": [
 "file",
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1321,7 +1326,8 @@
 "event.action": "change_document_access_scope",
 "event.category": [
 "file",
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1386,7 +1392,8 @@
 "event.action": "change_document_visibility",
 "event.category": [
 "file",
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1451,7 +1458,8 @@
 "event.action": "shared_drive_membership_change",
 "event.category": [
 "file",
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1516,7 +1524,8 @@
 "event.action": "shared_drive_settings_change",
 "event.category": [
 "file",
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1581,7 +1590,8 @@
 "event.action": "sheets_import_range_access_change",
 "event.category": [
 "file",
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
@@ -1641,7 +1651,8 @@
 "event.action": "change_user_access",
 "event.category": [
 "file",
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.drive",
 "event.id": "1",
diff --git a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js
index 326eccfee714..21f859a13e61 100644
--- a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js
+++ b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js
@@ -9,7 +9,6 @@ var groups = (function () {
 evt.Put("event.category", ["iam"]);
 evt.Put("event.type", ["group"]);
 switch (evt.Get("event.action")) {
- case "change_acl_permission":
 case "change_basic_setting":
 case "change_identity_setting":
 case "change_info_setting":
@@ -17,6 +16,10 @@ var groups = (function () {
 case "change_post_replies_setting":
 case "change_spam_moderation_setting":
 case "change_topic_setting":
+ evt.AppendTo("event.category", "configuration");
+ evt.AppendTo("event.type", "change");
+ break;
+ case "change_acl_permission":
 evt.AppendTo("event.type", "change");
 break;
 case "accept_invitation":
@@ -38,11 +41,17 @@ var groups = (function () {
 evt.AppendTo("event.type", "user");
 break;
 case "create_group":
+ evt.AppendTo("event.type", "creation");
+ break;
 case "add_info_setting":
+ evt.AppendTo("event.category", "configuration");
 evt.AppendTo("event.type", "creation");
 break;
 case "delete_group":
+ evt.AppendTo("event.type", "deletion");
+ break;
 case "remove_info_setting":
+ evt.AppendTo("event.category", "configuration");
 evt.AppendTo("event.type", "deletion");
 break;
 case "moderate_message":
diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json
index f62ef0391c08..b99c77b57a57 100644
--- a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json
+++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json
@@ -271,7 +271,8 @@
 {
 "event.action": "change_basic_setting",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -427,7 +428,8 @@
 {
 "event.action": "change_identity_setting",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -481,7 +483,8 @@
 {
 "event.action": "add_info_setting",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -534,7 +537,8 @@
 {
 "event.action": "change_info_setting",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
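Review bot: The new `case "change_acl_permission":` branch is the only settings-style action that gets `change` without `configuration`, and nothing in the code says why it was split out of the group of `change_*_setting` cases above it; a one-line comment such as `// ACL permission changes are treated as IAM changes, not group configuration` would stop the next edit from merging it back. That the split is intentional is inferred from the shape of the change, so confirm the rationale before documenting it. The `create_group`/`add_info_setting` and `delete_group`/`remove_info_setting` splits in the second hunk each repeat the `event.type` append only to add `evt.AppendTo("event.category", "configuration");` to one side; if more settings actions are added, a single check against a list of configuration actions before the switch would avoid growing that duplication. The enclosing switch and the `groups` function start and end outside these hunks.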
@@ -588,7 +592,8 @@
 {
 "event.action": "remove_info_setting",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -641,7 +646,8 @@
 {
 "event.action": "change_new_members_restrictions_setting",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -695,7 +701,8 @@
 {
 "event.action": "change_post_replies_setting",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -749,7 +756,8 @@
 {
 "event.action": "change_spam_moderation_setting",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
@@ -803,7 +811,8 @@
 {
 "event.action": "change_topic_setting",
 "event.category": [
- "iam"
+ "iam",
+ "configuration"
 ],
 "event.dataset": "gsuite.groups",
 "event.id": "1",
diff --git a/x-pack/filebeat/module/o365/audit/config/pipeline.js b/x-pack/filebeat/module/o365/audit/config/pipeline.js
index 8ff5e572fc2c..e1ee6bc1c814 100644
--- a/x-pack/filebeat/module/o365/audit/config/pipeline.js
+++ b/x-pack/filebeat/module/o365/audit/config/pipeline.js
@@ -220,33 +220,34 @@ function sharePointFileOperationSchema(debug) {
 ignore_missing: true,
 fail_on_error: false
 }));
- builder.Add("setEventCategory", new processor.AddFields({
- target: 'event',
- fields: {
- category: 'file',
- },
- }));
- builder.Add("mapEventType", makeMapper({
- from: 'o365audit.Operation',
- to: 'event.type',
- mappings: {
- 'FileAccessed': 'access',
- 'FileDeleted': 'deletion',
- 'FileDownloaded': 'access',
- 'FileModified': 'change',
- 'FileMoved': 'change',
- 'FileRenamed': 'change',
- 'FileRestored': 'change',
- 'FileUploaded': 'creation',
- 'FolderCopied': 'creation',
- 'FolderCreated': 'creation',
- 'FolderDeleted': 'deletion',
- 'FolderModified': 'change',
- 'FolderMoved': 'change',
- 'FolderRenamed': 'change',
- 'FolderRestored': 'change',
- },
- }));
+
+ var actionToCategoryType = {
+ ComplianceSettingChanged: ['configuration', 'change'],
+ FileAccessed: ['file', 'access'],
+ FileDeleted: ['file', 'deletion'],
+ FileDownloaded: ['file', 'access'],
+ FileModified: ['file', 'change'],
+ FileMoved: ['file', 'change'],
+ FileRenamed: ['file', 'change'],
+ FileRestored: ['file', 'change'],
+ FileUploaded: ['file', 'creation'],
+ FolderCopied: ['file', 'creation'],
+ FolderCreated: ['file', 'creation'],
+ FolderDeleted: ['file', 'deletion'],
+ FolderModified: ['file', 'change'],
+ FolderMoved: ['file', 'change'],
+ FolderRenamed: ['file', 'change'],
+ FolderRestored: ['file', 'change'],
+ };
+
+ builder.Add("setEventFields", function(evt) {
+ var action = evt.Get("o365audit.Operation");
+ if (action == null) return;
+ var fields = actionToCategoryType[action];
+ if (fields == null) return;
+ evt.Put("event.category", fields[0]);
+ evt.Put("event.type", fields[1]);
+ });
 return builder.Build();
 }
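Review bot: `actionToCategoryType[action]` looks the Operation up on a plain object literal, so a value such as `constructor` or `toString` in `o365audit.Operation` resolves to an inherited function instead of `undefined`, passes the `fields == null` test, and `fields[0]`/`fields[1]` then write `undefined` into `event.category` and `event.type`; the Operation string comes from the ingested audit record, so the lookup should be limited to own properties with `if (!Object.prototype.hasOwnProperty.call(actionToCategoryType, action)) return;` in place of the null check. The replaced `makeMapper` call carried its field names in `from`/`to`/`mappings`, whereas the new table is positional, so a comment above it such as `// Operation -> [event.category, event.type]` would keep the meaning of the two array slots explicit. sharePointFileOperationSchema starts before the hunk; only its tail is visible here.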
@@ -446,10 +447,25 @@ function yammerSchema(debug) {
 // Network or verified admin changes the information that appears on
 // member profiles for network users network.
 ProcessProfileFields: [ "iam", "user"],
+ // Network or verified admin changes the Yammer network's configuration.
+ // This includes setting the interval for exporting data and enabling chat.
+ NetworkConfigurationUpdated: [ "configuration", "change" ],
 // Verified admin updates the Yammer network's security configuration.
 // This includes setting password expiration policies and restrictions
 // on IP addresses.
- NetworkSecurityConfigurationUpdated: [ "iam", "admin"],
+ NetworkSecurityConfigurationUpdated: [ ["iam", "configuration"], ["admin", "change"]],
+ // Verified admin updates the setting for the network data retention
+ // policy to either Hard Delete or Soft Delete. Only verified admins
+ // can perform this operation.
+ SoftDeleteSettingsUpdated: [ "configuration", "change" ],
+ // Network or verified admin changes the information that appears on
+ // member profiles for network users network.
+ ProcessProfileFields: [ "configuration", "change" ],
+ // Verified admin turns Private Content Mode on or off. This mode
+ // lets an admin view the posts in private groups and view private
+ // messages between individual users (or groups of users). Only verified
+ // admins only can perform this operation.
+ SupervisorAdminToggled: [ "configuration", "change" ],
 // User uploads a file.
 FileCreated: [ "file", "creation"],
 // User creates a group.
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/account.yml b/x-pack/filebeat/module/zoom/webhook/ingest/account.yml
index a873c6ae62c0..c5368f0ab05f 100644
--- a/x-pack/filebeat/module/zoom/webhook/ingest/account.yml
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/account.yml
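Review bot: `ProcessProfileFields` is now a duplicate key in the same object literal — the unchanged context line keeps `ProcessProfileFields: [ "iam", "user"],` and the added line sets `ProcessProfileFields: [ "configuration", "change" ],` — so the second entry silently replaces the first and the event loses its `iam`/`user` values (or, on an engine that enforces ES5 strict-mode duplicate-key rules, the file fails to parse). The hunk's own `NetworkSecurityConfigurationUpdated` line already shows the nested form that carries both, so the fix is a single entry `ProcessProfileFields: [ ["iam", "configuration"], ["user", "change"] ],` with the duplicated key and its repeated two-line comment removed. The added comment for `SupervisorAdminToggled` also reads "Only verified admins only can perform", one "only" too many. yammerSchema begins and ends outside the hunk, so the rest of the mapping table is not visible here.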
@@ -3,6 +3,10 @@ processors:
 - append:
 field: event.category
 value: iam
+- append:
+ field: event.category
+ value: configuration
+ if: "['account.settings_updated'].contains(ctx?.event?.action)"
 - append:
 field: event.type
 value: user
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/user.yml b/x-pack/filebeat/module/zoom/webhook/ingest/user.yml
index 02afc6d66362..2f7a82bfc758 100644
--- a/x-pack/filebeat/module/zoom/webhook/ingest/user.yml
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/user.yml
@@ -1,5 +1,9 @@
 description: Pipeline for parsing Zoom user webhooks
 processors:
+- append:
+ field: event.category
+ value: configuration
+ if: "['user.settings_updated'].contains(ctx?.event?.action)"
 - append:
 field: event.type
 value: iam
diff --git a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json
index 3ca08b077f0d..3921a3c71041 100644
--- a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json
+++ b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json
@@ -101,6 +101,9 @@
 },
 {
 "event.action": "user.settings_updated",
+ "event.category": [
+ "configuration"
+ ],
 "event.dataset": "zoom.webhook",
 "event.kind": [
 "event"
@@ -136,6 +139,9 @@
 },
 {
 "event.action": "user.settings_updated",
+ "event.category": [
+ "configuration"
+ ],
 "event.dataset": "zoom.webhook",
 "event.kind": [
 "event"
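Review bot: The new `configuration` append in user.yml is inserted directly above a pre-existing processor whose context lines read `field: event.type` with `value: iam`, which places an ECS category value into `event.type`; the updated user.ndjson expectation in this chunk, where `user.settings_updated` ends up with `event.category` equal to only `["configuration"]`, is consistent with `iam` never reaching `event.category` in this pipeline. account.yml in the same chunk appends `iam` to `event.category`, so the user.yml entry looks like a field mix-up rather than a deliberate difference; since this hunk already edits that processor list, correcting it to `field: event.category` here (and giving `event.type` its intended value in a separate append) seems worth doing, though the intent is inferred and should be confirmed against the module's field docs. As a style point, `['user.settings_updated'].contains(ctx?.event?.action)` can be written `ctx?.event?.action == 'user.settings_updated'` unless more actions are expected to join the list; the same applies to the account.yml condition.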