diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b4882537384..9ac8908a010 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -836,6 +836,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added `application/x-www-form-urlencoded` as encode option for httpjson input {pull}23521[23521] - Added RFC6587 framing option for tcp and unix inputs {issue}23663[23663] {pull}23724[23724] - Upgrade Cisco ASA/FTD/Umbrella to ECS 1.8.0. {pull}23819[23819] +- Add new ECS user and categories features to google_workspace/gsuite {issue}23118[23118] {pull}23709[23709] *Heartbeat* @@ -1045,4 +1046,3 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Journalbeat* - diff --git a/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js b/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js index 1071a61aef0..4e9b5630a0d 100644 --- a/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/admin/config/pipeline.js @@ -422,6 +422,17 @@ var login = (function () { } evt.AppendTo("related.user", data[0]); + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.Put("user.target.email", email); + var groupName = evt.Get("group.name"); + if (groupName) { + evt.Put("user.target.group.name", groupName); + } + var groupDomain = evt.Get("group.domain"); + if (groupDomain) { + evt.Put("user.target.group.domain", groupDomain); + } }; var setEventDuration = function(evt) { diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json index 6e14b17286f..abd84e26272 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-application-test.json.log-expected.json @@ -55,7 +55,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -112,7 +115,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -169,7 +175,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -224,7 +233,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -275,7 +287,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -325,7 +340,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -375,7 +393,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -426,7 +447,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -476,6 +500,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json index b58fc898aa5..b2d9d491215 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-calendar-test.json.log-expected.json @@ -47,7 +47,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -97,7 +100,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -150,7 +156,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -200,7 +209,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -250,7 +262,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -300,7 +315,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -350,7 +368,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -404,7 +425,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -455,7 +479,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -508,7 +535,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -565,7 +595,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -615,7 +648,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -665,6 +704,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json index fd36d938cfa..4caec2adf2d 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chat-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -95,7 +98,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -145,7 +151,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -202,6 +211,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json index be4e9edc547..f81d96a81f1 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-chromeos-test.json.log-expected.json @@ -55,7 +55,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -107,7 +110,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -165,7 +171,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -215,7 +224,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -264,7 +276,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -317,7 +332,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -369,7 +387,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -422,7 +443,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -471,7 +495,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -520,7 +547,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -571,7 +601,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -620,7 +653,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -669,7 +705,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -720,7 +759,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -773,7 +815,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -826,7 +871,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -880,7 +928,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -932,7 +983,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -981,7 +1035,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1031,7 +1088,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1085,6 +1145,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json index 7c057be7bfd..5db40eec65c 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-contacts-test.json.log-expected.json @@ -51,6 +51,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json index e38c013ed50..608736f7167 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-delegatedadmin-test.json.log-expected.json @@ -49,7 +49,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -99,7 +105,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -149,7 +158,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -200,7 +212,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -251,7 +266,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -301,7 +319,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -351,7 +372,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -403,6 +427,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json index 3d9032bcb6c..fd8de3b21d1 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-docs-test.json.log-expected.json @@ -49,7 +49,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -102,7 +108,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -159,6 +171,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json index aedc198aeec..65e1fe272a7 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-domain-test.json.log-expected.json @@ -47,7 +47,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -98,7 +101,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -148,7 +154,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -199,7 +208,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -248,7 +260,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -297,7 +312,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -346,7 +364,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -397,7 +418,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -447,7 +471,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -498,7 +525,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -548,7 +578,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -598,7 +631,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -648,7 +684,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -698,7 +737,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -749,7 +791,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -800,7 +845,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -851,7 +899,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -903,7 +954,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -957,7 +1011,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1007,7 +1064,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1058,7 +1118,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1108,7 +1171,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1158,7 +1224,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1210,7 +1279,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1263,7 +1335,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1314,7 +1389,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1366,7 +1444,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1417,7 +1498,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1466,7 +1550,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1517,7 +1604,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1566,7 +1656,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1617,7 +1710,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1669,7 +1765,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1720,7 +1819,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1769,7 +1871,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1818,7 +1923,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1869,7 +1977,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1920,7 +2031,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1970,7 +2084,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2020,7 +2137,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2071,7 +2191,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2120,7 +2243,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2169,7 +2295,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2220,7 +2349,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2271,7 +2403,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2322,7 +2457,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2373,7 +2511,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2424,7 +2565,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2472,7 +2616,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2523,7 +2670,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2574,7 +2724,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2625,7 +2778,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2675,7 +2831,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2724,7 +2883,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2775,7 +2937,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2826,7 +2994,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2877,7 +3048,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2926,7 +3100,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2975,7 +3152,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3026,7 +3206,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3077,7 +3260,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3130,7 +3316,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3181,7 +3370,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3232,7 +3424,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3283,7 +3478,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3335,7 +3533,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3385,7 +3586,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3435,7 +3639,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3486,7 +3693,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3536,7 +3746,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3585,7 +3798,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3634,7 +3850,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3683,7 +3902,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3732,7 +3954,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3782,7 +4007,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3833,7 +4061,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3883,7 +4114,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3933,7 +4167,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3983,7 +4220,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4033,7 +4273,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4083,7 +4326,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4134,7 +4380,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4184,7 +4433,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4232,7 +4484,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -4281,6 +4536,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json index 5d748bc3990..86bbb3cbcbb 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-gmail-test.json.log-expected.json @@ -47,7 +47,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -102,7 +105,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -155,7 +161,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -212,7 +224,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -265,7 +280,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -318,7 +336,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -371,7 +392,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -421,7 +445,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -471,6 +498,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json index d322acefbf9..d9c9e452f40 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-groups-test.json.log-expected.json @@ -49,7 +49,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -101,7 +104,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -153,7 +159,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -202,7 +211,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -256,7 +268,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -310,7 +330,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -366,7 +394,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -422,7 +458,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -478,7 +522,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -529,7 +581,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -578,7 +633,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -631,7 +689,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -686,7 +747,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -740,6 +804,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json index 9a6738eb30b..c4dd9cdd54c 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-licenses-test.json.log-expected.json @@ -48,7 +48,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -99,7 +102,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -151,7 +157,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -202,7 +214,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -255,7 +270,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -306,7 +327,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -358,7 +382,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -410,6 +440,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json index 436ec466cf4..099e46ceb46 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-mobile-test.json.log-expected.json @@ -52,7 +52,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -107,7 +113,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -158,7 +170,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -207,7 +222,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -257,7 +275,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -307,7 +328,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -357,7 +381,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -407,7 +434,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -462,7 +492,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -512,7 +545,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -564,7 +600,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -620,7 +659,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -672,7 +714,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -725,7 +770,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -778,7 +829,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -831,7 +888,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -884,7 +947,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -938,7 +1007,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -988,7 +1060,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1039,7 +1114,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1090,7 +1168,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1141,7 +1222,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1192,7 +1276,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1243,7 +1330,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1291,7 +1381,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1339,7 +1432,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1387,7 +1483,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1435,7 +1534,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1488,7 +1590,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1541,7 +1649,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1594,6 +1708,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json index cb63268bf24..efb0d4fefd7 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-org-test.json.log-expected.json @@ -48,7 +48,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -100,7 +103,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -151,7 +157,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -204,7 +213,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -253,7 +265,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -302,7 +317,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -351,7 +369,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -400,7 +421,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -449,7 +473,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -500,7 +527,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -549,7 +579,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -598,7 +631,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -647,7 +683,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -697,7 +736,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -747,7 +789,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -796,7 +841,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -851,6 +899,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json index d3e6ddbea99..38b52a4fde7 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-security-test.json.log-expected.json @@ -49,7 +49,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -100,7 +103,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -151,7 +157,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -205,7 +214,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -257,7 +269,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -309,7 +324,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -359,7 +377,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -414,7 +435,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -469,7 +493,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -524,7 +551,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -579,7 +609,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -633,7 +666,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -682,7 +718,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -732,7 +771,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -785,7 +827,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -834,7 +879,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -883,7 +931,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -938,7 +989,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -995,7 +1049,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1047,7 +1104,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1102,7 +1162,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1155,7 +1218,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1206,7 +1272,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1256,6 +1325,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json index aa6e0b98b67..23436a2de5f 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-sites-test.json.log-expected.json @@ -51,7 +51,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -105,7 +108,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -159,7 +165,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -211,7 +220,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -260,6 +272,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json index a04a9e8490b..0d31e53291c 100644 --- a/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/admin/test/admin-user-test.json.log-expected.json @@ -48,7 +48,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -99,7 +105,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -152,7 +164,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -204,7 +222,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -255,7 +279,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -306,7 +336,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -357,7 +393,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -408,7 +450,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -460,7 +508,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -512,7 +566,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -563,7 +623,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -615,7 +678,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -667,7 +736,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -721,7 +796,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -774,7 +855,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -827,7 +914,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -880,7 +973,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -933,7 +1032,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -986,7 +1091,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1039,7 +1150,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1092,7 +1209,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1145,7 +1268,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1198,7 +1327,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1249,7 +1384,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1300,7 +1441,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1353,7 +1500,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1406,7 +1559,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1465,7 +1624,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1518,7 +1683,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1570,7 +1741,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1622,7 +1799,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1674,7 +1857,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1726,7 +1915,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1779,7 +1974,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1831,7 +2032,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1884,7 +2091,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1936,7 +2149,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1988,7 +2207,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2040,7 +2265,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2092,7 +2323,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2143,7 +2380,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2196,7 +2439,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2244,7 +2493,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2295,7 +2547,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2346,7 +2604,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2397,7 +2661,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2454,7 +2724,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2506,7 +2782,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2557,7 +2839,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2608,7 +2896,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2659,7 +2953,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2711,7 +3011,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2763,7 +3069,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2814,7 +3126,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2865,7 +3183,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2916,7 +3240,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -2967,7 +3297,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3019,7 +3355,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3070,7 +3412,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3121,7 +3469,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3172,7 +3526,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3223,7 +3583,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3271,7 +3637,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3324,7 +3693,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3376,7 +3751,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3428,7 +3809,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3479,7 +3866,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3530,7 +3923,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3581,7 +3980,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3632,7 +4037,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3683,7 +4094,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3734,7 +4151,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3784,7 +4207,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -3835,6 +4261,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/config/common.js b/x-pack/filebeat/module/google_workspace/config/common.js index a031e4e26aa..d918512df4e 100644 --- a/x-pack/filebeat/module/google_workspace/config/common.js +++ b/x-pack/filebeat/module/google_workspace/config/common.js @@ -50,7 +50,10 @@ var googleWorkspace = (function () { return; } + evt.Put("user.id", evt.Get("source.user.id")); + evt.Put("user.name", data[0]); evt.Put("source.user.name", data[0]); + evt.Put("user.domain", data[1]); evt.Put("source.user.domain", data[1]); }; diff --git a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json index 7577f101f35..2cf11698199 100644 --- a/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/drive/test/drive-test.json.log-expected.json @@ -59,7 +59,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -121,7 +124,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -183,7 +189,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -245,7 +254,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -307,7 +319,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -367,7 +382,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -427,7 +445,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -487,7 +508,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -547,7 +571,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -607,7 +634,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -671,7 +701,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -731,7 +764,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -791,7 +827,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -853,7 +892,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -915,7 +957,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -975,7 +1020,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1035,7 +1083,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1095,7 +1146,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1155,7 +1209,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1215,7 +1272,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1276,7 +1336,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1342,7 +1405,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1409,7 +1475,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1476,7 +1545,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1543,7 +1615,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1610,7 +1685,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1672,7 +1750,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1740,6 +1821,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js b/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js index 7f91d9db844..5b3029af0f4 100644 --- a/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/groups/config/pipeline.js @@ -129,6 +129,17 @@ var groups = (function () { } evt.AppendTo("related.user", data[0]); + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.Put("user.target.email", email); + var groupName = evt.Get("group.name"); + if (groupName) { + evt.Put("user.target.group.name", groupName); + } + var groupDomain = evt.Get("group.domain"); + if (groupDomain) { + evt.Put("user.target.group.domain", groupDomain); + } }; var pipeline = new processor.Chain() diff --git a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json index 1a129341981..5faa1d30d53 100644 --- a/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/groups/test/groups-test.json.log-expected.json @@ -57,7 +57,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -110,7 +113,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -165,7 +171,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -218,7 +232,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -271,7 +288,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -327,7 +347,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -379,7 +402,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -431,7 +457,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -487,7 +516,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -542,7 +574,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -598,7 +633,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -653,7 +691,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -709,7 +750,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -765,7 +809,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -821,7 +868,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -877,7 +927,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -933,7 +986,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -989,7 +1045,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1045,7 +1109,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1101,7 +1173,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1156,7 +1236,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1211,7 +1299,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1266,7 +1362,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1321,7 +1425,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -1376,6 +1488,14 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/login/config/pipeline.js b/x-pack/filebeat/module/google_workspace/login/config/pipeline.js index 62b5b8a7542..9f9610393f1 100644 --- a/x-pack/filebeat/module/google_workspace/login/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/login/config/pipeline.js @@ -9,14 +9,17 @@ var login = (function () { evt.Put("event.category", ["authentication"]); switch (evt.Get("event.action")) { case "login_failure": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["start"]); evt.Put("event.outcome", "failure"); break; case "login_success": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["start"]); evt.Put("event.outcome", "success"); break; case "logout": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["end"]); break; case "account_disabled_generic": @@ -83,9 +86,25 @@ var login = (function () { evt.Delete("json.events.parameters"); }; + var addTargetUser = function(evt) { + var affectedEmail = evt.Get("google_workspace.login.affected_email_address"); + if (affectedEmail) { + evt.Put("user.target.email", affectedEmail); + var data = affectedEmail.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.AppendTo("related.user", data[0]); + } + }; + var pipeline = new processor.Chain() .Add(categorizeEvent) .Add(processParams) + .Add(addTargetUser) .Build(); return { diff --git a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json index 9e26d2af48b..48f7038df80 100644 --- a/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/login/test/login-test.json.log-expected.json @@ -47,7 +47,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -97,7 +103,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -147,7 +159,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -197,7 +215,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "elastic.co", + "user.target.email": "foo@elastic.co", + "user.target.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -245,13 +269,17 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_failure", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "google_workspace.login", "event.id": "1", @@ -297,7 +325,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -348,7 +379,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -400,13 +434,17 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "logout", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "google_workspace.login", "event.id": "1", @@ -449,13 +487,17 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_success", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "google_workspace.login", "event.id": "1", @@ -501,6 +543,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js b/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js index caf62937f7a..9a779f8dd88 100644 --- a/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js +++ b/x-pack/filebeat/module/google_workspace/saml/config/pipeline.js @@ -7,7 +7,7 @@ var saml = (function () { var categorizeEvent = function(evt) { evt.Put("event.type", ["start"]); - evt.Put("event.category", ["authentication"]); + evt.Put("event.category", ["authentication", "session"]); switch (evt.Get("event.action")) { case "login_failure": evt.Put("event.outcome", "failure"); diff --git a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json index ff3ef42e1c8..90f6463ce34 100644 --- a/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/saml/test/saml-test.json.log-expected.json @@ -3,7 +3,8 @@ "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_failure", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "google_workspace.saml", "event.id": "1", @@ -52,13 +53,17 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:01.000Z", "event.action": "login_success", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "google_workspace.saml", "event.id": "1", @@ -105,6 +110,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json index ed49851f291..cce07c42cf2 100644 --- a/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json +++ b/x-pack/filebeat/module/google_workspace/user_accounts/test/user_accounts-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -95,7 +98,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -144,7 +150,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -193,7 +202,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -242,7 +254,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -291,7 +306,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -340,7 +358,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "@timestamp": "2020-10-02T15:00:00.000Z", @@ -389,6 +410,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/config/config.yml b/x-pack/filebeat/module/gsuite/admin/config/config.yml index a0a3f17d8b7..12e3730dc93 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/config.yml +++ b/x-pack/filebeat/module/gsuite/admin/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js index 8302ec5a1e5..9fdaa12998e 100644 --- a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js @@ -422,6 +422,17 @@ var login = (function () { } evt.AppendTo("related.user", data[0]); + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.Put("user.target.email", email); + var groupName = evt.Get("group.name"); + if (groupName) { + evt.Put("user.target.group.name", groupName); + } + var groupDomain = evt.Get("group.domain"); + if (groupDomain) { + evt.Put("user.target.group.domain", groupDomain); + } }; var setEventDuration = function(evt) { diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json index e33c671e30b..83556673967 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json @@ -54,7 +54,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_APPLICATION_SETTING", @@ -110,7 +113,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_APPLICATION_SETTING", @@ -166,7 +172,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", @@ -220,7 +229,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "GPLUS_PREMIUM_FEATURES", @@ -270,7 +282,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_MANAGED_CONFIGURATION", @@ -319,7 +334,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_MANAGED_CONFIGURATION", @@ -368,7 +386,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_MANAGED_CONFIGURATION", @@ -418,7 +439,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", @@ -467,6 +491,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json index 110753ae98d..10e0ec1aac4 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_BUILDING", @@ -95,7 +98,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_BUILDING", @@ -147,7 +153,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_CALENDAR_RESOURCE", @@ -196,7 +205,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_CALENDAR_RESOURCE", @@ -245,7 +257,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", @@ -294,7 +309,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", @@ -343,7 +361,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", @@ -396,7 +417,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RENAME_CALENDAR_RESOURCE", @@ -446,7 +470,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_CALENDAR_RESOURCE", @@ -498,7 +525,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CALENDAR_SETTING", @@ -554,7 +584,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CANCEL_CALENDAR_EVENTS", @@ -603,7 +636,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "RELEASE_CALENDAR_RESOURCES", @@ -652,6 +691,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json index 0c7828946da..5fde8049c7c 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json @@ -45,7 +45,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MEET_INTEROP_DELETE_GATEWAY", @@ -93,7 +96,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MEET_INTEROP_MODIFY_GATEWAY", @@ -142,7 +148,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHAT_SETTING", @@ -198,6 +207,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json index e4a8b714110..4627a127b8f 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json @@ -54,7 +54,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DEVICE_STATE", @@ -105,7 +108,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", @@ -162,7 +168,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", @@ -211,7 +220,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", @@ -259,7 +271,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", @@ -311,7 +326,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", @@ -362,7 +380,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", @@ -414,7 +435,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "INSERT_CHROME_OS_PRINT_SERVER", @@ -462,7 +486,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_CHROME_OS_PRINT_SERVER", @@ -510,7 +537,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", @@ -560,7 +590,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "INSERT_CHROME_OS_PRINTER", @@ -608,7 +641,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_CHROME_OS_PRINTER", @@ -656,7 +692,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_CHROME_OS_PRINTER", @@ -706,7 +745,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_SETTING", @@ -758,7 +800,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CHROME_OS_USER_SETTING", @@ -810,7 +855,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ISSUE_DEVICE_COMMAND", @@ -863,7 +911,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", @@ -914,7 +965,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", @@ -962,7 +1016,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_DEVICE", @@ -1011,7 +1068,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CONTACTS_SETTING", @@ -1064,6 +1124,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json index 3f071102276..825e497e5a0 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json @@ -50,6 +50,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json index b5c6d47d8b3..01b558fdf49 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json @@ -48,7 +48,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CREATE_ROLE", @@ -97,7 +103,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_ROLE", @@ -146,7 +155,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_PRIVILEGE", @@ -196,7 +208,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_PRIVILEGE", @@ -246,7 +261,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RENAME_ROLE", @@ -295,7 +313,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_ROLE", @@ -344,7 +365,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UNASSIGN_ROLE", @@ -395,6 +419,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json index 311ecf3e237..da5410ee7d3 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json @@ -48,7 +48,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DRIVE_DATA_RESTORE", @@ -100,7 +106,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_DOCS_SETTING", @@ -156,6 +168,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json index ff5c3d1d2a5..05143097e3d 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_APPLICATION", @@ -96,7 +99,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_APPLICATION_TO_WHITELIST", @@ -145,7 +151,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_ADVERTISEMENT_OPTION", @@ -195,7 +204,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_ALERT", @@ -243,7 +255,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_ALERT_CRITERIA", @@ -291,7 +306,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_ALERT", @@ -339,7 +357,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ALERT_RECEIVERS_CHANGED", @@ -389,7 +410,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RENAME_ALERT", @@ -438,7 +462,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ALERT_STATUS_CHANGED", @@ -488,7 +515,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_DOMAIN_ALIAS", @@ -537,7 +567,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_DOMAIN_ALIAS", @@ -586,7 +619,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "SKIP_DOMAIN_ALIAS_MX", @@ -635,7 +671,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VERIFY_DOMAIN_ALIAS_MX", @@ -684,7 +723,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VERIFY_DOMAIN_ALIAS", @@ -734,7 +776,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", @@ -784,7 +829,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", @@ -834,7 +882,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENABLE_API_ACCESS", @@ -885,7 +936,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "AUTHORIZE_API_CLIENT_ACCESS", @@ -938,7 +992,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_API_CLIENT_ACCESS", @@ -987,7 +1044,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHROME_LICENSES_REDEEMED", @@ -1037,7 +1097,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", @@ -1086,7 +1149,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_PRIMARY_DOMAIN", @@ -1135,7 +1201,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_WHITELIST_SETTING", @@ -1186,7 +1255,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", @@ -1238,7 +1310,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", @@ -1288,7 +1363,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENABLE_FEEDBACK_SOLICITATION", @@ -1339,7 +1417,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_CONTACT_SHARING", @@ -1389,7 +1470,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", @@ -1437,7 +1521,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_USE_CUSTOM_LOGO", @@ -1487,7 +1574,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CUSTOM_LOGO", @@ -1535,7 +1625,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", @@ -1585,7 +1678,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", @@ -1636,7 +1732,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", @@ -1686,7 +1785,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", @@ -1734,7 +1836,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VIEW_DNS_LOGIN_DETAILS", @@ -1782,7 +1887,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", @@ -1832,7 +1940,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", @@ -1882,7 +1993,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DOMAIN_NAME", @@ -1931,7 +2045,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", @@ -1980,7 +2097,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", @@ -2030,7 +2150,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_TRUSTED_DOMAINS", @@ -2078,7 +2201,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_TRUSTED_DOMAINS", @@ -2126,7 +2252,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_EDU_TYPE", @@ -2176,7 +2305,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", @@ -2226,7 +2358,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_SSO_ENABLED", @@ -2276,7 +2411,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_SSL", @@ -2326,7 +2464,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", @@ -2376,7 +2517,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "GENERATE_TRANSFER_TOKEN", @@ -2423,7 +2567,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", @@ -2473,7 +2620,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_LOGIN_BORDER_COLOR", @@ -2523,7 +2673,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", @@ -2573,7 +2726,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "PLAY_FOR_WORK_ENROLL", @@ -2622,7 +2778,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "PLAY_FOR_WORK_UNENROLL", @@ -2670,7 +2829,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MX_RECORD_VERIFICATION_CLAIM", @@ -2720,7 +2882,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "TOGGLE_NEW_APP_FEATURES", @@ -2770,7 +2938,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", @@ -2820,7 +2991,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPLOAD_OAUTH_CERTIFICATE", @@ -2868,7 +3042,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", @@ -2916,7 +3093,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_OPEN_ID_ENABLED", @@ -2966,7 +3146,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_ORGANIZATION_NAME", @@ -3016,7 +3199,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_OUTBOUND_RELAY", @@ -3068,7 +3254,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_PASSWORD_MAX_LENGTH", @@ -3118,7 +3307,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_PASSWORD_MIN_LENGTH", @@ -3168,7 +3360,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", @@ -3218,7 +3413,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", @@ -3269,7 +3467,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_APPLICATION", @@ -3318,7 +3519,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", @@ -3367,7 +3571,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", @@ -3417,7 +3624,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_RESELLER_ACCESS", @@ -3466,7 +3676,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RULE_ACTIONS_CHANGED", @@ -3514,7 +3727,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_RULE", @@ -3562,7 +3778,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_RULE_CRITERIA", @@ -3610,7 +3829,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_RULE", @@ -3658,7 +3880,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RENAME_RULE", @@ -3707,7 +3932,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RULE_STATUS_CHANGED", @@ -3757,7 +3985,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_SECONDARY_DOMAIN", @@ -3806,7 +4037,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_SECONDARY_DOMAIN", @@ -3855,7 +4089,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "SKIP_SECONDARY_DOMAIN_MX", @@ -3904,7 +4141,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VERIFY_SECONDARY_DOMAIN_MX", @@ -3953,7 +4193,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VERIFY_SECONDARY_DOMAIN", @@ -4002,7 +4245,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", @@ -4052,7 +4298,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_SSO_SETTINGS", @@ -4101,7 +4350,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "GENERATE_PIN", @@ -4148,7 +4400,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_RULE", @@ -4196,6 +4451,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json index 1db80ed600b..ab2ea5b15fa 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "EMAIL_LOG_SEARCH", @@ -100,7 +103,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "EMAIL_UNDELETE", @@ -152,7 +158,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_EMAIL_SETTING", @@ -208,7 +220,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_GMAIL_SETTING", @@ -260,7 +275,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_GMAIL_SETTING", @@ -312,7 +330,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_GMAIL_SETTING", @@ -364,7 +385,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REJECT_FROM_QUARANTINE", @@ -413,7 +437,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "RELEASE_FROM_QUARANTINE", @@ -462,6 +489,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json index ff894cd6c05..b8d46167531 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json @@ -48,7 +48,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_GROUP", @@ -99,7 +102,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_GROUP_DESCRIPTION", @@ -150,7 +156,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "GROUP_LIST_DOWNLOAD", @@ -198,7 +207,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_GROUP_MEMBER", @@ -251,7 +263,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "REMOVE_GROUP_MEMBER", @@ -304,7 +324,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "UPDATE_GROUP_MEMBER", @@ -359,7 +387,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", @@ -414,7 +450,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", @@ -469,7 +513,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "GROUP_MEMBER_BULK_UPLOAD", @@ -519,7 +571,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "GROUP_MEMBERS_DOWNLOAD", @@ -567,7 +622,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_GROUP_NAME", @@ -619,7 +677,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_GROUP_SETTING", @@ -673,7 +734,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "WHITELISTED_GROUPS_UPDATED", @@ -726,6 +790,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json index 1fd3a0da6e2..2f36dd24262 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json @@ -47,7 +47,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", @@ -97,7 +100,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USER_LICENSE_ASSIGNMENT", @@ -148,7 +154,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", @@ -198,7 +210,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USER_LICENSE_REASSIGNMENT", @@ -250,7 +265,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ORG_LICENSE_REVOKE", @@ -300,7 +321,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USER_LICENSE_REVOKE", @@ -351,7 +375,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UPDATE_DYNAMIC_LICENSE", @@ -402,6 +432,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json index 10f080230c4..7b41064d5a8 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json @@ -51,7 +51,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ACTION_REQUESTED", @@ -105,7 +111,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ADD_MOBILE_CERTIFICATE", @@ -155,7 +167,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMPANY_DEVICES_BULK_CREATION", @@ -203,7 +218,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", @@ -252,7 +270,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMPANY_DEVICE_DELETION", @@ -301,7 +322,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", @@ -350,7 +374,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "COMPANY_OWNED_DEVICE_WIPED", @@ -399,7 +426,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", @@ -453,7 +483,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", @@ -502,7 +535,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", @@ -553,7 +589,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", @@ -608,7 +647,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", @@ -659,7 +701,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MOBILE_DEVICE_APPROVE", @@ -711,7 +756,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MOBILE_DEVICE_BLOCK", @@ -763,7 +814,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MOBILE_DEVICE_DELETE", @@ -815,7 +872,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MOBILE_DEVICE_WIPE", @@ -867,7 +930,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_MOBILE_SETTING", @@ -920,7 +989,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", @@ -969,7 +1041,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", @@ -1019,7 +1094,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_MOBILE_WIRELESS_NETWORK", @@ -1069,7 +1147,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", @@ -1119,7 +1200,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", @@ -1169,7 +1253,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_MOBILE_CERTIFICATE", @@ -1219,7 +1306,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", @@ -1266,7 +1356,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", @@ -1313,7 +1406,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", @@ -1360,7 +1456,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", @@ -1407,7 +1506,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MOBILE_ACCOUNT_WIPE", @@ -1459,7 +1561,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", @@ -1511,7 +1619,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", @@ -1563,6 +1677,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json index b4cdd02f0bd..854d75f96fd 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json @@ -47,7 +47,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", @@ -98,7 +101,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", @@ -148,7 +154,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", @@ -200,7 +209,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", @@ -248,7 +260,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ASSIGN_CUSTOM_LOGO", @@ -296,7 +311,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UNASSIGN_CUSTOM_LOGO", @@ -344,7 +362,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_ENROLLMENT_TOKEN", @@ -392,7 +413,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REVOKE_ENROLLMENT_TOKEN", @@ -440,7 +464,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHROME_LICENSES_ALLOWED", @@ -490,7 +517,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CREATE_ORG_UNIT", @@ -538,7 +568,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_ORG_UNIT", @@ -586,7 +619,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "EDIT_ORG_UNIT_DESCRIPTION", @@ -634,7 +670,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MOVE_ORG_UNIT", @@ -683,7 +722,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "EDIT_ORG_UNIT_NAME", @@ -732,7 +774,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", @@ -780,7 +825,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_SERVICE_ENABLED", @@ -834,6 +882,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json index d08d68f872e..609025f9137 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json @@ -48,7 +48,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", @@ -98,7 +101,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", @@ -148,7 +154,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", @@ -201,7 +210,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", @@ -252,7 +264,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", @@ -303,7 +318,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "BLOCK_ON_DEVICE_ACCESS", @@ -352,7 +370,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", @@ -406,7 +427,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", @@ -460,7 +484,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", @@ -514,7 +541,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", @@ -568,7 +598,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", @@ -621,7 +654,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TOGGLE_CAA_ENABLEMENT", @@ -669,7 +705,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CAA_ERROR_MESSAGE", @@ -718,7 +757,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", @@ -770,7 +812,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", @@ -818,7 +863,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", @@ -866,7 +914,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", @@ -920,7 +971,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "ENFORCE_STRONG_AUTHENTICATION", @@ -976,7 +1030,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", @@ -1027,7 +1084,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", @@ -1081,7 +1141,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", @@ -1133,7 +1196,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_SESSION_LENGTH", @@ -1183,7 +1249,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "UNBLOCK_ON_DEVICE_ACCESS", @@ -1232,6 +1301,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json index 8847953dbf3..6d7d3e37714 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json @@ -50,7 +50,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "DELETE_WEB_ADDRESS", @@ -103,7 +106,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_SITES_SETTING", @@ -156,7 +162,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", @@ -207,7 +216,10 @@ "forwarded" ], "url.full": "http://example.com/path/in/url", - "url.path": "/path/in/url" + "url.path": "/path/in/url", + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "VIEW_SITE_DETAILS", @@ -255,6 +267,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json index b3be5557b03..832cbfc26b7 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json @@ -47,7 +47,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "GENERATE_2SV_SCRATCH_CODES", @@ -97,7 +103,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REVOKE_3LO_DEVICE_TOKENS", @@ -149,7 +161,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REVOKE_3LO_TOKEN", @@ -200,7 +218,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ADD_RECOVERY_EMAIL", @@ -250,7 +274,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ADD_RECOVERY_PHONE", @@ -300,7 +330,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "GRANT_ADMIN_PRIVILEGE", @@ -350,7 +386,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REVOKE_ADMIN_PRIVILEGE", @@ -400,7 +442,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REVOKE_ASP", @@ -451,7 +499,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", @@ -502,7 +556,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "BULK_UPLOAD", @@ -552,7 +612,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", @@ -603,7 +666,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CANCEL_USER_INVITE", @@ -654,7 +723,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_CUSTOM_FIELD", @@ -707,7 +782,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_EXTERNAL_ID", @@ -759,7 +840,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_GENDER", @@ -811,7 +898,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_IM", @@ -863,7 +956,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ENABLE_USER_IP_WHITELIST", @@ -915,7 +1014,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_KEYWORD", @@ -967,7 +1072,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_LANGUAGE", @@ -1019,7 +1130,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_LOCATION", @@ -1071,7 +1188,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_ORGANIZATION", @@ -1123,7 +1246,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_PHONE_NUMBER", @@ -1175,7 +1304,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_RECOVERY_EMAIL", @@ -1225,7 +1360,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_RECOVERY_PHONE", @@ -1275,7 +1416,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_RELATION", @@ -1327,7 +1474,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_USER_ADDRESS", @@ -1379,7 +1532,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CREATE_EMAIL_MONITOR", @@ -1437,7 +1596,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CREATE_DATA_TRANSFER_REQUEST", @@ -1489,7 +1654,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", @@ -1540,7 +1711,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DELETE_ACCOUNT_INFO_DUMP", @@ -1591,7 +1768,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DELETE_EMAIL_MONITOR", @@ -1642,7 +1825,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DELETE_MAILBOX_DUMP", @@ -1693,7 +1882,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_FIRST_NAME", @@ -1745,7 +1940,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "GMAIL_RESET_USER", @@ -1796,7 +1997,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_LAST_NAME", @@ -1848,7 +2055,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MAIL_ROUTING_DESTINATION_ADDED", @@ -1899,7 +2112,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", @@ -1950,7 +2169,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ADD_NICKNAME", @@ -2001,7 +2226,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REMOVE_NICKNAME", @@ -2052,7 +2283,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_PASSWORD", @@ -2102,7 +2339,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", @@ -2154,7 +2397,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DOWNLOAD_PENDING_INVITES_LIST", @@ -2201,7 +2450,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "REMOVE_RECOVERY_EMAIL", @@ -2251,7 +2503,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REMOVE_RECOVERY_PHONE", @@ -2301,7 +2559,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REQUEST_ACCOUNT_INFO", @@ -2351,7 +2615,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REQUEST_MAILBOX_DUMP", @@ -2407,7 +2677,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "RESEND_USER_INVITE", @@ -2458,7 +2734,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "RESET_SIGNIN_COOKIES", @@ -2508,7 +2790,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", @@ -2558,7 +2846,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "REVOKE_SECURITY_KEY", @@ -2608,7 +2902,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "USER_INVITE", @@ -2659,7 +2959,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "VIEW_TEMP_PASSWORD", @@ -2710,7 +3016,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "TURN_OFF_2_STEP_VERIFICATION", @@ -2760,7 +3072,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNBLOCK_USER_SESSION", @@ -2810,7 +3128,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNENROLL_USER_FROM_TITANIUM", @@ -2860,7 +3184,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "ARCHIVE_USER", @@ -2910,7 +3240,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UPDATE_BIRTHDATE", @@ -2961,7 +3297,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "CREATE_USER", @@ -3011,7 +3353,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DELETE_USER", @@ -3061,7 +3409,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DOWNGRADE_USER_FROM_GPLUS", @@ -3111,7 +3465,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", @@ -3161,7 +3521,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "DOWNLOAD_USERLIST_CSV", @@ -3208,7 +3574,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "MOVE_USER_TO_ORG_UNIT", @@ -3260,7 +3629,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", @@ -3311,7 +3686,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "RENAME_USER", @@ -3362,7 +3743,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", @@ -3412,7 +3799,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "SUSPEND_USER", @@ -3462,7 +3855,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNARCHIVE_USER", @@ -3512,7 +3911,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNDELETE_USER", @@ -3562,7 +3967,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UNSUSPEND_USER", @@ -3612,7 +4023,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "UPGRADE_USER_TO_GPLUS", @@ -3662,7 +4079,13 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" }, { "event.action": "USERS_BULK_UPLOAD", @@ -3711,7 +4134,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", @@ -3761,6 +4187,12 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/config/common.js b/x-pack/filebeat/module/gsuite/config/common.js index 2867ee518f8..64ce7b0620f 100644 --- a/x-pack/filebeat/module/gsuite/config/common.js +++ b/x-pack/filebeat/module/gsuite/config/common.js @@ -50,7 +50,10 @@ var gsuite = (function () { return; } + evt.Put("user.id", evt.Get("source.user.id")); + evt.Put("user.name", data[0]); evt.Put("source.user.name", data[0]); + evt.Put("user.domain", data[1]); evt.Put("source.user.domain", data[1]); }; diff --git a/x-pack/filebeat/module/gsuite/drive/config/config.yml b/x-pack/filebeat/module/gsuite/drive/config/config.yml index 1bbe63a6574..80583ee31b6 100644 --- a/x-pack/filebeat/module/gsuite/drive/config/config.yml +++ b/x-pack/filebeat/module/gsuite/drive/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json index 77b16b9e929..07868860ee6 100644 --- a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json @@ -58,7 +58,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "approval_canceled", @@ -119,7 +122,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "approval_comment_added", @@ -180,7 +186,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "approval_requested", @@ -241,7 +250,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "approval_reviewer_responded", @@ -302,7 +314,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "create", @@ -361,7 +376,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "delete", @@ -420,7 +438,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "download", @@ -479,7 +500,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "edit", @@ -538,7 +562,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "add_lock", @@ -597,7 +624,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "move", @@ -660,7 +690,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "preview", @@ -719,7 +752,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "print", @@ -778,7 +814,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "remove_from_folder", @@ -839,7 +878,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "rename", @@ -900,7 +942,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "untrash", @@ -959,7 +1004,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "sheets_import_range", @@ -1018,7 +1066,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "trash", @@ -1077,7 +1128,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "remove_lock", @@ -1136,7 +1190,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "upload", @@ -1195,7 +1252,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "view", @@ -1255,7 +1315,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_acl_editors", @@ -1320,7 +1383,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_document_access_scope", @@ -1386,7 +1452,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_document_visibility", @@ -1452,7 +1521,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "shared_drive_membership_change", @@ -1518,7 +1590,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "shared_drive_settings_change", @@ -1584,7 +1659,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "sheets_import_range_access_change", @@ -1645,7 +1723,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_user_access", @@ -1712,6 +1793,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/groups/config/config.yml b/x-pack/filebeat/module/gsuite/groups/config/config.yml index c0034e6af7a..75482518477 100644 --- a/x-pack/filebeat/module/gsuite/groups/config/config.yml +++ b/x-pack/filebeat/module/gsuite/groups/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js index 21f859a13e6..a0144435049 100644 --- a/x-pack/filebeat/module/gsuite/groups/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/groups/config/pipeline.js @@ -129,6 +129,17 @@ var groups = (function () { } evt.AppendTo("related.user", data[0]); + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.Put("user.target.email", email); + var groupName = evt.Get("group.name"); + if (groupName) { + evt.Put("user.target.group.name", groupName); + } + var groupDomain = evt.Get("group.domain"); + if (groupDomain) { + evt.Put("user.target.group.domain", groupDomain); + } }; var pipeline = new processor.Chain() diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json index b99c77b57a5..2e43310ea93 100644 --- a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json @@ -56,7 +56,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "accept_invitation", @@ -108,7 +111,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "approve_join_request", @@ -162,7 +168,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "join", @@ -214,7 +228,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "request_to_join", @@ -266,7 +283,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_basic_setting", @@ -321,7 +341,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "create_group", @@ -372,7 +395,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "delete_group", @@ -423,7 +449,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_identity_setting", @@ -478,7 +507,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "add_info_setting", @@ -532,7 +564,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_info_setting", @@ -587,7 +622,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "remove_info_setting", @@ -641,7 +679,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_new_members_restrictions_setting", @@ -696,7 +737,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_post_replies_setting", @@ -751,7 +795,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_spam_moderation_setting", @@ -806,7 +853,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "change_topic_setting", @@ -861,7 +911,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "moderate_message", @@ -916,7 +969,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "always_post_from_user", @@ -971,7 +1027,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "add_user", @@ -1026,7 +1090,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "ban_user_with_moderation", @@ -1081,7 +1153,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "revoke_invitation", @@ -1135,7 +1215,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "invite_user", @@ -1189,7 +1277,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "reject_join_request", @@ -1243,7 +1339,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "reinvite_user", @@ -1297,7 +1401,15 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" }, { "event.action": "remove_user", @@ -1351,6 +1463,14 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo", + "user.target.domain": "example.com", + "user.target.email": "user@example.com", + "user.target.group.domain": "example.com", + "user.target.group.name": "group", + "user.target.name": "user" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/login/config/config.yml b/x-pack/filebeat/module/gsuite/login/config/config.yml index 41606ccb83c..ab40715bd4a 100644 --- a/x-pack/filebeat/module/gsuite/login/config/config.yml +++ b/x-pack/filebeat/module/gsuite/login/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/login/config/pipeline.js b/x-pack/filebeat/module/gsuite/login/config/pipeline.js index 13c155661a0..0fb518b351d 100644 --- a/x-pack/filebeat/module/gsuite/login/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/login/config/pipeline.js @@ -9,14 +9,17 @@ var login = (function () { evt.Put("event.category", ["authentication"]); switch (evt.Get("event.action")) { case "login_failure": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["start"]); evt.Put("event.outcome", "failure"); break; case "login_success": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["start"]); evt.Put("event.outcome", "success"); break; case "logout": + evt.AppendTo("event.category", "session"); evt.Put("event.type", ["end"]); break; case "account_disabled_generic": @@ -83,9 +86,25 @@ var login = (function () { evt.Delete("json.events.parameters"); }; + var addTargetUser = function(evt) { + var affectedEmail = evt.Get("google_workspace.login.affected_email_address"); + if (affectedEmail) { + evt.Put("user.target.email", affectedEmail); + var data = affectedEmail.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("user.target.name", data[0]); + evt.Put("user.target.domain", data[1]); + evt.AppendTo("related.user", data[0]); + } + }; + var pipeline = new processor.Chain() .Add(categorizeEvent) .Add(processParams) + .Add(addTargetUser) .Build(); return { diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json index 287e6245a25..261bf54dbf6 100644 --- a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json @@ -46,7 +46,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "account_disabled_generic", @@ -95,7 +98,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "account_disabled_spamming_through_relay", @@ -144,7 +150,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "account_disabled_spamming", @@ -193,7 +202,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "gov_attack_warning", @@ -240,12 +252,16 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "login_failure", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "gsuite.login", "event.id": "1", @@ -291,7 +307,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "login_challenge", @@ -341,7 +360,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "login_verification", @@ -392,12 +414,16 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "logout", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "gsuite.login", "event.id": "1", @@ -440,12 +466,16 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "login_success", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "gsuite.login", "event.id": "1", @@ -491,6 +521,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/saml/config/config.yml b/x-pack/filebeat/module/gsuite/saml/config/config.yml index e7d9992f045..62f1e7d9f4e 100644 --- a/x-pack/filebeat/module/gsuite/saml/config/config.yml +++ b/x-pack/filebeat/module/gsuite/saml/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/saml/config/pipeline.js b/x-pack/filebeat/module/gsuite/saml/config/pipeline.js index 3ad58062823..2011e6d437b 100644 --- a/x-pack/filebeat/module/gsuite/saml/config/pipeline.js +++ b/x-pack/filebeat/module/gsuite/saml/config/pipeline.js @@ -7,7 +7,7 @@ var saml = (function () { var categorizeEvent = function(evt) { evt.Put("event.type", ["start"]); - evt.Put("event.category", ["authentication"]); + evt.Put("event.category", ["authentication", "session"]); switch (evt.Get("event.action")) { case "login_failure": evt.Put("event.outcome", "failure"); diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json index 6dd2d0216b0..850766be83d 100644 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json @@ -2,7 +2,8 @@ { "event.action": "login_failure", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "gsuite.saml", "event.id": "1", @@ -51,12 +52,16 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "login_success", "event.category": [ - "authentication" + "authentication", + "session" ], "event.dataset": "gsuite.saml", "event.id": "1", @@ -103,6 +108,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml index 09cba1a7fd2..c6aa5ded144 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml +++ b/x-pack/filebeat/module/gsuite/user_accounts/config/config.yml @@ -39,7 +39,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 - script: lang: javascript id: gsuite-common diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json index 689aad5cde2..5943488f324 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json @@ -45,7 +45,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "2sv_enroll", @@ -93,7 +96,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "password_edit", @@ -141,7 +147,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "recovery_email_edit", @@ -189,7 +198,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "recovery_phone_edit", @@ -237,7 +249,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "recovery_secret_qa_edit", @@ -285,7 +300,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "titanium_enroll", @@ -333,7 +351,10 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" }, { "event.action": "titanium_unenroll", @@ -381,6 +402,9 @@ "source.user.name": "foo", "tags": [ "forwarded" - ] + ], + "user.domain": "bar.com", + "user.id": "1", + "user.name": "foo" } ] \ No newline at end of file