From ad56de563611c0dfbc9732fe2429bddc57ffb6aa Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Tue, 14 Jul 2020 22:58:45 +0200 Subject: [PATCH] [Filebeat][Gsuite] Adds Admin audit Fileset (#19769) * Add application settings * Add calendar settings * Add chat settings * Add chrome os settings * Add contacts settings * Add delegated admin settings * Add drive * Add sites * Add licences settings * Add groups settings * Add gmail settings * Add org settings * Add security settings and split test files * Add domain settings * Add user settings * Add mobile settings * Add CHANGELOG entry * Generate fields.go --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 748 +++ filebeat/docs/modules/gsuite.asciidoc | 1 + x-pack/filebeat/filebeat.reference.yml | 8 + .../filebeat/module/gsuite/_meta/config.yml | 8 + .../module/gsuite/_meta/docs.asciidoc | 1 + .../module/gsuite/admin/_meta/fields.yml | 271 ++ .../module/gsuite/admin/config/config.yml | 50 + .../module/gsuite/admin/config/pipeline.js | 922 ++++ .../filebeat/module/gsuite/admin/manifest.yml | 24 + .../gsuite-admin-application-test.json.log | 9 + ...in-application-test.json.log-expected.json | 466 ++ .../test/gsuite-admin-calendar-test.json.log | 13 + ...admin-calendar-test.json.log-expected.json | 655 +++ .../test/gsuite-admin-chat-test.json.log | 4 + ...ite-admin-chat-test.json.log-expected.json | 201 + .../test/gsuite-admin-chromeos-test.json.log | 21 + ...admin-chromeos-test.json.log-expected.json | 1062 +++++ .../test/gsuite-admin-contacts-test.json.log | 1 + ...admin-contacts-test.json.log-expected.json | 54 + .../gsuite-admin-delegatedadmin-test.json.log | 8 + ...delegatedadmin-test.json.log-expected.json | 400 ++ .../test/gsuite-admin-docs-test.json.log | 3 + ...ite-admin-docs-test.json.log-expected.json | 160 + .../test/gsuite-admin-domain-test.json.log | 85 + ...e-admin-domain-test.json.log-expected.json | 4183 +++++++++++++++++ .../test/gsuite-admin-gmail-test.json.log | 9 + ...te-admin-gmail-test.json.log-expected.json | 463 ++ 
.../test/gsuite-admin-groups-test.json.log | 14 + ...e-admin-groups-test.json.log-expected.json | 731 +++ .../test/gsuite-admin-licenses-test.json.log | 8 + ...admin-licenses-test.json.log-expected.json | 407 ++ .../test/gsuite-admin-mobile-test.json.log | 31 + ...e-admin-mobile-test.json.log-expected.json | 1566 ++++++ .../admin/test/gsuite-admin-org-test.json.log | 17 + ...uite-admin-org-test.json.log-expected.json | 839 ++++ .../test/gsuite-admin-security-test.json.log | 24 + ...admin-security-test.json.log-expected.json | 1222 +++++ .../test/gsuite-admin-sites-test.json.log | 5 + ...te-admin-sites-test.json.log-expected.json | 258 + .../test/gsuite-admin-user-test.json.log | 74 + ...ite-admin-user-test.json.log-expected.json | 3766 +++++++++++++++ x-pack/filebeat/module/gsuite/fields.go | 2 +- x-pack/filebeat/modules.d/gsuite.yml.disabled | 8 + 44 files changed, 18802 insertions(+), 1 deletion(-) create mode 100644 x-pack/filebeat/module/gsuite/admin/_meta/fields.yml create mode 100644 x-pack/filebeat/module/gsuite/admin/config/config.yml create mode 100644 x-pack/filebeat/module/gsuite/admin/config/pipeline.js create mode 100644 x-pack/filebeat/module/gsuite/admin/manifest.yml create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log create mode 100644 
x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json create mode 100644 
x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log
create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log
create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log
create mode 100644 x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index ee796c027f1..091dcab8f35 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -57,6 +57,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Adds Gsuite module with SAML support. {pull}19329[19329]
 - Adds Gsuite User Accounts support. {pull}19329[19329]
 - Adds Gsuite Login audit support. {pull}19702[19702]
+- Adds Gsuite Admin support. {pull}19769[19769]
 *Heartbeat*
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 685401feb3f..3724fb42503 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -61465,6 +61465,754 @@ type: keyword -- +*`gsuite.admin.application.edition`*:: ++ +-- +The GSuite edition. + +type: keyword + +-- + +*`gsuite.admin.application.name`*:: ++ +-- +The application's name. + +type: keyword + +-- + +*`gsuite.admin.application.enabled`*:: ++ +-- +The enabled application. + +type: keyword + +-- + +*`gsuite.admin.application.licences_order_number`*:: ++ +-- +Order number used to redeem licenses. + +type: keyword + +-- + +*`gsuite.admin.application.licences_purchased`*:: ++ +-- +Number of licences purchased. + +type: keyword + +-- + +*`gsuite.admin.application.id`*:: ++ +-- +The application ID. + +type: keyword + +-- + +*`gsuite.admin.application.asp_id`*:: ++ +-- +The application specific password ID. + +type: keyword + +-- + +*`gsuite.admin.application.package_id`*:: ++ +-- +The mobile application package ID. + +type: keyword + +-- + +*`gsuite.admin.group.email`*:: ++ +-- +The group's primary email address. + +type: keyword + +-- + +*`gsuite.admin.new_value`*:: ++ +-- +The new value for the setting. + +type: keyword + +-- + +*`gsuite.admin.old_value`*:: ++ +-- +The old value for the setting. + +type: keyword + +-- + +*`gsuite.admin.org_unit.name`*:: ++ +-- +The organizational unit name. + +type: keyword + +-- + +*`gsuite.admin.org_unit.full`*:: ++ +-- +The org unit full path including the root org unit name. + +type: keyword + +-- + +*`gsuite.admin.setting.name`*:: ++ +-- +The setting name. + +type: keyword + +-- + +*`gsuite.admin.user_defined_setting.name`*:: ++ +-- +The name of the user-defined setting. + +type: keyword + +-- + +*`gsuite.admin.setting.description`*:: ++ +-- +The setting name. + +type: keyword + +-- + +*`gsuite.admin.group.priorities`*:: ++ +-- +Group priorities. + +type: keyword + +-- + +*`gsuite.admin.domain.alias`*:: ++ +-- +The domain alias. + +type: keyword + +-- + +*`gsuite.admin.domain.name`*:: ++ +-- +The primary domain name. 
+ +type: keyword + +-- + +*`gsuite.admin.domain.secondary_name`*:: ++ +-- +The secondary domain name. + +type: keyword + +-- + +*`gsuite.admin.managed_configuration`*:: ++ +-- +The name of the managed configuration. + +type: keyword + +-- + +*`gsuite.admin.non_featured_services_selection`*:: ++ +-- +Non-featured services selection. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED + + +type: keyword + +-- + +*`gsuite.admin.field`*:: ++ +-- +The name of the field. + +type: keyword + +-- + +*`gsuite.admin.resource.id`*:: ++ +-- +The name of the resource identifier. + +type: keyword + +-- + +*`gsuite.admin.user.email`*:: ++ +-- +The user's primary email address. + +type: keyword + +-- + +*`gsuite.admin.user.nickname`*:: ++ +-- +The user's nickname. + +type: keyword + +-- + +*`gsuite.admin.user.birthdate`*:: ++ +-- +The user's birth date. + +type: date + +-- + +*`gsuite.admin.gateway.name`*:: ++ +-- +Gateway name. Present on some chat settings. + +type: keyword + +-- + +*`gsuite.admin.chrome_os.session_type`*:: ++ +-- +Chrome OS session type. + +type: keyword + +-- + +*`gsuite.admin.device.serial_number`*:: ++ +-- +Device serial number. + +type: keyword + +-- + +*`gsuite.admin.device.id`*:: ++ +-- +type: keyword + +-- + +*`gsuite.admin.device.type`*:: ++ +-- +Device type. + +type: keyword + +-- + +*`gsuite.admin.print_server.name`*:: ++ +-- +The name of the print server. + +type: keyword + +-- + +*`gsuite.admin.printer.name`*:: ++ +-- +The name of the printer. + +type: keyword + +-- + +*`gsuite.admin.device.command_details`*:: ++ +-- +Command details. + +type: keyword + +-- + +*`gsuite.admin.role.id`*:: ++ +-- +Unique identifier for this role privilege. + +type: keyword + +-- + +*`gsuite.admin.role.name`*:: ++ +-- +The role name. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings + + +type: keyword + +-- + +*`gsuite.admin.privilege.name`*:: ++ +-- +Privilege name. + +type: keyword + +-- + +*`gsuite.admin.service.name`*:: ++ +-- +The service name. + +type: keyword + +-- + +*`gsuite.admin.url.name`*:: ++ +-- +The website name. + +type: keyword + +-- + +*`gsuite.admin.product.name`*:: ++ +-- +The product name. + +type: keyword + +-- + +*`gsuite.admin.product.sku`*:: ++ +-- +The product SKU. + +type: keyword + +-- + +*`gsuite.admin.bulk_upload.failed`*:: ++ +-- +Number of failed records in bulk upload operation. + +type: long + +-- + +*`gsuite.admin.bulk_upload.total`*:: ++ +-- +Number of total records in bulk upload operation. + +type: long + +-- + +*`gsuite.admin.group.allowed_list`*:: ++ +-- +Names of allow-listed groups. + +type: keyword + +-- + +*`gsuite.admin.email.quarantine_name`*:: ++ +-- +The name of the quarantine. + +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.message_id`*:: ++ +-- +The log search filter's email message ID. + +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.start_date`*:: ++ +-- +The log search filter's start date. + +type: date + +-- + +*`gsuite.admin.email.log_search_filter.end_date`*:: ++ +-- +The log search filter's ending date. + +type: date + +-- + +*`gsuite.admin.email.log_search_filter.recipient.value`*:: ++ +-- +The log search filter's email recipient. + +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.sender.value`*:: ++ +-- +The log search filter's email sender. + +type: keyword + +-- + +*`gsuite.admin.email.log_search_filter.recipient.ip`*:: ++ +-- +The log search filter's email recipient's IP address. + +type: ip + +-- + +*`gsuite.admin.email.log_search_filter.sender.ip`*:: ++ +-- +The log search filter's email sender's IP address. + +type: ip + +-- + +*`gsuite.admin.chrome_licenses.enabled`*:: ++ +-- +Licences enabled. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + + +type: keyword + +-- + +*`gsuite.admin.chrome_licenses.allowed`*:: ++ +-- +Licences enabled. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings + + +type: keyword + +-- + +*`gsuite.admin.oauth2.service.name`*:: ++ +-- +OAuth2 service name. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + + +type: keyword + +-- + +*`gsuite.admin.oauth2.application.id`*:: ++ +-- +OAuth2 application ID. + +type: keyword + +-- + +*`gsuite.admin.oauth2.application.name`*:: ++ +-- +OAuth2 application name. + +type: keyword + +-- + +*`gsuite.admin.oauth2.application.type`*:: ++ +-- +OAuth2 application type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings + + +type: keyword + +-- + +*`gsuite.admin.verification_method`*:: ++ +-- +Related verification method. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + + +type: keyword + +-- + +*`gsuite.admin.alert.name`*:: ++ +-- +The alert name. + +type: keyword + +-- + +*`gsuite.admin.rule.name`*:: ++ +-- +The rule name. + +type: keyword + +-- + +*`gsuite.admin.api.client.name`*:: ++ +-- +The API client name. + +type: keyword + +-- + +*`gsuite.admin.api.scopes`*:: ++ +-- +The API scopes. + +type: keyword + +-- + +*`gsuite.admin.mdm.token`*:: ++ +-- +The MDM vendor enrollment token. + +type: keyword + +-- + +*`gsuite.admin.mdm.vendor`*:: ++ +-- +The MDM vendor's name. + +type: keyword + +-- + +*`gsuite.admin.info_type`*:: ++ +-- +This will be used to state what kind of information was changed. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings + + +type: keyword + +-- + +*`gsuite.admin.email_monitor.dest_email`*:: ++ +-- +The destination address of the email monitor. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.chat`*:: ++ +-- +The chat email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.draft`*:: ++ +-- +The draft email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.incoming`*:: ++ +-- +The incoming email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_monitor.level.outgoing`*:: ++ +-- +The outgoing email monitor level. + +type: keyword + +-- + +*`gsuite.admin.email_dump.include_deleted`*:: ++ +-- +Indicates if deleted emails are included in the export. + +type: boolean + +-- + +*`gsuite.admin.email_dump.package_content`*:: ++ +-- +The contents of the mailbox package. + +type: keyword + +-- + +*`gsuite.admin.email_dump.query`*:: ++ +-- +The search query used for the dump. + +type: keyword + +-- + +*`gsuite.admin.request.id`*:: ++ +-- +The request ID. + +type: keyword + +-- + +*`gsuite.admin.mobile.action.id`*:: ++ +-- +The mobile device action's ID. + +type: keyword + +-- + +*`gsuite.admin.mobile.action.type`*:: ++ +-- +The mobile device action's type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + + +type: keyword + +-- + +*`gsuite.admin.mobile.certificate.name`*:: ++ +-- +The mobile certificate common name. + +type: keyword + +-- + +*`gsuite.admin.mobile.company_owned_devices`*:: ++ +-- +The number of devices a company owns. + +type: long + +-- + +*`gsuite.admin.distribution.entity.name`*:: ++ +-- +The distribution entity value, which can be a group name or an org-unit name. 
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + +type: keyword + +-- + +*`gsuite.admin.distribution.entity.type`*:: ++ +-- +The distribution entity type, which can be a group or an org-unit. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings + +type: keyword + +-- + + *`gsuite.login.affected_email_address`*:: + --
diff --git a/filebeat/docs/modules/gsuite.asciidoc b/filebeat/docs/modules/gsuite.asciidoc
index 565617a40d6..c44cbb0a9a1 100644
--- a/filebeat/docs/modules/gsuite.asciidoc
+++ b/filebeat/docs/modules/gsuite.asciidoc
@@ -24,6 +24,7 @@ It is compatible with a subset of applications under the https://developers.goog
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[SAML Audit Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events]
+- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events]
 === Configure the module
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index 9ce66483ad0..db893ed28e9 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -735,6 +735,14 @@ filebeat.modules:
 # var.http_client_timeout: 60s
 # var.user_key: all
 # var.interval: 5s
+ admin:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 5s
 #------------------------------- HAProxy Module -------------------------------
 - module: haproxy
diff --git a/x-pack/filebeat/module/gsuite/_meta/config.yml b/x-pack/filebeat/module/gsuite/_meta/config.yml
index 65b289a5010..4422edc0ac7 100644
--- a/x-pack/filebeat/module/gsuite/_meta/config.yml
+++ b/x-pack/filebeat/module/gsuite/_meta/config.yml
@@ -23,3 +23,11 @@
 # var.http_client_timeout: 60s
 # var.user_key: all
 # var.interval: 5s
+ admin:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 5s
diff --git a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc
index 9af088e36f9..e33621fa8cf 100644
--- a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc
@@ -19,6 +19,7 @@ It is compatible with a subset of applications under the https://developers.goog
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/saml[SAML Audit Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events]
+- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events]
 === Configure the module
diff --git a/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml
new file mode 100644
index 00000000000..7c82f3ed6e7
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/_meta/fields.yml
@@ -0,0 +1,271 @@
+- name: admin
+ type: group
+ fields:
+ - name: application.edition
+ type: keyword
+ description: The GSuite edition.
+ - name: application.name
+ type: keyword
+ description: The application's name.
+ - name: application.enabled
+ type: keyword
+ description: The enabled application.
+ - name: application.licences_order_number
+ type: keyword
+ description: Order number used to redeem licenses.
+ - name: application.licences_purchased
+ type: keyword
+ description: Number of licences purchased.
+ - name: application.id
+ type: keyword
+ description: The application ID.
+ - name: application.asp_id
+ type: keyword
+ description: The application specific password ID.
+ - name: application.package_id
+ type: keyword
+ description: The mobile application package ID.
+ - name: group.email
+ type: keyword
+ description: The group's primary email address.
+ - name: new_value
+ type: keyword
+ description: The new value for the setting.
+ - name: old_value
+ type: keyword
+ description: The old value for the setting.
+ - name: org_unit.name
+ type: keyword
+ description: The organizational unit name.
+ - name: org_unit.full
+ type: keyword
+ description: The org unit full path including the root org unit name.
+ - name: setting.name
+ type: keyword
+ description: The setting name.
+ - name: user_defined_setting.name
+ type: keyword
+ description: The name of the user-defined setting.
+ - name: setting.description
+ type: keyword
+ description: The setting name.
+ - name: group.priorities
+ type: keyword
+ description: Group priorities.
+ - name: domain.alias
+ type: keyword
+ description: The domain alias.
+ - name: domain.name
+ type: keyword
+ description: The primary domain name.
+ - name: domain.secondary_name
+ type: keyword
+ description: The secondary domain name.
+ - name: managed_configuration
+ type: keyword
+ description: The name of the managed configuration.
+ - name: non_featured_services_selection
+ type: keyword
+ description: >
+ Non-featured services selection.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings#FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED
+ - name: field
+ type: keyword
+ description: The name of the field.
+ - name: resource.id
+ type: keyword
+ description: The name of the resource identifier.
+ - name: user.email
+ type: keyword
+ description: The user's primary email address.
+ - name: user.nickname
+ type: keyword
+ description: The user's nickname.
+ - name: user.birthdate
+ type: date
+ description: The user's birth date.
+ - name: gateway.name
+ type: keyword
+ description: Gateway name. Present on some chat settings.
+ - name: chrome_os.session_type
+ type: keyword
+ description: Chrome OS session type.
+ - name: device.serial_number
+ type: keyword
+ description: Device serial number.
+ - name: device.id
+ type: keyword
+ - name: device.type
+ type: keyword
+ description: Device type.
+ - name: print_server.name
+ type: keyword
+ description: The name of the print server.
+ - name: printer.name
+ type: keyword
+ description: The name of the printer.
+ - name: device.command_details
+ type: keyword
+ description: Command details.
+ - name: role.id
+ type: keyword
+ description: Unique identifier for this role privilege.
+ - name: role.name
+ type: keyword
+ description: >
+ The role name.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
+ - name: privilege.name
+ type: keyword
+ description: Privilege name.
+ - name: service.name
+ type: keyword
+ description: The service name.
+ - name: url.name
+ type: keyword
+ description: The website name.
+ - name: product.name
+ type: keyword
+ description: The product name.
+ - name: product.sku
+ type: keyword
+ description: The product SKU.
+ - name: bulk_upload.failed
+ type: long
+ description: Number of failed records in bulk upload operation.
+ - name: bulk_upload.total
+ type: long
+ description: Number of total records in bulk upload operation.
+ - name: group.allowed_list
+ type: keyword
+ description: Names of allow-listed groups.
+ - name: email.quarantine_name
+ type: keyword
+ description: The name of the quarantine.
+ - name: email.log_search_filter.message_id
+ type: keyword
+ description: The log search filter's email message ID.
+ - name: email.log_search_filter.start_date
+ type: date
+ description: The log search filter's start date.
+ - name: email.log_search_filter.end_date
+ type: date
+ description: The log search filter's ending date.
+ - name: email.log_search_filter.recipient.value
+ type: keyword
+ description: The log search filter's email recipient.
+ - name: email.log_search_filter.sender.value
+ type: keyword
+ description: The log search filter's email sender.
+ - name: email.log_search_filter.recipient.ip
+ type: ip
+ description: The log search filter's email recipient's IP address.
+ - name: email.log_search_filter.sender.ip
+ type: ip
+ description: The log search filter's email sender's IP address.
+ - name: chrome_licenses.enabled
+ type: keyword
+ description: >
+ Licences enabled.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings
+ - name: chrome_licenses.allowed
+ type: keyword
+ description: >
+ Licences enabled.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-org-settings
+ - name: oauth2.service.name
+ type: keyword
+ description: >
+ OAuth2 service name.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings
+ - name: oauth2.application.id
+ type: keyword
+ description: OAuth2 application ID.
+ - name: oauth2.application.name
+ type: keyword
+ description: OAuth2 application name.
+ - name: oauth2.application.type
+ type: keyword
+ description: >
+ OAuth2 application type.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings
+ - name: verification_method
+ type: keyword
+ description: >
+ Related verification method.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings and
+ https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings
+ - name: alert.name
+ type: keyword
+ description: The alert name.
+ - name: rule.name
+ type: keyword
+ description: The rule name.
+ - name: api.client.name
+ type: keyword
+ description: The API client name.
+ - name: api.scopes
+ type: keyword
+ description: The API scopes.
+ - name: mdm.token
+ type: keyword
+ description: The MDM vendor enrollment token.
+ - name: mdm.vendor
+ type: keyword
+ description: The MDM vendor's name.
+ - name: info_type
+ type: keyword
+ description: >
+ This will be used to state what kind of information was changed.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings
+ - name: email_monitor.dest_email
+ type: keyword
+ description: The destination address of the email monitor.
+ - name: email_monitor.level.chat
+ type: keyword
+ description: The chat email monitor level.
+ - name: email_monitor.level.draft
+ type: keyword
+ description: The draft email monitor level.
+ - name: email_monitor.level.incoming
+ type: keyword
+ description: The incoming email monitor level.
+ - name: email_monitor.level.outgoing
+ type: keyword
+ description: The outgoing email monitor level.
+ - name: email_dump.include_deleted
+ type: boolean
+ description: Indicates if deleted emails are included in the export.
+ - name: email_dump.package_content
+ type: keyword
+ description: The contents of the mailbox package.
+ - name: email_dump.query
+ type: keyword
+ description: The search query used for the dump.
+ - name: request.id
+ type: keyword
+ description: The request ID.
+ - name: mobile.action.id
+ type: keyword
+ description: The mobile device action's ID.
+ - name: mobile.action.type
+ type: keyword
+ description: >
+ The mobile device action's type.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
+ - name: mobile.certificate.name
+ type: keyword
+ description: The mobile certificate common name.
+ - name: mobile.company_owned_devices
+ type: long
+ description: The number of devices a company owns.
+ - name: distribution.entity.name
+ type: keyword
+ description: >
+ The distribution entity value, which can be a group name or an org-unit name.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
+ - name: distribution.entity.type
+ type: keyword
+ description: >
+ The distribution entity type, which can be a group or an org-unit.
+ For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-mobile-settings
diff --git a/x-pack/filebeat/module/gsuite/admin/config/config.yml b/x-pack/filebeat/module/gsuite/admin/config/config.yml
new file mode 100644
index 00000000000..b5c62d3657f
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/config/config.yml
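Review bot: Two descriptions in this fields.yml hunk are copy-paste leftovers and one field has none: `setting.description` is described as `The setting name.` (the same text as `setting.name`), `chrome_licenses.allowed` as `Licences enabled.` (the same as `chrome_licenses.enabled`), and `device.id` has no `description` at all. Suggested lines are `description: The setting description.`, `description: Licences allowed.` and, under `device.id`, `description: The device ID.`. The generated `filebeat/docs/fields.asciidoc` hunk earlier in this patch carries the same text, so it should be regenerated after the fix rather than edited by hand. `mdm.token` is described only as an enrollment token; if that value is a usable credential, saying so in the description lets operators decide whether the field needs restricted access in the index.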
@@ -0,0 +1,50 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/admin
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+ - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
+ - script:
+ lang: javascript
+ id: gsuite-common
+ file: ${path.home}/module/gsuite/config/common.js
+ - script:
+ lang: javascript
+ id: gsuite-admin
+ file: ${path.home}/module/gsuite/admin/config/pipeline.js
diff --git a/x-pack/filebeat/module/gsuite/admin/config/pipeline.js b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
new file mode 100644
index 00000000000..764f4bb695f
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/config/pipeline.js
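Review bot: `oauth2.google.jwt_file: {{ .jwt_file }}` and `oauth2.google.delegated_account: {{ .delegated_account }}` are rendered unconditionally, while `http_client_timeout` is wrapped in `{{ if .http_client_timeout }}`; if either var is unset (their defaults, if any, live in manifest.yml outside this hunk) the input starts with an empty value and the failure surfaces as a generic OAuth2 error rather than a message naming the missing var. A short comment above the `oauth2.provider` line would help operators, for example `# jwt_file and delegated_account are required for the httpjson input; the JWT file is a service-account key with domain-wide delegation, limited here to the read-only audit reports scope.` The same template block also interpolates `{{ .user_key }}` into the request path unescaped; it comes from module configuration rather than event data, so this is a documentation point, but noting the accepted values (the reference config shows `all`) next to the `url` line would avoid guesswork.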
@@ -0,0 +1,922 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var login = (function () { + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["iam"]); + switch (evt.Get("event.action")) { + case "CHANGE_APPLICATION_SETTING": + case "UPDATE_MANAGED_CONFIGURATION": + case "GPLUS_PREMIUM_FEATURES": + case "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED": + case "UPDATE_BUILDING": + case "UPDATE_CALENDAR_RESOURCE_FEATURE": + case "RENAME_CALENDAR_RESOURCE": + case "UPDATE_CALENDAR_RESOURCE": + case "CHANGE_CALENDAR_SETTING": + case "CANCEL_CALENDAR_EVENTS": + case "RELEASE_CALENDAR_RESOURCES": + case "MEET_INTEROP_MODIFY_GATEWAY": + case "CHANGE_CHAT_SETTING": + case "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING": + case "CHANGE_DEVICE_STATE": + case "CHANGE_CHROME_OS_APPLICATION_SETTING": + case "CHANGE_CHROME_OS_DEVICE_ANNOTATION": + case "CHANGE_CHROME_OS_DEVICE_SETTING": + case "CHANGE_CHROME_OS_DEVICE_STATE": + case "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING": + case "UPDATE_CHROME_OS_PRINT_SERVER": + case "UPDATE_CHROME_OS_PRINTER": + case "CHANGE_CHROME_OS_SETTING": + case "CHANGE_CHROME_OS_USER_SETTING": + case "MOVE_DEVICE_TO_ORG_UNIT_DETAILED": + case "UPDATE_DEVICE": + case "SEND_CHROME_OS_DEVICE_COMMAND": + case "CHANGE_CONTACTS_SETTING": + case "ASSIGN_ROLE": + case "ADD_PRIVILEGE": + case "REMOVE_PRIVILEGE": + case "RENAME_ROLE": + case "UPDATE_ROLE": + case "UNASSIGN_ROLE": + case "TRANSFER_DOCUMENT_OWNERSHIP": + case "CHANGE_DOCS_SETTING": + case "CHANGE_SITES_SETTING": + case "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES": + case "ORG_USERS_LICENSE_ASSIGNMENT": + case "ORG_ALL_USERS_LICENSE_ASSIGNMENT": + case "USER_LICENSE_ASSIGNMENT": + case "CHANGE_LICENSE_AUTO_ASSIGN": + case "USER_LICENSE_REASSIGNMENT": 
+ case "ORG_LICENSE_REVOKE": + case "USER_LICENSE_REVOKE": + case "UPDATE_DYNAMIC_LICENSE": + case "DROP_FROM_QUARANTINE": + case "CHANGE_EMAIL_SETTING": + case "CHANGE_GMAIL_SETTING": + case "REJECT_FROM_QUARANTINE": + case "RELEASE_FROM_QUARANTINE": + case "CHROME_LICENSES_ENABLED": + case "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED": + case "ASSIGN_CUSTOM_LOGO": + case "UNASSIGN_CUSTOM_LOGO": + case "REVOKE_ENROLLMENT_TOKEN": + case "CHROME_LICENSES_ALLOWED": + case "EDIT_ORG_UNIT_DESCRIPTION": + case "MOVE_ORG_UNIT": + case "EDIT_ORG_UNIT_NAME": + case "REVOKE_DEVICE_ENROLLMENT_TOKEN": + case "TOGGLE_SERVICE_ENABLED": + case "ALLOW_STRONG_AUTHENTICATION": + case "ALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS": + case "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID": + case "ADD_TO_TRUSTED_OAUTH2_APPS": + case "REMOVE_FROM_TRUSTED_OAUTH2_APPS": + case "BLOCK_ON_DEVICE_ACCESS": + case "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY": + case "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION": + case "CHANGE_TWO_STEP_VERIFICATION_START_DATE": + case "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS": + case "TOGGLE_CAA_ENABLEMENT": + case "CHANGE_CAA_ERROR_MESSAGE": + case "CHANGE_CAA_APP_ASSIGNMENTS": + case "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS": + case "TRUST_DOMAIN_OWNED_OAUTH2_APPS": + case "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY": + case "ENFORCE_STRONG_AUTHENTICATION": + case "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS": + case "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED": + case "SESSION_CONTROL_SETTINGS_CHANGE": + case "CHANGE_SESSION_LENGTH": + case "UNBLOCK_ON_DEVICE_ACCESS": + case "CHANGE_ACCOUNT_AUTO_RENEWAL": + case "ADD_APPLICATION": + case "ADD_APPLICATION_TO_WHITELIST": + case "CHANGE_ADVERTISEMENT_OPTION": + case "CHANGE_ALERT_CRITERIA": + case "ALERT_RECEIVERS_CHANGED": + case "RENAME_ALERT": + case "ALERT_STATUS_CHANGED": + case "ADD_DOMAIN_ALIAS": + case 
"REMOVE_DOMAIN_ALIAS": + case "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS": + case "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET": + case "ENABLE_API_ACCESS": + case "AUTHORIZE_API_CLIENT_ACCESS": + case "REMOVE_API_CLIENT_ACCESS": + case "CHROME_LICENSES_REDEEMED": + case "TOGGLE_AUTO_ADD_NEW_SERVICE": + case "CHANGE_PRIMARY_DOMAIN": + case "CHANGE_WHITELIST_SETTING": + case "COMMUNICATION_PREFERENCES_SETTING_CHANGE": + case "CHANGE_CONFLICT_ACCOUNT_ACTION": + case "ENABLE_FEEDBACK_SOLICITATION": + case "TOGGLE_CONTACT_SHARING": + case "TOGGLE_USE_CUSTOM_LOGO": + case "CHANGE_CUSTOM_LOGO": + case "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA": + case "CHANGE_DATA_LOCALIZATION_SETTING": + case "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO": + case "CHANGE_DOMAIN_DEFAULT_LOCALE": + case "CHANGE_DOMAIN_DEFAULT_TIMEZONE": + case "CHANGE_DOMAIN_NAME": + case "TOGGLE_ENABLE_PRE_RELEASE_FEATURES": + case "CHANGE_DOMAIN_SUPPORT_MESSAGE": + case "ADD_TRUSTED_DOMAINS": + case "REMOVE_TRUSTED_DOMAINS": + case "CHANGE_EDU_TYPE": + case "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY": + case "TOGGLE_SSO_ENABLED": + case "TOGGLE_SSL": + case "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO": + case "CHANGE_LOGIN_BACKGROUND_COLOR": + case "CHANGE_LOGIN_BORDER_COLOR": + case "CHANGE_LOGIN_ACTIVITY_TRACE": + case "PLAY_FOR_WORK_ENROLL": + case "PLAY_FOR_WORK_UNENROLL": + case "TOGGLE_NEW_APP_FEATURES": + case "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL": + case "TOGGLE_OPEN_ID_ENABLED": + case "CHANGE_ORGANIZATION_NAME": + case "TOGGLE_OUTBOUND_RELAY": + case "CHANGE_PASSWORD_MAX_LENGTH": + case "CHANGE_PASSWORD_MIN_LENGTH": + case "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL": + case "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS": + case "REMOVE_APPLICATION": + case "REMOVE_APPLICATION_FROM_WHITELIST": + case "CHANGE_RENEW_DOMAIN_REGISTRATION": + case "CHANGE_RESELLER_ACCESS": + case "RULE_ACTIONS_CHANGED": + case "CHANGE_RULE_CRITERIA": + case "RENAME_RULE": + case "RULE_STATUS_CHANGED": + case "ADD_SECONDARY_DOMAIN": + case "REMOVE_SECONDARY_DOMAIN": + 
case "UPDATE_DOMAIN_SECONDARY_EMAIL": + case "CHANGE_SSO_SETTINGS": + case "UPDATE_RULE": + case "ADD_MOBILE_CERTIFICATE": + case "COMPANY_OWNED_DEVICE_BLOCKED": + case "COMPANY_OWNED_DEVICE_UNBLOCKED": + case "COMPANY_OWNED_DEVICE_WIPED": + case "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT": + case "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER": + case "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST": + case "CHANGE_MOBILE_APPLICATION_SETTINGS": + case "ADD_MOBILE_APPLICATION_TO_WHITELIST": + case "CHANGE_MOBILE_SETTING": + case "CHANGE_ADMIN_RESTRICTIONS_PIN": + case "CHANGE_MOBILE_WIRELESS_NETWORK": + case "ADD_MOBILE_WIRELESS_NETWORK": + case "REMOVE_MOBILE_WIRELESS_NETWORK": + case "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD": + case "REMOVE_MOBILE_CERTIFICATE": + evt.Put("event.type", ["change"]); + break; + case "CREATE_APPLICATION_SETTING": + case "CREATE_MANAGED_CONFIGURATION": + case "CREATE_BUILDING": + case "CREATE_CALENDAR_RESOURCE": + case "CREATE_CALENDAR_RESOURCE_FEATURE": + case "MEET_INTEROP_CREATE_GATEWAY": + case "INSERT_CHROME_OS_PRINT_SERVER": + case "INSERT_CHROME_OS_PRINTER": + case "CREATE_ROLE": + case "ADD_WEB_ADDRESS": + case "EMAIL_UNDELETE": + case "CREATE_GMAIL_SETTING": + case "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED": + case "CREATE_DEVICE_ENROLLMENT_TOKEN": + case "CREATE_ENROLLMENT_TOKEN": + case "CREATE_ORG_UNIT": + case "CREATE_ALERT": + case "CREATE_PLAY_FOR_WORK_TOKEN": + case "GENERATE_TRANSFER_TOKEN": + case "REGENERATE_OAUTH_CONSUMER_SECRET": + case "CREATE_RULE": + case "GENERATE_PIN": + case "COMPANY_DEVICES_BULK_CREATION": + evt.Put("event.type", ["creation"]); + break; + case "DELETE_APPLICATION_SETTING": + case "DELETE_MANAGED_CONFIGURATION": + case "DELETE_BUILDING": + case "DELETE_CALENDAR_RESOURCE": + case "DELETE_CALENDAR_RESOURCE_FEATURE": + case "MEET_INTEROP_DELETE_GATEWAY": + case "DELETE_CHROME_OS_PRINT_SERVER": + case "DELETE_CHROME_OS_PRINTER": + case "REMOVE_CHROME_OS_APPLICATION_SETTINGS": + case "DELETE_ROLE": + 
case "DELETE_WEB_ADDRESS": + case "DELETE_GMAIL_SETTING": + case "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED": + case "REMOVE_ORG_UNIT": + case "DELETE_ALERT": + case "DELETE_PLAY_FOR_WORK_TOKEN": + case "DELETE_RULE": + case "COMPANY_DEVICE_DELETION": + evt.Put("event.type", ["deletion"]); + break; + case "DELETE_GROUP": + evt.Put("event.type", ["group", "creation"]); + break; + case "CREATE_GROUP": + evt.Put("event.type", ["group", "creation"]); + break; + case "REORDER_GROUP_BASED_POLICIES_EVENT": + case "CHANGE_GROUP_DESCRIPTION": + case "ADD_GROUP_MEMBER": + case "REMOVE_GROUP_MEMBER": + case "UPDATE_GROUP_MEMBER": + case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS": + case "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE": + case "CHANGE_GROUP_NAME": + case "CHANGE_GROUP_SETTING": + case "GROUP_MEMBER_BULK_UPLOAD": + case "WHITELISTED_GROUPS_UPDATED": + evt.Put("event.type", ["group", "change"]); + break; + case "REVOKE_3LO_DEVICE_TOKENS": + case "REVOKE_3LO_TOKEN": + case "ADD_RECOVERY_EMAIL": + case "ADD_RECOVERY_PHONE": + case "GRANT_ADMIN_PRIVILEGE": + case "REVOKE_ADMIN_PRIVILEGE": + case "REVOKE_ASP": + case "TOGGLE_AUTOMATIC_CONTACT_SHARING": + case "CANCEL_USER_INVITE": + case "CHANGE_USER_CUSTOM_FIELD": + case "CHANGE_USER_EXTERNAL_ID": + case "CHANGE_USER_GENDER": + case "CHANGE_USER_IM": + case "ENABLE_USER_IP_WHITELIST": + case "CHANGE_USER_KEYWORD": + case "CHANGE_USER_LANGUAGE": + case "CHANGE_USER_LOCATION": + case "CHANGE_USER_ORGANIZATION": + case "CHANGE_USER_PHONE_NUMBER": + case "CHANGE_RECOVERY_EMAIL": + case "CHANGE_RECOVERY_PHONE": + case "CHANGE_USER_RELATION": + case "CHANGE_USER_ADDRESS": + case "GRANT_DELEGATED_ADMIN_PRIVILEGES": + case "CHANGE_FIRST_NAME": + case "GMAIL_RESET_USER": + case "CHANGE_LAST_NAME": + case "MAIL_ROUTING_DESTINATION_ADDED": + case "MAIL_ROUTING_DESTINATION_REMOVED": + case "ADD_NICKNAME": + case "REMOVE_NICKNAME": + case "CHANGE_PASSWORD": + case "CHANGE_PASSWORD_ON_NEXT_LOGIN": + case 
"REMOVE_RECOVERY_EMAIL": + case "REMOVE_RECOVERY_PHONE": + case "RESET_SIGNIN_COOKIES": + case "SECURITY_KEY_REGISTERED_FOR_USER": + case "REVOKE_SECURITY_KEY": + case "TURN_OFF_2_STEP_VERIFICATION": + case "UNBLOCK_USER_SESSION": + case "UNENROLL_USER_FROM_TITANIUM": + case "ARCHIVE_USER": + case "UPDATE_BIRTHDATE": + case "DOWNGRADE_USER_FROM_GPLUS": + case "USER_ENROLLED_IN_TWO_STEP_VERIFICATION": + case "MOVE_USER_TO_ORG_UNIT": + case "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD": + case "RENAME_USER": + case "UNENROLL_USER_FROM_STRONG_AUTH": + case "SUSPEND_USER": + case "UNARCHIVE_USER": + case "UNSUSPEND_USER": + case "UPGRADE_USER_TO_GPLUS": + case "MOBILE_DEVICE_APPROVE": + case "MOBILE_DEVICE_BLOCK": + case "MOBILE_DEVICE_WIPE": + case "MOBILE_ACCOUNT_WIPE": + case "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE": + case "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK": + evt.Put("event.type", ["user", "change"]); + break; + case "DELETE_2SV_SCRATCH_CODES": + case "DELETE_ACCOUNT_INFO_DUMP": + case "DELETE_EMAIL_MONITOR": + case "DELETE_MAILBOX_DUMP": + case "DELETE_USER": + case "MOBILE_DEVICE_DELETE": + evt.Put("event.type", ["user", "deletion"]); + break; + case "GENERATE_2SV_SCRATCH_CODES": + case "CREATE_EMAIL_MONITOR": + case "CREATE_DATA_TRANSFER_REQUEST": + case "CREATE_USER": + case "UNDELETE_USER": + evt.Put("event.type", ["user", "creation"]); + break; + case "ISSUE_DEVICE_COMMAND": + case "DRIVE_DATA_RESTORE": + case "VIEW_SITE_DETAILS": + case "EMAIL_LOG_SEARCH": + case "SKIP_DOMAIN_ALIAS_MX": + case "VERIFY_DOMAIN_ALIAS_MX": + case "VERIFY_DOMAIN_ALIAS": + case "VIEW_DNS_LOGIN_DETAILS": + case "MX_RECORD_VERIFICATION_CLAIM": + case "UPLOAD_OAUTH_CERTIFICATE": + case "SKIP_SECONDARY_DOMAIN_MX": + case "VERIFY_SECONDARY_DOMAIN_MX": + case "VERIFY_SECONDARY_DOMAIN": + case "BULK_UPLOAD": + case "DOWNLOAD_PENDING_INVITES_LIST": + case "DOWNLOAD_USERLIST_CSV": + case "USERS_BULK_UPLOAD": + case "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT": + case 
"USE_GOOGLE_MOBILE_MANAGEMENT": + case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS": + case "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS": + evt.Put("event.type", ["info"]); + break; + case "GROUP_LIST_DOWNLOAD": + case "GROUP_MEMBERS_DOWNLOAD": + evt.Put("event.type", ["group", "info"]); + break; + case "REQUEST_ACCOUNT_INFO": + case "REQUEST_MAILBOX_DUMP": + case "RESEND_USER_INVITE": + case "BULK_UPLOAD_NOTIFICATION_SENT": + case "USER_INVITE": + case "VIEW_TEMP_PASSWORD": + case "USERS_BULK_UPLOAD_NOTIFICATION_SENT": + case "ACTION_CANCELLED": + case "ACTION_REQUESTED": + evt.Put("event.type", ["user", "info"]); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + if (param.intValue !== null) { + return param.intValue; + } + }; + + var flattenParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + params.forEach(function(p){ + evt.Put("gsuite.admin."+p.name, getParamValue(p)); + }); + + evt.Delete("json.events.parameters"); + }; + + var setGroupInfo = function(evt) { + var email = evt.Get("gsuite.admin.group.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("group.name", data[0]); + evt.Put("group.domain", data[1]); + }; + + var setRelatedUserInfo = function(evt) { + var email = evt.Get("gsuite.admin.user.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.AppendTo("related.user", data[0]); + }; + + var setEventDuration = function(evt) { + var start = evt.Get("event.start"); + var end = evt.Get("event.end"); + if (!start || !end) { + return; + } + + var millisToNano = 1e6; + var tsStart = Date.parse(start) * millisToNano; + var tsEnd = Date.parse(end) * millisToNano; + + evt.Put("event.duration", tsEnd-tsStart); + }; + + var 
setEventOutcome = function(evt) { + var failed = evt.Get("gsuite.admin.group.bulk_upload.failed"); + if (failed === null) { + return; + } + + if (failed === 0) { + evt.Put("event.outcome", "success"); + } else { + evt.Put("event.outcome", "failure"); + } + }; + + var setGroupAllowedlist = function(evt) { + var allowedList = evt.Get("gsuite.admin.WHITELISTED_GROUPS"); + if (!allowedList) { + return; + } + + evt.Put("gsuite.admin.group.allowed_list", allowedList.split(",")); + evt.Delete("gsuite.admin.WHITELISTED_GROUPS"); + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(flattenParams) + .Convert({ + fields: [ + { + from: "gsuite.admin.APPLICATION_EDITION", + to: "gsuite.admin.application.edition", + }, + { + from: "gsuite.admin.APPLICATION_NAME", + to: "gsuite.admin.application.name", + }, + { + from: "gsuite.admin.APPLICATION_ENABLED", + to: "gsuite.admin.application.enabled", + }, + { + from: "gsuite.admin.APP_LICENSES_ORDER_NUMBER", + to: "gsuite.admin.application.licences_order_number", + }, + { + from: "gsuite.admin.CHROME_NUM_LICENSES_PURCHASED", + to: "gsuite.admin.application.licences_purchased", + type: "long", + }, + { + from: "gsuite.admin.REAUTH_APPLICATION", + to: "gsuite.admin.application.name", + }, + { + from: "gsuite.admin.GROUP_EMAIL", + to: "gsuite.admin.group.email", + }, + { + from: "gsuite.admin.GROUP_NAME", + to: "group.name", + }, + { + from: "gsuite.admin.NEW_VALUE", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.OLD_VALUE", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.ORG_UNIT_NAME", + to: "gsuite.admin.org_unit.name", + }, + { + from: "gsuite.admin.SETTING_NAME", + to: "gsuite.admin.setting.name", + }, + { + from: "gsuite.admin.SETTING_DESCRIPTION", + to: "gsuite.admin.setting.description", + }, + { + from: "gsuite.admin.USER_DEFINED_SETTING_NAME", + to: "gsuite.admin.user_defined_setting.name", + }, + { + from: "gsuite.admin.GROUP_PRIORITIES", + to: 
"gsuite.admin.group.priorities", + }, + { + from: "gsuite.admin.DOMAIN_NAME", + to: "gsuite.admin.domain.name", + }, + { + from: "gsuite.admin.DOMAIN_ALIAS", + to: "gsuite.admin.domain.alias", + }, + { + from: "gsuite.admin.SECONDARY_DOMAIN_NAME", + to: "gsuite.admin.domain.secondary_name", + }, + { + from: "gsuite.admin.MANAGED_CONFIGURATION_NAME", + to: "gsuite.admin.managed_configuration", + }, + { + from: "gsuite.admin.MOBILE_APP_PACKAGE_ID", + to: "gsuite.admin.application.package_id", + }, + { + from: "gsuite.admin.FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION", + to: "gsuite.admin.non_featured_services_selection", + }, + { + from: "gsuite.admin.FIELD_NAME", + to: "gsuite.admin.field", + }, + { + from: "gsuite.admin.RESOURCE_IDENTIFIER", + to: "gsuite.admin.resource.id", + }, + { + from: "gsuite.admin.USER_EMAIL", + to: "gsuite.admin.user.email", + }, + { + from: "gsuite.admin.GATEWAY_NAME", + to: "gsuite.admin.gateway.name", + }, + { + from: "gsuite.admin.APP_ID", + to: "gsuite.admin.application.id", + }, + { + from: "gsuite.admin.ASP_ID", + to: "gsuite.admin.application.asp_id", + }, + { + from: "gsuite.admin.CHROME_OS_SESSION_TYPE", + to: "gsuite.admin.chrome_os.session_type", + }, + { + from: "gsuite.admin.DEVICE_NEW_STATE", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.DEVICE_PREVIOUS_STATE", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.DEVICE_SERIAL_NUMBER", + to: "gsuite.admin.device.serial_number", + }, + { + from: "gsuite.admin.DEVICE_ID", + to: "gsuite.admin.device.id", + }, + { + from: "gsuite.admin.DEVICE_TYPE", + to: "gsuite.admin.device.type", + }, + { + from: "gsuite.admin.PRINT_SERVER_NAME", + to: "gsuite.admin.print_server.name", + }, + { + from: "gsuite.admin.PRINTER_NAME", + to: "gsuite.admin.printer.name", + }, + { + from: "gsuite.admin.DEVICE_COMMAND_DETAILS", + to: "gsuite.admin.device.command_details", + }, + { + from: "gsuite.admin.DEVICE_NEW_ORG_UNIT", + to: "gsuite.admin.new_value", + }, + { + 
from: "gsuite.admin.DEVICE_PREVIOUS_ORG_UNIT", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.ROLE_NAME", + to: "gsuite.admin.role.name", + }, + { + from: "gsuite.admin.ROLE_ID", + to: "gsuite.admin.role.id", + }, + { + from: "gsuite.admin.PRIVILEGE_NAME", + to: "gsuite.admin.privilege.name", + }, + { + from: "gsuite.admin.BEGIN_DATE_TIME", + to: "event.start", + }, + { + from: "gsuite.admin.END_DATE_TIME", + to: "event.end", + }, + { + from: "gsuite.admin.START_DATE", + to: "event.start", + }, + { + from: "gsuite.admin.END_DATE", + to: "event.end", + }, + { + from: "gsuite.admin.SITE_LOCATION", + to: "url.path", + }, + { + from: "gsuite.admin.WEB_ADDRESS", + to: "url.full", + }, + { + from: "gsuite.admin.SITE_NAME", + to: "gsuite.admin.url.name", + }, + { + from: "gsuite.admin.SERVICE_NAME", + to: "gsuite.admin.service.name", + }, + { + from: "gsuite.admin.PRODUCT_NAME", + to: "gsuite.admin.product.name", + }, + { + from: "gsuite.admin.SKU_NAME", + to: "gsuite.admin.product.sku", + }, + { + from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER", + to: "gsuite.admin.bulk_upload.failed", + type: "long", + }, + { + from: "gsuite.admin.GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER", + to: "gsuite.admin.bulk_upload.total", + type: "long", + }, + { + from: "gsuite.admin.BULK_UPLOAD_FAIL_USERS_NUMBER", + to: "gsuite.admin.bulk_upload.failed", + type: "long", + }, + { + from: "gsuite.admin.BULK_UPLOAD_TOTAL_USERS_NUMBER", + to: "gsuite.admin.bulk_upload.total", + type: "long", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_MSG_ID", + to: "gsuite.admin.email.log_search_filter.message_id", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_END_DATE", + to: "gsuite.admin.email.log_search_filter.end_date", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_RECIPIENT", + to: "gsuite.admin.email.log_search_filter.recipient.value", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_SENDER", + to: "gsuite.admin.email.log_search_filter.sender.value", + }, + { + from: 
"gsuite.admin.EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP", + to: "gsuite.admin.email.log_search_filter.recipient.ip", + type: "ip", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_SMTP_SENDER_IP", + to: "gsuite.admin.email.log_search_filter.sender.ip", + type: "ip", + }, + { + from: "gsuite.admin.EMAIL_LOG_SEARCH_START_DATE", + to: "gsuite.admin.email.log_search_filter.start_date", + }, + { + from: "gsuite.admin.QUARANTINE_NAME", + to: "gsuite.admin.email.quarantine_name", + }, + { + from: "gsuite.admin.CHROME_LICENSES_ENABLED", + to: "gsuite.admin.chrome_licenses.enabled", + }, + { + from: "gsuite.admin.CHROME_LICENSES_ALLOWED", + to: "gsuite.admin.chrome_licenses.allowed", + }, + { + from: "gsuite.admin.FULL_ORG_UNIT_PATH", + to: "gsuite.admin.org_unit.full", + }, + { + from: "gsuite.admin.OAUTH2_SERVICE_NAME", + to: "gsuite.admin.oauth2.service.name", + }, + { + from: "gsuite.admin.OAUTH2_APP_ID", + to: "gsuite.admin.oauth2.application.id", + }, + { + from: "gsuite.admin.OAUTH2_APP_NAME", + to: "gsuite.admin.oauth2.application.name", + }, + { + from: "gsuite.admin.OAUTH2_APP_TYPE", + to: "gsuite.admin.oauth2.application.type", + }, + { + from: "gsuite.admin.ALLOWED_TWO_STEP_VERIFICATION_METHOD", + to: "gsuite.admin.verification_method", + }, + { + from: "gsuite.admin.DOMAIN_VERIFICATION_METHOD", + to: "gsuite.admin.verification_method", + }, + { + from: "gsuite.admin.CAA_ASSIGNMENTS_NEW", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.CAA_ASSIGNMENTS_OLD", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.REAUTH_SETTING_NEW", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.REAUTH_SETTING_OLD", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.ALERT_NAME", + to: "gsuite.admin.alert.name", + }, + { + from: "gsuite.admin.API_CLIENT_NAME", + to: "gsuite.admin.api.client.name", + }, + { + from: "gsuite.admin.API_SCOPES", + to: "gsuite.admin.api.scopes", + }, + { + from: "gsuite.admin.PLAY_FOR_WORK_TOKEN_ID", + to: 
"gsuite.admin.mdm.token", + }, + { + from: "gsuite.admin.PLAY_FOR_WORK_MDM_VENDOR_NAME", + to: "gsuite.admin.mdm.vendor", + }, + { + from: "gsuite.admin.INFO_TYPE", + to: "gsuite.admin.info_type", + }, + { + from: "gsuite.admin.RULE_NAME", + to: "gsuite.admin.rule.name", + }, + { + from: "gsuite.admin.USER_CUSTOM_FIELD", + to: "gsuite.admin.setting.name", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_DEST_EMAIL", + to: "gsuite.admin.email_monitor.dest_email", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_CHAT", + to: "gsuite.admin.email_monitor.level.chat", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_DRAFT_EMAIL", + to: "gsuite.admin.email_monitor.level.draft", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_INCOMING_EMAIL", + to: "gsuite.admin.email_monitor.level.incoming", + }, + { + from: "gsuite.admin.EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL", + to: "gsuite.admin.email_monitor.level.outgoing", + }, + { + from: "gsuite.admin.EMAIL_EXPORT_INCLUDE_DELETED", + to: "gsuite.admin.email_dump.include_deleted", + }, + { + from: "gsuite.admin.EMAIL_EXPORT_PACKAGE_CONTENT", + to: "gsuite.admin.email_dump.package_content", + }, + { + from: "gsuite.admin.SEARCH_QUERY_FOR_DUMP", + to: "gsuite.admin.email_dump.query", + }, + { + from: "gsuite.admin.DESTINATION_USER_EMAIL", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.REQUEST_ID", + to: "gsuite.admin.request.id", + }, + { + from: "gsuite.admin.GMAIL_RESET_REASON", + to: "message", + }, + { + from: "gsuite.admin.USER_NICKNAME", + to: "gsuite.admin.user.nickname", + }, + { + from: "gsuite.admin.BIRTHDATE", + to: "gsuite.admin.user.birthdate", + }, + { + from: "gsuite.admin.ACTION_ID", + to: "gsuite.admin.mobile.action.id", + }, + { + from: "gsuite.admin.ACTION_TYPE", + to: "gsuite.admin.mobile.action.type", + }, + { + from: "gsuite.admin.MOBILE_CERTIFICATE_COMMON_NAME", + to: "gsuite.admin.mobile.certificate.name", + }, + { + from: "gsuite.admin.NUMBER_OF_COMPANY_OWNED_DEVICES", + to: 
"gsuite.admin.mobile.company_owned_devices", + type: "long", + }, + { + from: "gsuite.admin.COMPANY_DEVICE_ID", + to: "gsuite.admin.device.id", + }, + { + from: "gsuite.admin.DISTRIBUTION_ENTITY_NAME", + to: "gsuite.admin.distribution.entity.name", + }, + { + from: "gsuite.admin.DISTRIBUTION_ENTITY_TYPE", + to: "gsuite.admin.distribution.entity.type", + }, + { + from: "gsuite.admin.MOBILE_APP_PACKAGE_ID", + to: "gsuite.admin.application.package_id", + }, + { + from: "gsuite.admin.NEW_PERMISSION_GRANT_STATE", + to: "gsuite.admin.new_value", + }, + { + from: "gsuite.admin.OLD_PERMISSION_GRANT_STATE", + to: "gsuite.admin.old_value", + }, + { + from: "gsuite.admin.PERMISSION_GROUP_NAME", + to: "gsuite.admin.setting.name", + }, + { + from: "gsuite.admin.MOBILE_WIRELESS_NETWORK_NAME", + to: "network.name", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setGroupInfo) + .Add(setRelatedUserInfo) + .Add(setEventDuration) + .Add(setEventOutcome) + .Add(setGroupAllowedlist) + .Build(); + + return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return login.process(evt); +} diff --git a/x-pack/filebeat/module/gsuite/admin/manifest.yml b/x-pack/filebeat/module/gsuite/admin/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip 
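Review bot: In categorizeEvent the `DELETE_GROUP` case sets `event.type` to `["group", "creation"]`, the same value as the `CREATE_GROUP` case immediately below it, so a group deletion is indexed as a creation and any detection keyed on `event.type: deletion` will miss it; the line should be `evt.Put("event.type", ["group", "deletion"]);`. Separately, setEventOutcome reads `gsuite.admin.group.bulk_upload.failed`, but the Convert step renames both `GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER` and `BULK_UPLOAD_FAIL_USERS_NUMBER` to `gsuite.admin.bulk_upload.failed`, so `failed` is always null and `event.outcome` is never populated; the Get should use `"gsuite.admin.bulk_upload.failed"`. Less certain: getParamValue's last branch is `param.intValue !== null`, which is also true when `intValue` is simply absent (undefined), so a parameter that carries neither `value`, `multiValue` nor `intValue` is still written to `gsuite.admin.<name>` as undefined; if the Reports API can emit other value kinds (e.g. a boolean) for this application, an explicit branch for it and an `!== undefined` guard would avoid silently dropping the value.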
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log
new file mode 100644
index 00000000000..2d2d36e96a3
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log
@@ -0,0 +1,9 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CHANGE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_APPLICATION_SETTING","parameters":[{"name":"APPLICATION_EDITION","value":"basic"},{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"REORDER_GROUP_BASED_POLICIES_EVENT","parameters":[{"name":"APPLICATION_NAME","value":"drive"},{"name":"GROUP_PRIORITIES","multiValue":["a","b"]},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"GPLUS_PREMIUM_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"CREATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"DELETE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"UPDATE_MANAGED_CONFIGURATION","parameters":[{"name":"MANAGED_CONFIGURATION_NAME","value":"a"},{"name":"MOBILE_APP_PACKAGE_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"APPLICATION_SETTINGS","name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","parameters":[{"name":"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION","value":"FLASHLIGHT_EDU_SELECTION_MANUAL"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json
new file mode 100644
index 00000000000..1475c5272e7
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json
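Review bot: Every parameter in these nine fixture events is encoded with `value` or `multiValue`, so the `intValue` branch of getParamValue in pipeline.js, and the `type: "long"` conversions it feeds, are not exercised by this file. One additional event whose parameter uses `intValue` rather than `value` would pin that path, and a parameter with none of the three keys would show what the pipeline currently stores for it. This is a coverage remark about the fixture, not a defect in the events themselves.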
@@ -0,0 +1,466 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + 
"gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + 
"group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 641, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.edition": "basic", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"REORDER_GROUP_BASED_POLICIES_EVENT\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_PRIORITIES\",\"multiValue\":[\"a\",\"b\"]},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "drive", + "gsuite.admin.group.priorities": [ + "a", + "b" + ], + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1853, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GPLUS_PREMIUM_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"GPLUS_PREMIUM_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2346, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + 
"event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"CREATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2770, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"DELETE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3218, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_MANAGED_CONFIGURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"UPDATE_MANAGED_CONFIGURATION\",\"parameters\":[{\"name\":\"MANAGED_CONFIGURATION_NAME\",\"value\":\"a\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "1234", + "gsuite.admin.managed_configuration": "a", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"APPLICATION_SETTINGS\",\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED\",\"parameters\":[{\"name\":\"FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTION\",\"value\":\"FLASHLIGHT_EDU_SELECTION_MANUAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.non_featured_services_selection": "FLASHLIGHT_EDU_SELECTION_MANUAL", + "gsuite.event.type": "APPLICATION_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4114, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log new file mode 100644 index 00000000000..bcbed9ee886 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log 
@@ -0,0 +1,13 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_BUILDING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CREATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"DELETE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE_FEATURE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RENAME_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"UPDATE_CALENDAR_RESOURCE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"FIELD_NAME","value":"field"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RESOURCE_IDENTIFIER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CHANGE_CALENDAR_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"CANCEL_CALENDAR_EVENTS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CALENDAR_SETTINGS","name":"RELEASE_CALENDAR_RESOURCES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
new file mode 100644
index 00000000000..52947846853
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json
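Review bot: Every line of this calendar fixture (and of the application fixture above it) carries the same `"id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,...}`, so the expected output records `"event.id": "1"` for all 13 events and the fixture cannot tell whether `event.id` is derived per event from `id.uniqueQualifier` or simply constant. Since `event.id` is the field a downstream SIEM uses to deduplicate the admin audit stream, a regression in that mapping would pass these tests unnoticed. Giving each line a distinct qualifier, e.g. `"uniqueQualifier":2`, `"uniqueQualifier":3` and so on, and regenerating the expected file would make the identifier mapping observable; the same applies to the other admin fixtures added by this commit if they follow the same template.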
@@ -0,0 +1,655 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State 
College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 414, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_BUILDING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_BUILDING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 828, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 
40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1361, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + 
"client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1784, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CREATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"DELETE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE_FEATURE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3069, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": 
"gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RENAME_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CALENDAR_RESOURCE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"UPDATE_CALENDAR_RESOURCE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"FIELD_NAME\",\"value\":\"field\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RESOURCE_IDENTIFIER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.field": "field", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.resource.id": "1234", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4077, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CALENDAR_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CHANGE_CALENDAR_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4619, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + 
"client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CANCEL_CALENDAR_EVENTS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"CANCEL_CALENDAR_EVENTS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5208, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RELEASE_CALENDAR_RESOURCES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CALENDAR_SETTINGS\",\"name\":\"RELEASE_CALENDAR_RESOURCES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "CALENDAR_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5598, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log new file mode 100644 index 00000000000..b078b332402 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log 
@@ -0,0 +1,4 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_CREATE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_DELETE_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"MEET_INTEROP_MODIFY_GATEWAY","parameters":[{"name":"GATEWAY_NAME","value":"gateway"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHAT_SETTINGS","name":"CHANGE_CHAT_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
new file mode 100644
index 00000000000..9a1e9c5e2b5
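Review bot: All four sample events in this fixture carry the same `"uniqueQualifier":1` and the same `"time"`, so the expected file ends up with `event.id: "1"` and an identical `@timestamp` for every document and cannot distinguish a correctly mapped id from a constant one; giving each line its own value, e.g. `"uniqueQualifier":2` on the second line, would let the expected output pin the mapping. The chromeos sample hunk at the end of this chunk (cut off before its last line) follows the same pattern. The `ipAddress` is a real public address rather than a documentation range, which means the `client.geo.*` and `client.as.*` values in the generated expected file are tied to whatever geoip database the test pipeline ships and will need regenerating when it changes; presumably that is deliberate to exercise the geoip enrichment, but it is worth stating in the module test notes.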
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json
@@ -0,0 +1,201 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MEET_INTEROP_CREATE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_CREATE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + 
"client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MEET_INTEROP_DELETE_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_DELETE_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 384, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MEET_INTEROP_MODIFY_GATEWAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"MEET_INTEROP_MODIFY_GATEWAY\",\"parameters\":[{\"name\":\"GATEWAY_NAME\",\"value\":\"gateway\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.gateway.name": "gateway", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 768, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHAT_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHAT_SETTINGS\",\"name\":\"CHANGE_CHAT_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHAT_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1152, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log new file mode 100644 index 00000000000..9c3bd721f39 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log 
@@ -0,0 +1,21 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_DEVICE_STATE","parameters":[{"name":"DEVICE_NEW_STATE","value":"new"},{"name":"DEVICE_PREVIOUS_STATE","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_APPLICATION_SETTING","parameters":[{"name":"APP_ID","value":"2345"},{"name":"CHROME_OS_SESSION_TYPE","value":"type"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"SEND_CHROME_OS_DEVICE_COMMAND","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_ANNOTATION","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"2345"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_DEVICE_STATE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINT_SERVER","parameters":[{"name":"PRINT_SERVER_NAME","value":"server"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"INSERT_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"DELETE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_CHROME_OS_PRINTER","parameters":[{"name":"PRINTER_NAME","value":"printer"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"CHANGE_CHROME_OS_USER_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"ISSUE_DEVICE_COMMAND","parameters":[{"name":"DEVICE_COMMAND_DETAILS","multiValue":["command","-a"]},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"MOVE_DEVICE_TO_ORG_UNIT_DETAILED","parameters":[{"name":"DEVICE_NEW_ORG_UNIT","value":"new"},{"name":"DEVICE_PREVIOUS_ORG_UNIT","value":"prev"},{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"REMOVE_CHROME_OS_APPLICATION_SETTINGS","parameters":[{"name":"APP_ID","value":"1234"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CHROME_OS_SETTINGS","name":"UPDATE_DEVICE","parameters":[{"name":"DEVICE_SERIAL_NUMBER","value":"1234"},{"name":"DEVICE_TYPE","value":"type"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
new file mode 100644
index 00000000000..18295dd26ee
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json
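Review bot: The 21st and last record of this chromeos fixture is a `"type":"CONTACTS_SETTINGS"` / `"name":"CHANGE_CONTACTS_SETTING"` event, not a `CHROME_OS_SETTINGS` one, so the chromeos fixture and its expected file silently double as the contacts test; it belongs in a contacts fixture, or the mix should be deliberate and named as such. A second weakness is that all 21 records carry `"uniqueQualifier":1` and the identical `"time"`, so the expected output pins `event.id` to `"1"` for every record and the fixture cannot catch a pipeline that mis-derives or collides the ID; giving each line a distinct qualifier, e.g. `"uniqueQualifier":2` on the second record and so on, would make the expected records distinguishable. The `ISSUE_DEVICE_COMMAND` record is the only one exercising a `multiValue` parameter, which matters because remote device commands are the security-relevant events in this family; keep that coverage intact if lines are moved between fixtures.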
@@ -0,0 +1,1062 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + 
"gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_DEVICE_STATE\",\"parameters\":[{\"name\":\"DEVICE_NEW_STATE\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_STATE\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": 
"type", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 648, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"2345\"},{\"name\":\"CHROME_OS_SESSION_TYPE\",\"value\":\"type\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + 
"event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "2345", + "gsuite.admin.chrome_os.session_type": "type", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1162, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"SEND_CHROME_OS_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_ANNOTATION\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"2345\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "2345", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_DEVICE_STATE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3641, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "INSERT_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4151, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4546, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINT_SERVER\",\"parameters\":[{\"name\":\"PRINT_SERVER_NAME\",\"value\":\"server\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.print_server.name": "server", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4941, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "INSERT_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"INSERT_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5406, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"DELETE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_CHROME_OS_PRINTER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_CHROME_OS_PRINTER\",\"parameters\":[{\"name\":\"PRINTER_NAME\",\"value\":\"printer\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.printer.name": "printer", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6178, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6634, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CHROME_OS_USER_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"CHANGE_CHROME_OS_USER_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7135, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ISSUE_DEVICE_COMMAND", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"ISSUE_DEVICE_COMMAND\",\"parameters\":[{\"name\":\"DEVICE_COMMAND_DETAILS\",\"multiValue\":[\"command\",\"-a\"]},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.command_details": [ + "command", + "-a" + ], + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7635, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"MOVE_DEVICE_TO_ORG_UNIT_DETAILED\",\"parameters\":[{\"name\":\"DEVICE_NEW_ORG_UNIT\",\"value\":\"new\"},{\"name\":\"DEVICE_PREVIOUS_ORG_UNIT\",\"value\":\"prev\"},{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "prev", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8124, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"REMOVE_CHROME_OS_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"1234\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "1234", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_DEVICE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CHROME_OS_SETTINGS\",\"name\":\"UPDATE_DEVICE\",\"parameters\":[{\"name\":\"DEVICE_SERIAL_NUMBER\",\"value\":\"1234\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.serial_number": "1234", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "CHROME_OS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CONTACTS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9465, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log new file mode 100644 index 00000000000..5aececc68aa --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log 
@@ -0,0 +1 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"CONTACTS_SETTINGS","name":"CHANGE_CONTACTS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json
new file mode 100644
index 00000000000..7d4741eb11c
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json
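Review bot: Every sample line in this fixture, and in gsuite-admin-delegatedadmin-test.json.log, uses the value 1 for id.uniqueQualifier, id.customerId and actor.profileId, so the expected output cannot show whether event.id, organization.id and client.user.id were each filled from the intended source field — a pipeline that swapped two of them would still pass. Giving the three fields distinct constructed values per line, for example `"uniqueQualifier":4321`, `"customerId":"C03example"` and `"profileId":1001`, and regenerating the expected files would make the fixtures discriminating. The eight delegated-admin events also share one uniqueQualifier and one timestamp, which in the Reports API is the pair that distinguishes events, so distinct qualifiers there would additionally exercise event.id uniqueness across a batch.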
@@ -0,0 +1,54 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CONTACTS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"CONTACTS_SETTINGS\",\"name\":\"CHANGE_CONTACTS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "CONTACTS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + 
"related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log new file mode 100644 index 00000000000..da76df3f767 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log 
@@ -0,0 +1,8 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"CREATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"DELETE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"ADD_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"REMOVE_PRIVILEGE","parameters":[{"name":"PRIVILEGE_NAME","value":"privilege"},{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"RENAME_ROLE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UPDATE_ROLE","parameters":[{"name":"ROLE_ID","value":"1234"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DELEGATED_ADMIN_SETTINGS","name":"UNASSIGN_ROLE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"ROLE_NAME","value":"_DIRECTORY_SYNC_ADMIN_ROLE"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json
new file mode 100644
index 00000000000..db951c82cf3
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json
@@ -0,0 +1,400 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"CREATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 483, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", 
+ "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"DELETE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 912, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"ADD_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": 
"Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"REMOVE_PRIVILEGE\",\"parameters\":[{\"name\":\"PRIVILEGE_NAME\",\"value\":\"privilege\"},{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.privilege.name": "privilege", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + 
"client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"RENAME_ROLE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2298, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_ROLE", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UPDATE_ROLE\",\"parameters\":[{\"name\":\"ROLE_ID\",\"value\":\"1234\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.role.id": "1234", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2728, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNASSIGN_ROLE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DELEGATED_ADMIN_SETTINGS\",\"name\":\"UNASSIGN_ROLE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"ROLE_NAME\",\"value\":\"_DIRECTORY_SYNC_ADMIN_ROLE\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.role.name": "_DIRECTORY_SYNC_ADMIN_ROLE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DELEGATED_ADMIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3157, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log new file mode 100644 index 00000000000..c3166fb87d2 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log 
@@ -0,0 +1,3 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
new file mode 100644
index 00000000000..1f43ad582c5
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json
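Review bot: Every record in this fixture uses a real, routable subscriber address as `ipAddress`, and the expected output generated from it pins `client.as.number`, `client.as.organization.name` and the `client.geo.*` fields, which come from whatever GeoIP/ASN database the test Elasticsearch ships (presumably GeoLite2) rather than from the fileset's own parsing; a database refresh will break these expectations for reasons unrelated to the pipeline. If the enrichment is meant to stay under test, a short note in the fileset docs or the test manifest saying that geo/ASN expectations are tied to the bundled GeoIP data would spare the next maintainer a confusing failure. Otherwise a documentation-range address such as `203.0.113.24` would keep only the parser's own fields in the expected output and avoid publishing a real end-user IP in a public fixture.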
@@ -0,0 +1,160 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TRANSFER_DOCUMENT_OWNERSHIP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"TRANSFER_DOCUMENT_OWNERSHIP\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DRIVE_DATA_RESTORE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 10800000000000, + "event.end": "2002-10-02T15:00:00Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T12:00:00Z", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 471, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 
7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DOCS_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"CHANGE_DOCS_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOCS_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 967, + 
"organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log new file mode 100644 index 00000000000..b452d9e8d94 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log 
@@ -0,0 +1,85 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ACCOUNT_AUTO_RENEWAL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"NON_AUTO_RENEWAL"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_ENABLED","value":"app enabled"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_APPLICATION_TO_WHITELIST","parameters":[{"name":"APP_ID","value":"id"},{"name":"APPLICATION_NAME","value":"app name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ADVERTISEMENT_OPTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ALERT_CRITERIA","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_ALERT","parameters":[{"name":"ALERT_NAME","value":"alert name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_RECEIVERS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_ALERT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ALERT_STATUS_CHANGED","parameters":[{"name":"ALERT_NAME","value":"alert name"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS_MX","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_DOMAIN_ALIAS","parameters":[{"name":"DOMAIN_ALIAS","value":"alias"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"DOMAIN_VERIFICATION_METHOD","value":"ANALYTICS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_API_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"true"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"AUTHORIZE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"},{"name":"API_SCOPES","multiValue":["a","b"]}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_API_CLIENT_ACCESS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"API_CLIENT_NAME","value":"api client"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHROME_LICENSES_REDEEMED","parameters":[{"name":"APP_LICENSES_ORDER_NUMBER","value":"abcd123"},{"name":"APPLICATION_NAME","value":"app name"},{"name":"CHROME_NUM_LICENSES_PURCHASED","intValue":1}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_AUTO_ADD_NEW_SERVICE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PRIMARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_WHITELIST_SETTING","parameters":[{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"COMMUNICATION_PREFERENCES_SETTING_CHANGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SETTING_NAME","value":"setting"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CONFLICT_ACCOUNT_ACTION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_FEEDBACK_SOLICITATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_CONTACT_SHARING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"false"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_CUSTOM_LOGO","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_LOCALIZATION_SETTING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_PLAY_FOR_WORK_TOKEN","parameters":[{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VIEW_DNS_LOGIN_DETAILS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_LOCALE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_DEFAULT_TIMEZONE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_PRE_RELEASE_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_DOMAIN_SUPPORT_MESSAGE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_TRUSTED_DOMAINS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EDU_TYPE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSO_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_SSL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"INFO_TYPE","value":"ADDRESS"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_TRANSFER_TOKEN"}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BACKGROUND_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_BORDER_COLOR","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_LOGIN_ACTIVITY_TRACE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_ENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"},{"name":"PLAY_FOR_WORK_TOKEN_ID","value":"token"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"PLAY_FOR_WORK_UNENROLL","parameters":[{"name":"PLAY_FOR_WORK_MDM_VENDOR_NAME","value":"vendor"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"MX_RECORD_VERIFICATION_CLAIM","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_NEW_APP_FEATURES","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPLOAD_OAUTH_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REGENERATE_OAUTH_CONSUMER_SECRET","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OPEN_ID_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_ORGANIZATION_NAME","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"TOGGLE_OUTBOUND_RELAY","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MAX_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_PASSWORD_MIN_LENGTH","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"APP_ID","value":"appid"},{"name":"APPLICATION_NAME","value":"app name"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RENEW_DOMAIN_REGISTRATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RESELLER_ACCESS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_ACTIONS_CHANGED","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CREATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_RULE_CRITERIA","parameters":[{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"DELETE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RENAME_RULE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"RULE_STATUS_CHANGED","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"RULE_NAME","value":"rule"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"ADD_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"REMOVE_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"SKIP_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN_MX","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"VERIFY_SECONDARY_DOMAIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"SECONDARY_DOMAIN_NAME","value":"example2.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_DOMAIN_SECONDARY_EMAIL","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"CHANGE_SSO_SETTINGS","parameters":[{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"GENERATE_PIN"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"DOMAIN_SETTINGS","name":"UPDATE_RULE","parameters":[{"name":"RULE_NAME","value":"rule"}]}} diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json new file mode 100644 index 00000000000..523c942555b --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json 
@@ -0,0 +1,4183 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ACCOUNT_AUTO_RENEWAL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ACCOUNT_AUTO_RENEWAL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"NON_AUTO_RENEWAL\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "NON_AUTO_RENEWAL", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable 
Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_APPLICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_ENABLED\",\"value\":\"app enabled\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.enabled": "app enabled", + "gsuite.admin.application.id": "id", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 437, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + 
"client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_APPLICATION_TO_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "id", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 900, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ADVERTISEMENT_OPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ADVERTISEMENT_OPTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1323, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": 
"98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ALERT_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + 
"event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ALERT_CRITERIA\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2154, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_ALERT\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2535, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ALERT_RECEIVERS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_RECEIVERS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2907, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_ALERT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_ALERT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3360, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ALERT_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ALERT_STATUS_CHANGED\",\"parameters\":[{\"name\":\"ALERT_NAME\",\"value\":\"alert name\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.alert.name": "alert name", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3759, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4209, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4627, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SKIP_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5048, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VERIFY_DOMAIN_ALIAS_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS_MX\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5470, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VERIFY_DOMAIN_ALIAS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_DOMAIN_ALIAS\",\"parameters\":[{\"name\":\"DOMAIN_ALIAS\",\"value\":\"alias\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"DOMAIN_VERIFICATION_METHOD\",\"value\":\"ANALYTICS\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.alias": "alias", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.verification_method": "ANALYTICS", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5894, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OAUTH_ACCESS_TO_ALL_APIS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6373, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ALLOW_ADMIN_PASSWORD_RESET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6803, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENABLE_API_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_API_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"true\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "true", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7235, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "AUTHORIZE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"AUTHORIZE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"},{\"name\":\"API_SCOPES\",\"multiValue\":[\"a\",\"b\"]}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.api.client.name": "api client", + "gsuite.admin.api.scopes": [ + "a", + "b" + ], + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7687, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_API_CLIENT_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_API_CLIENT_ACCESS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"API_CLIENT_NAME\",\"value\":\"api client\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.api.client.name": "api client", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8169, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_LICENSES_REDEEMED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHROME_LICENSES_REDEEMED\",\"parameters\":[{\"name\":\"APP_LICENSES_ORDER_NUMBER\",\"value\":\"abcd123\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"},{\"name\":\"CHROME_NUM_LICENSES_PURCHASED\",\"intValue\":1}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.licences_order_number": "abcd123", + "gsuite.admin.application.licences_purchased": 1, + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8603, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_AUTO_ADD_NEW_SERVICE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9100, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_PRIMARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PRIMARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9526, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_WHITELIST_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_WHITELIST_SETTING\",\"parameters\":[{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9946, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"COMMUNICATION_PREFERENCES_SETTING_CHANGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10401, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CONFLICT_ACCOUNT_ACTION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENABLE_FEEDBACK_SOLICITATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_FEEDBACK_SOLICITATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11381, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_CONTACT_SHARING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_CONTACT_SHARING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11843, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12264, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_USE_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"false\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "false", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12657, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13078, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_FOR_RUSSIA\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13458, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_LOCALIZATION_SETTING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13919, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.info_type": "ADDRESS", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14377, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_PLAY_FOR_WORK_TOKEN\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14846, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VIEW_DNS_LOGIN_DETAILS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VIEW_DNS_LOGIN_DETAILS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15239, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_LOCALE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15623, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_DEFAULT_TIMEZONE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DOMAIN_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16545, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_PRE_RELEASE_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_DOMAIN_SUPPORT_MESSAGE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17852, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_TRUSTED_DOMAINS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_TRUSTED_DOMAINS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_EDU_TYPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EDU_TYPE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18617, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_ENABLE_OAUTH_CONSUMER_KEY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19064, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_SSO_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSO_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19493, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_SSL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_SSL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_EU_REPRESENTATIVE_CONTACT_INFO\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"INFO_TYPE\",\"value\":\"ADDRESS\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.info_type": "ADDRESS", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20315, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GENERATE_TRANSFER_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_TRANSFER_TOKEN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BACKGROUND_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21103, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_LOGIN_BORDER_COLOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_BORDER_COLOR\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21564, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_LOGIN_ACTIVITY_TRACE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22021, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "PLAY_FOR_WORK_ENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_ENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"},{\"name\":\"PLAY_FOR_WORK_TOKEN_ID\",\"value\":\"token\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.token": "token", + "gsuite.admin.mdm.vendor": "vendor", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22480, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "PLAY_FOR_WORK_UNENROLL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"PLAY_FOR_WORK_UNENROLL\",\"parameters\":[{\"name\":\"PLAY_FOR_WORK_MDM_VENDOR_NAME\",\"value\":\"vendor\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mdm.vendor": "vendor", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22925, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MX_RECORD_VERIFICATION_CLAIM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"MX_RECORD_VERIFICATION_CLAIM\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23322, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_NEW_APP_FEATURES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_NEW_APP_FEATURES\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23761, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_USE_NEXT_GEN_CONTROL_PANEL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24181, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPLOAD_OAUTH_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPLOAD_OAUTH_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24611, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REGENERATE_OAUTH_CONSUMER_SECRET\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24997, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_OPEN_ID_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OPEN_ID_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25391, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ORGANIZATION_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_ORGANIZATION_NAME\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25810, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_OUTBOUND_RELAY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"TOGGLE_OUTBOUND_RELAY\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26266, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_PASSWORD_MAX_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MAX_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26758, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_PASSWORD_MIN_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_PASSWORD_MIN_LENGTH\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27216, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27674, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28139, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_APPLICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "appid", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28610, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"appid\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"app name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "appid", + "gsuite.admin.application.name": "app name", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29026, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RENEW_DOMAIN_REGISTRATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_RESELLER_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RESELLER_ACCESS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29921, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RULE_ACTIONS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_ACTIONS_CHANGED\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30330, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CREATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30703, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_RULE_CRITERIA", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_RULE_CRITERIA\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31067, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"DELETE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RENAME_RULE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 31804, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RULE_STATUS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"RULE_STATUS_CHANGED\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32202, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"ADD_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 32644, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"REMOVE_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33082, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SKIP_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"SKIP_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VERIFY_SECONDARY_DOMAIN_MX", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN_MX\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 33965, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VERIFY_SECONDARY_DOMAIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"VERIFY_SECONDARY_DOMAIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"SECONDARY_DOMAIN_NAME\",\"value\":\"example2.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.domain.secondary_name": "example2.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34409, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_DOMAIN_SECONDARY_EMAIL\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 34850, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_SSO_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"CHANGE_SSO_SETTINGS\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35311, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GENERATE_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"GENERATE_PIN\"}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 35692, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_RULE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"DOMAIN_SETTINGS\",\"name\":\"UPDATE_RULE\",\"parameters\":[{\"name\":\"RULE_NAME\",\"value\":\"rule\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.rule.name": "rule", + "gsuite.event.type": "DOMAIN_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 36006, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log new file mode 100644 index 00000000000..f9ecb940c0f --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log 
@@ -0,0 +1,9 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DROP_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_LOG_SEARCH","parameters":[{"name":"EMAIL_LOG_SEARCH_END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"EMAIL_LOG_SEARCH_RECIPIENT","value":"recipient"},{"name":"EMAIL_LOG_SEARCH_SENDER","value":"sender"},{"name":"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_SMTP_SENDER_IP","value":"1.1.1.1"},{"name":"EMAIL_LOG_SEARCH_START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"EMAIL_UNDELETE","parameters":[{"name":"END_DATE","value":"2002-10-02T12:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"START_DATE","value":"2002-10-02T10:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_EMAIL_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CHANGE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"CREATE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"DELETE_GMAIL_SETTING","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_DESCRIPTION","value":"setting description"},{"name":"SETTING_NAME","value":"setting"},{"name":"USER_DEFINED_SETTING_NAME","value":"setting name"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"REJECT_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"EMAIL_SETTINGS","name":"RELEASE_FROM_QUARANTINE","parameters":[{"name":"EMAIL_LOG_SEARCH_MSG_ID","value":"id"},{"name":"QUARANTINE_NAME","value":"quarantine"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json
new file mode 100644
index 00000000000..c62f1599a2e
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json
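Review bot: The EMAIL_LOG_SEARCH fixture line sets both EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP and EMAIL_LOG_SEARCH_SMTP_SENDER_IP to `1.1.1.1`, a live public resolver, and every line carries the real routable actor address `98.235.162.24`; committed, published test data should prefer RFC 5737 documentation ranges such as `192.0.2.0/24` wherever the value is not needed for enrichment. The actor address presumably feeds the geo/ASN fields in the expected output and may be intentional, but the two SMTP filter values produce no enrichment in the companion expected file and could be `192.0.2.1` and `192.0.2.2` without touching any other assertion. Using two distinct values would also let the expected output show that sender and recipient IPs land in different fields rather than collapsing into one.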
@@ -0,0 +1,463 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DROP_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DROP_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable 
Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "EMAIL_LOG_SEARCH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_LOG_SEARCH\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"EMAIL_LOG_SEARCH_RECIPIENT\",\"value\":\"recipient\"},{\"name\":\"EMAIL_LOG_SEARCH_SENDER\",\"value\":\"sender\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_RECIPIENT_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_SMTP_SENDER_IP\",\"value\":\"1.1.1.1\"},{\"name\":\"EMAIL_LOG_SEARCH_START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.end_date": "2002-10-02T12:00:00Z", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.log_search_filter.recipient.ip": "1.1.1.1", + "gsuite.admin.email.log_search_filter.recipient.value": "recipient", + "gsuite.admin.email.log_search_filter.sender.ip": "1.1.1.1", + 
"gsuite.admin.email.log_search_filter.sender.value": "sender", + "gsuite.admin.email.log_search_filter.start_date": "2002-10-02T10:00:00Z", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 432, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "EMAIL_UNDELETE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 7200000000000, + "event.end": "2002-10-02T12:00:00Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"EMAIL_UNDELETE\",\"parameters\":[{\"name\":\"END_DATE\",\"value\":\"2002-10-02T12:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"START_DATE\",\"value\":\"2002-10-02T10:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T10:00:00Z", + "event.type": [ + "creation" + ], + 
"fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1185, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_EMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_EMAIL_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": 
"admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1668, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CHANGE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting 
description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2251, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"CREATE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2789, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_GMAIL_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"DELETE_GMAIL_SETTING\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_DESCRIPTION\",\"value\":\"setting description\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"USER_DEFINED_SETTING_NAME\",\"value\":\"setting name\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.description": "setting description", + "gsuite.admin.setting.name": "setting", + "gsuite.admin.user_defined_setting.name": "setting name", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3327, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REJECT_FROM_QUARANTINE", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"REJECT_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3865, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RELEASE_FROM_QUARANTINE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"EMAIL_SETTINGS\",\"name\":\"RELEASE_FROM_QUARANTINE\",\"parameters\":[{\"name\":\"EMAIL_LOG_SEARCH_MSG_ID\",\"value\":\"id\"},{\"name\":\"QUARANTINE_NAME\",\"value\":\"quarantine\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email.log_search_filter.message_id": "id", + "gsuite.admin.email.quarantine_name": "quarantine", + "gsuite.event.type": "EMAIL_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4299, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log new file mode 100644 index 00000000000..2c60ded89cc --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log 
@@ -0,0 +1,14 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CREATE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"DELETE_GROUP","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_DESCRIPTION","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_LIST_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"ADD_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"REMOVE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBER_BULK_UPLOAD","parameters":[{"name":"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER","value":"0"},{"name":"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER","value":"10"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"GROUP_MEMBERS_DOWNLOAD"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_NAME","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"CHANGE_GROUP_SETTING","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"GROUP_SETTINGS","name":"WHITELISTED_GROUPS_UPDATED","parameters":[{"name":"WHITELISTED_GROUPS","value":"a,b,c"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
new file mode 100644
index 00000000000..27ae5a0b4e0
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json
@@ -0,0 +1,731 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CREATE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", 
+ "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_GROUP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"DELETE_GROUP\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "creation" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 379, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GROUP_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_DESCRIPTION\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 758, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + 
"client.user.name": "foo", + "event.action": "GROUP_LIST_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_LIST_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "group", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1149, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"ADD_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1469, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"REMOVE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1901, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_GROUP_MEMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2336, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", + "event.category": [ + "iam" + ], + 
"event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2841, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + 
"client.user.name": "foo", + "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GROUP_MEMBER_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBER_BULK_UPLOAD\",\"parameters\":[{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_FAILED_NUMBER\",\"value\":\"0\"},{\"name\":\"GROUP_MEMBER_BULK_UPLOAD_TOTAL_NUMBER\",\"value\":\"10\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 0, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3906, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": 
"foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GROUP_MEMBERS_DOWNLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"GROUP_MEMBERS_DOWNLOAD\"}}", + "event.provider": "admin", + "event.type": [ + "group", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4370, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GROUP_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_NAME\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4693, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_GROUP_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"CHANGE_GROUP_SETTING\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5112, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "WHITELISTED_GROUPS_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"GROUP_SETTINGS\",\"name\":\"WHITELISTED_GROUPS_UPDATED\",\"parameters\":[{\"name\":\"WHITELISTED_GROUPS\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "group", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.group.allowed_list": [ + "a", + "b", + "c" + ], + "gsuite.event.type": "GROUP_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5611, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log new file mode 100644 index 00000000000..c028ff6ba1c --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log 
@@ -0,0 +1,8 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_ALL_USERS_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_ASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"CHANGE_LICENSE_AUTO_ASSIGN","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"SKU_NAME","value":"sku"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REASSIGNMENT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"ORG_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"USER_LICENSE_REVOKE","parameters":[{"name":"OLD_VALUE","value":"old"},{"name":"USER_EMAIL","value":"user@example.com"},{"name":"PRODUCT_NAME","value":"product"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"LICENSES_SETTINGS","name":"UPDATE_DYNAMIC_LICENSE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"PRODUCT_NAME","value":"product"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
new file mode 100644
index 00000000000..380118b588c
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json
@@ -0,0 +1,407 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, 
+ "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_ALL_USERS_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 463, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + 
"client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_LICENSE_ASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_ASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 930, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": 
"North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"CHANGE_LICENSE_AUTO_ASSIGN\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.product.name": "product", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1398, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + 
"client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_LICENSE_REASSIGNMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REASSIGNMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1854, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 
40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ORG_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"ORG_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2359, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_LICENSE_REVOKE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"USER_LICENSE_REVOKE\",\"parameters\":[{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.product.name": "product", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2812, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + 
"client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_DYNAMIC_LICENSE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"LICENSES_SETTINGS\",\"name\":\"UPDATE_DYNAMIC_LICENSE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"product\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.name": "product", + "gsuite.event.type": "LICENSES_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3276, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log new file mode 100644 index 00000000000..69c376c4453 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log 
@@ -0,0 +1,31 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_CANCELLED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ACTION_REQUESTED","parameters":[{"name":"ACTION_ID","value":"id"},{"name":"ACTION_TYPE","value":"ACCOUNT_WIPE"},{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"name"},{"name":"ORG_UNIT_NAME","value":"org"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICES_BULK_CREATION","parameters":[{"name":"NUMBER_OF_COMPANY_OWNED_DEVICES","intValue":10}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_BLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_DEVICE_DELETION","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_UNBLOCKED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"COMPANY_OWNED_DEVICE_WIPED","parameters":[{"name":"COMPANY_DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","parameters":[{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"GROUP"},{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"NEW_PERMISSION_GRANT_STATE","value":"GRANTED"},{"name":"OLD_PERMISSION_GRANT_STATE","value":"DENIED"},{"name":"PERMISSION_GROUP_NAME","value":"LOCATION"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_APPLICATION_SETTINGS","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"SETTING_NAME","value":"setting"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_APPLICATION_TO_WHITELIST","parameters":[{"name":"MOBILE_APP_PACKAGE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"DISTRIBUTION_ENTITY_NAME","value":"ANY"},{"name":"DISTRIBUTION_ENTITY_TYPE","value":"ORG_UNIT"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_DELETE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_ADMIN_RESTRICTIONS_PIN","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ADD_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_WIRELESS_NETWORK","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_WIRELESS_NETWORK_NAME","value":"network"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"REMOVE_MOBILE_CERTIFICATE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"MOBILE_CERTIFICATE_COMMON_NAME","value":"cert"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_ACCOUNT_WIPE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"MOBILE_SETTINGS","name":"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
new file mode 100644
index 00000000000..3c0346e6896
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json
@@ -0,0 +1,1566 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ACTION_CANCELLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_CANCELLED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.mobile.action.id": "id", + "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + 
"98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ACTION_REQUESTED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ACTION_REQUESTED\",\"parameters\":[{\"name\":\"ACTION_ID\",\"value\":\"id\"},{\"name\":\"ACTION_TYPE\",\"value\":\"ACCOUNT_WIPE\"},{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.mobile.action.id": "id", + "gsuite.admin.mobile.action.type": "ACCOUNT_WIPE", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": 
"elastic.com", + "input.type": "log", + "log.offset": 534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_MOBILE_CERTIFICATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"name\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.mobile.certificate.name": "name", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 
1068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "COMPANY_DEVICES_BULK_CREATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICES_BULK_CREATION\",\"parameters\":[{\"name\":\"NUMBER_OF_COMPANY_OWNED_DEVICES\",\"intValue\":10}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.mobile.company_owned_devices": 10, + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1548, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_BLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1951, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", 
+ "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "COMPANY_DEVICE_DELETION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_DEVICE_DELETION\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2376, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": 
"Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_UNBLOCKED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2796, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + 
"event.action": "COMPANY_OWNED_DEVICE_WIPED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"COMPANY_OWNED_DEVICE_WIPED\",\"parameters\":[{\"name\":\"COMPANY_DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3223, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT\",\"parameters\":[{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"GROUP\"},{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"NEW_PERMISSION_GRANT_STATE\",\"value\":\"GRANTED\"},{\"name\":\"OLD_PERMISSION_GRANT_STATE\",\"value\":\"DENIED\"},{\"name\":\"PERMISSION_GROUP_NAME\",\"value\":\"LOCATION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "GROUP", + "gsuite.admin.new_value": "GRANTED", + "gsuite.admin.old_value": "DENIED", + "gsuite.admin.setting.name": "LOCATION", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3646, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", 
+ "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4354, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": 
"foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_APPLICATION_FROM_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4795, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + 
"client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_APPLICATION_SETTINGS\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5341, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable 
Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_APPLICATION_TO_WHITELIST\",\"parameters\":[{\"name\":\"MOBILE_APP_PACKAGE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"DISTRIBUTION_ENTITY_NAME\",\"value\":\"ANY\"},{\"name\":\"DISTRIBUTION_ENTITY_TYPE\",\"value\":\"ORG_UNIT\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.package_id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.distribution.entity.name": "ANY", + "gsuite.admin.distribution.entity.type": "ORG_UNIT", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_APPROVE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6534, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable 
Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + 
"client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_DELETE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_DELETE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7450, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": 
"US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_WIPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7908, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_MOBILE_SETTING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + 
"client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_ADMIN_RESTRICTIONS_PIN\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8898, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + 
"client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9328, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ADD_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9817, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + 
"client.user.name": "foo", + "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_WIRELESS_NETWORK\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10303, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": 
"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_WIRELESS_NETWORK_NAME\",\"value\":\"network\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10792, + "network.name": "network", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_MOBILE_CERTIFICATE", + "event.category": [ + 
"iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"REMOVE_MOBILE_CERTIFICATE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"MOBILE_CERTIFICATE_COMMON_NAME\",\"value\":\"cert\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.mobile.certificate.name": "cert", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11290, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + 
"event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11773, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12110, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12440, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12782, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_ACCOUNT_WIPE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_ACCOUNT_WIPE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13120, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13577, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"MOBILE_SETTINGS\",\"name\":\"MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "MOBILE_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14053, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log new file mode 100644 index 00000000000..3ad1efedd6a --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log 
@@ -0,0 +1,17 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ENABLED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ENABLED","value":"DISABLED"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SKU_NAME","value":"sku"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"ASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"UNASSIGN_CUSTOM_LOGO","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_ENROLLMENT_TOKEN","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CHROME_LICENSES_ALLOWED","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CHROME_LICENSES_ALLOWED","value":"EMPTY"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"CREATE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REMOVE_ORG_UNIT","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_DESCRIPTION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"MOVE_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"EDIT_ORG_UNIT_NAME","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"REVOKE_DEVICE_ENROLLMENT_TOKEN","parameters":[{"name":"FULL_ORG_UNIT_PATH","value":"full/org/path"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"ORG_SETTINGS","name":"TOGGLE_SERVICE_ENABLED","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SERVICE_NAME","value":"new"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
new file mode 100644
index 00000000000..79e059bc22b
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json
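Review bot: In the last fixture line of gsuite-admin-org-test.json.log (the TOGGLE_SERVICE_ENABLED event) the SERVICE_NAME parameter carries the same value `"new"` as NEW_VALUE, so the generated expected output cannot tell whether the pipeline wrote the service name or the new value into each target field, and a swapped mapping of these two parameters would still pass the test. Every other parameter in this file uses a value that names its own field (`"app"`, `"org"`, `"sku"`, `"old"`, `"full/org/path"`), so this one looks like a copy-paste slip rather than a deliberate choice. Change the parameter to `{"name":"SERVICE_NAME","value":"service"}` and regenerate the matching -expected.json; the expected record for this event is not within the reviewed span, so the exact field it lands in cannot be confirmed here.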
@@ -0,0 +1,839 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_LICENSES_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ENABLED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ENABLED\",\"value\":\"DISABLED\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.chrome_licenses.enabled": "DISABLED", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_CREATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 472, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": 
"2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_DELETED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 982, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + 
"client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SKU_NAME\",\"value\":\"sku\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.product.sku": "sku", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1457, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + 
"forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.full": "full/org/path", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2002, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": 
"North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ASSIGN_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"ASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2400, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNASSIGN_CUSTOM_LOGO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"UNASSIGN_CUSTOM_LOGO\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2771, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3144, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3520, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHROME_LICENSES_ALLOWED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CHROME_LICENSES_ALLOWED\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CHROME_LICENSES_ALLOWED\",\"value\":\"EMPTY\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.chrome_licenses.allowed": "EMPTY", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3896, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"CREATE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4365, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REMOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4733, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "EDIT_ORG_UNIT_DESCRIPTION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_DESCRIPTION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5101, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOVE_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"MOVE_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5479, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "EDIT_ORG_UNIT_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"EDIT_ORG_UNIT_NAME\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5880, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"REVOKE_DEVICE_ENROLLMENT_TOKEN\",\"parameters\":[{\"name\":\"FULL_ORG_UNIT_PATH\",\"value\":\"full/org/path\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.full": "full/org/path", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6286, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_SERVICE_ENABLED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"ORG_SETTINGS\",\"name\":\"TOGGLE_SERVICE_ENABLED\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SERVICE_NAME\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.service.name": "new", + "gsuite.event.type": "ORG_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6684, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log new file mode 100644 index 00000000000..1035f42a2fb --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log 
@@ -0,0 +1,24 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"},{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ADD_TO_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"REMOVE_FROM_TRUSTED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"OAUTH2_APP_ID","value":"id"},{"name":"OAUTH2_APP_NAME","value":"appname"},{"name":"OAUTH2_APP_TYPE","value":"CHROME_EXTENSION"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"BLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"APPS_SCRIPT"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_TWO_STEP_VERIFICATION_START_DATE","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"ALLOWED_TWO_STEP_VERIFICATION_METHOD","value":"ONLY_SECURITY_KEY"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TOGGLE_CAA_ENABLEMENT","parameters":[{"name":"NEW_VALUE","value":"new"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_ERROR_MESSAGE","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_CAA_APP_ASSIGNMENTS","parameters":[{"name":"APPLICATION_NAME","value":"app"},{"name":"CAA_ASSIGNMENTS_NEW","value":"new"},{"name":"CAA_ASSIGNMENTS_OLD","value":"old"},{"name":"GROUP_NAME","value":"group"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"TRUST_DOMAIN_OWNED_OAUTH2_APPS","parameters":[{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"ENFORCE_STRONG_AUTHENTICATION","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","parameters":[{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"SESSION_CONTROL_SETTINGS_CHANGE","parameters":[{"name":"REAUTH_APPLICATION","value":"ADMIN_CONSOLE"},{"name":"REAUTH_SETTING_NEW","value":"INHERIT"},{"name":"REAUTH_SETTING_OLD","value":"NEVER"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"CHANGE_SESSION_LENGTH","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SECURITY_SETTINGS","name":"UNBLOCK_ON_DEVICE_ACCESS","parameters":[{"name":"OAUTH2_SERVICE_NAME","value":"CALENDAR"},{"name":"ORG_UNIT_NAME","value":"org"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
new file mode 100644
index 00000000000..02062dcdb65
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json
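Review bot: Every record in this fixture uses the same value 1 for id.uniqueQualifier, id.customerId and actor.profileId, so in the generated expected output event.id, organization.id and client.user.id all become "1" and a pipeline that copied one of those source fields into the wrong target would still pass the test. The same holds for id.time, which is identical on every line, so a timestamp taken from the wrong field is equally undetectable. Giving each identifier a distinct value on each line, for example `"uniqueQualifier":1001,...,"customerId":"C01"` and `"profileId":2002` (constructed sample values), and varying id.time across records would let the expected file pin each ECS field to its source. The expected.json tail visible above this hunk shows the same "1"/"1"/"1" pattern, so the other fixture files in this commit likely have the same weakness.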
@@ -0,0 +1,1222 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ALLOW_STRONG_AUTHENTICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + 
"client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 461, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": 
"North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"DISALLOW_SERVICE_FOR_OAUTH2_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1348, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + 
"client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ADD_TO_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.application.id": "id", + "gsuite.admin.oauth2.application.name": "appname", + "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1903, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State 
College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"REMOVE_FROM_TRUSTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"OAUTH2_APP_ID\",\"value\":\"id\"},{\"name\":\"OAUTH2_APP_NAME\",\"value\":\"appname\"},{\"name\":\"OAUTH2_APP_TYPE\",\"value\":\"CHROME_EXTENSION\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.application.id": "id", + "gsuite.admin.oauth2.application.name": "appname", + "gsuite.admin.oauth2.application.type": "CHROME_EXTENSION", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2424, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": 
"Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "BLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"BLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"APPS_SCRIPT\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "APPS_SCRIPT", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2950, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": 
"US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3383, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + 
"client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_FREQUENCY\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3917, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4434, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + 
"service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_TWO_STEP_VERIFICATION_START_DATE\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4963, + "organization.id": 
"1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"ALLOWED_TWO_STEP_VERIFICATION_METHOD\",\"value\":\"ONLY_SECURITY_KEY\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.verification_method": "ONLY_SECURITY_KEY", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": 
"elastic.com", + "input.type": "log", + "log.offset": 5481, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_CAA_ENABLEMENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TOGGLE_CAA_ENABLEMENT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6010, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + 
"client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CAA_ERROR_MESSAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_ERROR_MESSAGE\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6385, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + 
"client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_CAA_APP_ASSIGNMENTS\",\"parameters\":[{\"name\":\"APPLICATION_NAME\",\"value\":\"app\"},{\"name\":\"CAA_ASSIGNMENTS_NEW\",\"value\":\"new\"},{\"name\":\"CAA_ASSIGNMENTS_OLD\",\"value\":\"old\"},{\"name\":\"GROUP_NAME\",\"value\":\"group\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "app", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6802, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + 
"client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNTRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7356, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + 
"client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"TRUST_DOMAIN_OWNED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7746, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": 
"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8134, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": 
"foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENFORCE_STRONG_AUTHENTICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"ENFORCE_STRONG_AUTHENTICATION\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.setting.name": "setting", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8652, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", 
+ "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + 
"client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED\",\"parameters\":[{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "group.domain": "example.com", + "group.name": "group", + "gsuite.actor.type": "USER", + "gsuite.admin.group.email": "group@example.com", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9718, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": 
"US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"SESSION_CONTROL_SETTINGS_CHANGE\",\"parameters\":[{\"name\":\"REAUTH_APPLICATION\",\"value\":\"ADMIN_CONSOLE\"},{\"name\":\"REAUTH_SETTING_NEW\",\"value\":\"INHERIT\"},{\"name\":\"REAUTH_SETTING_OLD\",\"value\":\"NEVER\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "ADMIN_CONSOLE", + "gsuite.admin.new_value": "INHERIT", + "gsuite.admin.old_value": "NEVER", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10237, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North 
America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_SESSION_LENGTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"CHANGE_SESSION_LENGTH\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10774, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": 
"Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNBLOCK_ON_DEVICE_ACCESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SECURITY_SETTINGS\",\"name\":\"UNBLOCK_ON_DEVICE_ACCESS\",\"parameters\":[{\"name\":\"OAUTH2_SERVICE_NAME\",\"value\":\"CALENDAR\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"}]}}", + "event.provider": "admin", + "event.type": [ + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.oauth2.service.name": "CALENDAR", + "gsuite.admin.org_unit.name": "org", + "gsuite.event.type": "SECURITY_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log new file mode 100644 index 00000000000..ff07d024c4c --- /dev/null +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log 
@@ -0,0 +1,5 @@
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"ADD_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"DELETE_WEB_ADDRESS","parameters":[{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","parameters":[{"name":"SERVICE_NAME","value":"service"},{"name":"SITE_LOCATION","value":"/path/in/url"},{"name":"WEB_ADDRESS","value":"http://example.com/path/in/url"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"SITES_SETTINGS","name":"VIEW_SITE_DETAILS","parameters":[{"name":"SITE_NAME","value":"site"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
new file mode 100644
index 00000000000..27a6d09ff66
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json
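Review bot: All five samples in this fixture carry `"callerType":"USER"` with an `actor.email`, so the expected output never pins what the pipeline produces for `client.user.*` and `related.user` when an actor has no email; if the pipeline handles another caller type, one sample without `actor.email` would lock that behaviour in. The same `SITE_LOCATION` and `WEB_ADDRESS` values are reused by four of the events, which is fine for a regression fixture but means a mapping error in `url.path` or `url.full` would surface identically in each, so a second, distinct URL in one event would make a failure easier to localise.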
@@ -0,0 +1,258 @@
+[
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "client.as.number": 7922,
+ "client.as.organization.name": "Comcast Cable Communications, LLC",
+ "client.geo.city_name": "State College",
+ "client.geo.continent_name": "North America",
+ "client.geo.country_iso_code": "US",
+ "client.geo.location.lat": 40.7957,
+ "client.geo.location.lon": -77.8618,
+ "client.geo.region_iso_code": "US-PA",
+ "client.geo.region_name": "Pennsylvania",
+ "client.ip": "98.235.162.24",
+ "client.user.domain": "bar.com",
+ "client.user.email": "foo@bar.com",
+ "client.user.id": "1",
+ "client.user.name": "foo",
+ "event.action": "ADD_WEB_ADDRESS",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"ADD_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "creation"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.admin.setting.name": "setting",
+ "gsuite.event.type": "SITES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 0,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "tags": [
+ "forwarded"
+ ],
+ "url.full": "http://example.com/path/in/url",
+ "url.path": "/path/in/url"
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "client.as.number": 7922,
+ "client.as.organization.name": "Comcast Cable Communications, LLC",
+ "client.geo.city_name": "State College",
+ "client.geo.continent_name": "North America",
+ "client.geo.country_iso_code": "US",
+ "client.geo.location.lat": 40.7957,
+ "client.geo.location.lon": -77.8618,
+ "client.geo.region_iso_code": "US-PA",
+ "client.geo.region_name": "Pennsylvania",
+ "client.ip": "98.235.162.24",
+ "client.user.domain": "bar.com",
+ "client.user.email": "foo@bar.com",
+ "client.user.id": "1",
+ "client.user.name": "foo",
+ "event.action": "DELETE_WEB_ADDRESS",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"DELETE_WEB_ADDRESS\",\"parameters\":[{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "deletion"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.admin.setting.name": "setting",
+ "gsuite.event.type": "SITES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 594,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "tags": [
+ "forwarded"
+ ],
+ "url.full": "http://example.com/path/in/url",
+ "url.path": "/path/in/url"
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "client.as.number": 7922,
+ "client.as.organization.name": "Comcast Cable Communications, LLC",
+ "client.geo.city_name": "State College",
+ "client.geo.continent_name": "North America",
+ "client.geo.country_iso_code": "US",
+ "client.geo.location.lat": 40.7957,
+ "client.geo.location.lon": -77.8618,
+ "client.geo.region_iso_code": "US-PA",
+ "client.geo.region_name": "Pennsylvania",
+ "client.ip": "98.235.162.24",
+ "client.user.domain": "bar.com",
+ "client.user.email": "foo@bar.com",
+ "client.user.id": "1",
+ "client.user.name": "foo",
+ "event.action": "CHANGE_SITES_SETTING",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_SETTING\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.domain.name": "example.com",
+ "gsuite.admin.new_value": "new",
+ "gsuite.admin.old_value": "old",
+ "gsuite.admin.org_unit.name": "org",
+ "gsuite.admin.setting.name": "setting",
+ "gsuite.event.type": "SITES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 1191,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "tags": [
+ "forwarded"
+ ]
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "client.as.number": 7922,
+ "client.as.organization.name": "Comcast Cable Communications, LLC",
+ "client.geo.city_name": "State College",
+ "client.geo.continent_name": "North America",
+ "client.geo.country_iso_code": "US",
+ "client.geo.location.lat": 40.7957,
+ "client.geo.location.lon": -77.8618,
+ "client.geo.region_iso_code": "US-PA",
+ "client.geo.region_name": "Pennsylvania",
+ "client.ip": "98.235.162.24",
+ "client.user.domain": "bar.com",
+ "client.user.email": "foo@bar.com",
+ "client.user.id": "1",
+ "client.user.name": "foo",
+ "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES\",\"parameters\":[{\"name\":\"SERVICE_NAME\",\"value\":\"service\"},{\"name\":\"SITE_LOCATION\",\"value\":\"/path/in/url\"},{\"name\":\"WEB_ADDRESS\",\"value\":\"http://example.com/path/in/url\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "change"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.service.name": "service",
+ "gsuite.event.type": "SITES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 1723,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "tags": [
+ "forwarded"
+ ],
+ "url.full": "http://example.com/path/in/url",
+ "url.path": "/path/in/url"
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "client.as.number": 7922,
+ "client.as.organization.name": "Comcast Cable Communications, LLC",
+ "client.geo.city_name": "State College",
+ "client.geo.continent_name": "North America",
+ "client.geo.country_iso_code": "US",
+ "client.geo.location.lat": 40.7957,
+ "client.geo.location.lon": -77.8618,
+ "client.geo.region_iso_code": "US-PA",
+ "client.geo.region_name": "Pennsylvania",
+ "client.ip": "98.235.162.24",
+ "client.user.domain": "bar.com",
+ "client.user.email": "foo@bar.com",
+ "client.user.id": "1",
+ "client.user.name": "foo",
+ "event.action": "VIEW_SITE_DETAILS",
+ "event.category": [
+ "iam"
+ ],
+ "event.dataset": "gsuite.admin",
+ "event.id": "1",
+ "event.module": "gsuite",
+ "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"SITES_SETTINGS\",\"name\":\"VIEW_SITE_DETAILS\",\"parameters\":[{\"name\":\"SITE_NAME\",\"value\":\"site\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.url.name": "site",
+ "gsuite.event.type": "SITES_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 2233,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo"
+ ],
+ "service.type": "gsuite",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log
new file mode 100644
index 00000000000..bed874fc9a4
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log
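Review bot: `event.category` is pinned to `["iam"]` for all five SITES_SETTINGS samples, including `ADD_WEB_ADDRESS` and `DELETE_WEB_ADDRESS`, which alter a site's web-address mapping rather than identities or access rights; ECS `configuration` looks like the closer fit, and committing this expected file enforces the `iam` choice for every future run. The `VIEW_SITE_DETAILS` sample maps `SITE_NAME` to `gsuite.admin.url.name`, a field whose name suggests a URL rather than a site; if that is deliberate, the field description in fields.yml should say it holds the site name so analysts do not treat it as an address. The categorization itself is decided in pipeline.js, which is outside this hunk.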
@@ -0,0 +1,74 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GENERATE_2SV_SCRATCH_CODES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_DEVICE_TOKENS","parameters":[{"name":"DEVICE_ID","value":"id"},{"name":"DEVICE_TYPE","value":"type"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_3LO_TOKEN","parameters":[{"name":"APP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ADMIN_PRIVILEGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_ASP","parameters":[{"name":"ASP_ID","value":"id"},{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TOGGLE_AUTOMATIC_CONTACT_SHARING","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"1"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CANCEL_USER_INVITE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DOMAIN_NAME","value":"example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_CUSTOM_FIELD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"USER_CUSTOM_FIELD","value":"custom"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_EXTERNAL_ID","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_GENDER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_IM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ENABLE_USER_IP_WHITELIST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_KEYWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LANGUAGE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_LOCATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ORGANIZATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_PHONE_NUMBER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_RELATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_USER_ADDRESS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"},{"name":"EMAIL_MONITOR_LEVEL_CHAT","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL","value":"info"},{"name":"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL","value":"info"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_DATA_TRANSFER_REQUEST","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"DESTINATION_USER_EMAIL","value":"dest@example.com"},{"name":"APPLICATION_NAME","value":"a,b,c"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GRANT_DELEGATED_ADMIN_PRIVILEGES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_ACCOUNT_INFO_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_EMAIL_MONITOR","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"EMAIL_MONITOR_DEST_EMAIL","value":"dest@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"REQUEST_ID","value":"id"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_FIRST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"GMAIL_RESET_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"GMAIL_RESET_REASON","value":"reason"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_LAST_NAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_ADDED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MAIL_ROUTING_DESTINATION_REMOVED","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ADD_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_NICKNAME","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"USER_NICKNAME","value":"nick"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CHANGE_PASSWORD_ON_NEXT_LOGIN","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_PENDING_INVITES_LIST"}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_EMAIL","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REMOVE_RECOVERY_PHONE","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_ACCOUNT_INFO","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REQUEST_MAILBOX_DUMP","parameters":[{"name":"USER_EMAIL","value":"user@example.com"},{"name":"BEGIN_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"EMAIL_EXPORT_INCLUDE_DELETED","value":"true"},{"name":"EMAIL_EXPORT_PACKAGE_CONTENT","value":"contents"},{"name":"SEARCH_QUERY_FOR_DUMP","value":"foo bar"},{"name":"END_DATE_TIME","value":"2002-10-02T16:00:00Z"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESEND_USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RESET_SIGNIN_COOKIES","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SECURITY_KEY_REGISTERED_FOR_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"REVOKE_SECURITY_KEY","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_INVITE","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"VIEW_TEMP_PASSWORD","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"TURN_OFF_2_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNBLOCK_USER_SESSION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_TITANIUM","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"ARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPDATE_BIRTHDATE","parameters":[{"name":"BIRTHDATE","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"CREATE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNGRADE_USER_FROM_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_ENROLLED_IN_TWO_STEP_VERIFICATION","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"DOWNLOAD_USERLIST_CSV"}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"MOVE_USER_TO_ORG_UNIT","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"RENAME_USER","parameters":[{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNENROLL_USER_FROM_STRONG_AUTH","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"SUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNARCHIVE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNDELETE_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UNSUSPEND_USER","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"UPGRADE_USER_TO_GPLUS","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD","parameters":[{"name":"BULK_UPLOAD_FAIL_USERS_NUMBER","value":"0"},{"name":"BULK_UPLOAD_TOTAL_USERS_NUMBER","value":"10"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"USER_SETTINGS","name":"USERS_BULK_UPLOAD_NOTIFICATION_SENT","parameters":[{"name":"USER_EMAIL","value":"user@example.com"}]}}
diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json
new file mode 100644
index 00000000000..389c1170b51
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json
@@ -0,0 +1,3766 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": 
"North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GENERATE_2SV_SCRATCH_CODES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GENERATE_2SV_SCRATCH_CODES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 388, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": 
"98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_3LO_DEVICE_TOKENS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_DEVICE_TOKENS\",\"parameters\":[{\"name\":\"DEVICE_ID\",\"value\":\"id\"},{\"name\":\"DEVICE_TYPE\",\"value\":\"type\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.device.id": "id", + "gsuite.admin.device.type": "type", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 778, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": 
"foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_3LO_TOKEN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_3LO_TOKEN\",\"parameters\":[{\"name\":\"APP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1238, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", 
+ "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1649, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2031, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GRANT_ADMIN_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2413, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_ADMIN_PRIVILEGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ADMIN_PRIVILEGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2798, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_ASP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_ASP\",\"parameters\":[{\"name\":\"ASP_ID\",\"value\":\"id\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.asp_id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TOGGLE_AUTOMATIC_CONTACT_SHARING\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3589, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"1\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 1, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.admin.domain.name": "example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4020, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4499, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CANCEL_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CANCEL_USER_INVITE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 4937, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_CUSTOM_FIELD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_CUSTOM_FIELD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"USER_CUSTOM_FIELD\",\"value\":\"custom\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.setting.name": "custom", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5364, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_EXTERNAL_ID", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + 
"event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_EXTERNAL_ID\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5868, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_GENDER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_GENDER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6325, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_IM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_IM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6777, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ENABLE_USER_IP_WHITELIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ENABLE_USER_IP_WHITELIST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7225, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_KEYWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_KEYWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7683, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_LANGUAGE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LANGUAGE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8136, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_LOCATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_LOCATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8590, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_ORGANIZATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ORGANIZATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9044, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_PHONE_NUMBER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_PHONE_NUMBER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9502, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9960, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10345, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_RELATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_RELATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10730, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_USER_ADDRESS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_USER_ADDRESS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11184, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"EMAIL_MONITOR_LEVEL_CHAT\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_DRAFT_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_INCOMING_EMAIL\",\"value\":\"info\"},{\"name\":\"EMAIL_MONITOR_LEVEL_OUTGOING_EMAIL\",\"value\":\"info\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00Z", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_monitor.dest_email": "dest@example.com", + "gsuite.admin.email_monitor.level.chat": "info", + "gsuite.admin.email_monitor.level.draft": "info", + "gsuite.admin.email_monitor.level.incoming": "info", + "gsuite.admin.email_monitor.level.outgoing": "info", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11637, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + 
"client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_DATA_TRANSFER_REQUEST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_DATA_TRANSFER_REQUEST\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"DESTINATION_USER_EMAIL\",\"value\":\"dest@example.com\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"a,b,c\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.application.name": "a,b,c", + "gsuite.admin.new_value": "dest@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12429, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + 
"client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GRANT_DELEGATED_ADMIN_PRIVILEGES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12926, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": 
"US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_ACCOUNT_INFO_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_ACCOUNT_INFO_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.request.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13357, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + 
"client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_EMAIL_MONITOR", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_EMAIL_MONITOR\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"EMAIL_MONITOR_DEST_EMAIL\",\"value\":\"dest@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_monitor.dest_email": "dest@example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13780, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_MAILBOX_DUMP", + 
"event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"REQUEST_ID\",\"value\":\"id\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.request.id": "id", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14227, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_FIRST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_FIRST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14645, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "GMAIL_RESET_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"GMAIL_RESET_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"GMAIL_RESET_REASON\",\"value\":\"reason\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15096, + "message": "reason", + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_LAST_NAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_LAST_NAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15523, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MAIL_ROUTING_DESTINATION_ADDED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_ADDED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15973, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MAIL_ROUTING_DESTINATION_REMOVED\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16402, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ADD_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ADD_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.admin.user.nickname": "nick", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16833, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_NICKNAME", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_NICKNAME\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"USER_NICKNAME\",\"value\":\"nick\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.admin.user.nickname": "nick", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17249, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17668, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CHANGE_PASSWORD_ON_NEXT_LOGIN\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.old_value": "old", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18047, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DOWNLOAD_PENDING_INVITES_LIST", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_PENDING_INVITES_LIST\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18510, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_RECOVERY_EMAIL", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_EMAIL\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 18839, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REMOVE_RECOVERY_PHONE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REMOVE_RECOVERY_PHONE\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19224, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REQUEST_ACCOUNT_INFO", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_ACCOUNT_INFO\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REQUEST_MAILBOX_DUMP", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.duration": 3600000000000, + "event.end": "2002-10-02T16:00:00Z", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REQUEST_MAILBOX_DUMP\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"},{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"EMAIL_EXPORT_INCLUDE_DELETED\",\"value\":\"true\"},{\"name\":\"EMAIL_EXPORT_PACKAGE_CONTENT\",\"value\":\"contents\"},{\"name\":\"SEARCH_QUERY_FOR_DUMP\",\"value\":\"foo bar\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2002-10-02T16:00:00Z\"}]}}", + "event.provider": "admin", + "event.start": "2002-10-02T15:00:00Z", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.email_dump.include_deleted": "true", + "gsuite.admin.email_dump.package_content": "contents", + "gsuite.admin.email_dump.query": "foo bar", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19993, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + 
"client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RESEND_USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESEND_USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20656, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RESET_SIGNIN_COOKIES", + "event.category": [ + 
"iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RESET_SIGNIN_COOKIES\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21083, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SECURITY_KEY_REGISTERED_FOR_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21467, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "REVOKE_SECURITY_KEY", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"REVOKE_SECURITY_KEY\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 21863, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_INVITE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_INVITE\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22246, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "VIEW_TEMP_PASSWORD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"VIEW_TEMP_PASSWORD\",\"parameters\":[{\"name\":\"DOMAIN_NAME\",\"value\":\"example.com\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.domain.name": "example.com", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 22666, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "TURN_OFF_2_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"TURN_OFF_2_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23093, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNBLOCK_USER_SESSION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNBLOCK_USER_SESSION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23485, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNENROLL_USER_FROM_TITANIUM", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_TITANIUM\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 23869, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "ARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"ARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24260, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPDATE_BIRTHDATE", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPDATE_BIRTHDATE\",\"parameters\":[{\"name\":\"BIRTHDATE\",\"value\":\"2002-10-02T15:00:00Z\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.birthdate": "2002-10-02T15:00:00Z", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 24636, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "CREATE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"CREATE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25068, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "deletion" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25443, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DOWNGRADE_USER_FROM_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNGRADE_USER_FROM_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 25818, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_ENROLLED_IN_TWO_STEP_VERIFICATION\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26207, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "DOWNLOAD_USERLIST_CSV", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"DOWNLOAD_USERLIST_CSV\"}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26609, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "MOVE_USER_TO_ORG_UNIT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"MOVE_USER_TO_ORG_UNIT\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.org_unit.name": "org", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 26930, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27389, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "RENAME_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"RENAME_USER\",\"parameters\":[{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.new_value": "new", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 27834, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNENROLL_USER_FROM_STRONG_AUTH\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28244, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "SUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"SUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 28638, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNARCHIVE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNARCHIVE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29014, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNDELETE_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNDELETE_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29392, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UNSUSPEND_USER", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UNSUSPEND_USER\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 29769, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "UPGRADE_USER_TO_GPLUS", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"UPGRADE_USER_TO_GPLUS\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}", + "event.provider": "admin", + "event.type": [ + "user", + "change" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.user.email": "user@example.com", + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30147, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "user" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USERS_BULK_UPLOAD", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD\",\"parameters\":[{\"name\":\"BULK_UPLOAD_FAIL_USERS_NUMBER\",\"value\":\"0\"},{\"name\":\"BULK_UPLOAD_TOTAL_USERS_NUMBER\",\"value\":\"10\"}]}}", + "event.provider": "admin", + "event.type": [ + "info" + ], + "fileset.name": "admin", + "gsuite.actor.type": "USER", + "gsuite.admin.bulk_upload.failed": 0, + "gsuite.admin.bulk_upload.total": 10, + "gsuite.event.type": "USER_SETTINGS", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 30532, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo" + ], + "service.type": "gsuite", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "client.as.number": 7922, + "client.as.organization.name": "Comcast Cable Communications, LLC", + "client.geo.city_name": "State College", + "client.geo.continent_name": "North America", + "client.geo.country_iso_code": "US", + "client.geo.location.lat": 40.7957, + "client.geo.location.lon": -77.8618, + "client.geo.region_iso_code": "US-PA", + "client.geo.region_name": "Pennsylvania", + "client.ip": "98.235.162.24", + "client.user.domain": "bar.com", + "client.user.email": "foo@bar.com", + "client.user.id": "1", + "client.user.name": "foo", + "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", + "event.category": [ + "iam" + ], + "event.dataset": "gsuite.admin", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"USER_SETTINGS\",\"name\":\"USERS_BULK_UPLOAD_NOTIFICATION_SENT\",\"parameters\":[{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "event.provider": "admin",
+ "event.type": [
+ "user",
+ "info"
+ ],
+ "fileset.name": "admin",
+ "gsuite.actor.type": "USER",
+ "gsuite.admin.user.email": "user@example.com",
+ "gsuite.event.type": "USER_SETTINGS",
+ "gsuite.kind": "admin#reports#activity",
+ "gsuite.organization.domain": "elastic.com",
+ "input.type": "log",
+ "log.offset": 30972,
+ "organization.id": "1",
+ "related.ip": [
+ "98.235.162.24"
+ ],
+ "related.user": [
+ "foo",
+ "user"
+ ],
+ "service.type": "gsuite",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go
index b0cebd8b1fd..85d6b81a11e 100644
--- a/x-pack/filebeat/module/gsuite/fields.go
+++ b/x-pack/filebeat/module/gsuite/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetGsuite returns asset data.
 // This is the base64 encoded gzipped contents of module/gsuite.
 func AssetGsuite() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/modules.d/gsuite.yml.disabled b/x-pack/filebeat/modules.d/gsuite.yml.disabled
index 97a3fdcf94a..ffb174f9989 100644
--- a/x-pack/filebeat/modules.d/gsuite.yml.disabled
+++ b/x-pack/filebeat/modules.d/gsuite.yml.disabled
@@ -26,3 +26,11 @@
 # var.http_client_timeout: 60s
 # var.user_key: all
 # var.interval: 5s
+ admin:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 5s
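Review bot: The new `admin:` block carries no comment describing what it collects, and it repeats the preceding fileset's commented variables verbatim (the three context lines above already show the same `var.http_client_timeout`, `var.user_key` and `var.interval` names), so someone copying this template cannot tell from the file what distinguishes the admin fileset from the others or why it ships `enabled: true`. A one-line comment above `admin:`, for example `# Admin console audit activity (Reports API applicationName "admin"); uses the same service-account credentials and polling settings as the other filesets`, would make the block self-explaining; the `"applicationName":"admin"` / `"event.provider": "admin"` values in the expected test output earlier in this patch are what that description is based on. Whether every variable listed here is actually honored by the admin fileset is decided by its manifest.yml, which is outside this hunk. If this modules.d file is generated from the module's `_meta/config.yml`, the comment belongs in that source rather than here.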