diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml index 3342ea6fc29..ec1fd37b1b7 100644 --- a/packages/google_workspace/changelog.yml +++ b/packages/google_workspace/changelog.yml @@ -1,4 +1,13 @@ # newer versions go on top +- version: "2.47.0" + changes: + - description: >- + Add support for `resource_ids`, `network_info.region_code`, `network_info.subdivision_code`, and `network_info.ip_asn` fields for login data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/15743 + - description: Convert `login.timestamp` to long for login data stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/15743 - version: "2.46.0" changes: - description: >- diff --git a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log index 8882c935173..827498dd209 100644 --- a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log +++ b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log 
@@ -15,3 +15,4 @@ {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"password"},{"name":"is_suspicious","boolValue":true},{"name":"login_type","value":"google_password"}]}} {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"risky_sensitive_action_allowed","parameters":[{"name":"login_challenge_method","value":"password"},{"name":"is_suspicious","boolValue":true},{"name":"login_type","value":"google_password"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"sensitive_action_name","value":"Allowing access to data"}]}} {"actor":{"email":"tl.zeous.daclitan@company.com","profileId":"111111111"},"etag":"Q2W123123123123","events":{"name":"login_verification","parameters":[{"name":"login_type","value":"google_password"},{"multiValue":["security_key"],"name":"login_challenge_method"},{"name":"login_challenge_status","value":"passed"},{"boolValue":true,"name":"is_second_factor"}],"type":"login"},"id":{"applicationName":"login","customerId":"123","time":"2025-02-27T05:59:58.481Z","uniqueQualifier":"123"},"ipAddress":"81.2.69.144","kind":"admin#reports#activity"} 
+{"actor":{"callerType":"KEY","key":"Google"},"etag":"\"Fn96D9A6wOUVq518\"","events":{"name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"intValue":"1759325583000000","name":"login_timestamp"}],"resourceIds":["1084964178399"],"type":"account_warning"},"id":{"applicationName":"login","customerId":"2","time":"2025-10-01T13:33:03.000Z","uniqueQualifier":"-780557281442037232"},"ipAddress":"1.128.0.0","kind":"admin#reports#activity","networkInfo":{"regionCode":"FR","subdivisionCode":"FR-NAQ"},"resourceDetails":[{"id":"0000000000000","type":"USER"}]} diff --git a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json index a9a9e27bce6..5c4931c7ce4 100644 --- a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json +++ b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json 
@@ -1349,6 +1349,73 @@ "id": "111111111", "name": "tl.zeous.daclitan" } + }, + { + "@timestamp": "2025-10-01T13:33:03.000Z", + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "suspicious_login", + "category": [ + "authentication" + ], + "id": "-780557281442037232", + "kind": "event", + "original": "{\"actor\":{\"callerType\":\"KEY\",\"key\":\"Google\"},\"etag\":\"\\\"Fn96D9A6wOUVq518\\\"\",\"events\":{\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"intValue\":\"1759325583000000\",\"name\":\"login_timestamp\"}],\"resourceIds\":[\"1084964178399\"],\"type\":\"account_warning\"},\"id\":{\"applicationName\":\"login\",\"customerId\":\"2\",\"time\":\"2025-10-01T13:33:03.000Z\",\"uniqueQualifier\":\"-780557281442037232\"},\"ipAddress\":\"1.128.0.0\",\"kind\":\"admin#reports#activity\",\"networkInfo\":{\"regionCode\":\"FR\",\"subdivisionCode\":\"FR-NAQ\"},\"resourceDetails\":[{\"id\":\"0000000000000\",\"type\":\"USER\"}]}", + "provider": "login", + "start": "2025-10-01T13:33:03.000Z", + "type": [ + "info" + ] + }, + "google_workspace": { + "actor": { + "key": "Google", + "type": "KEY" + }, + "event": { + "type": "account_warning" + }, + "kind": "admin#reports#activity", + "login": { + "affected_email_address": "foo@elastic.co", + "network_info": { + "region_code": "FR", + "subdivision_code": "FR-NAQ" + }, + "timestamp": 1759325583000000 + } + }, + "organization": { + "id": "2" + }, + "related": { + "ip": [ + "1.128.0.0" + ], + "user": [ + "foo" + ] + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "target": { + "domain": "elastic.co", + "name": "foo" + } + } } ] } 
diff --git a/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml index 357b7df94b4..289f6f9c5c8 100644 --- a/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml +++ b/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml @@ -215,6 +215,27 @@ processors: ctx.google_workspace.login[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["boolValue"]; } } + - rename: + field: json.networkInfo.ipAsn + target_field: google_workspace.login.network_info.ip_asn + ignore_missing: true + - rename: + field: json.networkInfo.regionCode + target_field: google_workspace.login.network_info.region_code + ignore_missing: true + - rename: + field: json.networkInfo.subdivisionCode + target_field: google_workspace.login.network_info.subdivision_code + ignore_missing: true + - rename: + field: json.resourceIds + target_field: google_workspace.login.resource_ids + ignore_missing: true + - convert: + field: google_workspace.login.timestamp + target_field: google_workspace.login.timestamp + type: long + ignore_missing: true - script: lang: painless if: ctx?.google_workspace?.login?.timestamp != null diff --git a/packages/google_workspace/data_stream/login/fields/fields.yml b/packages/google_workspace/data_stream/login/fields/fields.yml index b71519baafc..817e5507bd8 100644 --- a/packages/google_workspace/data_stream/login/fields/fields.yml +++ b/packages/google_workspace/data_stream/login/fields/fields.yml 
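Review bot: The new `convert` on `google_workspace.login.timestamp` carries neither `ignore_failure` nor a per-processor `on_failure`, so a `login_timestamp` whose `intValue` is not a parseable integer aborts the pipeline for that event at this step instead of just leaving the field unset; the processor list continues past the hunk, so I cannot see whether a pipeline-level `on_failure` catches it, but either way the fix is local: add `ignore_failure: true` or an `on_failure` that appends to `error.message`, as is conventional in these integration pipelines. `target_field: google_workspace.login.timestamp` merely repeats `field` and can be dropped. The `json.networkInfo.ipAsn` rename is not exercised by the new fixture, whose `networkInfo` only carries `regionCode` and `subdivisionCode`, so the expected output never shows `network_info.ip_asn`; extend the test event with an `ipAsn` value. If, as I believe the Reports API documents, `ipAsn` is a list of integers, confirm that the keyword mapping is what you want and decide whether it should also feed `source.as.number` rather than leaving that solely to the existing ASN enrichment.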
@@ -15,6 +15,17 @@ type: keyword description: | Login challenge status. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. + - name: network_info + type: group + fields: + - name: ip_asn + type: keyword + - name: region_code + type: keyword + - name: subdivision_code + type: keyword + - name: resource_ids + type: keyword - name: timestamp type: long description: | diff --git a/packages/google_workspace/docs/README.md b/packages/google_workspace/docs/README.md index 56a8c3badc8..8cf069a9889 100644 --- a/packages/google_workspace/docs/README.md +++ b/packages/google_workspace/docs/README.md @@ -627,6 +627,10 @@ An example event for `login` looks as following: | google_workspace.login.failure_type | Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword | | google_workspace.login.is_second_factor | | boolean | | google_workspace.login.is_suspicious | | boolean | +| google_workspace.login.network_info.ip_asn | | keyword | +| google_workspace.login.network_info.region_code | | keyword | +| google_workspace.login.network_info.subdivision_code | | keyword | +| google_workspace.login.resource_ids | | keyword | | google_workspace.login.sensitive_action_name | | keyword | | google_workspace.login.timestamp | UNIX timestmap of login in microseconds. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | long | | google_workspace.login.type | Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword | diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml index d481400df30..26beb0b1bbf 100644 --- a/packages/google_workspace/manifest.yml +++ b/packages/google_workspace/manifest.yml 
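Review bot: The four new fields in `fields.yml` have no `description`, which is why the README rows added in this change render with an empty description column while the neighbouring `timestamp` and `challenge_status` entries are documented. Add one per field, e.g. `description: Autonomous system number(s) reported by Google for the client IP (networkInfo.ipAsn).`, `description: Region code reported by Google for the client IP (networkInfo.regionCode), e.g. FR.`, `description: Subdivision code reported by Google for the client IP (networkInfo.subdivisionCode), e.g. FR-NAQ.`, and `description: Identifiers of the resources affected by the event (resourceIds).` Since `resourceIds` is an array in the sample event, say so in the `resource_ids` description so consumers do not expect a single value.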
@@ -1,6 +1,6 @@ name: google_workspace title: Google Workspace -version: "2.46.0" +version: "2.47.0" source: license: Elastic-2.0 description: Collect logs from Google Workspace with Elastic Agent.