diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 091dcab8f35..8a190abb0ed 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -58,6 +58,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Adds Gsuite User Accounts support. {pull}19329[19329]
 - Adds Gsuite Login audit support. {pull}19702[19702]
 - Adds Gsuite Admin support. {pull}19769[19769]
+- Adds Gsuite Drive support. {pull}19704[19704]
 
 *Heartbeat*
 
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 3724fb42503..a15f2b36f27 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -62213,6 +62213,226 @@ type: keyword -- +*`gsuite.drive.billable`*:: ++ +-- +Whether this activity is billable. + +type: boolean + +-- + +*`gsuite.drive.source_folder_id`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.source_folder_title`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.destination_folder_id`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.destination_folder_title`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.file.id`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.file.type`*:: ++ +-- +Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.originating_app_id`*:: ++ +-- +The Google Cloud Project ID of the application that performed the action. + + +type: keyword + +-- + +*`gsuite.drive.file.owner.email`*:: ++ +-- +type: keyword + +-- + +*`gsuite.drive.file.owner.is_shared_drive`*:: ++ +-- +Boolean flag denoting whether owner is a shared drive. + + +type: boolean + +-- + +*`gsuite.drive.primary_event`*:: ++ +-- +Whether this is a primary event. A single user action in Drive may generate several events. + + +type: boolean + +-- + +*`gsuite.drive.shared_drive_id`*:: ++ +-- +The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. + + +type: keyword + +-- + +*`gsuite.drive.visibility`*:: ++ +-- +Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.new_value`*:: ++ +-- +When a setting or property of the file changes, the new value for it will appear here. + + +type: keyword + +-- + +*`gsuite.drive.old_value`*:: ++ +-- +When a setting or property of the file changes, the old value for it will appear here. 
+ + +type: keyword + +-- + +*`gsuite.drive.sheets_import_range_recipient_doc`*:: ++ +-- +Doc ID of the recipient of a sheets import range. + +type: keyword + +-- + +*`gsuite.drive.old_visibility`*:: ++ +-- +When visibility changes, this holds the old value. + + +type: keyword + +-- + +*`gsuite.drive.visibility_change`*:: ++ +-- +When visibility changes, this holds the new overall visibility of the file. + + +type: keyword + +-- + +*`gsuite.drive.target_domain`*:: ++ +-- +The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. + + +type: keyword + +-- + +*`gsuite.drive.added_role`*:: ++ +-- +Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.membership_change_type`*:: ++ +-- +Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.shared_drive_settings_change_type`*:: ++ +-- +Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.removed_role`*:: ++ +-- +Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + + +type: keyword + +-- + +*`gsuite.drive.target`*:: ++ +-- +Target user or group. + +type: keyword + +-- + + *`gsuite.login.affected_email_address`*:: + -- diff --git a/filebeat/docs/modules/gsuite.asciidoc b/filebeat/docs/modules/gsuite.asciidoc index ca3bb741516..60e44b0648c 100644 --- a/filebeat/docs/modules/gsuite.asciidoc +++ b/filebeat/docs/modules/gsuite.asciidoc 
@@ -25,6 +25,7 @@ It is compatible with a subset of applications under the https://developers.goog - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events] - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events] - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events] +- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[Drive Activity Events] === Configure the module diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index db893ed28e9..4a30bd84353 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -743,6 +743,14 @@ filebeat.modules: # var.http_client_timeout: 60s # var.user_key: all # var.interval: 5s + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 5s #------------------------------- HAProxy Module ------------------------------- - module: haproxy diff --git a/x-pack/filebeat/module/gsuite/_meta/config.yml b/x-pack/filebeat/module/gsuite/_meta/config.yml index 4422edc0ac7..57bc21e69ac 100644 --- a/x-pack/filebeat/module/gsuite/_meta/config.yml +++ b/x-pack/filebeat/module/gsuite/_meta/config.yml @@ -31,3 +31,11 @@ # var.http_client_timeout: 60s # var.user_key: all # var.interval: 5s + drive: + enabled: true + # var.jwt_file: credentials.json + # var.delegated_account: admin@example.com + # var.initial_interval: 24h + # var.http_client_timeout: 60s + # var.user_key: all + # var.interval: 5s diff --git a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc index cd774c15358..50eb3941b6e 100644 --- a/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc 
+++ b/x-pack/filebeat/module/gsuite/_meta/docs.asciidoc
@@ -20,6 +20,7 @@ It is compatible with a subset of applications under the https://developers.goog
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events]
+- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[Drive Activity Events]
 
 === Configure the module
 
diff --git a/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml b/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml
new file mode 100644
index 00000000000..9c031b89ce5
--- /dev/null
+++ b/x-pack/filebeat/module/gsuite/drive/_meta/fields.yml
@@ -0,0 +1,89 @@ +- name: drive + type: group + fields: + - name: billable + type: boolean + description: Whether this activity is billable. + - name: source_folder_id + type: keyword + - name: source_folder_title + type: keyword + - name: destination_folder_id + type: keyword + - name: destination_folder_title + type: keyword + - name: file.id + type: keyword + - name: file.type + type: keyword + description: > + Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: originating_app_id + type: keyword + description: > + The Google Cloud Project ID of the application that performed the action. + - name: file.owner.email + type: keyword + - name: file.owner.is_shared_drive + type: boolean + description: > + Boolean flag denoting whether owner is a shared drive. + - name: primary_event + type: boolean + description: > + Whether this is a primary event. A single user action in Drive may generate several events. + - name: shared_drive_id + type: keyword + description: > + The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive. + - name: visibility + type: keyword + description: > + Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: new_value + type: keyword + description: > + When a setting or property of the file changes, the new value for it will appear here. + - name: old_value + type: keyword + description: > + When a setting or property of the file changes, the old value for it will appear here. + - name: sheets_import_range_recipient_doc + type: keyword + description: Doc ID of the recipient of a sheets import range. + - name: old_visibility + type: keyword + description: > + When visibility changes, this holds the old value. 
+ - name: visibility_change + type: keyword + description: > + When visibility changes, this holds the new overall visibility of the file. + - name: target_domain + type: keyword + description: > + The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document. + - name: added_role + type: keyword + description: > + Added membership role of a user/group in a Team Drive. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: membership_change_type + type: keyword + description: > + Type of change in Team Drive membership of a user/group. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: shared_drive_settings_change_type + type: keyword + description: > + Type of change in Team Drive settings. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: removed_role + type: keyword + description: > + Removed membership role of a user/group in a Team Drive. + For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive + - name: target + type: keyword + description: Target user or group. + diff --git a/x-pack/filebeat/module/gsuite/drive/config/config.yml b/x-pack/filebeat/module/gsuite/drive/config/config.yml new file mode 100644 index 00000000000..5f1bd6ecbf3 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/config/config.yml 
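Review bot: Two description strings in this hunk carry typos that are copied verbatim into the generated `filebeat/docs/fields.asciidoc` earlier in this diff: `shared_drive_id` reads "Only populated for for events relating to a Team Drive" and `target_domain` reads "The domain for which the acccess scope was changed". Change them to `Only populated for events relating to a Team Drive or item contained inside a Team Drive.` and `The domain for which the access scope was changed.` and regenerate the docs so both copies agree. The `target_domain` text would also read more clearly with the literal set off, e.g. "the alias `all`", since a reader otherwise parses "alias all" as prose.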
@@ -0,0 +1,50 @@ +{{ if eq .input "httpjson" }} +type: httpjson + +url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/drive +json_objects_array: items +split_events_by: events + +interval: {{ .interval }} + +{{ if .http_client_timeout }} +http_client_timeout: {{ .http_client_timeout }} +{{ end }} + +oauth2.provider: google +oauth2.google.jwt_file: {{ .jwt_file }} +oauth2.google.delegated_account: {{ .delegated_account }} +oauth2.scopes: + - https://www.googleapis.com/auth/admin.reports.audit.readonly + +date_cursor.url_field: startTime +date_cursor.initial_interval: {{ .initial_interval }} + +pagination.id_field: nextPageToken +pagination.url_field: pageToken + +{{ else if eq .input "file" }} +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +{{ end }} + +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - add_fields: + target: '' + fields: + ecs.version: 1.5.0 + - script: + lang: javascript + id: gsuite-common + file: ${path.home}/module/gsuite/config/common.js + - script: + lang: javascript + id: gsuite-drive + file: ${path.home}/module/gsuite/drive/config/pipeline.js diff --git a/x-pack/filebeat/module/gsuite/drive/config/pipeline.js b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js new file mode 100644 index 00000000000..eb1d1170ea5 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/config/pipeline.js 
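Review bot: `oauth2.google.jwt_file: {{ .jwt_file }}` and `oauth2.google.delegated_account: {{ .delegated_account }}` are rendered as unquoted plain scalars, and neither variable has a default in `manifest.yml`, so a missing value or a credentials path containing `: ` or ` #` most likely reaches the YAML parser as something other than the intended string rather than failing with a clear configuration error. Quoting the expansions, `oauth2.google.jwt_file: "{{ .jwt_file }}"` and `oauth2.google.delegated_account: "{{ .delegated_account }}"`, keeps them strings, and a `{{ if .jwt_file }}` guard like the one already used for `http_client_timeout` would make the missing-credential case explicit at load time. If the sibling gsuite filesets share this template verbatim, the same applies to them.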
@@ -0,0 +1,190 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +var drive = (function () { + var path = require("path"); + var processor = require("processor"); + + var categorizeEvent = function(evt) { + evt.Put("event.category", ["file"]); + switch (evt.Get("event.action")) { + case "add_to_folder": + case "edit": + case "add_lock": + case "move": + case "remove_from_folder": + case "rename": + case "remove_lock": + case "sheets_import_range": + evt.Put("event.type", ["change"]); + break; + case "approval_canceled": + case "approval_comment_added": + case "approval_requested": + case "approval_reviewer_responded": + case "change_acl_editors": + case "change_document_access_scope": + case "change_document_visibility": + case "shared_drive_membership_change": + case "shared_drive_settings_change": + case "sheets_import_range_access_change": + case "change_user_access": + evt.AppendTo("event.category", "iam"); + evt.Put("event.type", ["change"]); + break; + case "create": + case "untrash": + case "upload": + evt.Put("event.type", ["creation"]); + break; + case "delete": + case "trash": + evt.Put("event.type", ["deletion"]); + break; + case "download": + case "preview": + case "print": + case "view": + evt.Put("event.type", ["info"]); + break; + } + }; + + var getParamValue = function(param) { + if (param.value) { + return param.value; + } + if (param.multiValue) { + return param.multiValue; + } + if (param.boolValue !== null) { + return param.boolValue; + } + }; + + var flattenParams = function(evt) { + var params = evt.Get("json.events.parameters"); + if (!params || !Array.isArray(params)) { + return; + } + + params.forEach(function(p){ + evt.Put("gsuite.drive."+p.name, getParamValue(p)); + }); + + evt.Delete("json.events.parameters"); + }; + + var setFileInfo = 
function(evt) { + var type = evt.Get("gsuite.drive.file.type"); + if (!type) { + return; + } + + switch (type) { + case "folder": + case "shared_drive": + evt.Put("file.type", "dir"); + break; + default: + evt.Put("file.type", "file"); + } + + // path returns extensions with a preceding ., e.g.: .tmp, .png + // according to ecs the expected format is without it, so we need to remove it. + var ext = path.extname(evt.Get("file.name")); + if (!ext) { + return; + } + + if (ext.charAt(0) === ".") { + ext = ext.substr(1); + } + evt.Put("file.extension", ext); + }; + + var setOwnerInfo = function(evt) { + var email = evt.Get("gsuite.drive.file.owner.email"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.Put("file.owner", data[0]); + evt.AppendTo("related.user", data[0]); + }; + + var setTargetRelatedUser = function(evt) { + var email = evt.Get("gsuite.drive.target"); + if (!email) { + return; + } + + var data = email.split("@"); + if (data.length !== 2) { + return; + } + + evt.AppendTo("related.user", data[0]); + }; + + var pipeline = new processor.Chain() + .Add(categorizeEvent) + .Add(flattenParams) + .Convert({ + fields: [ + { + from: "gsuite.drive.doc_id", + to: "gsuite.drive.file.id", + }, + { + from: "gsuite.drive.doc_title", + to: "file.name", + }, + { + from: "gsuite.drive.doc_type", + to: "gsuite.drive.file.type", + }, + { + from: "gsuite.drive.owner", + to: "gsuite.drive.file.owner.email", + }, + { + from: "gsuite.drive.owner_is_shared_drive", + to: "gsuite.drive.file.owner.is_shared_drive", + }, + { + from: "gsuite.drive.new_settings_state", + to: "gsuite.drive.new_value", + }, + { + from: "gsuite.drive.old_settings_state", + to: "gsuite.drive.old_value", + }, + { + from: "gsuite.drive.target_user", + to: "gsuite.drive.target", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(setFileInfo) + .Add(setOwnerInfo) + .Add(setTargetRelatedUser) + .Build(); + + 
return { + process: pipeline.Run, + }; +}()); + +function process(evt) { + return drive.process(evt); +} diff --git a/x-pack/filebeat/module/gsuite/drive/manifest.yml b/x-pack/filebeat/module/gsuite/drive/manifest.yml new file mode 100644 index 00000000000..48570efe448 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/manifest.yml @@ -0,0 +1,24 @@ +module_version: 1.0 + +var: + - name: input + default: httpjson + - name: jwt_file + - name: delegated_account + - name: initial_interval + default: 24h + - name: http_client_timeout + default: 60s + - name: user_key + default: all + - name: interval + default: 2h + - name: tags + default: [forwarded] + +input: config/config.yml +ingest_pipeline: ../ingest/common.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log new file mode 100644 index 00000000000..3cd073a7379 --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log 
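Review bot: `setFileInfo` calls `path.extname(evt.Get("file.name"))` without checking that `file.name` exists; it is only set when the event carried a `doc_title` parameter, and the preceding `Convert` step uses `ignore_missing: true`, so an event with `doc_type` but no `doc_title` hands a missing value to `path.extname`. Guard it the way the function already guards `type`: `var name = evt.Get("file.name");`, `if (!name) { return; }`, `var ext = path.extname(name);`. Separately, `getParamValue` falls through to `param.boolValue !== null`, which is also true for `undefined`, so a parameter carrying none of the three handled forms is stored as `undefined` under `gsuite.drive.<name>`; the Reports API also documents an `intValue` form that this helper would silently drop, which is worth confirming against the Drive parameter list. The `rename` sample in the new test log nests `"new_value":"bar.gif"` inside the `old_value` parameter object instead of as its own parameter, so `flattenParams` never produces `gsuite.drive.new_value` for it and the fixture does not exercise that field.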
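Review bot: `interval` defaults to `2h` here, while the commented examples added to `_meta/config.yml` and `filebeat.reference.yml` in this same change show `# var.interval: 5s`; users copy those commented lines as-is, so the example should either match the real default or be labelled as illustrative. Either change the example to `# var.interval: 2h` or add a comment above it such as `# Polling interval for the Reports API; defaults to 2h.` The other commented values (`24h`, `60s`, `all`) already agree with the manifest defaults.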
@@ -0,0 +1,28 @@ +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_to_folder","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_canceled","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_comment_added","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_requested","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"approval_reviewer_responded","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"create","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"delete","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"download","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"edit","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"add_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"move","parameters":[{"name":"billable","boolValue":false},{"name":"destination_folder_id","value":"1234"},{"name":"destination_folder_title","value":"folder title"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"preview","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"print","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_from_folder","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"source_folder_id","value":"1234"},{"name":"source_folder_title","value":"a folder title"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"rename","parameters":[{"name":"billable","boolValue":true},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"bar.gif"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_value","value":"foo.gif","new_value":"bar.gif"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"untrash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"sheets_import_range","parameters":[{"name":"sheets_import_range_recipient_doc","value":"1234"},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"trash","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"remove_lock","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} 
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"upload","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"access","name":"view","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"shared_drive_id","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_acl_editors","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_access_scope","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_document_visibility","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"owner"},{"name":"old_value","value":"writers"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_visibility","value":"people_within_domain_with_link"},{"name":"visibility_change","value":"external"},{"name":"target_domain","value":"all"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_membership_change","parameters":[{"name":"added_role","value":"editor"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"removed_role","value":"content_manager"},{"name":"membership_change_type","value":"add_to_shared_drive"},{"name":"target","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"shared_drive_settings_change","parameters":[{"name":"new_settings_state","value":"restricted"},{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"old_settings_state","value":"unrestricted"},{"name":"shared_drive_settings_change_type","value":"direct_acl"},{"name":"target","value":"user@example.com"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"sheets_import_range_access_change","parameters":[{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document title"},{"name":"doc_type","value":"document"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"visibility","value":"people_with_link"},{"name":"sheets_import_range_recipient_doc","value":"1234"}]}} +{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"drive","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"98.235.162.24","events":{"type":"acl_change","name":"change_user_access","parameters":[{"name":"billable","boolValue":false},{"name":"doc_id","value":"1234"},{"name":"doc_title","value":"document 
title"},{"name":"doc_type","value":"document"},{"name":"new_value","value":"can_comment"},{"name":"old_value","value":"can_view"},{"name":"old_visibility","value":"people_with_link"},{"name":"originating_app_id","value":"1234"},{"name":"owner","value":"owner@example.com"},{"name":"owner_is_shared_drive","boolValue":false},{"name":"primary_event","boolValue":true},{"name":"target_user","value":"user@example.com"},{"name":"visibility","value":"private"},{"name":"visibility_change","value":"external"}]}} diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json new file mode 100644 index 00000000000..3d75fea232d --- /dev/null +++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json 
@@ -0,0 +1,1706 @@ +[ + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_to_folder", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_to_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.destination_folder_id": "1234", + "gsuite.drive.destination_folder_title": "folder title", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", 
+ "log.offset": 0, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_canceled", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_canceled\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + 
"gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 816, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_comment_added", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_comment_added\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 1529, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": 
-77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_requested", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_requested\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + 
"gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2247, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "approval_reviewer_responded", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"approval_reviewer_responded\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + 
"file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 2961, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "create", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"create\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 3684, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "delete", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"delete\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "deletion" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + 
"input.type": "log", + "log.offset": 4386, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "download", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"download\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": 
"USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5088, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "edit", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"edit\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 5792, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "add_lock", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"add_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 6492, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "move", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"move\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"destination_folder_id\",\"value\":\"1234\"},{\"name\":\"destination_folder_title\",\"value\":\"folder title\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.destination_folder_id": "1234", + "gsuite.drive.destination_folder_title": "folder title", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + 
"gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.source_folder_id": "1234", + "gsuite.drive.source_folder_title": "a folder title", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 7196, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "preview", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"preview\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8102, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "print", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"print\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 8805, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_from_folder", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_from_folder\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"source_folder_id\",\"value\":\"1234\"},{\"name\":\"source_folder_title\",\"value\":\"a folder title\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.source_folder_id": "1234", + 
"gsuite.drive.source_folder_title": "a folder title", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 9506, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "rename", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"rename\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":true},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"bar.gif\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_value\",\"value\":\"foo.gif\",\"new_value\":\"bar.gif\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.extension": "gif", + "file.name": "bar.gif", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": true, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.old_value": "foo.gif", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 10319, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + 
"source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "untrash", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"untrash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + 
"gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11074, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "sheets_import_range", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"sheets_import_range\",\"parameters\":[{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": 
"drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.sheets_import_range_recipient_doc": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 11777, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "trash", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"trash\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "deletion" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 12514, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "remove_lock", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"remove_lock\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + 
"input.type": "log", + "log.offset": 13215, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "upload", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"upload\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"}]}}", + "event.provider": "drive", + "event.type": [ + "creation" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": 
"USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 13922, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "view", + "event.category": [ + "file" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"access\",\"name\":\"view\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"shared_drive_id\",\"value\":\"1234\"}]}}", + "event.provider": "drive", + "event.type": [ + "info" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.shared_drive_id": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "access", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 14624, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_acl_editors", + "event.category": [ + "file", + "iam" + ], + 
"event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_acl_editors\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + 
"gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 15366, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_document_access_scope", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_access_scope\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target_domain": "all", + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 16275, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_document_visibility", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_document_visibility\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"owner\"},{\"name\":\"old_value\",\"value\":\"writers\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_visibility\",\"value\":\"people_within_domain_with_link\"},{\"name\":\"visibility_change\",\"value\":\"external\"},{\"name\":\"target_domain\",\"value\":\"all\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + 
"gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "owner", + "gsuite.drive.old_value": "writers", + "gsuite.drive.old_visibility": "people_within_domain_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target_domain": "all", + "gsuite.drive.visibility": "people_with_link", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 17233, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "shared_drive_membership_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_membership_change\",\"parameters\":[{\"name\":\"added_role\",\"value\":\"editor\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"removed_role\",\"value\":\"content_manager\"},{\"name\":\"membership_change_type\",\"value\":\"add_to_shared_drive\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.added_role": "editor", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.membership_change_type": "add_to_shared_drive", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.removed_role": "content_manager", + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 
18189, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "shared_drive_settings_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"shared_drive_settings_change\",\"parameters\":[{\"name\":\"new_settings_state\",\"value\":\"restricted\"},{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"old_settings_state\",\"value\":\"unrestricted\"},{\"name\":\"shared_drive_settings_change_type\",\"value\":\"direct_acl\"},{\"name\":\"target\",\"value\":\"user@example.com\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "restricted", + "gsuite.drive.old_value": "unrestricted", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.shared_drive_settings_change_type": "direct_acl", + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 19117, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": 
"98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "sheets_import_range_access_change", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"sheets_import_range_access_change\",\"parameters\":[{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"visibility\",\"value\":\"people_with_link\"},{\"name\":\"sheets_import_range_recipient_doc\",\"value\":\"1234\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.sheets_import_range_recipient_doc": "1234", + "gsuite.drive.visibility": "people_with_link", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": 
"elastic.com", + "input.type": "log", + "log.offset": 20060, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + "source.geo.region_iso_code": "US-PA", + "source.geo.region_name": "Pennsylvania", + "source.ip": "98.235.162.24", + "source.user.domain": "bar.com", + "source.user.email": "foo@bar.com", + "source.user.id": "1", + "source.user.name": "foo", + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2020-10-02T15:00:00.000Z", + "event.action": "change_user_access", + "event.category": [ + "file", + "iam" + ], + "event.dataset": "gsuite.drive", + "event.id": "1", + "event.module": "gsuite", + "event.original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"drive\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"98.235.162.24\",\"events\":{\"type\":\"acl_change\",\"name\":\"change_user_access\",\"parameters\":[{\"name\":\"billable\",\"boolValue\":false},{\"name\":\"doc_id\",\"value\":\"1234\"},{\"name\":\"doc_title\",\"value\":\"document 
title\"},{\"name\":\"doc_type\",\"value\":\"document\"},{\"name\":\"new_value\",\"value\":\"can_comment\"},{\"name\":\"old_value\",\"value\":\"can_view\"},{\"name\":\"old_visibility\",\"value\":\"people_with_link\"},{\"name\":\"originating_app_id\",\"value\":\"1234\"},{\"name\":\"owner\",\"value\":\"owner@example.com\"},{\"name\":\"owner_is_shared_drive\",\"boolValue\":false},{\"name\":\"primary_event\",\"boolValue\":true},{\"name\":\"target_user\",\"value\":\"user@example.com\"},{\"name\":\"visibility\",\"value\":\"private\"},{\"name\":\"visibility_change\",\"value\":\"external\"}]}}", + "event.provider": "drive", + "event.type": [ + "change" + ], + "file.name": "document title", + "file.owner": "owner", + "file.type": "file", + "fileset.name": "drive", + "gsuite.actor.type": "USER", + "gsuite.drive.billable": false, + "gsuite.drive.file.id": "1234", + "gsuite.drive.file.owner.email": "owner@example.com", + "gsuite.drive.file.owner.is_shared_drive": false, + "gsuite.drive.file.type": "document", + "gsuite.drive.new_value": "can_comment", + "gsuite.drive.old_value": "can_view", + "gsuite.drive.old_visibility": "people_with_link", + "gsuite.drive.originating_app_id": "1234", + "gsuite.drive.primary_event": true, + "gsuite.drive.target": "user@example.com", + "gsuite.drive.visibility": "private", + "gsuite.drive.visibility_change": "external", + "gsuite.event.type": "acl_change", + "gsuite.kind": "admin#reports#activity", + "gsuite.organization.domain": "elastic.com", + "input.type": "log", + "log.offset": 20815, + "organization.id": "1", + "related.ip": [ + "98.235.162.24" + ], + "related.user": [ + "foo", + "owner", + "user" + ], + "service.type": "gsuite", + "source.as.number": 7922, + "source.as.organization.name": "Comcast Cable Communications, LLC", + "source.geo.city_name": "State College", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 40.7957, + "source.geo.location.lon": -77.8618, + 
"source.geo.region_iso_code": "US-PA",
+ "source.geo.region_name": "Pennsylvania",
+ "source.ip": "98.235.162.24",
+ "source.user.domain": "bar.com",
+ "source.user.email": "foo@bar.com",
+ "source.user.id": "1",
+ "source.user.name": "foo",
+ "tags": [
+ "forwarded"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/gsuite/fields.go b/x-pack/filebeat/module/gsuite/fields.go
index 85d6b81a11e..abba51e945c 100644
--- a/x-pack/filebeat/module/gsuite/fields.go
+++ b/x-pack/filebeat/module/gsuite/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetGsuite returns asset data.
 // This is the base64 encoded gzipped contents of module/gsuite.
 func AssetGsuite() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/modules.d/gsuite.yml.disabled b/x-pack/filebeat/modules.d/gsuite.yml.disabled
index ffb174f9989..4b0877167e5 100644
--- a/x-pack/filebeat/modules.d/gsuite.yml.disabled
+++ b/x-pack/filebeat/modules.d/gsuite.yml.disabled
@@ -34,3 +34,11 @@
 # var.http_client_timeout: 60s
 # var.user_key: all
 # var.interval: 5s
+ drive:
+ enabled: true
+ # var.jwt_file: credentials.json
+ # var.delegated_account: admin@example.com
+ # var.initial_interval: 24h
+ # var.http_client_timeout: 60s
+ # var.user_key: all
+ # var.interval: 5s
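Review bot: The new `drive:` block in gsuite.yml.disabled repeats the six commented-out variables of the filesets above it without saying what the two credential settings are, and this template is the one place an operator enabling the module will read. A short comment above `# var.jwt_file: credentials.json`, for example `# Key file for the service account that reads the Drive audit log (presumably via domain-wide delegation); keep it readable only by the filebeat user.`, and one above `# var.delegated_account` describing it as the admin account whose access the service account exercises, would document the trust being granted. `var.user_key: all` appears to select activity for every user in the domain; a one-line comment saying so would make the default's scope explicit. If the other fileset blocks, which are outside this hunk, have the same omission, the comments belong there too.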