Skip to content

Commit

Permalink
[Filebeat][Gsuite] Adds Drive audit Fileset (elastic#19704)
Browse files Browse the repository at this point in the history
* Add Gsuite Drive fileset

* Update config

* Update docs

* Add CHANGELOG entry

* Change url

* Update config

* Regenerate test files
  • Loading branch information
marc-gr authored Jul 14, 2020
1 parent 5cbc3d4 commit 7d27fac
Show file tree
Hide file tree
Showing 14 changed files with 2,335 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Adds Gsuite User Accounts support. {pull}19329[19329]
- Adds Gsuite Login audit support. {pull}19702[19702]
- Adds Gsuite Admin support. {pull}19769[19769]
- Adds Gsuite Drive support. {pull}19704[19704]

*Heartbeat*

Expand Down
220 changes: 220 additions & 0 deletions filebeat/docs/fields.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -62213,6 +62213,226 @@ type: keyword
--


*`gsuite.drive.billable`*::
+
--
Whether this activity is billable.

type: boolean

--

*`gsuite.drive.source_folder_id`*::
+
--
type: keyword

--

*`gsuite.drive.source_folder_title`*::
+
--
type: keyword

--

*`gsuite.drive.destination_folder_id`*::
+
--
type: keyword

--

*`gsuite.drive.destination_folder_title`*::
+
--
type: keyword

--

*`gsuite.drive.file.id`*::
+
--
type: keyword

--

*`gsuite.drive.file.type`*::
+
--
Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive


type: keyword

--

*`gsuite.drive.originating_app_id`*::
+
--
The Google Cloud Project ID of the application that performed the action.


type: keyword

--

*`gsuite.drive.file.owner.email`*::
+
--
type: keyword

--

*`gsuite.drive.file.owner.is_shared_drive`*::
+
--
Boolean flag denoting whether owner is a shared drive.


type: boolean

--

*`gsuite.drive.primary_event`*::
+
--
Whether this is a primary event. A single user action in Drive may generate several events.


type: boolean

--

*`gsuite.drive.shared_drive_id`*::
+
--
The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive.


type: keyword

--

*`gsuite.drive.visibility`*::
+
--
Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive


type: keyword

--

*`gsuite.drive.new_value`*::
+
--
When a setting or property of the file changes, the new value for it will appear here.


type: keyword

--

*`gsuite.drive.old_value`*::
+
--
When a setting or property of the file changes, the old value for it will appear here.


type: keyword

--

*`gsuite.drive.sheets_import_range_recipient_doc`*::
+
--
Doc ID of the recipient of a sheets import range.

type: keyword

--

*`gsuite.drive.old_visibility`*::
+
--
When visibility changes, this holds the old value.


type: keyword

--

*`gsuite.drive.visibility_change`*::
+
--
When visibility changes, this holds the new overall visibility of the file.


type: keyword

--

*`gsuite.drive.target_domain`*::
+
--
The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.


type: keyword

--

*`gsuite.drive.added_role`*::
+
--
Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive


type: keyword

--

*`gsuite.drive.membership_change_type`*::
+
--
Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive


type: keyword

--

*`gsuite.drive.shared_drive_settings_change_type`*::
+
--
Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive


type: keyword

--

*`gsuite.drive.removed_role`*::
+
--
Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive


type: keyword

--

*`gsuite.drive.target`*::
+
--
Target user or group.

type: keyword

--


*`gsuite.login.affected_email_address`*::
+
--
Expand Down
1 change: 1 addition & 0 deletions filebeat/docs/modules/gsuite.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ It is compatible with a subset of applications under the https://developers.goog
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events]
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events]
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events]
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[Drive Activity Events]

=== Configure the module

Expand Down
8 changes: 8 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -743,6 +743,14 @@ filebeat.modules:
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 5s
drive:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: [email protected]
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 5s

#------------------------------- HAProxy Module -------------------------------
- module: haproxy
Expand Down
8 changes: 8 additions & 0 deletions x-pack/filebeat/module/gsuite/_meta/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,3 +31,11 @@
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 5s
drive:
enabled: true
# var.jwt_file: credentials.json
# var.delegated_account: [email protected]
# var.initial_interval: 24h
# var.http_client_timeout: 60s
# var.user_key: all
# var.interval: 5s
1 change: 1 addition & 0 deletions x-pack/filebeat/module/gsuite/_meta/docs.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ It is compatible with a subset of applications under the https://developers.goog
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events]
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events]
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events]
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[Drive Activity Events]

=== Configure the module

Expand Down
89 changes: 89 additions & 0 deletions x-pack/filebeat/module/gsuite/drive/_meta/fields.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
- name: drive
type: group
fields:
- name: billable
type: boolean
description: Whether this activity is billable.
- name: source_folder_id
type: keyword
- name: source_folder_title
type: keyword
- name: destination_folder_id
type: keyword
- name: destination_folder_title
type: keyword
- name: file.id
type: keyword
- name: file.type
type: keyword
description: >
Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: originating_app_id
type: keyword
description: >
The Google Cloud Project ID of the application that performed the action.
- name: file.owner.email
type: keyword
- name: file.owner.is_shared_drive
type: boolean
description: >
Boolean flag denoting whether owner is a shared drive.
- name: primary_event
type: boolean
description: >
Whether this is a primary event. A single user action in Drive may generate several events.
- name: shared_drive_id
type: keyword
description: >
The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive.
- name: visibility
type: keyword
description: >
Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: new_value
type: keyword
description: >
When a setting or property of the file changes, the new value for it will appear here.
- name: old_value
type: keyword
description: >
When a setting or property of the file changes, the old value for it will appear here.
- name: sheets_import_range_recipient_doc
type: keyword
description: Doc ID of the recipient of a sheets import range.
- name: old_visibility
type: keyword
description: >
When visibility changes, this holds the old value.
- name: visibility_change
type: keyword
description: >
When visibility changes, this holds the new overall visibility of the file.
- name: target_domain
type: keyword
description: >
The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.
- name: added_role
type: keyword
description: >
Added membership role of a user/group in a Team Drive.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: membership_change_type
type: keyword
description: >
Type of change in Team Drive membership of a user/group.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: shared_drive_settings_change_type
type: keyword
description: >
Type of change in Team Drive settings.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: removed_role
type: keyword
description: >
Removed membership role of a user/group in a Team Drive.
For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
- name: target
type: keyword
description: Target user or group.

Loading

0 comments on commit 7d27fac

Please sign in to comment.