[Filebeat] [Google Workspace module] - Improve ECS utilization #4317
Description
We are ingesting Google Workspace data (admin, login, saml, user_accounts) into our Elasticsearch for search, detection in Elastic Security and visualization through Kibana. However, we have noticed a few specific fields where the Google Workspace module could see minor improvements in the ECS utilization.
Note: we are running filebeat version 8.3.3, but have noticed that none of the newer releases solves our issues.
admin, login, saml, user_accounts google_workspace.kind ECS fields: event.kind Suggestion: The event.kind field is not currently populated. This should be set to the value “event”. As the document that is received could be categorized as an event. source.email.user ECS fields: source.email.user | user.email Suggestion: The source.email.user field is populated with the correct data. This data should also populate the user.email field.