[google_workspace] - Updated google drive event schema and mappings to incorporate missing fields and avoid conflicts #10633
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
ShourieG added integration 
| Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
ShourieG changed the title Contributor Author
| /test |
💚 Build Succeeded
History
cc @ShourieG |
|
kcreddy approved these changes Jul 29, 2024
Contributor
kcreddy left a comment
kcreddy left a comment There was a problem hiding this comment.
Minor clarification. LGTM
packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml Show resolved Hide resolved
| Package google_workspace - 2.24.0 containing this change is available at https://epr.elastic.co/search?package=google_workspace |
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
…o incorporate missing fields and avoid conflicts (elastic#10633) * Updated google drive event schema and mappings to incorporate missing fields. * updated changelog * updated docs
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
…o incorporate missing fields and avoid conflicts (elastic#10633) * Updated google drive event schema and mappings to incorporate missing fields. * updated changelog * updated docs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Type of change
Proposed commit message
WHAT: Updated google drive event schema and mappings to incorporate missing fields and avoid conflicts.
WHY: It seems that there are some drive events that contain certain fields which were unmapped. The fields in question are as follows: -
as defined here. The only exception is the field owner_is_team_drive, which seems to be present in certain events but does not have an explicit definition anywhere. This also creates a scenario where for certain logs the target_user and target are both present in the source event, where they have different meanings and are not the same, hence target has to be mapped conditionally on our end.
Sample Log:
{ "actor": { "email": "[john.doe@example.com](mailto:john.doe@example.com)", "profileId": "987654" }, "etag": "-xyz1234567890/abcdefg", "events": { "name": "email_as_attachment", "parameters": [ { "name": "target", "value": "[jane.smith@example.org](mailto:jane.smith@example.org)" }, { "name": "target_user", "value": "[manager@example.com](mailto:manager@example.com)" }, { "boolValue": true, "name": "primary_event" }, { "boolValue": true, "name": "billable" }, { "boolValue": false, "name": "owner_is_shared_drive" }, { "name": "owner", "value": "[admin@example.co](mailto:admin@example.co)" }, { "name": "doc_id", "value": "doc123-456" }, { "name": "doc_type", "value": "spreadsheet" }, { "boolValue": false, "name": "is_encrypted" }, { "name": "doc_title", "value": "Quarterly Report" }, { "name": "visibility", "value": "shared_externally" }, { "boolValue": false, "name": "actor_is_collaborator_account" }, { "boolValue": false, "name": "owner_is_team_drive" } ], "type": "access" }, "id": { "applicationName": "drive", "customerId": "customer12345", "time": "2024-07-29T12:34:56.789Z", "uniqueQualifier": "4567890" }, "kind": "admin#reports#activity" }Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots