elastic · efd6 · Aug 4, 2024 · Aug 1, 2024
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.25.0"
+ changes:
+ - description: Add GeoIP processors to all data streams.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/10682
 - version: "2.24.0"
  changes:
  - description: Updated google drive event schema and mappings to incorporate missing fields.

@@ -73,6 +73,24 @@
  ]
  },
  "source": {
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
  "ip": "89.160.20.112",
  "user": {
  "domain": "bar.com",

@@ -107,6 +107,26 @@ processors:
  - append:
  field: error.message
  value: '{{{_ingest.on_failure_message}}}'
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
  - set:
  field: google_workspace.ip_address
  copy_from: source.ip

@@ -1,32 +1,32 @@
 {
  "@timestamp": "2020-10-02T15:00:00.000Z",
  "agent": {
- "ephemeral_id": "2fe6b5c7-2099-40a4-b604-3307a3659e18",
- "id": "f7070b0b-fbce-4ea8-a8b4-9591ca3f2b72",
+ "ephemeral_id": "e3f2296a-a4a2-4d03-9105-cee5b37c1408",
+ "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
  "name": "docker-fleet-agent",
  "type": "filebeat",
- "version": "8.6.0"
+ "version": "8.13.0"
  },
  "data_stream": {
  "dataset": "google_workspace.access_transparency",
- "namespace": "ep",
+ "namespace": "83912",
  "type": "logs"
  },
  "ecs": {
  "version": "8.11.0"
  },
  "elastic_agent": {
- "id": "f7070b0b-fbce-4ea8-a8b4-9591ca3f2b72",
+ "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
  "snapshot": false,
- "version": "8.6.0"
+ "version": "8.13.0"
  },
  "event": {
  "action": "APPLICATION_EVENT",
  "agent_id_status": "verified",
- "created": "2023-04-06T05:05:54.066Z",
+ "created": "2024-08-01T21:50:19.274Z",
  "dataset": "google_workspace.access_transparency",
  "id": "1",
- "ingested": "2023-04-06T05:05:58Z",
+ "ingested": "2024-08-01T21:50:31Z",
  "kind": [
  "event"
  ],
@@ -98,6 +98,18 @@
  ]
  },
  "source": {
+ "as": {
+ "number": 35908
+ },
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
  "ip": "67.43.156.13",
  "user": {
  "domain": "bar.com",
@@ -118,4 +130,4 @@
  "id": "1",
  "name": "foo"
  }
-}
+}
@@ -1,24 +1,24 @@
 {
  "@timestamp": "2022-04-04T15:04:05.000Z",
  "agent": {
- "ephemeral_id": "416ea592-bbd6-4286-8950-b30981d4e0dd",
- "id": "f7070b0b-fbce-4ea8-a8b4-9591ca3f2b72",
+ "ephemeral_id": "e64e710c-e02b-4997-bb7e-83b936dd6aa5",
+ "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
  "name": "docker-fleet-agent",
  "type": "filebeat",
- "version": "8.6.0"
+ "version": "8.13.0"
  },
  "data_stream": {
  "dataset": "google_workspace.admin",
- "namespace": "ep",
+ "namespace": "62273",
  "type": "logs"
  },
  "ecs": {
  "version": "8.11.0"
  },
  "elastic_agent": {
- "id": "f7070b0b-fbce-4ea8-a8b4-9591ca3f2b72",
+ "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
  "snapshot": false,
- "version": "8.6.0"
+ "version": "8.13.0"
  },
  "event": {
  "action": "CHANGE_APPLICATION_SETTING",
@@ -27,10 +27,10 @@
  "iam",
  "configuration"
  ],
- "created": "2023-04-06T05:06:41.510Z",
+ "created": "2024-08-01T21:51:15.529Z",
  "dataset": "google_workspace.admin",
  "id": "1",
- "ingested": "2023-04-06T05:06:45Z",
+ "ingested": "2024-08-01T21:51:27Z",
  "kind": "event",
  "original": "{\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"events\":{\"name\":\"CHANGE_APPLICATION_SETTING\",\"parameters\":[{\"name\":\"APPLICATION_EDITION\",\"value\":\"basic\"},{\"name\":\"APPLICATION_NAME\",\"value\":\"drive\"},{\"name\":\"GROUP_EMAIL\",\"value\":\"group@example.com\"},{\"name\":\"NEW_VALUE\",\"value\":\"new\"},{\"name\":\"OLD_VALUE\",\"value\":\"old\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"org\"},{\"name\":\"SETTING_NAME\",\"value\":\"setting\"}],\"type\":\"APPLICATION_SETTINGS\"},\"id\":{\"applicationName\":\"admin\",\"customerId\":\"1\",\"time\":\"2022-04-04T15:04:05Z\",\"uniqueQualifier\":1},\"ipAddress\":\"98.235.162.24\",\"kind\":\"admin#reports#activity\",\"ownerDomain\":\"elastic.com\"}",
  "provider": "admin",
@@ -117,4 +117,4 @@
  }
  }
  }
-}
+}
@@ -431,6 +431,26 @@ processors:
  - append:
  field: error.message
  value: '{{{_ingest.on_failure_message}}}'
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
  - set:
  field: source.ip
  copy_from: google_workspace.alert.data.source.ip

@@ -1,24 +1,24 @@
 {
  "@timestamp": "2022-07-01T10:49:29.436Z",
  "agent": {
- "ephemeral_id": "c184a610-116e-4d73-8068-204b91173c48",
- "id": "f7070b0b-fbce-4ea8-a8b4-9591ca3f2b72",
+ "ephemeral_id": "245194a8-7787-44f7-ac57-201f8c49a9a0",
+ "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
  "name": "docker-fleet-agent",
  "type": "filebeat",
- "version": "8.6.0"
+ "version": "8.13.0"
  },
  "data_stream": {
  "dataset": "google_workspace.alert",
- "namespace": "ep",
+ "namespace": "62301",
  "type": "logs"
  },
  "ecs": {
  "version": "8.11.0"
  },
  "elastic_agent": {
- "id": "f7070b0b-fbce-4ea8-a8b4-9591ca3f2b72",
+ "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
  "snapshot": false,
- "version": "8.6.0"
+ "version": "8.13.0"
  },
  "email": {
  "attachments": {
@@ -57,11 +57,11 @@
  "threat",
  "malware"
  ],
- "created": "2023-04-06T05:07:37.780Z",
+ "created": "2024-08-01T21:52:26.588Z",
  "dataset": "google_workspace.alert",
  "end": "2022-07-01T10:47:04.530Z",
  "id": "91840a82-3af0-46d7-95ec-625c1cf0c3f7",
- "ingested": "2023-04-06T05:07:41Z",
+ "ingested": "2024-08-01T21:52:38Z",
  "kind": "alert",
  "original": "{\"alertId\":\"91840a82-3af0-46d7-95ec-625c1cf0c3f7\",\"createTime\":\"2022-07-01T10:49:29.436394Z\",\"customerId\":\"02umwv6u\",\"data\":{\"@type\":\"type.googleapis.com/google.apps.alertcenter.type.MailPhishing\",\"domainId\":{\"customerPrimaryDomain\":\"example.com\"},\"isInternal\":true,\"maliciousEntity\":{\"displayName\":\"string\",\"entity\":{\"displayName\":\"example\",\"emailAddress\":\"example@example.com\"},\"fromHeader\":\"header@example.com\"},\"messages\":[{\"attachmentsSha256Hash\":[\"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c\",\"228b48a56dbc2ecf10393227ac9c9dc943881fd7a55452e12a09107476bef2b2\"],\"date\":\"2022-07-01T10:38:13.194711Z\",\"md5HashMessageBody\":\"d29343907090dff4cec4a9a0efb80d20\",\"md5HashSubject\":\"a3708f8228384d932237f85980ff8283\",\"messageBodySnippet\":\" hi greetings from sales \",\"messageId\":\"decedih843@example.com\",\"recipient\":\"example@example.com\",\"subjectText\":\"Sales\"},{\"attachmentsSha256Hash\":[\"5fb1679e08674059b72e271d8902c11a127bb5301b055dc77fa03932ada56a56\"],\"md5HashMessageBody\":\"d29343907090dff4cec4a9a0efb80d20\",\"md5HashSubject\":\"a3708f8228384d932237f85980ff8283\",\"messageBodySnippet\":\" hi greetings \",\"messageId\":\"decedih@example.com\",\"recipient\":\"example@example.com\",\"subjectText\":\"RE: Example salesorderspca JSON request\"}],\"systemActionType\":\"NO_OPERATION\"},\"deleted\":false,\"endTime\":\"2022-07-01T10:47:04.530834Z\",\"etag\":\"wF2Ix2DWDv8=\",\"metadata\":{\"alertId\":\"91840a82-3af0-46d7-95ec-625c1cf0c3f7\",\"assignee\":\"example@example.com\",\"customerId\":\"02umwv6u\",\"etag\":\"wF2Ix2DWDv8=\",\"severity\":\"HIGH\",\"status\":\"NOT_STARTED\",\"updateTime\":\"2022-07-01T10:49:29.436394Z\"},\"securityInvestigationToolLink\":\"string\",\"source\":\"Gmail phishing\",\"startTime\":\"2022-07-01T10:38:13.194711Z\",\"type\":\"User reported phishing\",\"updateTime\":\"2022-07-01T10:49:29.436394Z\"}",
  "start": "2022-07-01T10:38:13.194Z",
@@ -179,4 +179,4 @@
  ],
  "name": "example"
  }
-}
+}
@@ -67,6 +67,24 @@
  ]
  },
  "source": {
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "geo": {
+ "city_name": "Linköping",
+ "continent_name": "Europe",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "location": {
+ "lat": 58.4167,
+ "lon": 15.6167
+ },
+ "region_iso_code": "SE-E",
+ "region_name": "Östergötland County"
+ },
  "ip": "89.160.20.112",
  "user": {
  "domain": "bar.com",

@@ -107,6 +107,26 @@ processors:
  - append:
  field: error.message
  value: '{{{_ingest.on_failure_message}}}'
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
  - set:
  field: google_workspace.ip_address
  copy_from: source.ip

@@ -1,32 +1,32 @@
 {
  "@timestamp": "2020-10-02T15:00:00.000Z",
  "agent": {
- "ephemeral_id": "71645243-c58a-4eed-b3ed-d42137115d43",
- "id": "f7070b0b-fbce-4ea8-a8b4-9591ca3f2b72",
+ "ephemeral_id": "6fde0a21-1448-4531-a5c9-42751772e3a7",
+ "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
  "name": "docker-fleet-agent",
  "type": "filebeat",
- "version": "8.6.0"
+ "version": "8.13.0"
  },
  "data_stream": {
  "dataset": "google_workspace.context_aware_access",
- "namespace": "ep",
+ "namespace": "14973",
  "type": "logs"
  },
  "ecs": {
  "version": "8.11.0"
  },
  "elastic_agent": {
- "id": "f7070b0b-fbce-4ea8-a8b4-9591ca3f2b72",
+ "id": "c43b6bca-79fe-44a7-b837-da9db4bf7be4",
  "snapshot": false,
- "version": "8.6.0"
+ "version": "8.13.0"
  },
  "event": {
  "action": "APPLICATION_EVENT",
  "agent_id_status": "verified",
- "created": "2023-04-06T05:08:37.473Z",
+ "created": "2024-08-01T21:53:36.823Z",
  "dataset": "google_workspace.context_aware_access",
  "id": "1",
- "ingested": "2023-04-06T05:08:41Z",
+ "ingested": "2024-08-01T21:53:48Z",
  "kind": [
  "event"
  ],
@@ -92,6 +92,18 @@
  ]
  },
  "source": {
+ "as": {
+ "number": 35908
+ },
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
  "ip": "67.43.156.13",
  "user": {
  "domain": "bar.com",
@@ -112,4 +124,4 @@
  "id": "1",
  "name": "foo"
  }
-}
+}
@@ -130,6 +130,18 @@
  ]
  },
  "source": {
+ "as": {
+ "number": 35908
+ },
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
  "ip": "67.43.156.13",
  "user": {
  "domain": "bar.com",