[Google Workspace] Adding additional date format to admin pipeline

packages/google_workspace/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.19.1"
+ changes:
+ - description: Fixing timestamp format for Admin datastream
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/8912
 - version: "2.19.0"
  changes:
  - description: Limit request tracer log count to five.

packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log

@@ -1,3 +1,4 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOCS_SETTINGS","name":"TRANSFER_DOCUMENT_OWNERSHIP","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2002-10-02T12:00:00Z"},{"name":"END_DATE_TIME","value":"2002-10-02T15:00:00Z"},{"name":"USER_EMAIL","value":"user@example.com"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOCS_SETTINGS","name":"CHANGE_DOCS_SETTING","parameters":[{"name":"DOMAIN_NAME","value":"example.com"},{"name":"GROUP_EMAIL","value":"group@example.com"},{"name":"NEW_VALUE","value":"new"},{"name":"OLD_VALUE","value":"old"},{"name":"ORG_UNIT_NAME","value":"org"},{"name":"SETTING_NAME","value":"setting"}]}}
+{"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"admin","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"DOCS_SETTINGS","name":"DRIVE_DATA_RESTORE","parameters":[{"name":"BEGIN_DATE_TIME","value":"2023/12/08 18:30 UTC"},{"name":"END_DATE_TIME","value":"2024/01/02 11:33 UTC"},{"name":"USER_EMAIL","value":"user@example.com"}]}}

packages/google_workspace/data_stream/admin/_dev/test/pipeline/test-admin-docs.log-expected.json

@@ -271,6 +271,92 @@
  }
  }
  }
+ },
+ {
+ "@timestamp": "2020-10-02T15:00:00.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "DRIVE_DATA_RESTORE",
+ "category": [
+ "iam"
+ ],
+ "duration": 2134980000000000,
+ "end": "2024-01-02T11:33:00.000Z",
+ "id": "1",
+ "kind": "event",
+ "original": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2020-10-02T15:00:00Z\",\"uniqueQualifier\":1,\"applicationName\":\"admin\",\"customerId\":\"1\"},\"actor\":{\"callerType\":\"USER\",\"email\":\"foo@bar.com\",\"profileId\":1},\"ownerDomain\":\"elastic.com\",\"ipAddress\":\"67.43.156.13\",\"events\":{\"type\":\"DOCS_SETTINGS\",\"name\":\"DRIVE_DATA_RESTORE\",\"parameters\":[{\"name\":\"BEGIN_DATE_TIME\",\"value\":\"2023/12/08 18:30 UTC\"},{\"name\":\"END_DATE_TIME\",\"value\":\"2024/01/02 11:33 UTC\"},{\"name\":\"USER_EMAIL\",\"value\":\"user@example.com\"}]}}",
+ "provider": "admin",
+ "start": "2023-12-08T18:30:00.000Z",
+ "type": [
+ "info"
+ ]
+ },
+ "google_workspace": {
+ "actor": {
+ "type": "USER"
+ },
+ "admin": {
+ "user": {
+ "email": "user@example.com"
+ }
+ },
+ "event": {
+ "type": "DOCS_SETTINGS"
+ },
+ "kind": "admin#reports#activity",
+ "organization": {
+ "domain": "elastic.com"
+ }
+ },
+ "organization": {
+ "id": "1"
+ },
+ "related": {
+ "ip": [
+ "67.43.156.13"
+ ],
+ "user": [
+ "foo",
+ "user"
+ ]
+ },
+ "source": {
+ "as": {
+ "number": 35908
+ },
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.13",
+ "user": {
+ "domain": "bar.com",
+ "email": "foo@bar.com",
+ "id": "1",
+ "name": "foo"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "domain": "bar.com",
+ "email": "foo@bar.com",
+ "id": "1",
+ "name": "foo",
+ "target": {
+ "domain": "example.com",
+ "email": "user@example.com",
+ "name": "user"
+ }
+ }
  }
  ]
 }

packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml

@@ -28,6 +28,7 @@ processors:
  - yyyy-MM-dd'T'HH:mm:ssZ
  - yyyy-MM-dd'T'HH:mm:ss.SSSZ
  - yyyy/MM/dd HH:mm:ss z
+ - yyyy/MM/dd HH:mm z
  - fingerprint:
  description: Hashes the ID object and uses it as the document id to avoid duplicate events.
  fields:
@@ -578,6 +579,7 @@ processors:
  - yyyy-MM-dd'T'HH:mm:ssZ
  - yyyy-MM-dd'T'HH:mm:ss.SSSZ
  - yyyy/MM/dd HH:mm:ss z
+ - yyyy/MM/dd HH:mm z
  if: ctx?.google_workspace?.admin?.EMAIL_LOG_SEARCH_END_DATE != null
  - date:
  field: google_workspace.admin.EMAIL_LOG_SEARCH_START_DATE
@@ -589,6 +591,7 @@ processors:
  - yyyy-MM-dd'T'HH:mm:ssZ
  - yyyy-MM-dd'T'HH:mm:ss.SSSZ
  - yyyy/MM/dd HH:mm:ss z
+ - yyyy/MM/dd HH:mm z
  if: ctx?.google_workspace?.admin?.EMAIL_LOG_SEARCH_START_DATE != null
  - date:
  field: google_workspace.admin.BIRTHDATE
@@ -600,6 +603,7 @@ processors:
  - yyyy-MM-dd'T'HH:mm:ssZ
  - yyyy-MM-dd'T'HH:mm:ss.SSSZ
  - yyyy/MM/dd HH:mm:ss z
+ - yyyy/MM/dd HH:mm z
  if: ctx?.google_workspace?.admin?.BIRTHDATE != null
  - date:
  field: google_workspace.admin.BEGIN_DATE_TIME
@@ -611,6 +615,7 @@ processors:
  - yyyy-MM-dd'T'HH:mm:ssZ
  - yyyy-MM-dd'T'HH:mm:ss.SSSZ
  - yyyy/MM/dd HH:mm:ss z
+ - yyyy/MM/dd HH:mm z
  if: ctx?.google_workspace?.admin?.BEGIN_DATE_TIME != null
  - date:
  field: google_workspace.admin.START_DATE
@@ -622,6 +627,7 @@ processors:
  - yyyy-MM-dd'T'HH:mm:ssZ
  - yyyy-MM-dd'T'HH:mm:ss.SSSZ
  - yyyy/MM/dd HH:mm:ss z
+ - yyyy/MM/dd HH:mm z
  if: ctx?.google_workspace?.admin?.START_DATE != null
  - date:
  field: google_workspace.admin.END_DATE
@@ -633,6 +639,7 @@ processors:
  - yyyy-MM-dd'T'HH:mm:ssZ
  - yyyy-MM-dd'T'HH:mm:ss.SSSZ
  - yyyy/MM/dd HH:mm:ss z
+ - yyyy/MM/dd HH:mm z
  if: ctx?.google_workspace?.admin?.END_DATE != null
  - date:
  field: google_workspace.admin.END_DATE_TIME
@@ -644,6 +651,7 @@ processors:
  - yyyy-MM-dd'T'HH:mm:ssZ
  - yyyy-MM-dd'T'HH:mm:ss.SSSZ
  - yyyy/MM/dd HH:mm:ss z
+ - yyyy/MM/dd HH:mm z
  if: ctx?.google_workspace?.admin?.END_DATE_TIME != null
  - script:
  lang: painless

packages/google_workspace/manifest.yml

@@ -1,6 +1,6 @@
 name: google_workspace
 title: Google Workspace
-version: "2.19.0"
+version: "2.19.1"
 source:
  license: Elastic-2.0
 description: Collect logs from Google Workspace with Elastic Agent.