Configure the module

edit

In order for filebeat to ingest data from the Google Reports API you must set up a ServiceAccount that has access to the Admin SDK API.

Additionally Domain-Wide Delegation is required for your application to work properly.

This module will make use of the following oauth2 scope:

  • https://www.googleapis.com/auth/admin.reports.audit.readonly

Once you have downloaded your service account credentials as a JSON file, you can set up your module:

Configuration options
edit
- module: gsuite
  saml:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"
  user_accounts:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"
  login:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"
  admin:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"
  drive:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"
  groups:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"

Every fileset has the following configuration options:

var.jwt_file
Specifies the path to the JWT credentials file.
var.delegated_account
Email of the admin user used to access the API.
var.http_client_timeout
Duration of the time limit on HTTP requests made by the module. Defaults to 60s.
var.interval
Duration between requests to the API. Defaults to 2h.

GSuite defaults to a 2 hour polling interval because Google reports can go from some minutes up to 3 days of delay. For more details on this, you can read more here.

var.user_key
Specifies the user key to fetch reports from. Defaults to all.
var.initial_interval
It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to 24h.

GSuite Reports ECS fields

edit

This is a list of GSuite Reports fields that are mapped to ECS.

GSuite Reports ECS Fields

items[].id.time

@timestamp

items[].id.uniqueQualifier

event.id

items[].id.applicationName

event.provider

items[].events[].name

event.action

items[].customerId

organization.id

items[].ipAddress

source.ip, related.ip`, source.as.*, source.geo.*

items[].actor.email

source.user.email, source.user.name, source.user.domain

items[].actor.profileId

source.user.id

These are the common ones to all filesets.

Fields

edit

For a description of each field in the module, see the exported fields section.