[Filebeat][Gsuite] Adds Groups audit Fileset (elastic#19725)

* Add support for Gsuite groups fileset

* Add CHANGELOG entry

* Update config

* Regenerate test files

CHANGELOG.next.asciidoc

@@ -59,6 +59,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Adds Gsuite Login audit support. {pull}19702[19702]
 - Adds Gsuite Admin support. {pull}19769[19769]
 - Adds Gsuite Drive support. {pull}19704[19704]
+- Adds Gsuite Groups support. {pull}19725[19725]
 
 *Heartbeat*
 

filebeat/docs/fields.asciidoc

@@ -62433,6 +62433,116 @@ type: keyword
 --
 
 
+*`gsuite.groups.acl_permission`*::
++
+--
+Group permission setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+
+
+type: keyword
+
+--
+
+*`gsuite.groups.email`*::
++
+--
+Group email.
+
+
+type: keyword
+
+--
+
+*`gsuite.groups.member.email`*::
++
+--
+Member email.
+
+
+type: keyword
+
+--
+
+*`gsuite.groups.member.role`*::
++
+--
+Member role. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+
+
+type: keyword
+
+--
+
+*`gsuite.groups.setting`*::
++
+--
+Group setting updated. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+
+
+type: keyword
+
+--
+
+*`gsuite.groups.new_value`*::
++
+--
+New value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+
+
+type: keyword
+
+--
+
+*`gsuite.groups.old_value`*::
++
+--
+Old value(s) of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+
+type: keyword
+
+--
+
+*`gsuite.groups.value`*::
++
+--
+Value of the group setting. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+
+
+type: keyword
+
+--
+
+*`gsuite.groups.message.id`*::
++
+--
+SMTP message Id of an email message. Present for moderation events.
+
+
+type: keyword
+
+--
+
+*`gsuite.groups.message.moderation_action`*::
++
+--
+Message moderation action. Possible values are `approved` and `rejected`.
+
+
+type: keyword
+
+--
+
+*`gsuite.groups.status`*::
++
+--
+A status describing the output of an operation. Possible values are `failed` and `succeeded`.
+
+
+type: keyword
+
+--
+
+
 *`gsuite.login.affected_email_address`*::
 +
 --

filebeat/docs/modules/gsuite.asciidoc

@@ -26,6 +26,7 @@ It is compatible with a subset of applications under the https://developers.goog
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[Drive Activity Events]
+- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[Groups Audit Activity Events]
 
 === Configure the module
 

x-pack/filebeat/filebeat.reference.yml

@@ -751,6 +751,14 @@ filebeat.modules:
     # var.http_client_timeout: 60s
     # var.user_key: all
     # var.interval: 5s
+  groups:
+    enabled: true
+    # var.jwt_file: credentials.json
+    # var.delegated_account: admin@example.com
+    # var.initial_interval: 24h
+    # var.http_client_timeout: 60s
+    # var.user_key: all
+    # var.interval: 5s
 
 #------------------------------- HAProxy Module -------------------------------
 - module: haproxy

x-pack/filebeat/module/gsuite/_meta/config.yml

@@ -39,3 +39,11 @@
     # var.http_client_timeout: 60s
     # var.user_key: all
     # var.interval: 5s
+  groups:
+    enabled: true
+    # var.jwt_file: credentials.json
+    # var.delegated_account: admin@example.com
+    # var.initial_interval: 24h
+    # var.http_client_timeout: 60s
+    # var.user_key: all
+    # var.interval: 5s

x-pack/filebeat/module/gsuite/_meta/docs.asciidoc

@@ -21,6 +21,7 @@ It is compatible with a subset of applications under the https://developers.goog
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[Drive Activity Events]
+- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups[Groups Audit Activity Events]
 
 === Configure the module
 

x-pack/filebeat/module/gsuite/groups/_meta/fields.yml

@@ -0,0 +1,57 @@
+- name: groups
+  type: group
+  fields:
+    - name: acl_permission
+      type: keyword
+      description: >
+        Group permission setting updated.
+        For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+    - name: email
+      type: keyword
+      description: >
+        Group email.
+    - name: member.email
+      type: keyword
+      description: >
+        Member email.
+    - name: member.role
+      type: keyword
+      description: >
+        Member role.
+        For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+    - name: setting
+      type: keyword
+      description: >
+        Group setting updated.
+        For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+    - name: new_value
+      type: keyword
+      description: >
+        New value(s) of the group setting.
+        For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+    - name: old_value
+      type: keyword
+      description:
+        Old value(s) of the group setting.
+        For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+    - name: value
+      type: keyword
+      description: >
+        Value of the group setting.
+        For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/groups
+    - name: message.id
+      type: keyword
+      description: >
+        SMTP message Id of an email message.
+        Present for moderation events.
+    - name: message.moderation_action
+      type: keyword
+      description: >
+        Message moderation action.
+        Possible values are `approved` and `rejected`.
+    - name: status
+      type: keyword
+      description: >
+        A status describing the output of an operation.
+        Possible values are `failed` and `succeeded`.
+

x-pack/filebeat/module/gsuite/groups/config/config.yml

@@ -0,0 +1,50 @@
+{{ if eq .input "httpjson" }}
+type: httpjson
+
+url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/groups
+json_objects_array: items
+split_events_by: events
+
+interval: {{ .interval }}
+
+{{ if .http_client_timeout }}
+http_client_timeout: {{ .http_client_timeout }}
+{{ end }}
+
+oauth2.provider: google
+oauth2.google.jwt_file: {{ .jwt_file }}
+oauth2.google.delegated_account: {{ .delegated_account }}
+oauth2.scopes:
+  - https://www.googleapis.com/auth/admin.reports.audit.readonly
+
+date_cursor.url_field: startTime
+date_cursor.initial_interval: {{ .initial_interval }}
+
+pagination.id_field: nextPageToken
+pagination.url_field: pageToken
+
+{{ else if eq .input "file" }}
+type: log
+paths:
+{{ range $i, $path := .paths }}
+  - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+  - add_fields:
+      target: ''
+      fields:
+        ecs.version: 1.5.0
+  - script:
+      lang: javascript
+      id: gsuite-common
+      file: ${path.home}/module/gsuite/config/common.js
+  - script:
+      lang: javascript
+      id: gsuite-groups
+      file: ${path.home}/module/gsuite/groups/config/pipeline.js