[Filebeat][Gsuite] Adds Drive audit Fileset (#19704)

* Add Gsuite Drive fileset

* Update config

* Update docs

* Add CHANGELOG entry

* Change url

* Update config

* Regenerate test files

CHANGELOG.next.asciidoc

@@ -58,6 +58,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Adds Gsuite User Accounts support. {pull}19329[19329]
 - Adds Gsuite Login audit support. {pull}19702[19702]
 - Adds Gsuite Admin support. {pull}19769[19769]
+- Adds Gsuite Drive support. {pull}19704[19704]
 
 *Heartbeat*
 

filebeat/docs/fields.asciidoc

@@ -62213,6 +62213,226 @@ type: keyword
 --
 
 
+*`gsuite.drive.billable`*::
++
+--
+Whether this activity is billable.
+
+type: boolean
+
+--
+
+*`gsuite.drive.source_folder_id`*::
++
+--
+type: keyword
+
+--
+
+*`gsuite.drive.source_folder_title`*::
++
+--
+type: keyword
+
+--
+
+*`gsuite.drive.destination_folder_id`*::
++
+--
+type: keyword
+
+--
+
+*`gsuite.drive.destination_folder_title`*::
++
+--
+type: keyword
+
+--
+
+*`gsuite.drive.file.id`*::
++
+--
+type: keyword
+
+--
+
+*`gsuite.drive.file.type`*::
++
+--
+Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.originating_app_id`*::
++
+--
+The Google Cloud Project ID of the application that performed the action.
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.file.owner.email`*::
++
+--
+type: keyword
+
+--
+
+*`gsuite.drive.file.owner.is_shared_drive`*::
++
+--
+Boolean flag denoting whether owner is a shared drive.
+
+
+type: boolean
+
+--
+
+*`gsuite.drive.primary_event`*::
++
+--
+Whether this is a primary event. A single user action in Drive may generate several events.
+
+
+type: boolean
+
+--
+
+*`gsuite.drive.shared_drive_id`*::
++
+--
+The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive.
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.visibility`*::
++
+--
+Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.new_value`*::
++
+--
+When a setting or property of the file changes, the new value for it will appear here.
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.old_value`*::
++
+--
+When a setting or property of the file changes, the old value for it will appear here.
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.sheets_import_range_recipient_doc`*::
++
+--
+Doc ID of the recipient of a sheets import range.
+
+type: keyword
+
+--
+
+*`gsuite.drive.old_visibility`*::
++
+--
+When visibility changes, this holds the old value.
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.visibility_change`*::
++
+--
+When visibility changes, this holds the new overall visibility of the file.
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.target_domain`*::
++
+--
+The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.added_role`*::
++
+--
+Added membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.membership_change_type`*::
++
+--
+Type of change in Team Drive membership of a user/group. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.shared_drive_settings_change_type`*::
++
+--
+Type of change in Team Drive settings. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.removed_role`*::
++
+--
+Removed membership role of a user/group in a Team Drive. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+
+
+type: keyword
+
+--
+
+*`gsuite.drive.target`*::
++
+--
+Target user or group.
+
+type: keyword
+
+--
+
+
 *`gsuite.login.affected_email_address`*::
 +
 --

filebeat/docs/modules/gsuite.asciidoc

@@ -25,6 +25,7 @@ It is compatible with a subset of applications under the https://developers.goog
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events]
+- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[Drive Activity Events]
 
 === Configure the module
 

x-pack/filebeat/filebeat.reference.yml

@@ -743,6 +743,14 @@ filebeat.modules:
     # var.http_client_timeout: 60s
     # var.user_key: all
     # var.interval: 5s
+  drive:
+    enabled: true
+    # var.jwt_file: credentials.json
+    # var.delegated_account: admin@example.com
+    # var.initial_interval: 24h
+    # var.http_client_timeout: 60s
+    # var.user_key: all
+    # var.interval: 5s
 
 #------------------------------- HAProxy Module -------------------------------
 - module: haproxy

x-pack/filebeat/module/gsuite/_meta/config.yml

@@ -31,3 +31,11 @@
     # var.http_client_timeout: 60s
     # var.user_key: all
     # var.interval: 5s
+  drive:
+    enabled: true
+    # var.jwt_file: credentials.json
+    # var.delegated_account: admin@example.com
+    # var.initial_interval: 24h
+    # var.http_client_timeout: 60s
+    # var.user_key: all
+    # var.interval: 5s

x-pack/filebeat/module/gsuite/_meta/docs.asciidoc

@@ -20,6 +20,7 @@ It is compatible with a subset of applications under the https://developers.goog
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/user-accounts[User Accounts Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login[Login Audit Activity Events]
 - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings[Admin Audit Activity Events]
+- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive[Drive Activity Events]
 
 === Configure the module
 

x-pack/filebeat/module/gsuite/drive/_meta/fields.yml

@@ -0,0 +1,89 @@
+- name: drive
+  type: group
+  fields:
+    - name: billable
+      type: boolean
+      description: Whether this activity is billable.
+    - name: source_folder_id
+      type: keyword
+    - name: source_folder_title
+      type: keyword
+    - name: destination_folder_id
+      type: keyword
+    - name: destination_folder_title
+      type: keyword
+    - name: file.id
+      type: keyword
+    - name: file.type
+      type: keyword
+      description: >
+        Document Drive type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+    - name: originating_app_id
+      type: keyword
+      description: >
+        The Google Cloud Project ID of the application that performed the action.
+    - name: file.owner.email
+      type: keyword
+    - name: file.owner.is_shared_drive
+      type: boolean
+      description: >
+        Boolean flag denoting whether owner is a shared drive.
+    - name: primary_event
+      type: boolean
+      description: >
+        Whether this is a primary event. A single user action in Drive may generate several events.
+    - name: shared_drive_id
+      type: keyword
+      description: >
+        The unique identifier of the Team Drive. Only populated for for events relating to a Team Drive or item contained inside a Team Drive.
+    - name: visibility
+      type: keyword
+      description: >
+        Visibility of target file. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+    - name: new_value
+      type: keyword
+      description: >
+        When a setting or property of the file changes, the new value for it will appear here.
+    - name: old_value
+      type: keyword
+      description: >
+        When a setting or property of the file changes, the old value for it will appear here.
+    - name: sheets_import_range_recipient_doc
+      type: keyword
+      description: Doc ID of the recipient of a sheets import range.
+    - name: old_visibility
+      type: keyword
+      description: >
+        When visibility changes, this holds the old value.
+    - name: visibility_change
+      type: keyword
+      description: >
+        When visibility changes, this holds the new overall visibility of the file.
+    - name: target_domain
+      type: keyword
+      description: >
+        The domain for which the acccess scope was changed. This can also be the alias all to indicate the access scope was changed for all domains that have visibility for this document.
+    - name: added_role
+      type: keyword
+      description: >
+        Added membership role of a user/group in a Team Drive.
+        For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+    - name: membership_change_type
+      type: keyword
+      description: >
+        Type of change in Team Drive membership of a user/group.
+        For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+    - name: shared_drive_settings_change_type
+      type: keyword
+      description: >
+        Type of change in Team Drive settings.
+        For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+    - name: removed_role
+      type: keyword
+      description: >
+        Removed membership role of a user/group in a Team Drive.
+        For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/drive
+    - name: target
+      type: keyword
+      description: Target user or group.
+