Set event.module and event.dataset (elastic#1263)

packages/google_workspace/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.6.0"
+  changes:
+    - description: Set "event.module" and "event.dataset"
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1263
 - version: "0.5.0"
   changes:
     - description: add system tests and remove log input

packages/google_workspace/data_stream/admin/fields/base-fields.yml

@@ -7,6 +7,14 @@
 - name: data_stream.namespace
   type: constant_keyword
   description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: google_workspace
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: google_workspace.admin
 - name: '@timestamp'
   type: date
   description: Event timestamp.

packages/google_workspace/data_stream/admin/fields/ecs.yml

@@ -111,10 +111,6 @@
       type: keyword
       ignore_above: 1024
       description: "This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy."
-    - name: dataset
-      type: keyword
-      ignore_above: 1024
-      description: "Name of the dataset."
     - name: duration
       type: long
       format: duration

packages/google_workspace/data_stream/drive/fields/base-fields.yml

@@ -7,6 +7,14 @@
 - name: data_stream.namespace
   type: constant_keyword
   description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: google_workspace
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: google_workspace.drive
 - name: '@timestamp'
   type: date
   description: Event timestamp.

packages/google_workspace/data_stream/drive/fields/ecs.yml

@@ -38,11 +38,6 @@
       type: keyword
       ignore_above: 1024
       description: "This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy."
-    - name: dataset
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: "Name of the dataset."
     - name: duration
       level: core
       type: long

packages/google_workspace/data_stream/groups/fields/base-fields.yml

@@ -7,6 +7,14 @@
 - name: data_stream.namespace
   type: constant_keyword
   description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: google_workspace
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: google_workspace.groups
 - name: '@timestamp'
   type: date
   description: Event timestamp.

packages/google_workspace/data_stream/groups/fields/ecs.yml

@@ -38,11 +38,6 @@
       type: keyword
       ignore_above: 1024
       description: "This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy."
-    - name: dataset
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: "Name of the dataset."
     - name: duration
       level: core
       type: long

packages/google_workspace/data_stream/login/fields/base-fields.yml

@@ -7,6 +7,14 @@
 - name: data_stream.namespace
   type: constant_keyword
   description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: google_workspace
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: google_workspace.login
 - name: '@timestamp'
   type: date
   description: Event timestamp.

packages/google_workspace/data_stream/login/fields/ecs.yml

@@ -38,11 +38,6 @@
       type: keyword
       ignore_above: 1024
       description: "This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy."
-    - name: dataset
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: "Name of the dataset."
     - name: duration
       level: core
       type: long

packages/google_workspace/data_stream/saml/fields/base-fields.yml

@@ -7,6 +7,14 @@
 - name: data_stream.namespace
   type: constant_keyword
   description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: google_workspace
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: google_workspace.saml
 - name: '@timestamp'
   type: date
   description: Event timestamp.

packages/google_workspace/data_stream/saml/fields/ecs.yml

@@ -38,11 +38,6 @@
       type: keyword
       ignore_above: 1024
       description: "This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy."
-    - name: dataset
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: "Name of the dataset."
     - name: duration
       level: core
       type: long

packages/google_workspace/data_stream/user_accounts/fields/base-fields.yml

@@ -7,6 +7,14 @@
 - name: data_stream.namespace
   type: constant_keyword
   description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: google_workspace
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: google_workspace.user_accounts
 - name: '@timestamp'
   type: date
   description: Event timestamp.

packages/google_workspace/data_stream/user_accounts/fields/ecs.yml

@@ -38,11 +38,6 @@
       type: keyword
       ignore_above: 1024
       description: "This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy."
-    - name: dataset
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: "Name of the dataset."
     - name: duration
       level: core
       type: long

packages/google_workspace/docs/README.md

@@ -195,11 +195,12 @@ An example event for `saml` looks as following:
 | ecs.version | ECS version | keyword |
 | event.action | The action captured by the event. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
-| event.dataset | Name of the dataset. | keyword |
+| event.dataset | Event dataset | constant_keyword |
 | event.duration | Duration of the event in nanoseconds. | long |
 | event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
 | event.id | Unique ID to describe the event. | keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. | date |
+| event.module | Event module | constant_keyword |
 | event.original | Raw text message of entire event. Used to demonstrate log integrity. | keyword |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
 | event.provider | Source of the event. | keyword |
@@ -412,11 +413,12 @@ An example event for `user_accounts` looks as following:
 | ecs.version | ECS version | keyword |
 | event.action | The action captured by the event. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
-| event.dataset | Name of the dataset. | keyword |
+| event.dataset | Event dataset | constant_keyword |
 | event.duration | Duration of the event in nanoseconds. | long |
 | event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
 | event.id | Unique ID to describe the event. | keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. | date |
+| event.module | Event module | constant_keyword |
 | event.original | Raw text message of entire event. Used to demonstrate log integrity. | keyword |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
 | event.provider | Source of the event. | keyword |
@@ -631,11 +633,12 @@ An example event for `login` looks as following:
 | ecs.version | ECS version | keyword |
 | event.action | The action captured by the event. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
-| event.dataset | Name of the dataset. | keyword |
+| event.dataset | Event dataset | constant_keyword |
 | event.duration | Duration of the event in nanoseconds. | long |
 | event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
 | event.id | Unique ID to describe the event. | keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. | date |
+| event.module | Event module | constant_keyword |
 | event.original | Raw text message of entire event. Used to demonstrate log integrity. | keyword |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
 | event.provider | Source of the event. | keyword |
@@ -855,11 +858,12 @@ An example event for `admin` looks as following:
 | ecs.version | ECS version | keyword |
 | event.action | The action captured by the event. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
-| event.dataset | Name of the dataset. | keyword |
+| event.dataset | Event dataset | constant_keyword |
 | event.duration | Duration of the event in nanoseconds. | long |
 | event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
 | event.id | Unique ID to describe the event. | keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. | date |
+| event.module | Event module | constant_keyword |
 | event.original | Raw text message of entire event. Used to demonstrate log integrity. | keyword |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
 | event.provider | Source of the event. | keyword |
@@ -1184,11 +1188,12 @@ An example event for `drive` looks as following:
 | ecs.version | ECS version | keyword |
 | event.action | The action captured by the event. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
-| event.dataset | Name of the dataset. | keyword |
+| event.dataset | Event dataset | constant_keyword |
 | event.duration | Duration of the event in nanoseconds. | long |
 | event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
 | event.id | Unique ID to describe the event. | keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. | date |
+| event.module | Event module | constant_keyword |
 | event.original | Raw text message of entire event. Used to demonstrate log integrity. | keyword |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
 | event.provider | Source of the event. | keyword |
@@ -1445,11 +1450,12 @@ An example event for `groups` looks as following:
 | ecs.version | ECS version | keyword |
 | event.action | The action captured by the event. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. | keyword |
-| event.dataset | Name of the dataset. | keyword |
+| event.dataset | Event dataset | constant_keyword |
 | event.duration | Duration of the event in nanoseconds. | long |
 | event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
 | event.id | Unique ID to describe the event. | keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. | date |
+| event.module | Event module | constant_keyword |
 | event.original | Raw text message of entire event. Used to demonstrate log integrity. | keyword |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. | keyword |
 | event.provider | Source of the event. | keyword |

packages/google_workspace/manifest.yml

@@ -1,6 +1,6 @@
 name: google_workspace
 title: Google Workspace
-version: 0.5.0
+version: 0.6.0
 release: experimental
 description: Google Workspace Integration
 type: integration
@@ -14,7 +14,7 @@ icons:
 categories:
   - security
 conditions:
-  kibana.version: ^7.12.1
+  kibana.version: ^7.14.0
 policy_templates:
   - name: google_workspace
     title: Google Workspace logs