Skip to content

[zoom] Add support for the activity data stream#19481

Merged
brijesh-elastic merged 6 commits into
elastic:mainfrom
brijesh-elastic:zoom-activity-datastream
Jul 6, 2026
Merged

[zoom] Add support for the activity data stream#19481
brijesh-elastic merged 6 commits into
elastic:mainfrom
brijesh-elastic:zoom-activity-datastream

Conversation

@brijesh-elastic

@brijesh-elastic brijesh-elastic commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Proposed commit message

zoom: add support for activity data stream

This data stream collects sign in / sign out activity logs report of users under a Zoom account.
API documentation is available here[1] and test samples were derived from documentation.

This PR also updates the README documentation to follow the latest guidelines.

[1] https://developers.zoom.us/docs/api/meetings/#tag/reports/get/report/activities

Note

To Reviewers:

  • This data stream has not been tested with a live instance.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/zoom directory.
  • Run the following command to run tests.

elastic-package test -v

Related issues

Screenshots

Zoom Activity Overview Dashboard

@brijesh-elastic brijesh-elastic self-assigned this Jun 10, 2026
@brijesh-elastic brijesh-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request dashboard Relates to a Kibana dashboard bug, enhancement, or modification. Integration:zoom Zoom Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Jun 10, 2026
@github-actions

github-actions Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Elastic Docs Style Checker (Vale)

Summary: 2 warnings, 1 suggestion found

⚠️ Warnings (2): Fix when the suggestion improves clarity or correctness.
File Line Rule Message
packages/zoom/_dev/build/docs/README.md 5 Elastic.EndPuntuaction Don't end headings with punctuation.
packages/zoom/manifest.yml 76 Elastic.DontUse Don't use 'Please'.
💡 Suggestions (1): Optional style improvements. Apply when helpful.
File Line Rule Message
packages/zoom/_dev/build/docs/README.md 47 Elastic.Versions Use 'or later' instead of 'or higher' when referring to versions.

The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

🚀 Benchmarks report

Package zoom 👍(1) 💚(0) 💔(1)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
webhook 3105.59 2057.61 -1047.98 (-33.74%) 💔

To see the full report comment with /test benchmark fullreport

@brijesh-elastic
brijesh-elastic marked this pull request as ready for review July 1, 2026 13:14
@brijesh-elastic
brijesh-elastic requested review from a team as code owners July 1, 2026 13:14
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

value: sign-out
if: ctx.zoom?.activity?.type == 'Sign out'
- set:
field: event.category

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🟡 Medium confidence: medium path: packages/zoom/data_stream/activity/elasticsearch/ingest_pipeline/default.yml:78

Use append with allow_duplicates: false (not set) for the ECS array fields event.category and event.type, so the pipeline composes with any prior/@​custom categorization instead of clobbering it.

Details

event.category and event.type are ECS array fields. The pipeline populates them with set processors that assign the whole list value. The documented convention for new data streams is to build these arrays with append (using allow_duplicates: false), which is idempotent and preserves any values a prior or @​custom pipeline may have already added. Functionally the current set produces correct output for the values in scope here, so this is a standards/composability improvement rather than a broken behavior; the same applies to the two event.type processors (set_event_type_start, set_event_type_end).

Recommendation:

Replace the set processors for event.category / event.type with append:

  - append:
      field: event.category
      tag: append_event_category_auth_session
      value:
        - authentication
        - session
      allow_duplicates: false
      if: ctx.zoom?.activity?.type == 'Sign in' || ctx.zoom?.activity?.type == 'Sign out'
  - append:
      field: event.type
      tag: append_event_type_start
      value: start
      allow_duplicates: false
      if: ctx.zoom?.activity?.type == 'Sign in'
  - append:
      field: event.type
      tag: append_event_type_end
      value: end
      allow_duplicates: false
      if: ctx.zoom?.activity?.type == 'Sign out'

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

Comment thread packages/zoom/data_stream/activity/agent/stream/cel.yml.hbs Outdated
Comment thread packages/zoom/data_stream/activity/agent/stream/cel.yml.hbs Outdated
Comment thread packages/zoom/data_stream/activity/agent/stream/cel.yml.hbs Outdated
@brijesh-elastic
brijesh-elastic requested a review from efd6 July 2, 2026 05:26
@mergify

mergify Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

if: ctx.source?.ip != null

# cleanup
- remove:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🟠 High confidence: high path: packages/zoom/data_stream/activity/elasticsearch/ingest_pipeline/default.yml:174

The pipeline never removes event.original when preserve_original_event is disabled, so the manifest's preserve_original_event toggle (default false) is a no-op and the full raw event is always stored; add a conditional remove of event.original.

Details

The pipeline renames message to event.original (tag rename_message_to_event_original) and never removes it. The data stream manifest declares a preserve_original_event variable defaulting to false, and the CEL template only appends the preserve_original_event tag when that variable is true. Because no processor removes event.original when the tag is absent, event.original is retained on every document regardless of the setting. Result: the documented preserve_original_event: false default has no effect and the full raw JSON of every activity record is stored unconditionally (storage bloat and behavior contradicting the exposed option). The standard Elastic pattern removes event.original unless the preserve_original_event tag is present.

Recommendation:

Add a conditional remove of event.original in the cleanup section (keeping it only when the preserve_original_event tag is set):

  - remove:
      field: event.original
      tag: remove_original_event
      if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
      ignore_missing: true

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@vera-review-bot

Copy link
Copy Markdown

Review summary

Issues found across the latest commits [7c20fef](https://github.com/elastic/integrations/commit/7c20fefc634ee4f86654b6b327b266a53f542cc6) — 1 high
  • 🟠 The pipeline never removes event.original when preserve_original_event is disabled, so the manifest's preserve_original_event toggle (default false) is a no-op and the full raw event is always stored; add a conditional remove of event.original. (link) (Unresolved)
Issues found across earlier commits [6b66ef7](https://github.com/elastic/integrations/commit/6b66ef738a60e7221d27b456a4512a34ba0ae7ca) — 1 medium
  • 🟡 Use append with allow_duplicates: false (not set) for the ECS array fields event.category and event.type, so the pipeline composes with any prior/@​custom categorization instead of clobbering it. (link) (Unresolved)

I'll pick up this PR for review again after 15 minutes.

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

Comment thread packages/zoom/data_stream/activity/manifest.yml Outdated
Comment thread packages/zoom/manifest.yml Outdated
Comment thread packages/zoom/_dev/build/docs/README.md Outdated
Comment thread packages/zoom/data_stream/activity/agent/stream/cel.yml.hbs Outdated
Comment thread packages/zoom/data_stream/activity/agent/stream/cel.yml.hbs Outdated
@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

✅ All changelog entries have the correct PR link.

@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

💚 Build Succeeded

History

cc @brijesh-elastic

@navnit-elastic navnit-elastic left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thanks!

@brijesh-elastic
brijesh-elastic merged commit a0cd15a into elastic:main Jul 6, 2026
12 checks passed
@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

Package zoom - 1.24.0 containing this change is available at https://epr.elastic.co/package/zoom/1.24.0/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:zoom Zoom Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants