[Google Workspace] Fix pipeline for login data stream (#15743)

moxarth-rathod · web-flow · commit 80b968725f9c · 2025-10-31T20:05:44.000+05:30
google_workspace: convert google_workspace.login.timestamp field to long in login data stream
diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml
@@ -1,4 +1,13 @@
 # newer versions go on top
+- version: "2.47.0"
+  changes:
+    - description: >-
+        Add support for `resource_ids`, `network_info.region_code`, `network_info.subdivision_code`, and `network_info.ip_asn` fields for login data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15743
+    - description: Convert `login.timestamp` to long for login data stream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15743
 - version: "2.46.0"
   changes:
     - description: >-
diff --git a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log
@@ -15,3 +15,4 @@
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"login_success","parameters":[{"name":"login_challenge_method","value":"password"},{"name":"is_suspicious","boolValue":true},{"name":"login_type","value":"google_password"}]}}
 {"kind":"admin#reports#activity","id":{"time":"2020-10-02T15:00:00Z","uniqueQualifier":1,"applicationName":"login","customerId":"1"},"actor":{"callerType":"USER","email":"foo@bar.com","profileId":1},"ownerDomain":"elastic.com","ipAddress":"67.43.156.13","events":{"type":"login","name":"risky_sensitive_action_allowed","parameters":[{"name":"login_challenge_method","value":"password"},{"name":"is_suspicious","boolValue":true},{"name":"login_type","value":"google_password"},{"name":"login_challenge_status","value":"Challenge Passed."},{"name":"sensitive_action_name","value":"Allowing access to data"}]}}
 {"actor":{"email":"tl.zeous.daclitan@company.com","profileId":"111111111"},"etag":"Q2W123123123123","events":{"name":"login_verification","parameters":[{"name":"login_type","value":"google_password"},{"multiValue":["security_key"],"name":"login_challenge_method"},{"name":"login_challenge_status","value":"passed"},{"boolValue":true,"name":"is_second_factor"}],"type":"login"},"id":{"applicationName":"login","customerId":"123","time":"2025-02-27T05:59:58.481Z","uniqueQualifier":"123"},"ipAddress":"81.2.69.144","kind":"admin#reports#activity"}
+{"actor":{"callerType":"KEY","key":"Google"},"etag":"\"Fn96D9A6wOUVq518\"","events":{"name":"suspicious_login","parameters":[{"name":"affected_email_address","value":"foo@elastic.co"},{"intValue":"1759325583000000","name":"login_timestamp"}],"resourceIds":["1084964178399"],"type":"account_warning"},"id":{"applicationName":"login","customerId":"2","time":"2025-10-01T13:33:03.000Z","uniqueQualifier":"-780557281442037232"},"ipAddress":"1.128.0.0","kind":"admin#reports#activity","networkInfo":{"regionCode":"FR","subdivisionCode":"FR-NAQ"},"resourceDetails":[{"id":"0000000000000","type":"USER"}]}
diff --git a/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json b/packages/google_workspace/data_stream/login/_dev/test/pipeline/test-login.log-expected.json
@@ -1349,6 +1349,73 @@
                 "id": "111111111",
                 "name": "tl.zeous.daclitan"
             }
+        },
+        {
+            "@timestamp": "2025-10-01T13:33:03.000Z",
+            "ecs": {
+                "version": "8.16.0"
+            },
+            "event": {
+                "action": "suspicious_login",
+                "category": [
+                    "authentication"
+                ],
+                "id": "-780557281442037232",
+                "kind": "event",
+                "original": "{\"actor\":{\"callerType\":\"KEY\",\"key\":\"Google\"},\"etag\":\"\\\"Fn96D9A6wOUVq518\\\"\",\"events\":{\"name\":\"suspicious_login\",\"parameters\":[{\"name\":\"affected_email_address\",\"value\":\"foo@elastic.co\"},{\"intValue\":\"1759325583000000\",\"name\":\"login_timestamp\"}],\"resourceIds\":[\"1084964178399\"],\"type\":\"account_warning\"},\"id\":{\"applicationName\":\"login\",\"customerId\":\"2\",\"time\":\"2025-10-01T13:33:03.000Z\",\"uniqueQualifier\":\"-780557281442037232\"},\"ipAddress\":\"1.128.0.0\",\"kind\":\"admin#reports#activity\",\"networkInfo\":{\"regionCode\":\"FR\",\"subdivisionCode\":\"FR-NAQ\"},\"resourceDetails\":[{\"id\":\"0000000000000\",\"type\":\"USER\"}]}",
+                "provider": "login",
+                "start": "2025-10-01T13:33:03.000Z",
+                "type": [
+                    "info"
+                ]
+            },
+            "google_workspace": {
+                "actor": {
+                    "key": "Google",
+                    "type": "KEY"
+                },
+                "event": {
+                    "type": "account_warning"
+                },
+                "kind": "admin#reports#activity",
+                "login": {
+                    "affected_email_address": "foo@elastic.co",
+                    "network_info": {
+                        "region_code": "FR",
+                        "subdivision_code": "FR-NAQ"
+                    },
+                    "timestamp": 1759325583000000
+                }
+            },
+            "organization": {
+                "id": "2"
+            },
+            "related": {
+                "ip": [
+                    "1.128.0.0"
+                ],
+                "user": [
+                    "foo"
+                ]
+            },
+            "source": {
+                "as": {
+                    "number": 1221,
+                    "organization": {
+                        "name": "Telstra Pty Ltd"
+                    }
+                },
+                "ip": "1.128.0.0"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "target": {
+                    "domain": "elastic.co",
+                    "name": "foo"
+                }
+            }
         }
     ]
 }
diff --git a/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml
@@ -215,6 +215,27 @@ processors:
             ctx.google_workspace.login[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["boolValue"];
           }    
         }
+  - rename:
+      field: json.networkInfo.ipAsn
+      target_field: google_workspace.login.network_info.ip_asn
+      ignore_missing: true
+  - rename:
+      field: json.networkInfo.regionCode
+      target_field: google_workspace.login.network_info.region_code
+      ignore_missing: true
+  - rename:
+      field: json.networkInfo.subdivisionCode
+      target_field: google_workspace.login.network_info.subdivision_code
+      ignore_missing: true
+  - rename:
+      field: json.resourceIds
+      target_field: google_workspace.login.resource_ids
+      ignore_missing: true
+  - convert:
+      field: google_workspace.login.timestamp
+      target_field: google_workspace.login.timestamp
+      type: long
+      ignore_missing: true
   - script:
       lang: painless
       if: ctx?.google_workspace?.login?.timestamp != null
diff --git a/packages/google_workspace/data_stream/login/fields/fields.yml b/packages/google_workspace/data_stream/login/fields/fields.yml
@@ -15,6 +15,17 @@
       type: keyword
       description: |
         Login challenge status. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login.
+    - name: network_info
+      type: group
+      fields:
+        - name: ip_asn
+          type: keyword
+        - name: region_code
+          type: keyword
+        - name: subdivision_code
+          type: keyword
+    - name: resource_ids
+      type: keyword
     - name: timestamp
       type: long
       description: |
diff --git a/packages/google_workspace/docs/README.md b/packages/google_workspace/docs/README.md
@@ -627,6 +627,10 @@ An example event for `login` looks as following:
 | google_workspace.login.failure_type | Login failure type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
 | google_workspace.login.is_second_factor |  | boolean |
 | google_workspace.login.is_suspicious |  | boolean |
+| google_workspace.login.network_info.ip_asn |  | keyword |
+| google_workspace.login.network_info.region_code |  | keyword |
+| google_workspace.login.network_info.subdivision_code |  | keyword |
+| google_workspace.login.resource_ids |  | keyword |
 | google_workspace.login.sensitive_action_name |  | keyword |
 | google_workspace.login.timestamp | UNIX timestmap of login in microseconds. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | long |
 | google_workspace.login.type | Login credentials type. For a list of possible values refer to https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login. | keyword |
diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml
@@ -1,6 +1,6 @@
 name: google_workspace
 title: Google Workspace
-version: "2.46.0"
+version: "2.47.0"
 source:
   license: Elastic-2.0
 description: Collect logs from Google Workspace with Elastic Agent.
