[Filebeat] [Google Workspace module] - Improve ECS utilization

[defendable-forfot]

We are ingesting Google Workspace data (admin, login, saml, user_accounts) into our Elasticsearch for search, detection in Elastic Security and visualization through Kibana. However, we have noticed a few specific fields where the Google Workspace module could see minor improvements in the ECS utilization.

Note: we are running filebeat version 8.3.3, but have noticed that none of the newer releases solves our issues.

admin, login, saml, user_accounts

    google_workspace.kind

        ECS fields: event.kind

        Suggestion: The event.kind field is not currently populated. This should be set to the value “event”. As the document that is received could be categorized as an event.

    source.email.user

        ECS fields: source.email.user | user.email

        Suggestion: The source.email.user field is populated with the correct data. This data should also populate the user.email field.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

The email address is a trivial fix. The event.kind appears to be a constant is seems always being "admin#reports#activity" (https://developers.google.com/admin-sdk/reports/v1/guides/push). This looks like it would map to the "event" value for event.kind.

[elasticmachine]

Package google_workspace - 2.1.0 containing this change is available at https://epr.elastic.co/search?package=google_workspace