Contributor

@moxarth-rathod moxarth-rathod commented Nov 20, 2025

Proposed commit message

google_workspace: addresses the recent schema changes for the admin log 
event. this also covers the updated mapping based on the latest schema updates here [1].

map the following events in change event type:
 - ADMIN_EVENTS_TOGGLE_NEW_APP_FEATURES_PREFERENCE
 - CHANGE_API_ACCESS
 - CHANGE_APP_ACCESS
 - CHANGE_UNCONFIGURED_APPS_ACCESS
 - CHANGE_UNDERAGE_UNCONFIGURED_APPS_ACCESS

map the following events in configuration event category:
 - ADMIN_EVENTS_TOGGLE_NEW_APP_FEATURES_PREFERENCE
 - CHANGE_API_ACCESS

[1] https://support.google.com/a/answer/16601511

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/google_workspace directory.
  • Run the following command to run tests.

elastic-package test -v

Related issues

@moxarth-rathod moxarth-rathod self-assigned this Nov 20, 2025
@moxarth-rathod moxarth-rathod requested a review from a team as a code owner November 20, 2025 09:34
@moxarth-rathod moxarth-rathod added enhancement New feature or request Integration:google_workspace Google Workspace Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Nov 20, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

elastic-vault-github-plugin-prod bot commented Nov 20, 2025

🚀 Benchmarks report

Package google_workspace 👍(9) 💚(12) 💔(1)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| context_aware_access | 5000 | 3610.11 | -1389.89 (-27.8%) | 💔 |

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Nov 20, 2025
Contributor

@efd6 efd6 left a comment

I think it would be helpful to include a summary of the field changes in the commit message.

field: event.category
value: configuration
if: '["CHANGE_APPLICATION_SETTING","UPDATE_MANAGED_CONFIGURATION","CHANGE_CALENDAR_SETTING","CHANGE_CHAT_SETTING","CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","GPLUS_PREMIUM_FEATURES","UPDATE_CALENDAR_RESOURCE_FEATURE","FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","MEET_INTEROP_MODIFY_GATEWAY","CHANGE_CHROME_OS_APPLICATION_SETTING","CHANGE_CHROME_OS_DEVICE_SETTING","CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","CHANGE_CHROME_OS_SETTING","CHANGE_CHROME_OS_USER_SETTING","CHANGE_CONTACTS_SETTING","CHANGE_DOCS_SETTING","CHANGE_SITES_SETTING","CHANGE_EMAIL_SETTING","CHANGE_GMAIL_SETTING","ALLOW_STRONG_AUTHENTICATION","ALLOW_SERVICE_FOR_OAUTH2_ACCESS","DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_START_DATE","CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","ENFORCE_STRONG_AUTHENTICATION","UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","SESSION_CONTROL_SETTINGS_CHANGE","CHANGE_SESSION_LENGTH","TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","ENABLE_API_ACCESS","CHANGE_WHITELIST_SETTING","COMMUNICATION_PREFERENCES_SETTING_CHANGE","ENABLE_FEEDBACK_SOLICITATION","TOGGLE_CONTACT_SHARING","TOGGLE_USE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_SETTING","TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","TOGGLE_SSO_ENABLED","TOGGLE_SSL","TOGGLE_NEW_APP_FEATURES","TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","TOGGLE_OPEN_ID_ENABLED","TOGGLE_OUTBOUND_RELAY","CHANGE_SSO_SETTINGS","ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","CHANGE_MOBILE_APPLICATION_SETTINGS","CHANGE_MOBILE_SETTING","DELETE_APPLICATION_SETTING","DELETE_GMAIL_SETTING"].contains(ctx?.event?.action)'
if: '["CHANGE_APPLICATION_SETTING","UPDATE_MANAGED_CONFIGURATION","CHANGE_CALENDAR_SETTING","CHANGE_CHAT_SETTING","CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","GPLUS_PREMIUM_FEATURES","UPDATE_CALENDAR_RESOURCE_FEATURE","FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","MEET_INTEROP_MODIFY_GATEWAY","CHANGE_CHROME_OS_APPLICATION_SETTING","CHANGE_CHROME_OS_DEVICE_SETTING","CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","CHANGE_CHROME_OS_SETTING","CHANGE_CHROME_OS_USER_SETTING","CHANGE_CONTACTS_SETTING","CHANGE_DOCS_SETTING","CHANGE_SITES_SETTING","CHANGE_EMAIL_SETTING","CHANGE_GMAIL_SETTING","ALLOW_STRONG_AUTHENTICATION","ALLOW_SERVICE_FOR_OAUTH2_ACCESS","DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_START_DATE","CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","ENFORCE_STRONG_AUTHENTICATION","UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","SESSION_CONTROL_SETTINGS_CHANGE","CHANGE_SESSION_LENGTH","TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","ENABLE_API_ACCESS","CHANGE_WHITELIST_SETTING","COMMUNICATION_PREFERENCES_SETTING_CHANGE","ENABLE_FEEDBACK_SOLICITATION","TOGGLE_CONTACT_SHARING","TOGGLE_USE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_SETTING","TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","TOGGLE_SSO_ENABLED","TOGGLE_SSL","TOGGLE_NEW_APP_FEATURES","TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","TOGGLE_OPEN_ID_ENABLED","TOGGLE_OUTBOUND_RELAY","CHANGE_SSO_SETTINGS","ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","CHANGE_MOBILE_APPLICATION_SETTINGS","CHANGE_MOBILE_SETTING","DELETE_APPLICATION_SETTING","DELETE_GMAIL_SETTING","ADMIN_EVENTS_TOGGLE_NEW_APP_FEATURES_PREFERENCE","CHANGE_API_ACCESS"].contains(ctx?.event?.action)'
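
Review bot: the updated `configuration` condition gains only `ADMIN_EVENTS_TOGGLE_NEW_APP_FEATURES_PREFERENCE` and `CHANGE_API_ACCESS` at the end of the list, while the commit message maps five new actions to the `change` type. Unless another condition not shown here covers them, `CHANGE_APP_ACCESS`, `CHANGE_UNCONFIGURED_APPS_ACCESS` and `CHANGE_UNDERAGE_UNCONFIGURED_APPS_ACCESS` will carry an `event.type` but no `event.category`, and queries or detection rules that filter on category will not see them. Either add them here or say in the PR description why they are left uncategorised.
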
Contributor

These conditions are going to continue to be hard to maintain. This is not new here, but we can make the situation better for the next time. Can you make these be one type per line? Same for the condition below.

Please also note here what the change was.

Comment on lines 166 to 168
if (ctx["json"]["events"]["parameters"][i]["messageValue"] != null) {
ctx.google_workspace.admin[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["messageValue"];
}
Contributor

Can we improve the readability of these while we are here?

Suggested change
if (ctx["json"]["events"]["parameters"][i]["messageValue"] != null) {
ctx.google_workspace.admin[ctx["json"]["events"]["parameters"][i]["name"]] = ctx["json"]["events"]["parameters"][i]["messageValue"];
}
if (ctx.json.events.parameters[i].messageValue != null) {
ctx.google_workspace.admin[ctx.json.events.parameters[i].name] = ctx.json.events.parameters[i]messageValue;
}
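
Review bot: the replacement assignment line reads `ctx.json.events.parameters[i]messageValue`, with the `.` before `messageValue` missing, so the script will not compile if the suggestion is applied as written. It should end in `parameters[i].messageValue;`, and binding `ctx.json.events.parameters[i]` to a local would remove the three repeated lookups in the replacement lines.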

(also above)

lang: painless
tag: script_setting_metadata
description: Script to flatten the setting metadata parameters.
if: 'ctx?.google_workspace?.admin?.SETTING_METADATA?.parameter != null && ctx.google_workspace.admin.SETTING_METADATA.parameter instanceof List'
Contributor

Suggested change
if: 'ctx?.google_workspace?.admin?.SETTING_METADATA?.parameter != null && ctx.google_workspace.admin.SETTING_METADATA.parameter instanceof List'
if: ctx.google_workspace?.admin?.SETTING_METADATA?.parameter instanceof List

Comment on lines 177 to 178
if (ctx["google_workspace"]["admin"]["SETTING_METADATA"]["parameter"][i]["value"] != null) {
ctx.google_workspace.admin.SETTING_METADATA[ctx["google_workspace"]["admin"]["SETTING_METADATA"]["parameter"][i]["name"]] = ctx["google_workspace"]["admin"]["SETTING_METADATA"]["parameter"][i]["value"];
Contributor

Suggested change
if (ctx["google_workspace"]["admin"]["SETTING_METADATA"]["parameter"][i]["value"] != null) {
ctx.google_workspace.admin.SETTING_METADATA[ctx["google_workspace"]["admin"]["SETTING_METADATA"]["parameter"][i]["name"]] = ctx["google_workspace"]["admin"]["SETTING_METADATA"]["parameter"][i]["value"];
def value = ctx.google_workspace.admin.SETTING_METADATA.parameter[i].value;
if (value != null) {
ctx.google_workspace.admin.SETTING_METADATA[ctx.google_workspace.admin.SETTING_METADATA.parameter[i].name] = value;
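
Review bot: the key on the assignment line, `ctx.google_workspace.admin.SETTING_METADATA.parameter[i].name`, is still used without a null check, so a parameter that has a `value` but no `name` would be written under a null key. The element path is also still written out twice; binding it once (`def p = ctx.google_workspace.admin.SETTING_METADATA.parameter[i];`) and guarding on `p.name != null && p.value != null` covers both points.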

Contributor

@kcreddy kcreddy left a comment

Can you add a link to the newly added changes?
I believe this one?

changes:
- description: >-
Add support for `setting.metadata.*` fields.
Move `user_defined_setting.name` under `setting.metadata` as per the schema changes.
Contributor

Is there a field called user_defined_setting.name or is it USER_DEFINED_NAME?
In this PR, I see the handling of the latter.

Contributor Author

The original field was user_defined_setting.name. In the new log schema, it has been moved under setting.metadata and renamed to setting.metadata.user_defined.name.

Contributor

IIUC the field user_defined_setting.name is no longer provided by the GW admin logs.
Can we remove this old field mapping from pipeline and also fields.yml?

Contributor

@kcreddy kcreddy Nov 24, 2025

@moxarth-rathod Can you add a link to the PR description: #16058 (review) about the documented changes? It helps in review.

elasticmachine commented Nov 24, 2025

💔 Build Failed

Failed CI Steps

History

cc @moxarth-rathod

value: change
if: '["CHANGE_APPLICATION_SETTING","UPDATE_MANAGED_CONFIGURATION","CHANGE_CALENDAR_SETTING","CHANGE_CHAT_SETTING","CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING","GPLUS_PREMIUM_FEATURES","UPDATE_CALENDAR_RESOURCE_FEATURE","FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED","MEET_INTEROP_MODIFY_GATEWAY","CHANGE_CHROME_OS_APPLICATION_SETTING","CHANGE_CHROME_OS_DEVICE_SETTING","CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING","CHANGE_CHROME_OS_SETTING","CHANGE_CHROME_OS_USER_SETTING","CHANGE_CONTACTS_SETTING","CHANGE_DOCS_SETTING","CHANGE_SITES_SETTING","CHANGE_EMAIL_SETTING","CHANGE_GMAIL_SETTING","ALLOW_STRONG_AUTHENTICATION","ALLOW_SERVICE_FOR_OAUTH2_ACCESS","DISALLOW_SERVICE_FOR_OAUTH2_ACCESS","CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID","CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_FREQUENCY","CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION","CHANGE_TWO_STEP_VERIFICATION_START_DATE","CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS","CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES","ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY","ENFORCE_STRONG_AUTHENTICATION","UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS","WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED","SESSION_CONTROL_SETTINGS_CHANGE","CHANGE_SESSION_LENGTH","TOGGLE_OAUTH_ACCESS_TO_ALL_APIS","TOGGLE_ALLOW_ADMIN_PASSWORD_RESET","ENABLE_API_ACCESS","CHANGE_WHITELIST_SETTING","COMMUNICATION_PREFERENCES_SETTING_CHANGE","ENABLE_FEEDBACK_SOLICITATION","TOGGLE_CONTACT_SHARING","TOGGLE_USE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_SETTING","TOGGLE_ENABLE_OAUTH_CONSUMER_KEY","TOGGLE_SSO_ENABLED","TOGGLE_SSL","TOGGLE_NEW_APP_FEATURES","TOGGLE_USE_NEXT_GEN_CONTROL_PANEL","TOGGLE_OPEN_ID_ENABLED","TOGGLE_OUTBOUND_RELAY","CHANGE_SSO_SETTINGS","ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS","CHANGE_MOBILE_APPLICATION_SETTINGS","CHANGE_MOBILE_SETTING","UPDATE_BUILDING","RENAME_CALENDAR_RESOURCE","UPDATE_CALENDAR_RESOURCE","CANCEL_CALENDAR_EVENTS","RELEASE_CALENDAR_RESOURCES","CHANGE_DEVICE_STATE","CHANGE_CHROME_OS_DEVICE_ANNOTAT
ION","CHANGE_CHROME_OS_DEVICE_STATE","UPDATE_CHROME_OS_PRINT_SERVER","UPDATE_CHROME_OS_PRINTER","MOVE_DEVICE_TO_ORG_UNIT_DETAILED","UPDATE_DEVICE","SEND_CHROME_OS_DEVICE_COMMAND","ASSIGN_ROLE","ADD_PRIVILEGE","REMOVE_PRIVILEGE","RENAME_ROLE","UPDATE_ROLE","UNASSIGN_ROLE","TRANSFER_DOCUMENT_OWNERSHIP","ORG_USERS_LICENSE_ASSIGNMENT","ORG_ALL_USERS_LICENSE_ASSIGNMENT","USER_LICENSE_ASSIGNMENT","CHANGE_LICENSE_AUTO_ASSIGN","USER_LICENSE_REASSIGNMENT","ORG_LICENSE_REVOKE","USER_LICENSE_REVOKE","UPDATE_DYNAMIC_LICENSE","DROP_FROM_QUARANTINE","REJECT_FROM_QUARANTINE","RELEASE_FROM_QUARANTINE","CHROME_LICENSES_ENABLED","CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED","ASSIGN_CUSTOM_LOGO","UNASSIGN_CUSTOM_LOGO","REVOKE_ENROLLMENT_TOKEN","CHROME_LICENSES_ALLOWED","EDIT_ORG_UNIT_DESCRIPTION","MOVE_ORG_UNIT","EDIT_ORG_UNIT_NAME","REVOKE_DEVICE_ENROLLMENT_TOKEN","TOGGLE_SERVICE_ENABLED","ADD_TO_TRUSTED_OAUTH2_APPS","REMOVE_FROM_TRUSTED_OAUTH2_APPS","BLOCK_ON_DEVICE_ACCESS","TOGGLE_CAA_ENABLEMENT","CHANGE_CAA_ERROR_MESSAGE","CHANGE_CAA_APP_ASSIGNMENTS","UNTRUST_DOMAIN_OWNED_OAUTH2_APPS","TRUST_DOMAIN_OWNED_OAUTH2_APPS","UNBLOCK_ON_DEVICE_ACCESS","CHANGE_ACCOUNT_AUTO_RENEWAL","ADD_APPLICATION","ADD_APPLICATION_TO_WHITELIST","CHANGE_ADVERTISEMENT_OPTION","CHANGE_ALERT_CRITERIA","ALERT_RECEIVERS_CHANGED","RENAME_ALERT","ALERT_STATUS_CHANGED","ADD_DOMAIN_ALIAS","REMOVE_DOMAIN_ALIAS","AUTHORIZE_API_CLIENT_ACCESS","REMOVE_API_CLIENT_ACCESS","CHROME_LICENSES_REDEEMED","TOGGLE_AUTO_ADD_NEW_SERVICE","CHANGE_PRIMARY_DOMAIN","CHANGE_CONFLICT_ACCOUNT_ACTION","CHANGE_CUSTOM_LOGO","CHANGE_DATA_LOCALIZATION_FOR_RUSSIA","CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO","CHANGE_DOMAIN_DEFAULT_LOCALE","CHANGE_DOMAIN_DEFAULT_TIMEZONE","CHANGE_DOMAIN_NAME","TOGGLE_ENABLE_PRE_RELEASE_FEATURES","CHANGE_DOMAIN_SUPPORT_MESSAGE","ADD_TRUSTED_DOMAINS","REMOVE_TRUSTED_DOMAINS","CHANGE_EDU_TYPE","CHANGE_EU_REPRESENTATIVE_CONTACT_INFO","CHANGE_LOGIN_BACKGROUND_COLOR","CHANGE_LOGIN_BORDER_COLOR","CHANGE_LOGIN_ACT
IVITY_TRACE","PLAY_FOR_WORK_ENROLL","PLAY_FOR_WORK_UNENROLL","UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL","CHANGE_ORGANIZATION_NAME","CHANGE_PASSWORD_MAX_LENGTH","CHANGE_PASSWORD_MIN_LENGTH","REMOVE_APPLICATION","REMOVE_APPLICATION_FROM_WHITELIST","CHANGE_RENEW_DOMAIN_REGISTRATION","CHANGE_RESELLER_ACCESS","RULE_ACTIONS_CHANGED","CHANGE_RULE_CRITERIA","RENAME_RULE","RULE_STATUS_CHANGED","ADD_SECONDARY_DOMAIN","REMOVE_SECONDARY_DOMAIN","UPDATE_DOMAIN_SECONDARY_EMAIL","UPDATE_RULE","ADD_MOBILE_CERTIFICATE","COMPANY_OWNED_DEVICE_BLOCKED","COMPANY_OWNED_DEVICE_UNBLOCKED","COMPANY_OWNED_DEVICE_WIPED","CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT","CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER","REMOVE_MOBILE_APPLICATION_FROM_WHITELIST","ADD_MOBILE_APPLICATION_TO_WHITELIST","CHANGE_ADMIN_RESTRICTIONS_PIN","CHANGE_MOBILE_WIRELESS_NETWORK","ADD_MOBILE_WIRELESS_NETWORK","REMOVE_MOBILE_WIRELESS_NETWORK","CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD","REMOVE_MOBILE_CERTIFICATE","CREATE_APPLICATION_SETTING","CREATE_GMAIL_SETTING","REORDER_GROUP_BASED_POLICIES_EVENT","CHANGE_GROUP_DESCRIPTION","ADD_GROUP_MEMBER","REMOVE_GROUP_MEMBER","UPDATE_GROUP_MEMBER","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS","UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE","CHANGE_GROUP_NAME","CHANGE_GROUP_SETTING","GROUP_MEMBER_BULK_UPLOAD","WHITELISTED_GROUPS_UPDATED","REVOKE_3LO_DEVICE_TOKENS","REVOKE_3LO_TOKEN","ADD_RECOVERY_EMAIL","ADD_RECOVERY_PHONE","GRANT_ADMIN_PRIVILEGE","REVOKE_ADMIN_PRIVILEGE","REVOKE_ASP","TOGGLE_AUTOMATIC_CONTACT_SHARING","CANCEL_USER_INVITE","CHANGE_USER_CUSTOM_FIELD","CHANGE_USER_EXTERNAL_ID","CHANGE_USER_GENDER","CHANGE_USER_IM","ENABLE_USER_IP_WHITELIST","CHANGE_USER_KEYWORD","CHANGE_USER_LANGUAGE","CHANGE_USER_LOCATION","CHANGE_USER_ORGANIZATION","CHANGE_USER_PHONE_NUMBER","CHANGE_RECOVERY_EMAIL","CHANGE_RECOVERY_PHONE","CHANGE_USER_RELATION","CHANGE_USER_ADDRESS","GRANT_DELEGATED_ADMIN_PRIVILEGES","CHANGE_FIRST_NAME","GMAIL_RESET_USER","CHANGE_LAST_NAME","MAIL_ROUTING_DESTINATION_ADDE
D","MAIL_ROUTING_DESTINATION_REMOVED","ADD_NICKNAME","REMOVE_NICKNAME","CHANGE_PASSWORD","CHANGE_PASSWORD_ON_NEXT_LOGIN","REMOVE_RECOVERY_EMAIL","REMOVE_RECOVERY_PHONE","RESET_SIGNIN_COOKIES","SECURITY_KEY_REGISTERED_FOR_USER","REVOKE_SECURITY_KEY","TURN_OFF_2_STEP_VERIFICATION","UNBLOCK_USER_SESSION","UNENROLL_USER_FROM_TITANIUM","ARCHIVE_USER","UPDATE_BIRTHDATE","DOWNGRADE_USER_FROM_GPLUS","USER_ENROLLED_IN_TWO_STEP_VERIFICATION","MOVE_USER_TO_ORG_UNIT","USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD","RENAME_USER","UNENROLL_USER_FROM_STRONG_AUTH","SUSPEND_USER","UNARCHIVE_USER","UNSUSPEND_USER","UPGRADE_USER_TO_GPLUS","MOBILE_DEVICE_APPROVE","MOBILE_DEVICE_BLOCK","MOBILE_DEVICE_WIPE","MOBILE_ACCOUNT_WIPE","MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE","MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK"].contains(ctx?.event?.action)'
if: '[
"CHANGE_APPLICATION_SETTING",
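
Review bot: the `change` condition repeats the whole run of setting actions that the `configuration` condition already lists, from `CHANGE_APPLICATION_SETTING` through `CHANGE_MOBILE_SETTING`, so every new settings action has to be added in two places and the two lists can drift apart. Keeping the shared entries in one action-to-fields table, or at least adding a comment on each list that points at the other, would make a missed update visible in review. The replacement list is cut off here after its first entry, so whether the five new actions were added to it cannot be checked from this view.
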
Contributor

If we don't have a good/robust heuristic for ordering these based on frequency of occurrence in the real world, we should probably just lexically order these. If we do have this heuristic, we should say so. Same for the conditions below.

Allocating these arrays for each check is troubling. @joegallo Can you suggest an alternative to this that would be a good balance of readability (so probably not a stream of if-else if-…-else) and performance?
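
One possible answer to the allocation concern raised above, as an added example that is not part of the PR or the integration's code: a single `script` processor whose `params` hold an action-to-fields table, so the table is processor configuration rather than a list literal written inside each `if`. The tag, the table shape and the choice to overwrite rather than append are assumptions; the five actions shown are the ones named in the commit message, and a full pipeline would list every action.

```yaml
processors:
  # Added example: one lookup replaces the per-field `[...].contains(...)` conditions.
  - script:
      lang: painless
      tag: script_set_event_category_and_type   # hypothetical tag
      description: Set event.category and event.type from event.action.
      if: ctx.event?.action != null
      params:
        # Constructed subset, one action per entry, in lexical order.
        ADMIN_EVENTS_TOGGLE_NEW_APP_FEATURES_PREFERENCE:
          category: [configuration]
          type: [change]
        CHANGE_API_ACCESS:
          category: [configuration]
          type: [change]
        CHANGE_APP_ACCESS:
          type: [change]
        CHANGE_UNCONFIGURED_APPS_ACCESS:
          type: [change]
        CHANGE_UNDERAGE_UNCONFIGURED_APPS_ACCESS:
          type: [change]
      source: |
        // Unknown actions fall through untouched.
        def entry = params.get(ctx.event.action);
        if (entry == null) {
          return;
        }
        // Copy the lists so the document never shares a reference with params.
        if (entry.category != null) {
          ctx.event.category = new ArrayList(entry.category);
        }
        if (entry.type != null) {
          ctx.event.type = new ArrayList(entry.type);
        }
```

With this shape, adding an action is a one-entry diff, and an action that has a type but no category is visible in the table itself.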

Contributor

@kcreddy kcreddy left a comment

LGTM for my comments.

Development

Successfully merging this pull request may close these issues.

[Google Workspace] Update mappings for recent admin log event changes

5 participants