Skip to content

[google_workspace] Add support for Gmail events #14399

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

[google_workspace] Add support for Gmail events #14399

wants to merge 5 commits into from

Conversation

navnit-elastic
Copy link
Contributor

@navnit-elastic navnit-elastic commented Jul 2, 2025
edited
Loading

Proposed commit message

google_workspace: add support for Gmail event type as a new data stream

This adds support for the Gmail logs as a new data stream to enhance
the overall visibility of data in the Google Workspace integration.

This changes includes updating navigation links in to the relevant dashboards.

Sanitized test case inputs were obtained from a live Google Workspace instance
using the BigQuery API[1]. The schema for Gmail logs can be found in the
documentation[2].

[1] https://cloud.google.com/bigquery/docs/reference/rest/v2/jobs
[2] https://support.google.com/a/answer/12384955

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

How to test this PR locally

Pipeline Test:

--- Test results for package: google_workspace - START ---
╭──────────────────┬─────────────┬───────────┬───────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE          │ DATA STREAM │ TEST TYPE │ TEST NAME                                 │ RESULT │ TIME ELAPSED │
├──────────────────┼─────────────┼───────────┼───────────────────────────────────────────┼────────┼──────────────┤
│ google_workspace │ gmail       │ pipeline  │ (ingest pipeline warnings test-gmail.log) │ PASS   │ 394.314923ms │
│ google_workspace │ gmail       │ pipeline  │ test-gmail.log                            │ PASS   │ 272.136463ms │
╰──────────────────┴─────────────┴───────────┴───────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: google_workspace - END   ---
Done

System Tests:

--- Test results for package: google_workspace - START ---
╭──────────────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE          │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├──────────────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ google_workspace │ gmail       │ system    │ default   │ PASS   │ 40.551859829s │
╰──────────────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: google_workspace - END   ---
Done

Related issues

Screenshots

Dashboard:
google_workspace-gmail-screenshot

Integration Configuration:
config-1
config-2

Documentation:

google_workspace-docs2

@navnit-elastic navnit-elastic self-assigned this Jul 2, 2025
@navnit-elastic navnit-elastic added enhancement New feature or request Integration:google_workspace Google Workspace dashboard Relates to a Kibana dashboard bug, enhancement, or modification. Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Jul 2, 2025
@navnit-elastic navnit-elastic force-pushed the google_workspace-2.42.0 branch from c36663c to 273f54f Compare July 2, 2025 09:47
@elastic-vault-github-plugin-prod
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jul 2, 2025
@navnit-elastic navnit-elastic force-pushed the google_workspace-2.42.0 branch from 273f54f to 91fccc6 Compare July 11, 2025 06:52
@navnit-elastic
Merge branch 'main' into google_workspace-2.42.0
71c446e 
Conflicts:
	packages/google_workspace/changelog.yml
andrewkroh
andrewkroh reviewed Jul 15, 2025
View reviewed changes
packages/google_workspace/data_stream/gmail/fields/ecs.yml
@@ -0,0 +1,7 @@
# Define ECS constant fields as constant_keyword
- name: observer.vendor
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both fields here should use external: ecs. https://github.com/elastic/integrations/wiki/Fleet-Package-Code-Review-Comments#defining-an-ecs-field-without-using-an-external-definition

packages/google_workspace/data_stream/gmail/fields/base-fields.yml Outdated
Comment on lines 1 to 20
- name: data_stream.type
type: constant_keyword
description: Data stream type.
- name: data_stream.dataset
type: constant_keyword
description: Data stream dataset.
- name: data_stream.namespace
type: constant_keyword
description: Data stream namespace.
- name: event.module
type: constant_keyword
description: Event module.
value: google_workspace
- name: event.dataset
type: constant_keyword
description: Event dataset.
value: google_workspace.gmail
- name: '@timestamp'
type: date
description: Event timestamp.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use external: ecs for all ECS fields to ensure consistency.

Suggested change
- name: data_stream.type
type: constant_keyword
description: Data stream type.
- name: data_stream.dataset
type: constant_keyword
description: Data stream dataset.
- name: data_stream.namespace
type: constant_keyword
description: Data stream namespace.
- name: event.module
type: constant_keyword
description: Event module.
value: google_workspace
- name: event.dataset
type: constant_keyword
description: Event dataset.
value: google_workspace.gmail
- name: '@timestamp'
type: date
description: Event timestamp.
- name: data_stream.type
external: ecs
- name: data_stream.dataset
external: ecs
- name: data_stream.namespace
external: ecs
- name: event.module
type: constant_keyword
external: ecs
value: google_workspace
- name: event.dataset
type: constant_keyword
external: ecs
value: google_workspace.gmail
- name: "@timestamp"
external: ecs

@navnit-elastic navnit-elastic force-pushed the google_workspace-2.42.0 branch from 94caef8 to 6c0c6a6 Compare July 16, 2025 09:03
@navnit-elastic navnit-elastic force-pushed the google_workspace-2.42.0 branch from 6c0c6a6 to 7415bb0 Compare July 17, 2025 11:02
@navnit-elastic
Add flow for handling BigQuery job
6d75e24 
Modify setup steps in documentation

Add additional fields definations
@navnit-elastic
Merge branch 'main' into google_workspace-2.42.0
7a19c54 
Conflicts:
	packages/google_workspace/changelog.yml
	packages/google_workspace/manifest.yml
@navnit-elastic navnit-elastic marked this pull request as ready for review July 30, 2025 06:36
@navnit-elastic navnit-elastic requested a review from a team as a code owner July 30, 2025 06:36
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elasticmachine
Copy link

💚 Build Succeeded

History

cc @navnit-elastic

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
94.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@navnit-elastic navnit-elastic

Labels
dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:google_workspace Google Workspace Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Google Workspace]: Add support for Gmail event type
3 participants
@navnit-elastic @elasticmachine @andrewkroh