Google Workspace Parser

megan201296 commented 2 years ago

Provided JSON logs from Google Workspace to @philhagen . Will include details here of what should be extracted.

User Logs

raw["actor"]["email"]
raw["ipAddress"]
raw["events"]
- ["name"]
- ["type"]

Note: While "events" is a list of dictionaries containing name/type keys, this log type only includes one item in that list (from all that I've observed at least). Other log types will potentially have multiple items in the events list that .

Drive Logs

Exclude the following parameters (i.e. raw["events"][*]["params"]):

"name": "primary_event"
"name": "billable"
"name": "is_encrypted"
"name": "owner_is_shared_drive"
"name": "owner_is_team_drive"
"name": "actor_is_collaborator_account"

Admin Logs

TODO

Login Logs

TODO

philhagen commented 2 years ago

still need to type-cast the fields as integer, etc. they're all showing as strings :/

philhagen commented 2 years ago

integer conversion should be done in 06284092e96be71f940e6959cef645dcdca5e562

megan201296 commented 2 years ago

Need Token logs parsed too. Everything can be kept from events/params. Sent you the sample in Slack (since I can't attach JSON here). Let me know if you need anything else.

philhagen / sof-elk