[Google Workspace] Fixed a bug where a panel in the Login Dashboard did not filter correctly. #12628

Draft: wants to merge 16 commits into base: main

StacieClark-Elastic (Member)
Fixed a bug where a panel in the Login Dashboard did not filter correctly. The 'Successful Logins by Compromised Users [Logs Google Workspace]' panel showed all logins. The panel was renamed to accurately describe the data being shown after a filter for google_workspace.login.is_suspicious: true was added. Updated ingest to store google_workspace.login data that are boolValue to capture is_suspicious flag on logins. Changed name of panel 'Successful Logins by Compromised Users [Logs Google Workspace]' to 'Successful Logins that are Suspicious [Logs Google Workspace]'. Added filter for google_workspace.login.is_suspicious: true to renamed panel.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Load the test data into the local elastic stack:

In the google_workspace package directory

> elastic-package build
start the stack: elastic-package stack up -v --version=8.17.1 (wait for it to finish)

then load the data
> elastic-package test system -v --config-file data_stream/login/_dev/test/system/test-default-config.yml --setup
> elastic-package test system -v --no-provision

Open the dashboard: Kibana->Security->Dashboards->[Logs Google Workspace] Login

Verify that the panel 'Successful Logins by Compromised Users [Logs Google Workspace]' exists
Verify that a single entry for a successful login exists.
Open the record and verify that the entry has the google_workspace.login.is_suspicious flag set to true

Tear down the integration (failure to do this step will leave data on your local filesystem)
> elastic-package test system -v --tear-down

stop the stack: elastic-package stack down

Related issues

qcorporation and others added 15 commits February 4, 2025 12:21
…astic#12571)

Updates the following integrations to ECS 8.17.0:

- fortinet_fortiedr
- fortinet_fortigate
- fortinet_fortimail
- fortinet_fortimanager
- fortinet_fortiproxy
- goflow2
- hashicorp_vault
- imperva
- iptables
…astic#12569)

Update the following integrations to ECS 8.17.0:
- arista_ngfw
- cef
- checkpoint
- cisco_aironet
- cisco_asa
- cisco_ftd
- cisco_ios
- cisco_ise
- cisco_nexus
- cisco_secure_email_gateway
- citrix_waf
…astic#12572)

Updated the following integrations to ECS 8.17.0:
- juniper_srx
- modsecurity
- netflow
- osquery
- panw
- pfsense
- proxysg
…astic#12574)

Updated the following integrations to ECS 8.17.0:
- qnap_nas
- snort
- sonicwall_firewall
- sophos
- squid
- stormshield
- suricata
- tcp
- udp
- watchguard_firebox
- zeek
- The time format used "week-based-year" (Y) instead of "year-of-era" (y). The former
gives very different results when calculating the month and date, since it is week-based.
- Regenerated test files with updated dates.
elastic#12612)

* Fix dashboard query in [Metrics System] Host overview

* update pr link
* Add 9.0.0 constraint to sec-windows-platform packages

* Fix typo

* add scanner options to allow small test files

* Update packages/microsoft_exchange_server/data_stream/httpproxy/agent/stream/filestream.yml.hbs

* Update packages/microsoft_exchange_server/data_stream/httpproxy/agent/stream/filestream.yml.hbs

* Update packages/microsoft_exchange_server/data_stream/httpproxy/agent/stream/filestream.yml.hbs

* Update packages/microsoft_exchange_server/data_stream/httpproxy/agent/stream/filestream.yml.hbs

* Update packages/microsoft_exchange_server/data_stream/httpproxy/agent/stream/filestream.yml.hbs
* Docker Enablement for v9.0.0

Signed-off-by: Andreas Gkizas <[email protected]>
…ingress, istio and containerd integrations (elastic#12535)

* Enabling 9.0.0 kibana support for  kubernetes, kubernetes_otel, nginx_ingress, istio and containerd integrations

Signed-off-by: Andreas Gkizas <[email protected]>
Fixed a bug where a panel in the Login Dashboard did not filter correctly. The 'Successful Logins by Compromised Users [Logs Google Workspace]' panel showed all logins. The panel was renamed to accurately describe the data being shown after a filter for google_workspace.login.is_suspicious: true was added.
Updated ingest to store google_workspace.login data that are boolValue to capture is_suspicious flag on logins.
Changed name of panel 'Successful Logins by Compromised Users [Logs Google Workspace]' to 'Successful Logins that are Suspicious [Logs Google Workspace]'.
Added filter for google_workspace.login.is_suspicious: true to renamed panel.
StacieClark-Elastic added the labels bug, Integration:google_workspace and Team:Service-Integrations on Feb 5, 2025
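The effect of the change described in this pull request, as an added example that is not the integration's ingest pipeline or dashboard code: login events carry `is_suspicious` as a `boolValue` parameter, so a panel filter on that flag only works once boolean parameters are stored. The sample events, the `flatten` and `panel_rows` helpers and the simplified field layout are constructed assumptions.

```python
# Added example: constructed login events in a simplified Reports API shape.
SAMPLE_EVENTS = [
    {"actor": "alice@example.com", "name": "login_success",
     "parameters": [{"name": "login_type", "value": "google_password"},
                    {"name": "is_suspicious", "boolValue": False}]},
    {"actor": "bob@example.com", "name": "login_success",
     "parameters": [{"name": "login_type", "value": "saml"},
                    {"name": "is_suspicious", "boolValue": True}]},
    {"actor": "carol@example.com", "name": "login_failure",
     "parameters": [{"name": "login_type", "value": "google_password"},
                    {"name": "is_suspicious", "boolValue": True}]},
]

VALUE_KEYS = ("value", "intValue", "multiValue")


def flatten(event, keep_bool):
    """Map the parameters list to google_workspace.login.* style fields."""
    keys = VALUE_KEYS + (("boolValue",) if keep_bool else ())
    fields = {}
    for param in event.get("parameters", []):
        for key in keys:
            if key in param:  # membership test, so a False flag is still stored
                fields[param["name"]] = param[key]
                break
    return {"actor": event["actor"], "event": event["name"], "login": fields}


def panel_rows(events, keep_bool, require_suspicious):
    """Return the actors a 'successful logins' panel would list."""
    rows = []
    for doc in (flatten(e, keep_bool) for e in events):
        if doc["event"] != "login_success":
            continue
        if require_suspicious and doc["login"].get("is_suspicious") is not True:
            continue
        rows.append(doc["actor"])
    return rows


if __name__ == "__main__":
    # Old panel: no is_suspicious filter, so every successful login is listed.
    print("no filter:        ", panel_rows(SAMPLE_EVENTS, True, False))
    # Filter added but boolValue not ingested: the panel would be empty.
    print("filter, no bool:  ", panel_rows(SAMPLE_EVENTS, False, True))
    # Filter added and boolValue ingested: only the suspicious success remains.
    print("filter, with bool:", panel_rows(SAMPLE_EVENTS, True, True))
```
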
elasticmachine commented Feb 5, 2025

💔 Build Failed


Successfully merging this pull request may close these issues.

[google_workspace] Missing extra filters for Successful Logins by Compromised Users panel