google_workspace: add google keep data stream (elastic#13836)

This adds support for the Google Keep audit event type as a new data stream to
enhance the overall visibility of data in the Google Workspace integration.

This changes includes updating navigation links in to the relevant dashboards.

Sanitized test case inputs were obtained from live Google Workspace instance
using the Admin SDK for Reports API[1].

[1] https://developers.google.com/workspace/admin/reports/reference/rest

Author: navnit-elastic

packages/google_workspace/_dev/build/docs/README.md

@@ -32,6 +32,7 @@ It is compatible with a subset of applications under the [Google Reports API v1]
 | [Chat](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/chat) | The Chat activity report returns information about how your account's users use and manage Spaces. |
 | [Vault](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/vault) | The Vault activity report returns information about various types of Vault Audit activity events. |
 | [Meet](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/meet) | The Meet activity report returns information about various aspects of call events. |
+| [Keep](https://developers.google.com/admin-sdk/reports/v1/appendix/activity/keep) | The Keep activity report returns information about how your account's users manage and modify their notes. |
 
 ## Requirements
 
@@ -48,7 +49,7 @@ This integration will make use of the following *oauth2 scope*:
 
 Once you have downloaded your service account credentials as a JSON file, you are ready to set up your integration.
 
-Click the Advanced option of Google Workspace Audit Reports. The default value of "API Host" is `https://www.googleapis.com`. The API Host will be used for collecting `access_transparency`, `admin`, `calendar`, `chat`, `chrome`, `context_aware_access`, `data_studio`, `device`, `drive`, `gcp`, `groups`, `group_enterprise`, `login`, `meet`, `rules`, `saml`, `token`, `user accounts` and `vault` logs.
+Click the Advanced option of Google Workspace Audit Reports. The default value of "API Host" is `https://www.googleapis.com`. The API Host will be used for collecting `access_transparency`, `admin`, `calendar`, `chat`, `chrome`, `context_aware_access`, `data_studio`, `device`, `drive`, `gcp`, `groups`, `group_enterprise`, `keep`, `login`, `meet`, `rules`, `saml`, `token`, `user accounts` and `vault` logs.
 
 >  NOTE: The `Delegated Account` value in the configuration, is expected to be the email of the administrator account, and not the email of the ServiceAccount.
 
@@ -310,3 +311,11 @@ This is the `meet` dataset.
 {{event "meet"}}
 
 {{fields "meet"}}
+
+### Keep
+
+This is the `keep` dataset.
+
+{{event "keep"}}
+
+{{fields "keep"}}

packages/google_workspace/_dev/deploy/docker/config.yml

@@ -1482,6 +1482,172 @@ rules:
               ]
           }
           `}}
+  - path: /admin/reports/v1/activity/users/all/applications/keep
+    methods: ['GET']
+    query_params:
+      maxResults: 1
+      pageToken: page-3
+    request_headers:
+      Authorization:
+        - "Bearer 1/fFAGRNJru1FTz70BzhT3Zg"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |-
+          {{ minify_json `
+          {
+              "kind": "admin#reports#activities",
+              "items": [
+                  {
+                      "kind": "admin#reports#activity",
+                      "id": {
+                          "time": "2025-03-27T12:46:57.714Z",
+                          "uniqueQualifier": "0",
+                          "applicationName": "keep",
+                          "customerId": "1"
+                      },
+                      "etag": "abcdefgh-SHfJfeOMlTPu983WfVweBonaAPdmU",
+                      "actor": {
+                          "callerType": "USER",
+                          "email": "[email protected]",
+                          "profileId": "1"
+                      },
+                      "events": [
+                          {
+                              "type": "user_action",
+                              "name": "modified_acl",
+                              "parameters": [
+                                  {
+                                      "name": "owner_email",
+                                      "value": "[email protected]"
+                                  },
+                                  {
+                                      "name": "note_name",
+                                      "value": "https://keep.googleapis.com/v1/notes/abc-xyz"
+                                  }
+                              ]
+                          }
+                      ]
+                  }
+              ]
+          }
+          `}}
+  - path: /admin/reports/v1/activity/users/all/applications/keep
+    methods: ['GET']
+    query_params:
+      maxResults: 1
+      pageToken: page-2
+    request_headers:
+      Authorization:
+        - "Bearer 1/fFAGRNJru1FTz70BzhT3Zg"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |-
+          {{ minify_json `
+          {
+              "kind": "admin#reports#activities",
+              "nextPageToken": "page-3",
+              "items": [
+                  {
+                      "kind": "admin#reports#activity",
+                      "id": {
+                          "time": "2025-03-27T12:46:29.430Z",
+                          "uniqueQualifier": "1",
+                          "applicationName": "keep",
+                          "customerId": "1"
+                      },
+                      "etag": "abcdefgh-SHfJfeOMlTPu983WfVweBonaAPdmU",
+                      "actor": {
+                          "callerType": "USER",
+                          "email": "[email protected]",
+                          "profileId": "1"
+                      },
+                      "events": [
+                          {
+                              "type": "user_action",
+                              "name": "deleted_attachment",
+                              "parameters": [
+                                  {
+                                      "name": "owner_email",
+                                      "value": "[email protected]"
+                                  },
+                                  {
+                                      "name": "note_name",
+                                      "value": "https://keep.googleapis.com/v1/notes/abc-xyz"
+                                  },
+                                  {
+                                      "name": "attachment_name",
+                                      "value": "https://keep.googleapis.com/v1/notes/abc-xyz/attachments/abcdefgh"
+                                  }
+                              ]
+                          }
+                      ]
+                  }
+              ]
+          }
+          `}}
+  - path: /admin/reports/v1/activity/users/all/applications/keep
+    methods: ['GET']
+    query_params:
+      maxResults: 1
+      pageToken: null
+    request_headers:
+      Authorization:
+        - "Bearer 1/fFAGRNJru1FTz70BzhT3Zg"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json"
+        body: |-
+          {{ minify_json `
+          {
+              "kind": "admin#reports#activities",
+              "nextPageToken": "page-2",
+              "items": [
+                  {
+                      "kind": "admin#reports#activity",
+                      "id": {
+                          "time": "2025-03-27T12:45:08.310Z",
+                          "uniqueQualifier": "0",
+                          "applicationName": "keep",
+                          "customerId": "1"
+                      },
+                      "etag": "abcdefgh-SHfJfeOMlTPu983WfVweBonaAPdmU",
+                      "actor": {
+                          "callerType": "USER",
+                          "email": "[email protected]",
+                          "profileId": "1"
+                      },
+                      "events": [
+                          {
+                              "type": "user_action",
+                              "name": "uploaded_attachment",
+                              "parameters": [
+                                  {
+                                      "name": "owner_email",
+                                      "value": "[email protected]"
+                                  },
+                                  {
+                                      "name": "note_name",
+                                      "value": "https://keep.googleapis.com/v1/notes/abc-xyz"
+                                  },
+                                  {
+                                      "name": "attachment_name",
+                                      "value": "https://keep.googleapis.com/v1/notes/abc-xyz/attachments/abcdefgh"
+                                  }
+                              ]
+                          }
+                      ]
+                  }
+              ]
+          }
+          `}}
   - path: /admin/reports/v1/activity/users/all/applications/drive
     methods: [GET]
     query_params:

packages/google_workspace/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.41.0"
+  changes:
+    - description: Add support for Keep event type.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13836
 - version: "2.40.0"
   changes:
     - description: Add support for Meet event type.

packages/google_workspace/data_stream/keep/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_duplicate_custom_fields

packages/google_workspace/data_stream/keep/_dev/test/pipeline/test-keep.log

@@ -0,0 +1,5 @@
+{"kind": "admin#reports#activity", "id": {"time": "2025-03-27T12:46:57.714Z", "uniqueQualifier": "0", "applicationName": "keep", "customerId": "1"}, "etag": "abcdefgh-SHfJfeOMlTPu983WfVweBonaAPdmU", "actor": {"callerType": "USER", "email": "[email protected]", "profileId": "1"}, "events": {"type": "user_action", "name": "modified_acl", "parameters": [{"name": "owner_email", "value": "[email protected]"}, {"name": "note_name", "value": "https://keep.googleapis.com/v1/notes/abc-xyz"}]}}
+{"kind": "admin#reports#activity", "id": {"time": "2025-03-27T12:46:29.430Z", "uniqueQualifier": "1", "applicationName": "keep", "customerId": "1"}, "etag": "abcdefgh-SHfJfeOMlTPu983WfVweBonaAPdmU", "actor": {"callerType": "USER", "email": "[email protected]", "profileId": "1"}, "events": {"type": "user_action", "name": "deleted_attachment", "parameters": [{"name": "owner_email", "value": "[email protected]"}, {"name": "note_name", "value": "https://keep.googleapis.com/v1/notes/abc-xyz"}, {"name": "attachment_name", "value": "https://keep.googleapis.com/v1/notes/abc-xyz/attachments/abcdefgh"}]}}
+{"kind": "admin#reports#activity", "id": {"time": "2025-03-27T12:45:08.310Z", "uniqueQualifier": "0", "applicationName": "keep", "customerId": "1"}, "etag": "abcdefgh-SHfJfeOMlTPu983WfVweBonaAPdmU", "actor": {"callerType": "USER", "email": "[email protected]", "profileId": "1"}, "events": {"type": "user_action", "name": "uploaded_attachment", "parameters": [{"name": "owner_email", "value": "[email protected]"}, {"name": "note_name", "value": "https://keep.googleapis.com/v1/notes/abc-xyz"}, {"name": "attachment_name", "value": "https://keep.googleapis.com/v1/notes/abc-xyz/attachments/abcdefgh"}]}}
+{"kind": "admin#reports#activity", "id": {"time": "2025-03-25T10:13:35.077Z", "uniqueQualifier": "0", "applicationName": "keep", "customerId": "1"}, "etag": "abcdefgh-SHfJfeOMlTPu983WfVweBonaAPdmU", "actor": {"callerType": "USER", "email": "[email protected]", "profileId": "1"}, "events": {"type": "user_action", "name": "edited_note_content", "parameters": [{"name": "owner_email", "value": "[email protected]"}, {"name": "note_name", "value": "https://keep.googleapis.com/v1/notes/abc-xyz"}]}}
+{"kind": "admin#reports#activity", "id": {"time": "2025-03-25T09:32:46.784Z", "uniqueQualifier": "0", "applicationName": "keep", "customerId": "1"}, "etag": "abcdefgh-SHfJfeOMlTPu983WfVweBonaAPdmU", "actor": {"callerType": "USER", "email": "[email protected]", "profileId": "1"}, "events": {"type": "user_action", "name": "created_note", "parameters": [{"name": "owner_email", "value": "[email protected]"}, {"name": "note_name", "value": "https://keep.googleapis.com/v1/notes/abc-xyz"}]}}