diff --git a/packages/zoom/changelog.yml b/packages/zoom/changelog.yml index 4798bd7b4f3..82c20ab56fc 100644 --- a/packages/zoom/changelog.yml +++ b/packages/zoom/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.18.1" + changes: + - description: Fix ingest pipeline conditional field handling. + type: bugfix + link: https://github.com/elastic/integrations/pull/9077 - version: 1.18.0 changes: - description: ECS version updated to 8.11.0. diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml index 50923953743..568feef3d3c 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/account.yml @@ -7,18 +7,23 @@ processors: - append: field: event.category value: configuration - if: "['account.settings_updated'].contains(ctx?.event?.action)" + if: ctx.event?.action == 'account.settings_updated' - append: field: event.type value: user - append: field: event.type value: creation - if: ctx?.event?.action == 'account.created' + if: ctx.event?.action == 'account.created' - append: field: event.type value: change - if: "['account.updated', 'account.settings_updated', 'account.disassociated'].contains(ctx?.event?.action)" + if: >- + [ + 'account.updated', + 'account.settings_updated', + 'account.disassociated' + ].contains(ctx.event?.action) - rename: field: zoom.account_id target_field: zoom.master_account_id @@ -32,7 +37,7 @@ processors: target_field: '@timestamp' formats: - UNIX_MS - if: ctx?.zoom?.time_stamp != null + if: ctx.zoom?.time_stamp != null ignore_failure: true - rename: field: zoom.object 
@@ -43,11 +48,11 @@ processors: # - set: field: user.target.id - value: '{{zoom.account.owner_id}}' + value: '{{{zoom.account.owner_id}}}' ignore_empty_value: true - set: field: user.target.email - value: '{{zoom.account.owner_email}}' + value: '{{{zoom.account.owner_email}}}' ignore_empty_value: true # 
@@ -55,57 +60,57 @@ processors: # - set: field: user.target.id - value: '{{zoom.old_values.id}}' - if: 'ctx.zoom?.old_values?.id != null' + value: '{{{zoom.old_values.id}}}' + if: ctx.zoom?.old_values?.id != null - set: field: user.target.email - value: '{{zoom.old_values.account_email}}' - if: 'ctx.zoom?.old_values?.account_email != null' + value: '{{{zoom.old_values.account_email}}}' + if: ctx.zoom?.old_values?.account_email != null - set: field: user.target.full_name - value: '{{zoom.old_values.account_name}}' - if: 'ctx.zoom?.old_values?.account_name != null' + value: '{{{zoom.old_values.account_name}}}' + if: ctx.zoom?.old_values?.account_name != null - set: field: user.target.name - value: '{{zoom.old_values.account_alias}}' - if: 'ctx.zoom?.old_values?.account_alias != null' + value: '{{{zoom.old_values.account_alias}}}' + if: ctx.zoom?.old_values?.account_alias != null # # set user.changes from account.account_* fields (updated account). # - set: field: user.changes.id - value: '{{zoom.account.id}}' - if: 'ctx.zoom?.account?.id != null && ctx.zoom?.old_values?.id != ctx.zoom?.account?.id' + value: '{{{zoom.account.id}}}' + if: ctx.zoom?.account?.id != null && ctx.zoom?.old_values?.id != ctx.zoom?.account?.id - set: field: user.changes.email - value: '{{zoom.account.account_email}}' - if: 'ctx.zoom?.account?.account_email != null && ctx.zoom?.old_values?.account_email != ctx.zoom?.account?.account_email' + value: '{{{zoom.account.account_email}}}' + if: ctx.zoom?.account?.account_email != null && ctx.zoom?.old_values?.account_email != ctx.zoom?.account?.account_email - set: field: user.changes.full_name - value: '{{zoom.account.account_name}}' - if: 'ctx.zoom?.account?.account_name != null && ctx.zoom?.old_values?.account_name != ctx.zoom?.account?.account_name' + value: '{{{zoom.account.account_name}}}' + if: ctx.zoom?.account?.account_name != null && ctx.zoom?.old_values?.account_name != ctx.zoom?.account?.account_name - set: field: user.changes.name - 
value: '{{zoom.account.account_alias}}' - if: 'ctx.zoom?.account?.account_alias != null && ctx.zoom?.old_values?.account_alias != ctx.zoom?.account?.account_alias' + value: '{{{zoom.account.account_alias}}}' + if: ctx.zoom?.account?.account_alias != null && ctx.zoom?.old_values?.account_alias != ctx.zoom?.account?.account_alias # # Append to related.user array # - append: field: related.user - value: "{{zoom.account.owner_id}}" + value: "{{{zoom.account.owner_id}}}" allow_duplicates: false if: ctx.zoom?.account?.owner_id != null - append: field: related.user - value: "{{user.target.id}}" + value: "{{{user.target.id}}}" allow_duplicates: false if: ctx.user?.target?.id != null - append: field: related.user - value: "{{user.changes.id}}" + value: "{{{user.changes.id}}}" allow_duplicates: false if: ctx.user?.changes?.id != null diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_channel.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_channel.yml index 2a6546b3f48..2e54d61c70f 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_channel.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_channel.yml 
@@ -4,19 +4,24 @@ processors: - append: field: event.type value: user - if: "['chat_channel.member_invited', 'chat_channel.member_joined', 'chat_channel.member_left'].contains(ctx?.event?.action)" + if: >- + [ + 'chat_channel.member_invited', + 'chat_channel.member_joined', + 'chat_channel.member_left' + ].contains(ctx.event?.action) - append: field: event.type value: creation - if: ctx?.event?.action == 'chat_channel.created' + if: ctx.event?.action == 'chat_channel.created' - append: field: event.type value: deletion - if: ctx?.event?.action == 'chat_channel.deleted' + if: ctx.event?.action == 'chat_channel.deleted' - append: field: event.type value: change - if: ctx?.event?.action == 'chat_channel.updated' + if: ctx.event?.action == 'chat_channel.updated' - rename: field: zoom.object target_field: zoom.chat_channel 
@@ -26,30 +31,30 @@ processors: target_field: '@timestamp' formats: - UNIX_MS - if: ctx?.zoom?.chat_channel?.timestamp != null + if: ctx.zoom?.chat_channel?.timestamp != null ignore_failure: true - remove: field: zoom.chat_channel.date_time ignore_missing: true - if: ctx?.zoom?.chat_channel?.timestamp != null + if: ctx.zoom?.chat_channel?.timestamp != null - date: field: zoom.chat_channel.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: "ctx?.zoom?.chat_channel?.date_time != null && ctx?.zoom?.chat_channel?.timestamp == null" + if: ctx.zoom?.chat_channel?.date_time != null && ctx.zoom?.chat_channel?.timestamp == null ignore_failure: true - remove: field: zoom.chat_channel.timestamp ignore_missing: true - if: ctx?.zoom?.chat_channel?.timestamp != null + if: ctx.zoom?.chat_channel?.timestamp != null - foreach: field: zoom.chat_channel.members ignore_missing: true processor: append: field: related.user - value: ["{{_ingest._value.display_name}}", "{{_ingest._value.id}}"] + value: ["{{{_ingest._value.display_name}}}", "{{{_ingest._value.id}}}"] allow_duplicates: false # Removing to prevent nested values, added to related.user above - remove: diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_message.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_message.yml index af3325847f3..e79b65a8a36 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_message.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/chat_message.yml 
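Review bot: The inner `append` in the `foreach` over `zoom.chat_channel.members` has no per-member guard, so a member object that lacks `display_name` or `id` appears to render the corresponding template as an empty string, which is then pushed into `related.user` (`append` has no `ignore_empty_value`, and `allow_duplicates: false` only stops a second empty entry). Every other `related.user` append in this change is protected by a `!= null` condition on the source field, so this one is the odd one out. Consider splitting it into two appends with their own conditions, e.g. `if: ctx._ingest?._value?.id != null` for the id and the matching check for `display_name`, rather than one two-element list. The `remove` processor at the end of the hunk continues outside it.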
@@ -7,46 +7,46 @@ processors: - append: field: event.type value: creation - if: ctx?.event?.action == 'chat_message.sent' + if: ctx.event?.action == 'chat_message.sent' - append: field: event.type value: deletion - if: ctx?.event?.action == 'chat_message.deleted' + if: ctx.event?.action == 'chat_message.deleted' - append: field: event.type value: change - if: ctx?.event?.action == 'chat_message.updated' + if: ctx.event?.action == 'chat_message.updated' - rename: field: zoom.object target_field: zoom.chat_message ignore_missing: true - append: field: related.user - value: "{{zoom.chat_message.contact_id}}" - if: "ctx?.zoom?.chat_message?.contact_id != null" + value: "{{{zoom.chat_message.contact_id}}}" + if: ctx.zoom?.chat_message?.contact_id != null - date: field: zoom.chat_message.timestamp target_field: '@timestamp' formats: - UNIX_MS - if: ctx?.zoom?.chat_message?.timestamp != null + if: ctx.zoom?.chat_message?.timestamp != null ignore_failure: true - remove: field: zoom.chat_message.date_time ignore_missing: true - if: ctx?.zoom?.chat_message?.timestamp != null + if: ctx.zoom?.chat_message?.timestamp != null - date: field: zoom.chat_message.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.zoom?.chat_message?.timestamp == null + if: ctx.zoom?.chat_message?.timestamp == null ignore_failure: true - remove: field: zoom.chat_message.timestamp ignore_missing: true - remove: - if: ctx?.zoom?.chat_message?.message == null + if: ctx.zoom?.chat_message?.message == null field: zoom.chat_message.message ignore_missing: true on_failure: diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml index 4308e61ba56..6def48a876c 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/default.yml 
@@ -60,19 +60,19 @@ processors: ignore_missing: true - append: field: related.user - value: "{{zoom.operator_id}}" - if: "ctx.zoom?.operator_id != null" + value: "{{{zoom.operator_id}}}" + if: ctx.zoom?.operator_id != null # Set user.id from operator data (user who performs an action). - set: field: user.id - value: "{{zoom.operator_id}}" - if: "ctx.zoom?.operator_id != null" + value: "{{{zoom.operator_id}}}" + if: ctx.zoom?.operator_id != null # Set user.name from operator data only when user.id also set above. - set: field: user.email - value: "{{zoom.operator}}" + value: "{{{zoom.operator}}}" ignore_empty_value: true - if: "ctx.zoom?.operator_id != null" + if: ctx.zoom?.operator_id != null # Removing some fields that have complex nested arrays that might impact performance - remove: field: 
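Review bot: The comment `# Set user.name from operator data only when user.id also set above.` sits over a processor whose `field` is `user.email` and whose value is `{{{zoom.operator}}}`, so the comment describes a field this processor never writes. Since every line of that processor is being rewritten here, the comment should move with it: `# Set user.email from operator data only when user.id also set above.`. The trailing `remove` processor is cut off by the hunk, so its field list is not visible.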
@@ -94,31 +94,31 @@ processors: ignore_missing: true - pipeline: name: '{{ IngestPipeline "meeting" }}' - if: "ctx?.event?.action.startsWith('meeting')" + if: ctx.event?.action?.startsWith('meeting') == true - pipeline: name: '{{ IngestPipeline "account" }}' - if: "ctx?.event?.action.startsWith('account')" + if: ctx.event?.action?.startsWith('account') == true - pipeline: name: '{{ IngestPipeline "chat_message" }}' - if: "ctx?.event?.action.startsWith('chat_message')" + if: ctx.event?.action?.startsWith('chat_message') == true - pipeline: name: '{{ IngestPipeline "chat_channel" }}' - if: "ctx?.event?.action.startsWith('chat_channel')" + if: ctx.event?.action?.startsWith('chat_channel') == true - pipeline: name: '{{ IngestPipeline "phone" }}' - if: "ctx?.event?.action.startsWith('phone')" + if: ctx.event?.action?.startsWith('phone') == true - pipeline: name: '{{ IngestPipeline "recording" }}' - if: "ctx?.event?.action.startsWith('recording')" + if: ctx.event?.action?.startsWith('recording') == true - pipeline: name: '{{ IngestPipeline "user" }}' - if: "ctx?.event?.action.startsWith('user')" + if: ctx.event?.action?.startsWith('user') == true - pipeline: name: '{{ IngestPipeline "webinar" }}' - if: "ctx?.event?.action.startsWith('webinar')" + if: ctx.event?.action?.startsWith('webinar') == true - pipeline: name: '{{ IngestPipeline "zoomroom" }}' - if: "ctx?.event?.action.startsWith('zoomroom')" + if: ctx.event?.action?.startsWith('zoomroom') == true on_failure: - set: field: event.kind diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/meeting.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/meeting.yml index 7bc3ebe65b6..ebc2cee87a9 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/meeting.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/meeting.yml 
@@ -4,35 +4,35 @@ processors: - append: field: event.type value: info - if: ctx?.event?.action != 'meeting.alert' + if: ctx.event?.action != 'meeting.alert' - append: field: event.type value: error - if: ctx?.event?.action == 'meeting.alert' + if: ctx.event?.action == 'meeting.alert' - append: field: event.type value: allowed - if: ctx?.event?.action == 'meeting.registration_approved' + if: ctx.event?.action == 'meeting.registration_approved' - append: field: event.type value: creation - if: "['meeting.registration_created', 'meeting.created'].contains(ctx?.event?.action)" + if: "['meeting.registration_created', 'meeting.created'].contains(ctx.event?.action)" - append: field: event.type value: deletion - if: ctx?.event?.action == 'meeting.deleted' + if: ctx.event?.action == 'meeting.deleted' - append: field: event.type value: change - if: ctx?.event?.action == 'meeting.updated' + if: ctx.event?.action == 'meeting.updated' - append: field: event.type value: start - if: "['meeting.started', 'meeting.sharing_started'].contains(ctx?.event?.action)" + if: "['meeting.started', 'meeting.sharing_started'].contains(ctx.event?.action)" - append: field: event.type value: end - if: "['meeting.ended', 'meeting.sharing_ended'].contains(ctx?.event?.action)" + if: "['meeting.ended', 'meeting.sharing_ended'].contains(ctx.event?.action)" - rename: field: zoom.object target_field: zoom.meeting @@ -45,7 +45,7 @@ processors: field: zoom.registrant.join_url target_field: url.full ignore_missing: true - if: ctx?.url?.full == null + if: ctx.url?.full == null # # Set user.* from participant, if any. 
@@ -54,14 +54,14 @@ processors: field: - user ignore_missing: true - if: 'ctx.zoom?.participant != null' + if: ctx.zoom?.participant != null - set: field: user.id - value: '{{zoom.participant.id}}' + value: '{{{zoom.participant.id}}}' ignore_empty_value: true - set: field: user.full_name - value: '{{zoom.participant.user_name}}' + value: '{{{zoom.participant.user_name}}}' ignore_empty_value: true # @@ -69,7 +69,7 @@ processors: # - set: field: user.id - value: '{{zoom.meeting.host_id}}' + value: '{{{zoom.meeting.host_id}}}' ignore_empty_value: true override: false 
@@ -78,90 +78,100 @@ processors: # - append: field: related.user - value: "{{zoom.participant.id}}" + value: "{{{zoom.participant.id}}}" allow_duplicates: false - if: 'ctx.zoom?.participant?.id != null' + if: ctx.zoom?.participant?.id != null - append: field: related.user - value: "{{zoom.meeting.host_id}}" + value: "{{{zoom.meeting.host_id}}}" allow_duplicates: false - if: 'ctx.zoom?.meeting?.host_id != null' + if: ctx.zoom?.meeting?.host_id != null - date: field: zoom.meeting.start_time target_field: event.start formats: - ISO_INSTANT - if: ctx?.event?.action == 'meeting.started' + if: ctx.event?.action == 'meeting.started' ignore_failure: true - date: field: zoom.participant.sharing_details.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'meeting.sharing_started' + if: ctx.event?.action == 'meeting.sharing_started' ignore_failure: true - date: field: zoom.participant.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: "['meeting.participant_put_in_waiting_room', 'meeting.participant_joined_waiting_room', 'meeting.participant_left_waiting_room'].contains(ctx?.event?.action)" + if: >- + [ + 'meeting.participant_put_in_waiting_room', + 'meeting.participant_joined_waiting_room', + 'meeting.participant_left_waiting_room' + ].contains(ctx.event?.action) ignore_failure: true - date: field: zoom.participant.join_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'meeting.participant_joined' + if: ctx.event?.action == 'meeting.participant_joined' ignore_failure: true - date: field: zoom.participant.leave_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'meeting.participant_left' + if: ctx.event?.action == 'meeting.participant_left' ignore_failure: true - date: field: zoom.time_stamp target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'meeting.updated' + if: ctx.event?.action == 'meeting.updated' ignore_failure: true - script: 
lang: painless - if: ctx?.zoom?.meeting?.duration != null + if: ctx.zoom?.meeting?.duration != null source: >- ctx.event.duration = ctx.zoom.meeting.duration * 60L * 1000000000L; - remove: field: zoom.meeting.start_time ignore_missing: true - if: ctx?.event?.action == 'meeting.started' + if: ctx.event?.action == 'meeting.started' - remove: field: zoom.meeting.duration ignore_missing: true - if: ctx?.event?.duration != null + if: ctx.event?.duration != null - remove: field: zoom.participant.sharing_details.date_time ignore_missing: true - if: ctx?.event?.action == 'meeting.sharing_started' + if: ctx.event?.action == 'meeting.sharing_started' - remove: field: zoom.participant.date_time ignore_missing: true - if: "['meeting.participant_put_in_waiting_room', 'meeting.participant_joined_waiting_room', 'meeting.participant_left_waiting_room'].contains(ctx?.event?.action)" + if: >- + [ + 'meeting.participant_put_in_waiting_room', + 'meeting.participant_joined_waiting_room', + 'meeting.participant_left_waiting_room' + ].contains(ctx.event?.action) - remove: field: zoom.participant.join_time ignore_missing: true - if: ctx?.event?.action == 'meeting.participant_joined' + if: ctx.event?.action == 'meeting.participant_joined' - remove: field: zoom.participant.leave_time ignore_missing: true - if: ctx?.event?.action == 'meeting.participant_left' + if: ctx.event?.action == 'meeting.participant_left' - remove: field: zoom.time_stamp ignore_missing: true - if: ctx?.event?.action == 'meeting.updated' + if: ctx.event?.action == 'meeting.updated' on_failure: - set: field: event.kind diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml index e1b8e662591..90aa2b6b29c 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/phone.yml 
@@ -7,15 +7,15 @@ processors: - append: field: event.type value: creation - if: "['phone.caller_ringing', 'phone.callee_ringing'].contains(ctx?.event?.action)" + if: "['phone.caller_ringing', 'phone.callee_ringing'].contains(ctx.event?.action)" - append: field: event.type value: start - if: "['phone.callee_answered', 'phone.caller_connected'].contains(ctx?.event?.action)" + if: "['phone.callee_answered', 'phone.caller_connected'].contains(ctx.event?.action)" - append: field: event.type value: end - if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended'].contains(ctx?.event?.action)" + if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended'].contains(ctx.event?.action)" - rename: field: zoom.object target_field: zoom.phone 
@@ -29,35 +29,41 @@ processors: target_field: '@timestamp' formats: - ISO_INSTANT - if: "['phone.callee_ringing', 'phone.caller_ringing', 'phone.caller_ended'].contains(ctx?.event?.action)" + if: "['phone.callee_ringing', 'phone.caller_ringing', 'phone.caller_ended'].contains(ctx.event?.action)" ignore_failure: true - date: field: zoom.phone.connected_start_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'phone.caller_connected' + if: ctx.event?.action == 'phone.caller_connected' ignore_failure: true - date: field: zoom.phone.answer_start_time target_field: '@timestamp' formats: - ISO_INSTANT - if: "ctx?.zoom?.phone.answer_start_time != null && ctx?.event?.action == 'phone.callee_answered'" + if: ctx.zoom?.phone?.answer_start_time != null && ctx.event?.action == 'phone.callee_answered' ignore_failure: true - date: field: zoom.phone.call_end_time target_field: '@timestamp' formats: - ISO_INSTANT - if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended', 'phone.callee_rejected'].contains(ctx?.event?.action)" + if: >- + [ + 'phone.callee_missed', + 'phone.callee_ended', + 'phone.caller_ended', + 'phone.callee_rejected' + ].contains(ctx.event?.action) ignore_failure: true - date: field: zoom.phone.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'phone.voicemail_received' + if: ctx.event?.action == 'phone.voicemail_received' ignore_failure: true - convert: field: zoom.phone.duration 
@@ -66,7 +72,7 @@ processors: # Calculates duration when duration is unknown but start and end time is known (with ringing_start_time) - script: lang: painless - if: "ctx?.zoom?.phone?.ringing_start_time != null && ctx?.zoom?.phone?.answer_start_time == null && ctx?.zoom?.phone?.call_end_time != null && ctx?.zoom?.phone?.duration == null" + if: ctx.zoom?.phone?.ringing_start_time != null && ctx.zoom?.phone?.answer_start_time == null && ctx.zoom?.phone?.call_end_time != null && ctx.zoom?.phone?.duration == null source: >- ctx.event.start = ctx.zoom.phone.ringing_start_time; ctx.event.end = ctx.zoom.phone.call_end_time; @@ -77,7 +83,7 @@ processors: # Calculates duration when duration is unknown but start and end time is known (with answer_start_time) - script: lang: painless - if: "ctx?.zoom?.phone?.ringing_start_time == null && ctx?.zoom?.phone?.answer_start_time != null && ctx?.zoom?.phone?.call_end_time != null && ctx?.zoom?.phone?.duration == null" + if: ctx.zoom?.phone?.ringing_start_time == null && ctx.zoom?.phone?.answer_start_time != null && ctx.zoom?.phone?.call_end_time != null && ctx.zoom?.phone?.duration == null source: >- ctx.event.start = ctx.zoom.phone.answer_start_time; ctx.event.end = ctx.zoom.phone.call_end_time; @@ -88,7 +94,7 @@ processors: # Duration is in minutes, so multiply by seconds and then multiply again to convert seconds to nano - script: lang: painless - if: ctx?.zoom?.duration != null + if: ctx.zoom?.duration != null source: >- ctx.event.duration = ctx.zoom.phone.duration * 60L * 1000000000L; 
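Review bot: In hunk `@@ -88,7 +94,7 @@` the script's condition still tests `ctx.zoom?.duration`, while its `source` multiplies `ctx.zoom.phone.duration`, so the guard and the value it is meant to protect are different fields; the two duration scripts just above in this file check `ctx.zoom?.phone?.duration`, and meeting.yml guards the analogous script with `ctx.zoom?.meeting?.duration`. Unless `zoom.duration` is populated somewhere outside these hunks, the script either never runs or, when only `zoom.duration` is present, dereferences a missing `zoom.phone.duration` and ends in `on_failure`. The commit touches this line only to drop the `?` after `ctx`; the fix it advertises would be `if: ctx.zoom?.phone?.duration != null`.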
@@ -144,30 +150,30 @@ processors: ignore_missing: true - append: field: related.user - value: "{{zoom.phone.callee.user_id}}" + value: "{{{zoom.phone.callee.user_id}}}" allow_duplicates: false - if: ctx?.zoom?.phone?.callee?.user_id != null + if: ctx.zoom?.phone?.callee?.user_id != null - append: field: related.user - value: "{{zoom.phone.callee_user_id}}" + value: "{{{zoom.phone.callee_user_id}}}" allow_duplicates: false - if: ctx?.zoom?.phone?.callee_user_id != null + if: ctx.zoom?.phone?.callee_user_id != null - append: field: related.user - value: "{{zoom.phone.caller.user_id}}" + value: "{{{zoom.phone.caller.user_id}}}" allow_duplicates: false - if: ctx?.zoom?.phone?.caller?.user_id != null + if: ctx.zoom?.phone?.caller?.user_id != null - remove: field: zoom.phone.date_time ignore_missing: true - if: ctx?.event?.action == 'phone.voicemail_received' + if: ctx.event?.action == 'phone.voicemail_received' - set: field: source.user.id - value: '{{zoom.phone.caller.user_id}}' + value: '{{{zoom.phone.caller.user_id}}}' ignore_empty_value: true - set: field: destination.user.id - value: '{{zoom.phone.callee.user_id}}' + value: '{{{zoom.phone.callee.user_id}}}' ignore_empty_value: true on_failure: - set: diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/recording.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/recording.yml index 2471ba46823..14c881b8e88 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/recording.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/recording.yml 
@@ -7,31 +7,31 @@ processors: - append: field: event.type value: creation - if: ctx?.event?.action == 'recording.registration_created' + if: ctx.event?.action == 'recording.registration_created' - append: field: event.type value: allowed - if: ctx?.event?.action == 'recording.registration_approved' + if: ctx.event?.action == 'recording.registration_approved' - append: field: event.type value: denied - if: ctx?.event?.action == 'recording.registration_denied' + if: ctx.event?.action == 'recording.registration_denied' - append: field: event.type value: deletion - if: "['recording.deleted', 'recording.trashed'].contains(ctx?.event?.action)" + if: "['recording.deleted', 'recording.trashed'].contains(ctx.event?.action)" - append: field: event.type value: change - if: "['recording.paused', 'recording.resumed', 'recording.renamed', 'recording.recovered'].contains(ctx?.event?.action)" + if: "['recording.paused', 'recording.resumed', 'recording.renamed', 'recording.recovered'].contains(ctx.event?.action)" - append: field: event.type value: start - if: ctx?.event?.action == 'recording.started' + if: ctx.event?.action == 'recording.started' - append: field: event.type value: end - if: "['recording.stopped', 'recording.completed', 'recording.transcript_completed'].contains(ctx?.event?.action)" + if: "['recording.stopped', 'recording.completed', 'recording.transcript_completed'].contains(ctx.event?.action)" - rename: field: zoom.object target_field: zoom.recording 
@@ -45,27 +45,27 @@ processors: target_field: '@timestamp' formats: - UNIX_MS - if: ctx?.event?.action == 'recording.renamed' + if: ctx.event?.action == 'recording.renamed' ignore_failure: true - remove: field: zoom.recording.recording_file.recording_start - if: 'ctx.zoom?.recording?.recording_file?.recording_start == ""' + if: ctx.zoom?.recording?.recording_file?.recording_start == "" - remove: field: zoom.recording.recording_file.recording_end - if: 'ctx.zoom?.recording?.recording_file?.recording_end == ""' + if: ctx.zoom?.recording?.recording_file?.recording_end == "" - set: field: event.start - value: '{{ zoom.recording.recording_file.recording_start }}' + value: '{{{ zoom.recording.recording_file.recording_start }}}' ignore_empty_value: true - if: ctx?.event?.action == 'recording.started' + if: ctx.event?.action == 'recording.started' - set: field: event.end - value: '{{ zoom.recording.recording_file.recording_end }}' + value: '{{{ zoom.recording.recording_file.recording_end }}}' ignore_empty_value: true - if: ctx?.event?.action == 'recording.stopped' + if: ctx.event?.action == 'recording.stopped' - script: lang: painless - if: "ctx?.event?.end != null && ctx?.event?.start != null && ctx?.event?.action == 'recording.stopped'" + if: ctx.event?.end != null && ctx.event?.start != null && ctx.event?.action == 'recording.stopped' source: >- ZonedDateTime start = ZonedDateTime.parse(ctx.event.start); ZonedDateTime end = ZonedDateTime.parse(ctx.event.end); 
@@ -75,40 +75,40 @@ processors: target_field: '@timestamp' formats: - ISO_INSTANT - if: "ctx?.zoom?.recording?.recording_file?.recording_start != null && ctx?.event?.action == 'recording.started'" + if: ctx.zoom?.recording?.recording_file?.recording_start != null && ctx.event?.action == 'recording.started' ignore_failure: true - append: field: related.user - value: "{{zoom.recording.host_id}}" - if: "ctx?.zoom?.recording?.host_id != null" + value: "{{{zoom.recording.host_id}}}" + if: ctx.zoom?.recording?.host_id != null - append: field: related.user - value: "{{zoom.registrant.id}}" - if: "ctx?.zoom?.registrant?.id != null" + value: "{{{zoom.registrant.id}}}" + if: ctx.zoom?.registrant?.id != null - remove: field: zoom.time_stamp ignore_missing: true - if: ctx?.event?.action == 'recording.renamed' + if: ctx.event?.action == 'recording.renamed' - set: field: 'user.email' - value: '{{zoom.registrant.email}}' + value: '{{{zoom.registrant.email}}}' ignore_empty_value: true - if: 'ctx.user?.id == null && ctx.zoom?.registrant != null' + if: ctx.user?.id == null && ctx.zoom?.registrant != null - set: field: 'user.full_name' value: '{{zoom.registrant.first_name}} {{zoom.registrant.last_name}}' ignore_empty_value: true - if: 'ctx.user?.id == null && ctx.zoom?.registrant != null' + if: ctx.user?.id == null && ctx.zoom?.registrant != null - set: field: 'user.id' - value: '{{zoom.registrant.id}}' + value: '{{{zoom.registrant.id}}}' ignore_empty_value: true - if: 'ctx.user?.id == null && ctx.zoom?.registrant != null' + if: ctx.user?.id == null && ctx.zoom?.registrant != null - set: field: 'user.id' - value: '{{zoom.recording.host_id}}' + value: '{{{zoom.recording.host_id}}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant == null' + if: ctx.zoom?.registrant == null on_failure: - set: field: event.kind 
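Review bot: The `user.full_name` value `'{{zoom.registrant.first_name}} {{zoom.registrant.last_name}}'` keeps double braces while every neighbouring template in this hunk moves to `{{{ }}}`; the same is true of the `full_name` templates in user.yml hunks `@@ -78,43`, `@@ -122,28` and `@@ -155,33`. If the point of the triple-brace change is to stop Mustache escaping the substituted value, then names containing characters such as `&` or `<` would still be escaped in exactly these fields, so `user.id`/`user.email` and `user.full_name` would diverge for the same document. Either apply the same form here, `value: '{{{zoom.registrant.first_name}}} {{{zoom.registrant.last_name}}}'` (and likewise in user.yml), or add a comment stating why the two-field templates are intentionally left alone.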
diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml index a249c2c53ca..80de6fab4dd 100644 --- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml +++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/user.yml @@ -4,35 +4,44 @@ processors: - append: field: event.category value: configuration - if: "['user.settings_updated'].contains(ctx?.event?.action)" + if: ctx.event?.action == 'user.settings_updated' - append: field: event.category value: iam - if: "!['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)" + if: "!['user.signed_in', 'user.signed_out'].contains(ctx.event?.action)" - append: field: event.category value: authentication - if: "['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)" + if: "['user.signed_in', 'user.signed_out'].contains(ctx.event?.action)" - append: field: event.type value: creation - if: ctx?.event?.action == 'user.created' + if: ctx.event?.action == 'user.created' - append: field: event.type value: deletion - if: ctx?.event?.action == 'user.deleted' + if: ctx.event?.action == 'user.deleted' - append: field: event.type value: change - if: "['user.updated', 'user.settings_updated', 'user.deactivated', 'user.activated', 'user.disassociated', 'user.presence_status_updated', 'user.personal_notes_updated'].contains(ctx?.event?.action)" + if: >- + [ + 'user.updated', + 'user.settings_updated', + 'user.deactivated', + 'user.activated', + 'user.disassociated', + 'user.presence_status_updated', + 'user.personal_notes_updated' + ].contains(ctx.event?.action) - append: field: event.type value: start - if: ctx?.event?.action == 'user.signed_in' + if: ctx.event?.action == 'user.signed_in' - append: field: event.type value: end - if: ctx?.event?.action == 'user.signed_out' + if: ctx.event?.action == 'user.signed_out' - rename: field: zoom.object target_field: zoom.user 
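Review bot: The `iam` category condition `!['user.signed_in', 'user.signed_out'].contains(ctx.event?.action)` evaluates to true when `event.action` is absent, because `contains(null)` is false and the negation flips it, so a document with no action is still tagged `event.category: iam` while none of the positive conditions in this hunk match it. Given that the commit's purpose is null-safe conditionals, this is the one condition in the file whose result changes meaning on a missing field. A leading guard makes it symmetric with the others: `if: ctx.event?.action != null && !['user.signed_in', 'user.signed_out'].contains(ctx.event.action)`. Whether the default pipeline guarantees `event.action` before routing here is not visible from this hunk.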
@@ -42,19 +51,25 @@ processors: target_field: '@timestamp' formats: - UNIX_MS - if: "['user.updated', 'user.settings_updated'].contains(ctx?.event?.action)" + if: "['user.updated', 'user.settings_updated'].contains(ctx.event?.action)" ignore_failure: true - date: field: zoom.user.date_time target_field: '@timestamp' formats: - ISO_INSTANT - if: "['user.signed_in', 'user.signed_out', 'user.personal_notes_updated', 'user.presence_status_updated'].contains(ctx?.event?.action)" + if: >- + [ + 'user.signed_in', + 'user.signed_out', + 'user.personal_notes_updated', + 'user.presence_status_updated' + ].contains(ctx.event?.action) ignore_failure: true - append: field: related.user - value: "{{zoom.user.id}}" - if: "ctx?.zoom?.user?.id != null" + value: "{{{zoom.user.id}}}" + if: ctx.zoom?.user?.id != null - remove: field: - zoom.time_stamp @@ -66,11 +81,11 @@ processors: # - set: field: user.id - value: '{{zoom.operator_id}}' + value: '{{{zoom.operator_id}}}' ignore_empty_value: true - set: field: user.email - value: '{{zoom.operator}}' + value: '{{{zoom.operator}}}' ignore_empty_value: true # 
@@ -78,43 +93,43 @@ processors: # - set: field: user.id - value: '{{zoom.user.id}}' + value: '{{{zoom.user.id}}}' ignore_empty_value: true - if: 'ctx.zoom?.operator == null && ctx.zoom?.operator_id == null' + if: ctx.zoom?.operator == null && ctx.zoom?.operator_id == null - set: field: user.email - value: '{{zoom.user.email}}' + value: '{{{zoom.user.email}}}' ignore_empty_value: true - if: 'ctx.zoom?.operator == null && ctx.zoom?.operator_id == null' + if: ctx.zoom?.operator == null && ctx.zoom?.operator_id == null - set: field: user.full_name value: '{{zoom.user.first_name}} {{zoom.user.last_name}}' ignore_empty_value: true - if: 'ctx.zoom?.operator == null && ctx.zoom?.operator_id == null && ctx.zoom?.user?.first_name != null' + if: ctx.zoom?.operator == null && ctx.zoom?.operator_id == null && ctx.zoom?.user?.first_name != null # # set user.target.* from old_values # - set: field: user.target.id - value: '{{zoom.old_values.id}}' + value: '{{{zoom.old_values.id}}}' ignore_empty_value: true - set: field: user.target.id - value: '{{zoom.old_values.id}}' + value: '{{{zoom.old_values.id}}}' ignore_empty_value: true - set: field: user.target.email - value: '{{zoom.old_values.email}}' + value: '{{{zoom.old_values.email}}}' ignore_empty_value: true - set: field: user.target.email - value: '{{zoom.old_values.email}}' + value: '{{{zoom.old_values.email}}}' ignore_empty_value: true - set: field: user.target.full_name value: '{{zoom.old_values.first_name}} {{zoom.old_values.last_name}}' - if: 'ctx.zoom?.old_values?.first_name != null' + if: ctx.zoom?.old_values?.first_name != null # # set user.target.* from user.* without overriding old_values. 
@@ -122,28 +137,28 @@ processors: # - set: field: user.target.id - value: '{{zoom.user.id}}' + value: '{{{zoom.user.id}}}' ignore_empty_value: true override: false - if: 'ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null' + if: ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null - set: field: user.target.id - value: '{{zoom.user.id}}' + value: '{{{zoom.user.id}}}' ignore_empty_value: true override: false - if: 'ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null' + if: ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null - set: field: user.target.email - value: '{{zoom.user.email}}' + value: '{{{zoom.user.email}}}' ignore_empty_value: true override: false - if: 'ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null' + if: ctx.zoom?.old_values != null || ctx.zoom?.operator != null || ctx.zoom?.operator_id != null - set: field: user.target.email - value: '{{zoom.user.email}}' + value: '{{{zoom.user.email}}}' ignore_empty_value: true override: false - if: 'ctx.zoom?.old_values != null' + if: ctx.zoom?.old_values != null - set: field: user.target.full_name value: '{{zoom.user.first_name}} {{zoom.user.last_name}}' 
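Review bot: The two `set` processors writing `user.target.id` from `zoom.user.id` are identical (same value, `override: false`, same condition), so the second never does anything; likewise the second `user.target.email` set guarded by `if: ctx.zoom?.old_values != null` is subsumed by the first, whose condition is a superset and which also has `override: false`, so it can never change the document either. Removing the redundant copies would make the target-field logic easier to audit. The trailing `user.target.full_name` set also keeps `'{{zoom.user.first_name}} {{zoom.user.last_name}}'` in double braces, unlike the id and email values in this hunk; `'{{{zoom.user.first_name}}} {{{zoom.user.last_name}}}'` would match them, and that processor continues past the end of the hunk.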
@@ -155,33 +170,33 @@ processors: # - set: field: user.changes.id - value: '{{zoom.user.id}}' + value: '{{{zoom.user.id}}}' ignore_empty_value: true - if: 'ctx.zoom?.old_values?.id != null && ctx.zoom?.old_values?.id != ctx.zoom?.user?.id' + if: ctx.zoom?.old_values?.id != null && ctx.zoom?.old_values?.id != ctx.zoom?.user?.id - set: field: user.changes.email - value: '{{zoom.user.email}}' + value: '{{{zoom.user.email}}}' ignore_empty_value: true - if: 'ctx.zoom?.old_values?.email != null && ctx.zoom?.old_values?.email != ctx.zoom?.user?.email' + if: ctx.zoom?.old_values?.email != null && ctx.zoom?.old_values?.email != ctx.zoom?.user?.email - set: field: user.changes.full_name value: '{{zoom.user.first_name}} {{zoom.user.last_name}}' ignore_empty_value: true - if: 'ctx.zoom?.old_values?.first_name != null && ctx.zoom?.old_values?.last_name != null && (ctx.zoom?.old_values?.last_name != ctx.zoom?.user?.last_name || ctx.zoom?.old_values?.first_name != ctx.zoom?.user?.first_name)' + if: ctx.zoom?.old_values?.first_name != null && ctx.zoom?.old_values?.last_name != null && (ctx.zoom?.old_values?.last_name != ctx.zoom?.user?.last_name || ctx.zoom?.old_values?.first_name != ctx.zoom?.user?.first_name) # # append to related.user # - append: field: related.user - value: "{{zoom.user.id}}" + value: "{{{zoom.user.id}}}" allow_duplicates: false - if: "ctx.zoom?.user?.id != null" + if: ctx.zoom?.user?.id != null - append: field: related.user - value: "{{zoom.old_values.id}}" + value: "{{{zoom.old_values.id}}}" allow_duplicates: false - if: "ctx.zoom?.old_values?.id != null" + if: ctx.zoom?.old_values?.id != null on_failure: - set:
diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/webinar.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/webinar.yml
index 6d9cff0ce4f..b3d4bd0724d 100644
--- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/webinar.yml
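Review bot: `user.changes.full_name` keeps `value: '{{zoom.user.first_name}} {{zoom.user.last_name}}'` in double braces while `user.changes.id` and `user.changes.email` in the same hunk were switched to triple braces, so the name is the one changed-field value that would still be escaped by Mustache; `'{{{zoom.user.first_name}}} {{{zoom.user.last_name}}}'` would match the others. Its condition also requires both `old_values.first_name` and `old_values.last_name` to be non-null whereas the `user.target.full_name` set earlier in this file only checks `first_name`; that asymmetry may be deliberate, but a one-line comment saying so would save the next reader a trip. The `on_failure` handler that begins on the hunk's last lines continues outside it.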
+++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/webinar.yml
@@ -4,39 +4,45 @@ processors: - append: field: event.type value: info - if: ctx?.event?.action != 'webinar.alert' + if: ctx.event?.action != 'webinar.alert' - append: field: event.type value: error - if: ctx?.event?.action == 'webinar.alert' + if: ctx.event?.action == 'webinar.alert' - append: field: event.type value: creation - if: "['webinar.created', 'webinar.registration_created'].contains(ctx?.event?.action)" + if: "['webinar.created', 'webinar.registration_created'].contains(ctx.event?.action)" - append: field: event.type value: deletion - if: ctx?.event?.action == 'webinar.deleted' + if: ctx.event?.action == 'webinar.deleted' - append: field: event.type value: allowed - if: ctx?.event?.action == 'webinar.registration_approved' + if: ctx.event?.action == 'webinar.registration_approved' - append: field: event.type value: denied - if: ctx?.event?.action == 'webinar.registration_denied' + if: ctx.event?.action == 'webinar.registration_denied' - append: field: event.type value: change - if: "['webinar.updated', 'webinar.registration_approved', 'webinar.registration_denied', 'webinar.registration_cancelled'].contains(ctx?.event?.action)" + if: >- [ 'webinar.updated', 'webinar.registration_approved', 'webinar.registration_denied', 'webinar.registration_cancelled' ].contains(ctx.event?.action) - append: field: event.type value: start - if: "['webinar.started', 'webinar.sharing_started'].contains(ctx?.event?.action)" + if: "['webinar.started', 'webinar.sharing_started'].contains(ctx.event?.action)" - append: field: event.type value: end - if: "['webinar.ended', 'webinar.sharing_ended'].contains(ctx?.event?.action)" + if: "['webinar.ended', 'webinar.sharing_ended'].contains(ctx.event?.action)" - rename: field: zoom.object target_field: zoom.webinar
@@ -46,28 +52,28 @@ processors: target_field: '@timestamp' formats: - UNIX_MS - if: ctx?.event?.action == 'webinar.updated' + if: ctx.event?.action == 'webinar.updated' ignore_failure: true - date: field: zoom.webinar.start_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'webinar.started' + if: ctx.event?.action == 'webinar.started' ignore_failure: true - date: field: zoom.participant.join_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'webinar.participant_joined' + if: ctx.event?.action == 'webinar.participant_joined' ignore_failure: true - date: field: zoom.participant.leave_time target_field: '@timestamp' formats: - ISO_INSTANT - if: ctx?.event?.action == 'webinar.participant_left' + if: ctx.event?.action == 'webinar.participant_left' ignore_failure: true # 
@@ -75,66 +81,66 @@ processors: # - set: field: user.id - value: '{{zoom.participant.id}}' + value: '{{{zoom.participant.id}}}' ignore_empty_value: true - if: 'ctx.zoom?.participant != null' + if: ctx.zoom?.participant != null - set: field: user.full_name - value: '{{zoom.participant.user_name}}' + value: '{{{zoom.participant.user_name}}}' ignore_empty_value: true - if: 'ctx.zoom?.participant != null' + if: ctx.zoom?.participant != null # # set user.* from registrant # - set: field: user.id - value: '{{zoom.registrant.id}}' + value: '{{{zoom.registrant.id}}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant != null' + if: ctx.zoom?.registrant != null - set: field: user.email - value: '{{zoom.registrant.email}}' + value: '{{{zoom.registrant.email}}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant != null' + if: ctx.zoom?.registrant != null - set: field: user.full_name value: '{{zoom.registrant.first_name}} {{zoom.registrant.last_name}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant != null' + if: ctx.zoom?.registrant != null # # set user.* from operator # - set: field: user.id - value: '{{zoom.operator_id}}' + value: '{{{zoom.operator_id}}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant == null && ctx.zoom?.participant == null' + if: ctx.zoom?.registrant == null && ctx.zoom?.participant == null - set: field: user.email - value: '{{zoom.operator}}' + value: '{{{zoom.operator}}}' ignore_empty_value: true - if: 'ctx.zoom?.registrant == null && ctx.zoom?.participant == null' + if: ctx.zoom?.registrant == null && ctx.zoom?.participant == null # # append to related.user # - append: field: related.user - value: "{{zoom.webinar.host_id}}" + value: "{{{zoom.webinar.host_id}}}" allow_duplicates: false - if: "ctx.zoom?.webinar?.host_id != null" + if: ctx.zoom?.webinar?.host_id != null - append: field: related.user - value: "{{zoom.registrant.id}}" + value: "{{{zoom.registrant.id}}}" allow_duplicates: false - if: "ctx.zoom?.registrant?.id != null" + if: 
ctx.zoom?.registrant?.id != null - append: field: related.user - value: "{{zoom.participant.id}}" + value: "{{{zoom.participant.id}}}" allow_duplicates: false - if: "ctx.zoom?.participant?.id != null" + if: ctx.zoom?.participant?.id != null on_failure: - set:
diff --git a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/zoomroom.yml b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/zoomroom.yml
index 232a54fe6fd..e91586a150d 100644
--- a/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/zoomroom.yml
+++ b/packages/zoom/data_stream/webhook/elasticsearch/ingest_pipeline/zoomroom.yml
@@ -4,15 +4,15 @@ processors: - append: field: event.type value: info - if: "['zoomroom.checked_in', 'zoomroom.checked_out'].contains(ctx?.event?.action)" + if: "['zoomroom.checked_in', 'zoomroom.checked_out'].contains(ctx.event?.action)" - append: field: event.type value: start - if: ctx?.event?.action == 'zoomroom.checked_in' + if: ctx.event?.action == 'zoomroom.checked_in' - append: field: event.type value: end - if: ctx?.event?.action == 'zoomroom.checked_out' + if: ctx.event?.action == 'zoomroom.checked_out' - rename: field: zoom.object target_field: zoom.zoomroom
diff --git a/packages/zoom/manifest.yml b/packages/zoom/manifest.yml
index eda21403602..7ba5859cfa4 100644
--- a/packages/zoom/manifest.yml
+++ b/packages/zoom/manifest.yml
@@ -1,6 +1,6 @@
name: zoom
title: Zoom
-version: "1.18.0"
+version: "1.18.1"
description: Collect logs from Zoom with Elastic Agent.
type: integration
format_version: "3.0.0"
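Review bot: The registrant `user.full_name` template `value: '{{zoom.registrant.first_name}} {{zoom.registrant.last_name}}'` is the only `value` in this hunk left with double braces after the others moved to `{{{…}}}`, so a registrant name containing `'`, `&` or `<` would be stored escaped while the participant `user_name` set a few lines above would not. Changing it to `'{{{zoom.registrant.first_name}}} {{{zoom.registrant.last_name}}}'` keeps the escaping behaviour uniform, and registrant names are attacker-controlled input from the webhook, so mixed escaping is worth avoiding. The `on_failure` handler at the end of the hunk continues outside it.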