diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index cc74c8b873de..b66bebde9bcd 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -648,6 +648,7 @@ field. You can revert this change by configuring tags for the module and omittin - Improve Fortinet firewall module with `x509` ECS mappings {pull}20983[20983] - Improve Santa module with `x509` ECS mappings {pull}20976[20976] - Improve Suricata Eve module with `x509` ECS mappings {pull}20973[20973] +- Added new module for Zoom webhooks {pull}20414[20414] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index b1cb4170aa36..2a022f83bcfc 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -80,6 +80,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> -- 
@@ -127575,6 +127576,1550 @@ type: boolean -- +[[exported-fields-zoom]] +== Zoom fields + +Module for handling incoming Zoom webhook requests + + + +[float] +=== zoom + +Module for parsing Zoom API Webhooks. + + + +*`zoom.master_account_id`*:: ++ +-- +Master Account related to a specific Sub Account + + +type: keyword + +-- + +*`zoom.sub_account_id`*:: ++ +-- +Related Sub Account + + +type: keyword + +-- + +*`zoom.operator_id`*:: ++ +-- +UserID that triggered the event + + +type: keyword + +-- + +*`zoom.operator`*:: ++ +-- +Username/Email related to the user that triggered the event + + +type: keyword + +-- + +*`zoom.account_id`*:: ++ +-- +Related accountID to the event + + +type: keyword + +-- + +*`zoom.timestamp`*:: ++ +-- +Timestamp related to the event + + +type: date + +-- + +*`zoom.creation_type`*:: ++ +-- +Creation type + + +type: keyword + +-- + +*`zoom.account.owner_id`*:: ++ +-- +UserID of the user whose sub account was created/disassociated + + +type: keyword + +-- + +*`zoom.account.email`*:: ++ +-- +Email related to the user the action was performed on + + +type: keyword + +-- + +*`zoom.account.owner_email`*:: ++ +-- +Email of the user whose sub account was created/disassociated + + +type: keyword + +-- + +*`zoom.account.account_name`*:: ++ +-- +When an account name is updated, this is the new value set + + +type: keyword + +-- + +*`zoom.account.account_alias`*:: ++ +-- +When an account alias is updated, this is the new value set + + +type: keyword + +-- + +*`zoom.account.account_support_name`*:: ++ +-- +When an account support_name is updated, this is the new value set + + +type: keyword + +-- + +*`zoom.account.account_support_email`*:: ++ +-- +When an account support_email is updated, this is the new value set + + +type: keyword + +-- + +*`zoom.chat_channel.name`*:: ++ +-- +The name of the channel that has been added/modified/deleted + + +type: keyword + +-- + +*`zoom.chat_channel.id`*:: ++ +-- +The ID of the channel that has been 
added/modified/deleted + + +type: keyword + +-- + +*`zoom.chat_channel.type`*:: ++ +-- +Type of channel related to the event. Can be 1(Invite-Only), 2(Private) or 3(Public) + + +type: keyword + +-- + +*`zoom.chat_message.id`*:: ++ +-- +Unique ID of the related chat message + + +type: keyword + +-- + +*`zoom.chat_message.type`*:: ++ +-- +Type of message, can be either "to_contact" or "to_channel" + + +type: keyword + +-- + +*`zoom.chat_message.session_id`*:: ++ +-- +SessionID for the channel related to the message + + +type: keyword + +-- + +*`zoom.chat_message.contact_email`*:: ++ +-- +Email address related to the user sending the message + + +type: keyword + +-- + +*`zoom.chat_message.contact_id`*:: ++ +-- +UserID belonging to the user receiving a message + + +type: keyword + +-- + +*`zoom.chat_message.channel_id`*:: ++ +-- +ChannelID related to the message + + +type: keyword + +-- + +*`zoom.chat_message.channel_name`*:: ++ +-- +Channel name related to the message + + +type: keyword + +-- + +*`zoom.chat_message.message`*:: ++ +-- +A string containing the full message that was sent + + +type: keyword + +-- + +*`zoom.meeting.id`*:: ++ +-- +Unique ID of the related meeting + + +type: keyword + +-- + +*`zoom.meeting.uuid`*:: ++ +-- +The UUID of the related meeting + + +type: keyword + +-- + +*`zoom.meeting.host_id`*:: ++ +-- +The UserID of the configured meeting host + + +type: keyword + +-- + +*`zoom.meeting.topic`*:: ++ +-- +Topic of the related meeting + + +type: keyword + +-- + +*`zoom.meeting.type`*:: ++ +-- +Type of meeting created + + +type: keyword + +-- + +*`zoom.meeting.start_time`*:: ++ +-- +Date and time the meeting started + + +type: date + +-- + +*`zoom.meeting.timezone`*:: ++ +-- +Which timezone is used for the meeting timestamps + + +type: keyword + +-- + +*`zoom.meeting.duration`*:: ++ +-- +The duration of a meeting in minutes + + +type: long + +-- + +*`zoom.meeting.issues`*:: ++ +-- +When a user reports an issue with the meeting, for example: 
"Unstable audio quality" + + +type: keyword + +-- + +*`zoom.meeting.password`*:: ++ +-- +Password related to the meeting + + +type: keyword + +-- + +*`zoom.phone.id`*:: ++ +-- +Unique ID for the phone or conversation + + +type: keyword + +-- + +*`zoom.phone.user_id`*:: ++ +-- +UserID for the phone owner related to a Call Log being completed + + +type: keyword + +-- + +*`zoom.phone.download_url`*:: ++ +-- +Download URL for the voicemail + + +type: keyword + +-- + +*`zoom.phone.ringing_start_time`*:: ++ +-- +The timestamp when a ringtone was established to the callee + + +type: date + +-- + +*`zoom.phone.connected_start_time`*:: ++ +-- +The date and time when a ringtone was established to the callee + + +type: date + +-- + +*`zoom.phone.answer_start_time`*:: ++ +-- +The date and time when the call was answered + + +type: date + +-- + +*`zoom.phone.call_end_time`*:: ++ +-- +The date and time when the call ended + + +type: date + +-- + +*`zoom.phone.call_id`*:: ++ +-- +Unique ID of the related call + + +type: keyword + +-- + +*`zoom.phone.duration`*:: ++ +-- +Duration of a voicemail in minutes + + +type: long + +-- + +*`zoom.phone.caller.id`*:: ++ +-- +UserID of the caller related to the voicemail/call + + +type: keyword + +-- + +*`zoom.phone.caller.user_id`*:: ++ +-- +UserID of the person which initiated the call + + +type: keyword + +-- + +*`zoom.phone.caller.number_type`*:: ++ +-- +The type of number, can be 1(Internal) or 2(External) + + +type: keyword + +-- + +*`zoom.phone.caller.name`*:: ++ +-- +The name of the related callee + + +type: keyword + +-- + +*`zoom.phone.caller.phone_number`*:: ++ +-- +Phone Number of the caller related to the call + + +type: keyword + +-- + +*`zoom.phone.caller.extension_type`*:: ++ +-- +Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup + + +type: keyword + +-- + +*`zoom.phone.caller.extension_number`*:: ++ +-- +Extension number of the caller + + +type: keyword + +-- + 
+*`zoom.phone.caller.timezone`*:: ++ +-- +Timezone of the caller + + +type: keyword + +-- + +*`zoom.phone.caller.device_type`*:: ++ +-- +Device type used by the caller + + +type: keyword + +-- + +*`zoom.phone.callee.id`*:: ++ +-- +UserID of the callee related to the voicemail/call + + +type: keyword + +-- + +*`zoom.phone.callee.user_id`*:: ++ +-- +UserID of the related callee of a voicemail/call + + +type: keyword + +-- + +*`zoom.phone.callee.name`*:: ++ +-- +The name of the related callee + + +type: keyword + +-- + +*`zoom.phone.callee.number_type`*:: ++ +-- +The type of number, can be 1(Internal) or 2(External) + + +type: keyword + +-- + +*`zoom.phone.callee.phone_number`*:: ++ +-- +Phone Number of the callee related to the call + + +type: keyword + +-- + +*`zoom.phone.callee.extension_type`*:: ++ +-- +Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup + + +type: keyword + +-- + +*`zoom.phone.callee.extension_number`*:: ++ +-- +Extension number of the callee related to the call + + +type: keyword + +-- + +*`zoom.phone.callee.timezone`*:: ++ +-- +Timezone of the callee related to the call + + +type: keyword + +-- + +*`zoom.phone.callee.device_type`*:: ++ +-- +Device type used by the callee related to the call + + +type: keyword + +-- + +*`zoom.phone.date_time`*:: ++ +-- +Date and time of the related phone event + + +type: date + +-- + +*`zoom.recording.id`*:: ++ +-- +Unique ID of the related recording + + +type: keyword + +-- + +*`zoom.recording.uuid`*:: ++ +-- +UUID of the related recording + + +type: keyword + +-- + +*`zoom.recording.host_id`*:: ++ +-- +UserID of the host of the meeting that was recorded + + +type: keyword + +-- + +*`zoom.recording.topic`*:: ++ +-- +Topic of the meeting related to the recording + + +type: keyword + +-- + +*`zoom.recording.type`*:: ++ +-- +Type of recording, can be multiple type of values, please check Zoom documentation + + +type: keyword + +-- + +*`zoom.recording.start_time`*:: ++ 
+-- +The date and time when the recording started + + +type: date + +-- + +*`zoom.recording.timezone`*:: ++ +-- +The timezone used for the recording date + + +type: keyword + +-- + +*`zoom.recording.duration`*:: ++ +-- +Duration of the recording in minutes + + +type: long + +-- + +*`zoom.recording.share_url`*:: ++ +-- +The URL to access the recording + + +type: keyword + +-- + +*`zoom.recording.total_size`*:: ++ +-- +Total size of the recording in bytes + + +type: long + +-- + +*`zoom.recording.recording_count`*:: ++ +-- +Number of recording files related to the recording + + +type: long + +-- + +*`zoom.recording.recording_file.recording_start`*:: ++ +-- +The date and time the recording started + + +type: date + +-- + +*`zoom.recording.recording_file.recording_end`*:: ++ +-- +The date and time the recording finished + + +type: date + +-- + +*`zoom.recording.host_email`*:: ++ +-- +Email address of the host related to the meeting that was recorded + + +type: keyword + +-- + +*`zoom.user.id`*:: ++ +-- +UserID related to the user event + + +type: keyword + +-- + +*`zoom.user.first_name`*:: ++ +-- +User first name related to the user event + + +type: keyword + +-- + +*`zoom.user.last_name`*:: ++ +-- +User last name related to the user event + + +type: keyword + +-- + +*`zoom.user.email`*:: ++ +-- +User email related to the user event + + +type: keyword + +-- + +*`zoom.user.type`*:: ++ +-- +User type related to the user event + + +type: keyword + +-- + +*`zoom.user.phone_number`*:: ++ +-- +User phone number related to the user event + + +type: keyword + +-- + +*`zoom.user.phone_country`*:: ++ +-- +User country code related to the user event + + +type: keyword + +-- + +*`zoom.user.company`*:: ++ +-- +User company related to the user event + + +type: keyword + +-- + +*`zoom.user.pmi`*:: ++ +-- +User personal meeting ID related to the user event + + +type: keyword + +-- + +*`zoom.user.use_pmi`*:: ++ +-- +If a user has PMI enabled + + +type: boolean + +-- + 
+*`zoom.user.pic_url`*:: ++ +-- +Full URL to the profile picture used by the user + + +type: keyword + +-- + +*`zoom.user.vanity_name`*:: ++ +-- +Name of the personal meeting room related to the user event + + +type: keyword + +-- + +*`zoom.user.timezone`*:: ++ +-- +Timezone configured for the user + + +type: keyword + +-- + +*`zoom.user.language`*:: ++ +-- +Language configured for the user + + +type: keyword + +-- + +*`zoom.user.host_key`*:: ++ +-- +Host key set for the user + + +type: keyword + +-- + +*`zoom.user.role`*:: ++ +-- +The configured role for the user + + +type: keyword + +-- + +*`zoom.user.dept`*:: ++ +-- +The configured departement for the user + + +type: keyword + +-- + +*`zoom.user.presence_status`*:: ++ +-- +Current presence status of user + + +type: keyword + +-- + +*`zoom.user.personal_notes`*:: ++ +-- +Personal notes for the User + + +type: keyword + +-- + +*`zoom.user.client_type`*:: ++ +-- +Type of client used by the user. Can be browser, mac, win, iphone or android + + +type: keyword + +-- + +*`zoom.user.version`*:: ++ +-- +Version of the client used by the user + + +type: keyword + +-- + +*`zoom.webinar.id`*:: ++ +-- +Unique ID for the related webinar + + +type: keyword + +-- + +*`zoom.webinar.join_url`*:: ++ +-- +The URL configured to join the webinar + + +type: keyword + +-- + +*`zoom.webinar.uuid`*:: ++ +-- +UUID for the related webinar + + +type: keyword + +-- + +*`zoom.webinar.host_id`*:: ++ +-- +UserID for the configured host of the webinar + + +type: keyword + +-- + +*`zoom.webinar.topic`*:: ++ +-- +Meeting topic of the related webinar + + +type: keyword + +-- + +*`zoom.webinar.type`*:: ++ +-- +Type of webinar created. 
Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time) + + +type: keyword + +-- + +*`zoom.webinar.start_time`*:: ++ +-- +The date and time when the webinar started + + +type: date + +-- + +*`zoom.webinar.timezone`*:: ++ +-- +Timezone used for the dates related to the webinar + + +type: keyword + +-- + +*`zoom.webinar.duration`*:: ++ +-- +Duration of the webinar in minutes + + +type: long + +-- + +*`zoom.webinar.agenda`*:: ++ +-- +The configured agenda of the webinar + + +type: keyword + +-- + +*`zoom.webinar.password`*:: ++ +-- +Password configured to access the webinar + + +type: keyword + +-- + +*`zoom.webinar.issues`*:: ++ +-- +Any reported issues about a webinar is reported in this field + + +type: keyword + +-- + +*`zoom.zoomroom.id`*:: ++ +-- +Unique ID of the Zoom room + + +type: keyword + +-- + +*`zoom.zoomroom.room_name`*:: ++ +-- +The configured name of the Zoom room + + +type: keyword + +-- + +*`zoom.zoomroom.calendar_name`*:: ++ +-- +Calendar name of the Zoom room + + +type: keyword + +-- + +*`zoom.zoomroom.calendar_id`*:: ++ +-- +Unique ID of the calendar used by the Zoom room + + +type: keyword + +-- + +*`zoom.zoomroom.event_id`*:: ++ +-- +Unique ID of the calendar event associated with the Zoom Room + + +type: keyword + +-- + +*`zoom.zoomroom.change_key`*:: ++ +-- +Key used by Microsoft products integration that represents a specific version of a calendar + + +type: keyword + +-- + +*`zoom.zoomroom.resource_email`*:: ++ +-- +Email address associated with the calendar in use by the Zoom room + + +type: keyword + +-- + +*`zoom.zoomroom.email`*:: ++ +-- +Email address associated with the Zoom room itself + + +type: keyword + +-- + +*`zoom.zoomroom.issue`*:: ++ +-- +Any reported alerts or issues related to the Zoom room or its equipment + + +type: keyword + +-- + +*`zoom.zoomroom.alert_type`*:: ++ +-- +An integer value representing the type of alert. 
The list of alert types can be found in the Zoom documentation + + +type: keyword + +-- + +*`zoom.zoomroom.component`*:: ++ +-- +An integer value representing the type of equipment or component, The list of component types can be found in the Zoom documentation + + +type: keyword + +-- + +*`zoom.zoomroom.alert_kind`*:: ++ +-- +An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared) + + +type: keyword + +-- + +*`zoom.registrant.id`*:: ++ +-- +Unique ID of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.status`*:: ++ +-- +Status of the specific user registration + + +type: keyword + +-- + +*`zoom.registrant.email`*:: ++ +-- +Email of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.first_name`*:: ++ +-- +First name of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.last_name`*:: ++ +-- +Last name of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.address`*:: ++ +-- +Address of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.city`*:: ++ +-- +City of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.country`*:: ++ +-- +Country of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.zip`*:: ++ +-- +Zip code of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.state`*:: ++ +-- +State of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.phone`*:: ++ +-- +Phone number of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.industry`*:: ++ +-- +Related industry of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.org`*:: ++ +-- +Organization related to the user registering to a meeting or 
webinar + + +type: keyword + +-- + +*`zoom.registrant.job_title`*:: ++ +-- +Job title of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.purchasing_time_frame`*:: ++ +-- +Choosen purchase timeframe of the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.role_in_purchase_process`*:: ++ +-- +Choosen role in a purchase process related to the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.no_of_employees`*:: ++ +-- +Number of employees choosen by the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.comments`*:: ++ +-- +Comments left by the user registering to a meeting or webinar + + +type: keyword + +-- + +*`zoom.registrant.join_url`*:: ++ +-- +The URL that the registrant can use to join the webinar + + +type: keyword + +-- + +*`zoom.participant.id`*:: ++ +-- +Unique ID of the participant related to a meeting + + +type: keyword + +-- + +*`zoom.participant.user_id`*:: ++ +-- +UserID of the participant related to a meeting + + +type: keyword + +-- + +*`zoom.participant.user_name`*:: ++ +-- +Username of the participant related to a meeting + + +type: keyword + +-- + +*`zoom.participant.join_time`*:: ++ +-- +The date and time a participant joined a meeting + + +type: date + +-- + +*`zoom.participant.leave_time`*:: ++ +-- +The date and time a participant left a meeting + + +type: date + +-- + +*`zoom.participant.sharing_details.link_source`*:: ++ +-- +Method of sharing with dropbox integration + + +type: keyword + +-- + +*`zoom.participant.sharing_details.content`*:: ++ +-- +Type of content that was shared + + +type: keyword + +-- + +*`zoom.participant.sharing_details.file_link`*:: ++ +-- +The file link that was shared + + +type: keyword + +-- + +*`zoom.participant.sharing_details.date_time`*:: ++ +-- +Timestamp the sharing started + + +type: keyword + +-- + +*`zoom.participant.sharing_details.source`*:: ++ +-- +The 
file source that was share + + +type: keyword + +-- + +*`zoom.old_values`*:: ++ +-- +Includes the old values when updating a object like user, meeting, account or webinar + + +type: flattened + +-- + +*`zoom.settings`*:: ++ +-- +The current active settings related to a object like user, meeting, account or webinar + + +type: flattened + +-- + [[exported-fields-zscaler]] == Zscaler NSS fields diff --git a/filebeat/docs/modules/zoom.asciidoc b/filebeat/docs/modules/zoom.asciidoc new file mode 100644 index 000000000000..4c191cf7abf9 --- /dev/null +++ b/filebeat/docs/modules/zoom.asciidoc 
@@ -0,0 +1,69 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-zoom]] +[role="xpack"] + +:modulename: zoom +:has-dashboards: false + + +== Zoom module +beta[] + +This is a module for Zoom webhook logs. The module creates an HTTP listener that accepts incoming webhooks from Zoom. + +To configure Zoom to send webhooks to the filebeat module, please follow the https://marketplace.zoom.us/docs/guides/build/webhook-only-app[Zoom Documentation]. + +include::../include/gs-link.asciidoc[] + +:fileset_ex: webhook + +include::../include/configuring-intro.asciidoc[] +include::../include/config-option-intro.asciidoc[] + +[float] +==== `webhook` fileset settings + +When a webhook integration is created on Zoom, it will show a special token used to ensure that filebeat only handles HTTP requests from the correct source. +This is configured with the `secret.header` and `secret.value` settings as shown below. + +Example config: + +[source,yaml] +---- +- module: zoom + webhook: + enabled: true + var.input: http_endpoint + var.listen_address: 0.0.0.0 + var.listen_port: 8080 + var.secret.header: Authorization + var.secret.value: ZOOMTOKEN +---- + +include::../include/var-paths.asciidoc[] + +*`var.listen_address`*:: + +The IP address of the interface the module should listen on. Also supports 0.0.0.0 to listen on all interfaces. + +*`var.listen_port`*:: + +The port the module should be listening on. + +*`var.ssl`*:: + +Configuration options for SSL parameters like the SSL certificate and CA to use for the HTTP(s) listener See <> for more information. + +:modulename!: +:has-dashboards!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 936d44f2cb44..c69ac708b9f7 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc 
@@ -59,6 +59,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> @@ -121,4 +122,5 @@ include::modules/system.asciidoc[] include::modules/tomcat.asciidoc[] include::modules/traefik.asciidoc[] include::modules/zeek.asciidoc[] +include::modules/zoom.asciidoc[] include::modules/zscaler.asciidoc[] diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index d994c67e262b..e233008f21bc 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -261,6 +261,7 @@ def clean_keys(obj): "gsuite.login", "gsuite.saml", "gsuite.user_accounts", + "zoom.webhook", } # dataset + log file pairs for which @timestamp is kept as an exception from above remove_timestamp_exception = { diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 4e6b8466c8fd..301f30a8a06c 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -1450,6 +1450,27 @@ filebeat.modules: # Filebeat will choose the paths depending on your OS. #var.paths: +#--------------------------------- Zoom Module --------------------------------- +- module: zoom + webhook: + enabled: true + + # The type of input to use + #var.input: http_endpoint + + # The interface to listen for incoming HTTP requests. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.listen_address: localhost + + # The port to bind to + #var.listen_port: 80 + + # The header Zoom uses to send its secret token, defaults to "Authorization" + #secret.header: Authorization + + # The secret token value created by Zoom + #secret.value: ZOOMTOKEN + #----------------------------- Zscaler NSS Module ----------------------------- - module: zscaler zia: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index e39c6c7c6243..7a17ab869d66 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go 
@@ -50,6 +50,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/tomcat" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zeek" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zoom" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/zscaler" _ "github.com/elastic/beats/v7/x-pack/filebeat/processors/decode_cef" ) diff --git a/x-pack/filebeat/module/zoom/_meta/config.yml b/x-pack/filebeat/module/zoom/_meta/config.yml new file mode 100644 index 000000000000..43c8ed436285 --- /dev/null +++ b/x-pack/filebeat/module/zoom/_meta/config.yml @@ -0,0 +1,19 @@ +- module: zoom + webhook: + enabled: true + + # The type of input to use + #var.input: http_endpoint + + # The interface to listen for incoming HTTP requests. Defaults to + # localhost. Set to 0.0.0.0 to bind to all available interfaces. + #var.listen_address: localhost + + # The port to bind to + #var.listen_port: 80 + + # The header Zoom uses to send its secret token, defaults to "Authorization" + #secret.header: Authorization + + # The secret token value created by Zoom + #secret.value: ZOOMTOKEN diff --git a/x-pack/filebeat/module/zoom/_meta/docs.asciidoc b/x-pack/filebeat/module/zoom/_meta/docs.asciidoc new file mode 100644 index 000000000000..e0b467fc63ac --- /dev/null +++ b/x-pack/filebeat/module/zoom/_meta/docs.asciidoc 
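Review bot: The two commented secret settings in `_meta/config.yml` are written `#secret.header` and `#secret.value`, while every other option in the block, and the example in the module docs, uses the `var.` prefix (`var.secret.header`, `var.secret.value`). The fileset manifest is not part of this hunk, but if it only reads `var.`-prefixed variables, a user who uncomments these lines as written would get a listener with no token check and no error. I would change them to `#var.secret.header: Authorization` and `#var.secret.value: ZOOMTOKEN`; the same two lines appear in the `filebeat.reference.yml` hunk, which looks to be derived from this file. Since the token travels in a request header and the default shown is plain port 80, a commented `var.ssl` entry next to the secret would also help, e.g. `# Enable TLS so the secret header is not sent in clear text; see var.ssl`.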
@@ -0,0 +1,56 @@
+[role="xpack"]
+
+:modulename: zoom
+:has-dashboards: false
+
+
+== Zoom module
+beta[]
+
+This is a module for Zoom webhook logs. The module creates an HTTP listener that accepts incoming webhooks from Zoom.
+
+To configure Zoom to send webhooks to the filebeat module, please follow the https://marketplace.zoom.us/docs/guides/build/webhook-only-app[Zoom Documentation].
+
+include::../include/gs-link.asciidoc[]
+
+:fileset_ex: webhook
+
+include::../include/configuring-intro.asciidoc[]
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `webhook` fileset settings
+
+When a webhook integration is created on Zoom, it will show a special token used to ensure that filebeat only handles HTTP requests from the correct source.
+This is configured with the `secret.header` and `secret.value` settings as shown below.
+
+Example config:
+
+[source,yaml]
+----
+- module: zoom
+ webhook:
+ enabled: true
+ var.input: http_endpoint
+ var.listen_address: 0.0.0.0
+ var.listen_port: 8080
+ var.secret.header: Authorization
+ var.secret.value: ZOOMTOKEN
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.listen_address`*::
+
+The IP address of the interface the module should listen on. Also supports 0.0.0.0 to listen on all interfaces.
+
+*`var.listen_port`*::
+
+The port the module should be listening on.
+
+*`var.ssl`*::
+
+Configuration options for SSL parameters like the SSL certificate and CA to use for the HTTP(s) listener See <> for more information.
+
+:modulename!:
+:has-dashboards!:
diff --git a/x-pack/filebeat/module/zoom/_meta/fields.yml b/x-pack/filebeat/module/zoom/_meta/fields.yml
new file mode 100644
index 000000000000..effe0e74b04a
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/_meta/fields.yml
@@ -0,0 +1,5 @@
+- key: zoom
+ title: Zoom
+ description: >
+ Module for handling incoming Zoom webhook requests
+ fields:
diff --git a/x-pack/filebeat/module/zoom/fields.go b/x-pack/filebeat/module/zoom/fields.go new file mode 100644 index 000000000000..7a2df6de41f7 --- /dev/null +++ b/x-pack/filebeat/module/zoom/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package zoom + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "zoom", asset.ModuleFieldsPri, AssetZoom); err != nil { + panic(err) + } +} + +// AssetZoom returns asset data. +// This is the base64 encoded gzipped contents of module/zoom. +func AssetZoom() string { + return "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" +} diff --git a/x-pack/filebeat/module/zoom/module.yml b/x-pack/filebeat/module/zoom/module.yml new file mode 100644 index 000000000000..ed97d539c095 --- /dev/null +++ b/x-pack/filebeat/module/zoom/module.yml @@ -0,0 +1 @@ +--- diff --git a/x-pack/filebeat/module/zoom/webhook/_meta/fields.yml b/x-pack/filebeat/module/zoom/webhook/_meta/fields.yml new file mode 100644 index 000000000000..62f1c447f000 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/_meta/fields.yml 
@@ -0,0 +1,619 @@
+- name: zoom
+ type: group
+ release: beta
+ default_field: false
+ description: >
+ Module for parsing Zoom API Webhooks.
+ fields:
+ - name: master_account_id
+ type: keyword
+ description: >
+ Master Account related to a specific Sub Account
+ - name: sub_account_id
+ type: keyword
+ description: >
+ Related Sub Account
+ - name: operator_id
+ type: keyword
+ description: >
+ UserID that triggered the event
+ - name: operator
+ type: keyword
+ description: >
+ Username/Email related to the user that triggered the event
+ - name: account_id
+ type: keyword
+ description: >
+ Related accountID to the event
+ - name: timestamp
+ type: date
+ description: >
+ Timestamp related to the event
+ - name: creation_type
+ type: keyword
+ description: >
+ Creation type
+ - name: account.owner_id
+ type: keyword
+ description: >
+ UserID of the user whose sub account was created/disassociated
+ - name: account.email
+ type: keyword
+ description: >
+ Email related to the user the action was performed on
+ - name: account.owner_email
+ type: keyword
+ description: >
+ Email of the user whose sub account was created/disassociated
+ - name: account.account_name
+ type: keyword
+ description: >
+ When an account name is updated, this is the new value set
+ - name: account.account_alias
+ type: keyword
+ description: >
+ When an account alias is updated, this is the new value set
+ - name: account.account_support_name
+ type: keyword
+ description: >
+ When an account support_name is updated, this is the new value set
+ - name: account.account_support_email
+ type: keyword
+ description: >
+ When an account support_email is updated, this is the new value set
+ - name: chat_channel.name
+ type: keyword
+ description: >
+ The name of the channel that has been added/modified/deleted
+ - name: chat_channel.id
+ type: keyword
+ description: >
+ The ID of the channel that has been added/modified/deleted
+ - name: chat_channel.type
+ type: keyword
+ description: >
+ Type of channel related to the event. Can be 1(Invite-Only), 2(Private) or 3(Public)
+ - name: chat_message.id
+ type: keyword
+ description: >
+ Unique ID of the related chat message
+ - name: chat_message.type
+ type: keyword
+ description: >
+ Type of message, can be either "to_contact" or "to_channel"
+ - name: chat_message.session_id
+ type: keyword
+ description: >
+ SessionID for the channel related to the message
+ - name: chat_message.contact_email
+ type: keyword
+ description: >
+ Email address related to the user sending the message
+ - name: chat_message.contact_id
+ type: keyword
+ description: >
+ UserID belonging to the user receiving a message
+ - name: chat_message.channel_id
+ type: keyword
+ description: >
+ ChannelID related to the message
+ - name: chat_message.channel_name
+ type: keyword
+ description: >
+ Channel name related to the message
+ - name: chat_message.message
+ type: keyword
+ description: >
+ A string containing the full message that was sent
+ - name: meeting.id
+ type: keyword
+ description: >
+ Unique ID of the related meeting
+ - name: meeting.uuid
+ type: keyword
+ description: >
+ The UUID of the related meeting
+ - name: meeting.host_id
+ type: keyword
+ description: >
+ The UserID of the configured meeting host
+ - name: meeting.topic
+ type: keyword
+ description: >
+ Topic of the related meeting
+ - name: meeting.type
+ type: keyword
+ description: >
+ Type of meeting created
+ - name: meeting.start_time
+ type: date
+ description: >
+ Date and time the meeting started
+ - name: meeting.timezone
+ type: keyword
+ description: >
+ Which timezone is used for the meeting timestamps
+ - name: meeting.duration
+ type: long
+ description: >
+ The duration of a meeting in minutes
+ - name: meeting.issues
+ type: keyword
+ description: >
+ When a user reports an issue with the meeting, for example: "Unstable audio quality"
+ - name: meeting.password
+ type: keyword
+ description: >
+ Password related to the meeting
+ - name: phone.id
+ type: keyword
+ description: >
+ Unique ID for the phone or conversation
+ - name: phone.user_id
+ type: keyword
+ description: >
+ UserID for the phone owner related to a Call Log being completed
+ - name: phone.download_url
+ type: keyword
+ description: >
+ Download URL for the voicemail
+ - name: phone.ringing_start_time
+ type: date
+ description: >
+ The timestamp when a ringtone was established to the callee
+ - name: phone.connected_start_time
+ type: date
+ description: >
+ The date and time when a ringtone was established to the callee
+ - name: phone.answer_start_time
+ type: date
+ description: >
+ The date and time when the call was answered
+ - name: phone.call_end_time
+ type: date
+ description: >
+ The date and time when the call ended
+ - name: phone.call_id
+ type: keyword
+ description: >
+ Unique ID of the related call
+ - name: phone.duration
+ type: long
+ description: >
+ Duration of a voicemail in minutes
+ - name: phone.caller.id
+ type: keyword
+ description: >
+ UserID of the caller related to the voicemail/call
+ - name: phone.caller.user_id
+ type: keyword
+ description: >
+ UserID of the person which initiated the call
+ - name: phone.caller.number_type
+ type: keyword
+ description: >
+ The type of number, can be 1(Internal) or 2(External)
+ - name: phone.caller.name
+ type: keyword
+ description: >
+ The name of the related callee
+ - name: phone.caller.phone_number
+ type: keyword
+ description: >
+ Phone Number of the caller related to the call
+ - name: phone.caller.extension_type
+ type: keyword
+ description: >
+ Extension type of the caller number, can be user, callQueue, autoReceptionist or shareLineGroup
+ - name: phone.caller.extension_number
+ type: keyword
+ description: >
+ Extension number of the caller
+ - name: phone.caller.timezone
+ type: keyword
+ description: >
+ Timezone of the caller
+ - name: phone.caller.device_type
+ type: keyword
+ description: >
+ Device type used by the caller
+ - name: phone.callee.id
+ type: keyword
+ description: >
+ UserID of the callee related to the voicemail/call
+ - name: phone.callee.user_id
+ type: keyword
+ description: >
+ UserID of the related callee of a voicemail/call
+ - name: phone.callee.name
+ type: keyword
+ description: >
+ The name of the related callee
+ - name: phone.callee.number_type
+ type: keyword
+ description: >
+ The type of number, can be 1(Internal) or 2(External)
+ - name: phone.callee.phone_number
+ type: keyword
+ description: >
+ Phone Number of the callee related to the call
+ - name: phone.callee.extension_type
+ type: keyword
+ description: >
+ Extension type of the callee number, can be user, callQueue, autoReceptionist or shareLineGroup
+ - name: phone.callee.extension_number
+ type: keyword
+ description: >
+ Extension number of the callee related to the call
+ - name: phone.callee.timezone
+ type: keyword
+ description: >
+ Timezone of the callee related to the call
+ - name: phone.callee.device_type
+ type: keyword
+ description: >
+ Device type used by the callee related to the call
+ - name: phone.date_time
+ type: date
+ description: >
+ Date and time of the related phone event
+ - name: recording.id
+ type: keyword
+ description: >
+ Unique ID of the related recording
+ - name: recording.uuid
+ type: keyword
+ description: >
+ UUID of the related recording
+ - name: recording.host_id
+ type: keyword
+ description: >
+ UserID of the host of the meeting that was recorded
+ - name: recording.topic
+ type: keyword
+ description: >
+ Topic of the meeting related to the recording
+ - name: recording.type
+ type: keyword
+ description: >
+ Type of recording, can be multiple type of values, please check Zoom documentation
+ - name: recording.start_time
+ type: date
+ description: >
+ The date and time when the recording started
+ - name: recording.timezone
+ type: keyword
+ description: >
+ The timezone used for the recording date
+ - name: recording.duration
+ type: long
+ description: >
+ Duration of the recording in minutes
+ - name: recording.share_url
+ type: keyword
+ description: >
+ The URL to access the recording
+ - name: recording.total_size
+ type: long
+ description: >
+ Total size of the recording in bytes
+ - name: recording.recording_count
+ type: long
+ description: >
+ Number of recording files related to the recording
+ - name: recording.recording_file.recording_start
+ type: date
+ description: >
+ The date and time the recording started
+ - name: recording.recording_file.recording_end
+ type: date
+ description: >
+ The date and time the recording finished
+ - name: recording.host_email
+ type: keyword
+ description: >
+ Email address of the host related to the meeting that was recorded
+ - name: user.id
+ type: keyword
+ description: >
+ UserID related to the user event
+ - name: user.first_name
+ type: keyword
+ description: >
+ User first name related to the user event
+ - name: user.last_name
+ type: keyword
+ description: >
+ User last name related to the user event
+ - name: user.email
+ type: keyword
+ description: >
+ User email related to the user event
+ - name: user.type
+ type: keyword
+ description: >
+ User type related to the user event
+ - name: user.phone_number
+ type: keyword
+ description: >
+ User phone number related to the user event
+ - name: user.phone_country
+ type: keyword
+ description: >
+ User country code related to the user event
+ - name: user.company
+ type: keyword
+ description: >
+ User company related to the user event
+ - name: user.pmi
+ type: keyword
+ description: >
+ User personal meeting ID related to the user event
+ - name: user.use_pmi
+ type: boolean
+ description: >
+ If a user has PMI enabled
+ - name: user.pic_url
+ type: keyword
+ description: >
+ Full URL to the profile picture used by the user
+ - name: user.vanity_name
+ type: keyword
+ description: >
+ Name of the personal meeting room related to the user event
+ - name: user.timezone
+ type: keyword
+ description: >
+ Timezone configured for the user
+ - name: user.language
+ type: keyword
+ description: >
+ Language configured for the user
+ - name: user.host_key
+ type: keyword
+ description: >
+ Host key set for the user
+ - name: user.role
+ type: keyword
+ description: >
+ The configured role for the user
+ - name: user.dept
+ type: keyword
+ description: >
+ The configured departement for the user
+ - name: user.presence_status
+ type: keyword
+ description: >
+ Current presence status of user
+ - name: user.personal_notes
+ type: keyword
+ description: >
+ Personal notes for the User
+ - name: user.client_type
+ type: keyword
+ description: >
+ Type of client used by the user. Can be browser, mac, win, iphone or android
+ - name: user.version
+ type: keyword
+ description: >
+ Version of the client used by the user
+ - name: webinar.id
+ type: keyword
+ description: >
+ Unique ID for the related webinar
+ - name: webinar.join_url
+ type: keyword
+ description: >
+ The URL configured to join the webinar
+ - name: webinar.uuid
+ type: keyword
+ description: >
+ UUID for the related webinar
+ - name: webinar.host_id
+ type: keyword
+ description: >
+ UserID for the configured host of the webinar
+ - name: webinar.topic
+ type: keyword
+ description: >
+ Meeting topic of the related webinar
+ - name: webinar.type
+ type: keyword
+ description: >
+ Type of webinar created. Can be either 5(Webinar), 6(Recurring webinar without fixed time) or 9(Recurring webinar with fixed time)
+ - name: webinar.start_time
+ type: date
+ description: >
+ The date and time when the webinar started
+ - name: webinar.timezone
+ type: keyword
+ description: >
+ Timezone used for the dates related to the webinar
+ - name: webinar.duration
+ type: long
+ description: >
+ Duration of the webinar in minutes
+ - name: webinar.agenda
+ type: keyword
+ description: >
+ The configured agenda of the webinar
+ - name: webinar.password
+ type: keyword
+ description: >
+ Password configured to access the webinar
+ - name: webinar.issues
+ type: keyword
+ description: >
+ Any reported issues about a webinar is reported in this field
+ - name: zoomroom.id
+ type: keyword
+ description: >
+ Unique ID of the Zoom room
+ - name: zoomroom.room_name
+ type: keyword
+ description: >
+ The configured name of the Zoom room
+ - name: zoomroom.calendar_name
+ type: keyword
+ description: >
+ Calendar name of the Zoom room
+ - name: zoomroom.calendar_id
+ type: keyword
+ description: >
+ Unique ID of the calendar used by the Zoom room
+ - name: zoomroom.event_id
+ type: keyword
+ description: >
+ Unique ID of the calendar event associated with the Zoom Room
+ - name: zoomroom.change_key
+ type: keyword
+ description: >
+ Key used by Microsoft products integration that represents a specific version of a calendar
+ - name: zoomroom.resource_email
+ type: keyword
+ description: >
+ Email address associated with the calendar in use by the Zoom room
+ - name: zoomroom.email
+ type: keyword
+ description: >
+ Email address associated with the Zoom room itself
+ - name: zoomroom.issue
+ type: keyword
+ description: >
+ Any reported alerts or issues related to the Zoom room or its equipment
+ - name: zoomroom.alert_type
+ type: keyword
+ description: >
+ An integer value representing the type of alert. The list of alert types can be found in the Zoom documentation
+ - name: zoomroom.component
+ type: keyword
+ description: >
+ An integer value representing the type of equipment or component, The list of component types can be found in the Zoom documentation
+ - name: zoomroom.alert_kind
+ type: keyword
+ description: >
+ An integer value showing if the Zoom room alert has been either 1(Triggered) or 2(Cleared)
+ - name: registrant.id
+ type: keyword
+ description: >
+ Unique ID of the user registering to a meeting or webinar
+ - name: registrant.status
+ type: keyword
+ description: >
+ Status of the specific user registration
+ - name: registrant.email
+ type: keyword
+ description: >
+ Email of the user registering to a meeting or webinar
+ - name: registrant.first_name
+ type: keyword
+ description: >
+ First name of the user registering to a meeting or webinar
+ - name: registrant.last_name
+ type: keyword
+ description: >
+ Last name of the user registering to a meeting or webinar
+ - name: registrant.address
+ type: keyword
+ description: >
+ Address of the user registering to a meeting or webinar
+ - name: registrant.city
+ type: keyword
+ description: >
+ City of the user registering to a meeting or webinar
+ - name: registrant.country
+ type: keyword
+ description: >
+ Country of the user registering to a meeting or webinar
+ - name: registrant.zip
+ type: keyword
+ description: >
+ Zip code of the user registering to a meeting or webinar
+ - name: registrant.state
+ type: keyword
+ description: >
+ State of the user registering to a meeting or webinar
+ - name: registrant.phone
+ type: keyword
+ description: >
+ Phone number of the user registering to a meeting or webinar
+ - name: registrant.industry
+ type: keyword
+ description: >
+ Related industry of the user registering to a meeting or webinar
+ - name: registrant.org
+ type: keyword
+ description: >
+ Organization related to the user registering to a meeting or webinar
+ - name: registrant.job_title
+ type: keyword
+ description: >
+ Job title of the user registering to a meeting or webinar
+ - name: registrant.purchasing_time_frame
+ type: keyword
+ description: >
+ Choosen purchase timeframe of the user registering to a meeting or webinar
+ - name: registrant.role_in_purchase_process
+ type: keyword
+ description: >
+ Choosen role in a purchase process related to the user registering to a meeting or webinar
+ - name: registrant.no_of_employees
+ type: keyword
+ description: >
+ Number of employees choosen by the user registering to a meeting or webinar
+ - name: registrant.comments
+ type: keyword
+ description: >
+ Comments left by the user registering to a meeting or webinar
+ - name: registrant.join_url
+ type: keyword
+ description: >
+ The URL that the registrant can use to join the webinar
+ - name: participant.id
+ type: keyword
+ description: >
+ Unique ID of the participant related to a meeting
+ - name: participant.user_id
+ type: keyword
+ description: >
+ UserID of the participant related to a meeting
+ - name: participant.user_name
+ type: keyword
+ description: >
+ Username of the participant related to a meeting
+ - name: participant.join_time
+ type: date
+ description: >
+ The date and time a participant joined a meeting
+ - name: participant.leave_time
+ type: date
+ description: >
+ The date and time a participant left a meeting
+ - name: participant.sharing_details.link_source
+ type: keyword
+ description: >
+ Method of sharing with dropbox integration
+ - name: participant.sharing_details.content
+ type: keyword
+ description: >
+ Type of content that was shared
+ - name: participant.sharing_details.file_link
+ type: keyword
+ description: >
+ The file link that was shared
+ - name: participant.sharing_details.date_time
+ type: keyword
+ description: >
+ Timestamp the sharing started
+ - name: participant.sharing_details.source
+ type: keyword
+ description: >
+ The file source that was share
+ - name: old_values
+ type: flattened
+ description: >
+ Includes the old values when updating a object like user, meeting, account or webinar
+ - name: settings
+ type: flattened
+ description: >
+ The current active settings related to a object like user, meeting, account or webinar
diff --git a/x-pack/filebeat/module/zoom/webhook/config/webhook.yml b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml
new file mode 100644
index 000000000000..207da5447e13
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/config/webhook.yml
@@ -0,0 +1,36 @@
+{{ if eq .input "http_endpoint" }}
+
+type: http_endpoint
+listen_address: {{ .listen_address }}
+listen_port: {{ .listen_port }}
+prefix: {{ .prefix }}
+basic_auth: {{ .basic_auth }}
+username: {{ .username }}
+username: {{ .password }}
+content_type: "{{ .content_type }}"
+secret: {{ .secret | tojson }}
+ssl: {{ .ssl | tojson }}
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - decode_json_fields:
+ fields: [message]
+ target: zoom
+ - add_locale: ~
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/account.yml b/x-pack/filebeat/module/zoom/webhook/ingest/account.yml
new file mode 100644
index 000000000000..a873c6ae62c0
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/account.yml
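Review bot: `meeting.password`, `webinar.password` and `user.host_key` are declared as ordinary `keyword` fields, so meeting and webinar passcodes and host keys carried in webhook payloads would be indexed and searchable by anyone with read access to the index. None of the ingest pipelines visible in this part of the diff removes or redacts them; consider dropping them with a `remove` processor using `ignore_missing: true`, or documenting that the index holds credentials and needs restricted access. Separately, the descriptions of `phone.connected_start_time` and `phone.caller.name` look copied from neighbouring fields ("a ringtone was established", "the related callee"), and `departement` and `Choosen` are misspelled.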
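Review bot: The `http_endpoint` branch writes the key `username` twice, `username: {{ .username }}` followed by `username: {{ .password }}`, so the rendered input config contains a duplicate key and never sets `password`. Depending on how duplicates are resolved when the config is loaded, the password value may replace the username and basic auth would not be enforced with the intended credentials; the second line should read `password: {{ .password }}`. It may also be worth rendering both values through `tojson`, as is already done for `secret` and `ssl`, so that a value containing YAML metacharacters cannot alter the structure of the generated config.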
@@ -0,0 +1,46 @@
+description: Pipeline for parsing Zoom account webhooks
+processors:
+- append:
+ field: event.category
+ value: iam
+- append:
+ field: event.type
+ value: user
+- append:
+ field: event.type
+ value: creation
+ if: ctx?.event?.action == 'account.created'
+- append:
+ field: event.type
+ value: change
+ if: "['account.updated', 'account.settings_updated', 'account.disassociated'].contains(ctx?.event?.action)"
+- rename:
+ field: zoom.account_id
+ target_field: zoom.master_account_id
+ ignore_missing: true
+- rename:
+ field: zoom.object.id
+ target_field: zoom.sub_account_id
+ ignore_missing: true
+- date:
+ field: zoom.time_stamp
+ target_field: '@timestamp'
+ formats:
+ - UNIX_MS
+ if: ctx?.zoom?.time_stamp != null
+ ignore_failure: true
+- rename:
+ field: zoom.object
+ target_field: zoom.account
+ ignore_missing: true
+- append:
+ field: related.user
+ value: "{{zoom.account.owner_id}}"
+ if: ctx?.zoom?.account?.owner_id != null
+- remove:
+ field: zoom.time_stamp
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml b/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml
new file mode 100644
index 000000000000..8f3140d2799b
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/chat_channel.yml
@@ -0,0 +1,58 @@
+description: Pipeline for parsing Zoom chat_channel webhooks
+processors:
+- append:
+ field: event.type
+ value: user
+ if: "['chat_channel.member_invited', 'chat_channel.member_joined', 'chat_channel.member_left'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: creation
+ if: ctx?.event?.action == 'chat_channel.created'
+- append:
+ field: event.type
+ value: deletion
+ if: ctx?.event?.action == 'chat_channel.deleted'
+- append:
+ field: event.type
+ value: change
+ if: ctx?.event?.action == 'chat_channel.updated'
+- rename:
+ field: zoom.object
+ target_field: zoom.chat_channel
+ ignore_missing: true
+- date:
+ field: zoom.chat_channel.timestamp
+ target_field: '@timestamp'
+ formats:
+ - UNIX_MS
+ if: ctx?.zoom?.chat_channel?.timestamp != null
+ ignore_failure: true
+- remove:
+ field: zoom.chat_channel.date_time
+ ignore_missing: true
+ if: ctx?.zoom?.chat_channel?.timestamp != null
+- date:
+ field: zoom.chat_channel.date_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: "ctx?.zoom?.chat_channel?.date_time != null && ctx?.zoom?.chat_channel?.timestamp == null"
+ ignore_failure: true
+- remove:
+ field: zoom.chat_channel.timestamp
+ ignore_missing: true
+ if: ctx?.zoom?.chat_channel?.timestamp != null
+- foreach:
+ field: zoom.chat_channel.members
+ processor:
+ append:
+ field: related.user
+ value: "{{_ingest._value.id}}"
+# Removing to prevent nested values, added to related.user above
+- remove:
+ field: zoom.chat_channel.members
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/chat_message.yml b/x-pack/filebeat/module/zoom/webhook/ingest/chat_message.yml
new file mode 100644
index 000000000000..0e6860802941
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/chat_message.yml
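Review bot: The `foreach` over `zoom.chat_channel.members` has no `ignore_missing: true`, so any chat_channel event whose payload lacks a `members` array fails that processor and falls through to `on_failure`, leaving `error.message` set on an otherwise valid event. Whether `chat_channel.created`, `updated` and `deleted` carry `members` is not visible in this diff, so it is worth checking against sample payloads; adding `ignore_missing: true` under `foreach:` is safe either way. The inner `append` also adds `{{_ingest._value.id}}` without a null check, so a member entry without `id` would likely put an empty string into `related.user`.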
@@ -0,0 +1,50 @@
+description: Pipeline for parsing Zoom chat_message webhooks
+processors:
+- append:
+ field: event.type
+ value: info
+- append:
+ field: event.type
+ value: creation
+ if: ctx?.event?.action == 'chat_message.sent'
+- append:
+ field: event.type
+ value: deletion
+ if: ctx?.event?.action == 'chat_message.deleted'
+- append:
+ field: event.type
+ value: change
+ if: ctx?.event?.action == 'chat_message.updated'
+- rename:
+ field: zoom.object
+ target_field: zoom.chat_message
+ ignore_missing: true
+- append:
+ field: related.user
+ value: "{{zoom.chat_message.contact_id}}"
+ if: "ctx?.zoom?.chat_message?.contact_id != null"
+- date:
+ field: zoom.chat_message.timestamp
+ target_field: '@timestamp'
+ formats:
+ - UNIX_MS
+ if: ctx?.zoom?.chat_message?.timestamp != null
+ ignore_failure: true
+- remove:
+ field: zoom.chat_message.date_time
+ ignore_missing: true
+ if: ctx?.zoom?.chat_message?.timestamp != null
+- date:
+ field: zoom.chat_message.date_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: ctx?.zoom?.chat_message?.timestamp == null
+ ignore_failure: true
+- remove:
+ field: zoom.chat_message.timestamp
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml b/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml
new file mode 100644
index 000000000000..e0012edf8e4d
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml
@@ -0,0 +1,130 @@
+description: Pipeline for parsing Zoom meeting webhooks
+processors:
+- append:
+ field: event.type
+ value: info
+ if: ctx?.event?.action != 'meeting.alert'
+- append:
+ field: event.type
+ value: error
+ if: ctx?.event?.action == 'meeting.alert'
+- append:
+ field: event.type
+ value: allowed
+ if: ctx?.event?.action == 'meeting.registration_approved'
+- append:
+ field: event.type
+ value: creation
+ if: "['meeting.registration_created', 'meeting.created'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: deletion
+ if: ctx?.event?.action == 'meeting.deleted'
+- append:
+ field: event.type
+ value: change
+ if: ctx?.event?.action == 'meeting.updated'
+- append:
+ field: event.type
+ value: start
+ if: "['meeting.started', 'meeting.sharing_started'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: end
+ if: "['meeting.ended', 'meeting.sharing_ended'].contains(ctx?.event?.action)"
+- rename:
+ field: zoom.object
+ target_field: zoom.meeting
+ ignore_missing: true
+- rename:
+ field: zoom.meeting.join_url
+ target_field: url.full
+ ignore_missing: true
+- rename:
+ field: zoom.registrant.join_url
+ target_field: url.full
+ ignore_missing: true
+ if: ctx?.url?.full == null
+- append:
+ field: related.user
+ value: "{{zoom.meeting.host_id}}"
+ if: ctx?.zoom?.meeting?.host_id != null
+- date:
+ field: zoom.meeting.start_time
+ target_field: event.start
+ formats:
+ - ISO_INSTANT
+ if: ctx?.event?.action == 'meeting.started'
+ ignore_failure: true
+- date:
+ field: zoom.participant.sharing_details.date_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: ctx?.event?.action == 'meeting.sharing_started'
+ ignore_failure: true
+- date:
+ field: zoom.participant.date_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: "['meeting.participant_put_in_waiting_room', 'meeting.participant_joined_waiting_room', 'meeting.participant_left_waiting_room'].contains(ctx?.event?.action)"
+ ignore_failure: true
+- date:
+ field: zoom.participant.join_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: ctx?.event?.action == 'meeting.participant_joined'
+ ignore_failure: true
+- date:
+ field: zoom.participant.leave_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: ctx?.event?.action == 'meeting.participant_left'
+ ignore_failure: true
+- date:
+ field: zoom.time_stamp
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: ctx?.event?.action == 'meeting.updated'
+ ignore_failure: true
+- script:
+ lang: painless
+ if: ctx?.zoom?.meeting?.duration != null
+ source: >-
+ ctx.event.duration = ctx.zoom.meeting.duration * 60L * 1000000000L;
+- remove:
+ field: zoom.meeting.start_time
+ ignore_missing: true
+ if: ctx?.event?.action == 'meeting.started'
+- remove:
+ field: zoom.meeting.duration
+ ignore_missing: true
+ if: ctx?.event?.duration != null
+- remove:
+ field: zoom.participant.sharing_details.date_time
+ ignore_missing: true
+ if: ctx?.event?.action == 'meeting.sharing_started'
+- remove:
+ field: zoom.participant.date_time
+ ignore_missing: true
+ if: "['meeting.participant_put_in_waiting_room', 'meeting.participant_joined_waiting_room', 'meeting.participant_left_waiting_room'].contains(ctx?.event?.action)"
+- remove:
+ field: zoom.participant.join_time
+ ignore_missing: true
+ if: ctx?.event?.action == 'meeting.participant_joined'
+- remove:
+ field: zoom.participant.leave_time
+ ignore_missing: true
+ if: ctx?.event?.action == 'meeting.participant_left'
+- remove:
+ field: zoom.time_stamp
+ ignore_missing: true
+ if: ctx?.event?.action == 'meeting.updated'
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml b/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml
new file mode 100644
index 000000000000..2e363e3da422
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/phone.yml
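Review bot: `zoom.time_stamp` is parsed with `ISO_INSTANT` for `meeting.updated`, while `account.yml` in this same commit parses `zoom.time_stamp` with `UNIX_MS`. If Zoom sends the same epoch-millisecond value in both cases, this `date` processor fails silently because of `ignore_failure: true`, and the later `remove` of `zoom.time_stamp` then discards the only event time, leaving `@timestamp` at whatever the shipper set. That skews any timeline built from meeting-update events; listing both formats (`- UNIX_MS` and `- ISO_INSTANT`) under `formats:` would cover either representation.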
@@ -0,0 +1,159 @@
+description: Pipeline for parsing Zoom phone webhooks
+processors:
+- append:
+ field: event.type
+ value: info
+- append:
+ field: event.type
+ value: creation
+ if: "['phone.caller_ringing', 'phone.callee_ringing'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: start
+ if: "['phone.callee_answered', 'phone.caller_connected'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: end
+ if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended'].contains(ctx?.event?.action)"
+- rename:
+ field: zoom.object
+ target_field: zoom.phone
+ ignore_missing: true
+- rename:
+ field: zoom.phone.download_url
+ target_field: url.full
+ ignore_missing: true
+- date:
+ field: zoom.phone.ringing_start_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: "['phone.callee_ringing', 'phone.caller_ringing', 'phone.caller_ended'].contains(ctx?.event?.action)"
+ ignore_failure: true
+- date:
+ field: zoom.phone.connected_start_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: ctx?.event?.action == 'phone.caller_connected'
+ ignore_failure: true
+- date:
+ field: zoom.phone.answer_start_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: "ctx?.zoom?.phone.answer_start_time != null && ctx?.event?.action == 'phone.callee_answered'"
+ ignore_failure: true
+- date:
+ field: zoom.phone.call_end_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: "['phone.callee_missed', 'phone.callee_ended', 'phone.caller_ended', 'phone.callee_rejected'].contains(ctx?.event?.action)"
+ ignore_failure: true
+- date:
+ field: zoom.phone.date_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: ctx?.event?.action == 'phone.voicemail_received'
+ ignore_failure: true
+# Calculates duration when duration is unknown but start and end time is known (with ringing_start_time)
+- script:
+ lang: painless
+ if: "ctx?.zoom?.phone?.ringing_start_time != null && ctx?.zoom?.phone?.answer_start_time == null && ctx?.zoom?.phone?.call_end_time != null && ctx?.zoom?.duration == null"
+ source: >-
+ ctx.event.start = ctx.zoom.phone.ringing_start_time;
+ ctx.event.end = ctx.zoom.phone.call_end_time;
+ ZonedDateTime start = ZonedDateTime.parse(ctx.event.start);
+ ZonedDateTime end = ZonedDateTime.parse(ctx.event.end);
+ ctx.event.duration = ChronoUnit.NANOS.between(start, end);
+
+# Calculates duration when duration is unknown but start and end time is known (with answer_start_time)
+- script:
+ lang: painless
+ if: "ctx?.zoom?.phone?.ringing_start_time == null && ctx?.zoom?.phone?.answer_start_time != null && ctx?.zoom?.phone?.call_end_time != null && ctx?.zoom?.duration == null"
+ source: >-
+ ctx.event.start = ctx.zoom.phone.answer_start_time;
+ ctx.event.end = ctx.zoom.phone.call_end_time;
+ ZonedDateTime start = ZonedDateTime.parse(ctx.event.start);
+ ZonedDateTime end = ZonedDateTime.parse(ctx.event.end);
+ ctx.event.duration = ChronoUnit.NANOS.between(start, end);
+
+# Duration is in minutes, so multiply by seconds and then multiply again to convert seconds to nano
+- script:
+ lang: painless
+ if: ctx?.zoom?.duration != null
+ source: >-
+ ctx.event.duration = Integer.parseInt(ctx.zoom.duration) * 60L * 1000000000L;
+
+# Moving all voicemail related fields to their proper nested fields
+# that already exists for all other phone webhooks
+- rename:
+ field: zoom.phone.callee_user_id
+ target_field: zoom.phone.callee.user_id
+ ignore_missing: true
+- rename:
+ field: zoom.phone.callee_extension_type
+ target_field: zoom.phone.callee.extension_type
+ ignore_missing: true
+- rename:
+ field: zoom.phone.callee_id
+ target_field: zoom.phone.callee.id
+ ignore_missing: true
+- rename:
+ field: zoom.phone.callee_name
+ target_field: zoom.phone.callee.name
+ ignore_missing: true
+- rename:
+ field: zoom.phone.callee_number
+ target_field: zoom.phone.callee.phone_number
+ ignore_missing: true
+- rename:
+ field: zoom.phone.callee_number_type
+ target_field: zoom.phone.callee.number_type
+ ignore_missing: true
+- rename:
+ field: zoom.phone.callee_user_id
+ target_field: zoom.phone.callee.user_id
+ ignore_missing: true
+- rename:
+ field: zoom.phone.callee_extension_type
+ target_field: zoom.phone.callee.extension_type
+ ignore_missing: true
+- rename:
+ field: zoom.phone.caller_id
+ target_field: zoom.phone.caller.id
+ ignore_missing: true
+- rename:
+ field: zoom.phone.caller_name
+ target_field: zoom.phone.caller.name
+ ignore_missing: true
+- rename:
+ field: zoom.phone.caller_number
+ target_field: zoom.phone.caller.phone_number
+ ignore_missing: true
+- rename:
+ field: zoom.phone.caller_number_type
+ target_field: zoom.phone.caller.number_type
+ ignore_missing: true
+- append:
+ field: related.user
+ value: "{{zoom.phone.callee.user_id}}"
+ if: ctx?.zoom?.phone?.callee?.user_id != null
+- append:
+ field: related.user
+ value: "{{zoom.phone.callee_user_id}}"
+ if: ctx?.zoom?.phone?.callee_user_id != null
+- append:
+ field: related.user
+ value: "{{zoom.phone.caller.user_id}}"
+ if: ctx?.zoom?.phone?.caller?.user_id != null
+- remove:
+ field: zoom.phone.date_time
+ ignore_missing: true
+ if: ctx?.event?.action == 'phone.voicemail_received'
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml b/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml
new file mode 100644
index 000000000000..95c95cba215e
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/pipeline.yml
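Review bot: The three duration scripts test and read `ctx.zoom.duration`, but by that point `zoom.object` has been renamed to `zoom.phone` and the field list in this commit declares `phone.duration`, so `ctx?.zoom?.duration` looks like it is always null. If that reading is right, the minutes-to-nanoseconds script never runs and the two computed-duration scripts never defer to a supplied duration; the checks should use `ctx?.zoom?.phone?.duration`. In the `answer_start_time` date processor, `ctx?.zoom?.phone.answer_start_time` is missing the `?.` after `phone` and throws when `zoom.phone` is absent. The `callee_user_id` and `callee_extension_type` renames appear twice, and the `related.user` append for `zoom.phone.callee_user_id` runs after that field has already been renamed away.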
@@ -0,0 +1,96 @@
+description: Initial pipeline for parsing Zoom webhooks
+processors:
+- set:
+ field: observer.vendor
+ value: Zoom
+- set:
+ field: observer.product
+ value: Webhook
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- append:
+ field: event.kind
+ value: event
+- rename:
+ field: zoom.event
+ target_field: event.action
+ ignore_missing: true
+- rename:
+ field: zoom.payload
+ target_field: _temp_.payload
+- remove:
+ field: zoom
+- rename:
+ field: _temp_.payload
+ target_field: zoom
+- rename:
+ field: zoom.old_object
+ target_field: zoom.old_values
+ ignore_missing: true
+- rename:
+ field: zoom.object.participant
+ target_field: zoom.participant
+ ignore_missing: true
+- rename:
+ field: zoom.object.settings
+ target_field: zoom.settings
+ ignore_missing: true
+- rename:
+ field: zoom.object.registrant
+ target_field: zoom.registrant
+ ignore_missing: true
+- append:
+ field: related.user
+ value: "{{zoom.operator_id}}"
+ if: "ctx?.zoom?.operator_id != null"
+# Removing some fields that have complex nested arrays that might impact performance
+- remove:
+ field:
+ - message
+ - _temp_
+ - zoom.object.occurrences
+ - zoom.old_values.occurrences
+ - zoom.object.recurrence
+ - zoom.old_values.recurrence
+ - zoom.object.managed_domains
+ - zoom.old_values.managed_domains
+ - zoom.registrant.custom_questions
+ - zoom.old_values.registrant.custom_questions
+ - zoom.object.call_logs
+ - zoom.old_values.call_logs
+ - zoom.object.recording_files
+ - zoom.old_values.recording_files
+ - zoom.object.call_logs
+ ignore_missing: true
+- pipeline:
+ name: '{< IngestPipeline "meeting" >}'
+ if: "ctx?.event?.action.startsWith('meeting')"
+- pipeline:
+ name: '{< IngestPipeline "account" >}'
+ if: "ctx?.event?.action.startsWith('account')"
+- pipeline:
+ name: '{< IngestPipeline "chat_message" >}'
+ if: "ctx?.event?.action.startsWith('chat_message')"
+- pipeline:
+ name: '{< IngestPipeline "chat_channel" >}'
+ if: 
"ctx?.event?.action.startsWith('chat_channel')"
+- pipeline:
+ name: '{< IngestPipeline "phone" >}'
+ if: "ctx?.event?.action.startsWith('phone')"
+- pipeline:
+ name: '{< IngestPipeline "recording" >}'
+ if: "ctx?.event?.action.startsWith('recording')"
+- pipeline:
+ name: '{< IngestPipeline "user" >}'
+ if: "ctx?.event?.action.startsWith('user')"
+- pipeline:
+ name: '{< IngestPipeline "webinar" >}'
+ if: "ctx?.event?.action.startsWith('webinar')"
+- pipeline:
+ name: '{< IngestPipeline "zoomroom" >}'
+ if: "ctx?.event?.action.startsWith('zoomroom')"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml b/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml
new file mode 100644
index 000000000000..9e5ba923b129
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/recording.yml
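Review bot: The nine sub-pipeline conditions of the form `ctx?.event?.action.startsWith('meeting')` are null-safe only as far as `event`, so a request body without an `event` key (the `zoom.event` rename uses `ignore_missing: true`) leaves `action` null and `.startsWith` throws instead of the branch being skipped. Because this pipeline parses externally supplied webhook bodies, each condition should guard the value first, e.g. `if: "ctx?.event?.action != null && ctx.event.action.startsWith('meeting')"`. The `rename` of `zoom.payload` and the `remove` of `zoom` that follows also lack `ignore_missing`, so a body without `payload` ends in `on_failure` with only `error.message` set; if that is the intended rejection path, a comment such as `# events without a payload are rejected via on_failure` would make it explicit. `zoom.object.call_logs` appears twice in the `remove` list.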
@@ -0,0 +1,86 @@
+description: Pipeline for parsing Zoom recording webhooks
+processors:
+- append:
+ field: event.type
+ value: info
+- append:
+ field: event.type
+ value: creation
+ if: ctx?.event?.action == 'recording.registration_created'
+- append:
+ field: event.type
+ value: allowed
+ if: ctx?.event?.action == 'recording.registration_approved'
+- append:
+ field: event.type
+ value: denied
+ if: ctx?.event?.action == 'recording.registration_denied'
+- append:
+ field: event.type
+ value: deletion
+ if: "['recording.deleted', 'recording.trashed'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: change
+ if: "['recording.paused', 'recording.resumed', 'recording.renamed', 'recording.recovered'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: start
+ if: ctx?.event?.action == 'recording.started'
+- append:
+ field: event.type
+ value: end
+ if: "['recording.stopped', 'recording.completed', 'recording.transcript_completed'].contains(ctx?.event?.action)"
+- rename:
+ field: zoom.object
+ target_field: zoom.recording
+ ignore_missing: true
+- rename:
+ field: zoom.recording.share_url
+ target_field: url.full
+ ignore_missing: true
+- date:
+ field: zoom.time_stamp
+ target_field: '@timestamp'
+ formats:
+ - UNIX_MS
+ if: ctx?.event?.action == 'recording.renamed'
+ ignore_failure: true
+- set:
+ field: event.start
+ value: '{{ zoom.recording.recording_file.recording_start }}'
+ if: ctx?.event?.action == 'recording.started'
+- set:
+ field: event.end
+ value: '{{ zoom.recording.recording_file.recording_end }}'
+ if: ctx?.event?.action == 'recording.stopped'
+- script:
+ lang: painless
+ if: "ctx?.event?.end != null && ctx?.event?.start != null && ctx?.event?.action == 'recording.stopped'"
+ source: >-
+ ZonedDateTime start = ZonedDateTime.parse(ctx.event.start);
+ ZonedDateTime end = ZonedDateTime.parse(ctx.event.end);
+ ctx.event.duration = ChronoUnit.NANOS.between(start, end);
+- date:
+ field: 
zoom.recording.recording_file.recording_start
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: "ctx?.zoom?.recording?.recording_file?.recording_start != null && ctx?.event?.action == 'recording.started'"
+ ignore_failure: true
+- append:
+ field: related.user
+ value: "{{zoom.recording.host_id}}"
+ if: "ctx?.zoom?.recording?.host_id != null"
+- append:
+ field: related.user
+ value: "{{zoom.recording.registrant.id}}"
+ if: "ctx?.zoom?.recording?.registrant?.id != null"
+- remove:
+ field: zoom.time_stamp
+ ignore_missing: true
+ if: ctx?.event?.action == 'recording.renamed'
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/user.yml b/x-pack/filebeat/module/zoom/webhook/ingest/user.yml
new file mode 100644
index 000000000000..02afc6d66362
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/user.yml
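Review bot: The duration `script` in recording.yml looks unreachable as written: it requires `event.start`, `event.end` and `event.action == 'recording.stopped'`, but the `set` that fills `event.start` only runs for `recording.started`, and no other visible pipeline sets `event.start` for recording events. If the stop event's `recording_file` carries both timestamps (not shown in this chunk, so worth confirming against the fixture), widen the first `set` to `if: "['recording.started', 'recording.stopped'].contains(ctx?.event?.action)"`; otherwise drop the script. Both `set` processors also render an empty string when the source field is absent, so adding `ignore_empty_value: true` keeps an empty `event.start`/`event.end` from reaching `ZonedDateTime.parse`.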
@@ -0,0 +1,61 @@
+description: Pipeline for parsing Zoom user webhooks
+processors:
+- append:
+ field: event.type
+ value: iam
+ if: "!['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: authentication
+ if: "['user.signed_in', 'user.signed_out'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: creation
+ if: ctx?.event?.action != 'user.created'
+- append:
+ field: event.type
+ value: deletion
+ if: ctx?.event?.action == 'user.deleted'
+- append:
+ field: event.type
+ value: change
+ if: "['user.updated', 'user.settings_updated', 'user.deactivated', 'user.activated', 'user.disassociated', 'user.presence_status_updated', 'user.personal_notes_updated'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: start
+ if: ctx?.event?.action == 'user.signed_in'
+- append:
+ field: event.type
+ value: end
+ if: ctx?.event?.action == 'user.signed_out'
+- rename:
+ field: zoom.object
+ target_field: zoom.user
+ ignore_missing: true
+- date:
+ field: zoom.time_stamp
+ target_field: '@timestamp'
+ formats:
+ - UNIX_MS
+ if: "['user.updated', 'user.settings_updated'].contains(ctx?.event?.action)"
+ ignore_failure: true
+- date:
+ field: zoom.user.date_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: "['user.signed_in', 'user.signed_out', 'user.personal_notes_updated', 'user.presence_status_updated'].contains(ctx?.event?.action)"
+ ignore_failure: true
+- append:
+ field: related.user
+ value: "{{zoom.user.id}}"
+ if: "ctx?.zoom?.user?.id != null"
+- remove:
+ field:
+ - zoom.time_stamp
+ - zoom.user.date_time
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml b/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml
new file mode 100644
index 000000000000..f136fab304e5
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/webinar.yml
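Review bot: The third `append` in user.yml has its condition inverted: `value: creation` is guarded by `if: ctx?.event?.action != 'user.created'`, so every user event except the creation one is typed `creation`, including `user.deleted` and the sign-in/sign-out events. Anything that keys on `event.type` for account lifecycle monitoring would miss real user creations and match unrelated events; it should read `if: ctx?.event?.action == 'user.created'`. Separately, the first two processors append `iam` and `authentication` to `event.type`, while the account fixture later in this diff carries `iam` under `event.category`; these two look like they belong in `field: event.category`.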
@@ -0,0 +1,82 @@
+description: Pipeline for parsing Zoom webinar webhooks
+processors:
+- append:
+ field: event.type
+ value: info
+ if: ctx?.event?.action != 'webinar.alert'
+- append:
+ field: event.type
+ value: error
+ if: ctx?.event?.action == 'webinar.alert'
+- append:
+ field: event.type
+ value: creation
+ if: "['webinar.created', 'webinar.registration_created'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: deletion
+ if: ctx?.event?.action == 'webinar.deleted'
+- append:
+ field: event.type
+ value: allowed
+ if: ctx?.event?.action == 'webinar.registration_approved'
+- append:
+ field: event.type
+ value: denied
+ if: ctx?.event?.action == 'webinar.registration_denied'
+- append:
+ field: event.type
+ value: change
+ if: "['webinar.updated', 'webinar.registration_approved', 'webinar.registration_denied', 'webinar.registration_cancelled'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: start
+ if: "['webinar.started', 'webinar.sharing_started'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: end
+ if: "['webinar.ended', 'webinar.sharing_ended'].contains(ctx?.event?.action)"
+- rename:
+ field: zoom.object
+ target_field: zoom.webinar
+ ignore_missing: true
+- date:
+ field: zoom.time_stamp
+ target_field: '@timestamp'
+ formats:
+ - UNIX_MS
+ if: ctx?.event?.action == 'webinar.updated'
+ ignore_failure: true
+- date:
+ field: zoom.webinar.start_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: ctx?.event?.action == 'webinar.started'
+ ignore_failure: true
+- date:
+ field: zoom.participant.join_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: ctx?.event?.action == 'webinar.participant_joined'
+ ignore_failure: true
+- date:
+ field: zoom.participant.leave_time
+ target_field: '@timestamp'
+ formats:
+ - ISO_INSTANT
+ if: ctx?.event?.action == 'webinar.participant_left'
+ ignore_failure: true
+- append:
+ field: related.user
+ value: 
"{{zoom.webinar.host_id}}"
+ if: "ctx?.zoom?.webinar?.host_id != null"
+- append:
+ field: related.user
+ value: "{{zoom.webinar.participant.user_id}}"
+ if: "ctx?.zoom?.webinar?.participant?.user_id != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml b/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml
new file mode 100644
index 000000000000..5c464b8ddd50
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/ingest/zoomroom.yml
@@ -0,0 +1,26 @@
+description: Pipeline for parsing Zoom zoom_room webhooks
+processors:
+- append:
+ field: event.type
+ value: info
+ if: "['zoomroom.checked_in', 'zoomroom.checked_out'].contains(ctx?.event?.action)"
+- append:
+ field: event.type
+ value: start
+ if: ctx?.event?.action == 'zoomroom.checked_in'
+- append:
+ field: event.type
+ value: end
+ if: ctx?.event?.action == 'zoomroom.checked_out'
+- rename:
+ field: zoom.object
+ target_field: zoom.zoomroom
+ ignore_missing: true
+- append:
+ field: related.user
+ value: "{{zoom.user.id}}"
+ if: "ctx?.zoom?.user?.id != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zoom/webhook/manifest.yml b/x-pack/filebeat/module/zoom/webhook/manifest.yml
new file mode 100644
index 000000000000..31f78e24e251
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/manifest.yml
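Review bot: The last `append` in webinar.yml reads `zoom.webinar.participant.user_id`, a path that cannot exist at this point: pipeline.yml renames `zoom.object.participant` to `zoom.participant` before this file renames `zoom.object` to `zoom.webinar`, and the `date` processors just above already read `zoom.participant.join_time`. As a result the participant id never reaches `related.user` for webinar join/leave events. It should be `value: "{{zoom.participant.user_id}}"` with `if: "ctx?.zoom?.participant?.user_id != null"`.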
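Review bot: The `related.user` append in zoomroom.yml reads `zoom.user.id`, but this pipeline renames `zoom.object` to `zoom.zoomroom` and none of the visible pipelines populate `zoom.user` for `zoomroom.*` events, so it looks copied from user.yml and probably never matches. If the check-in payload carries a user identifier, reference it under `zoom.zoomroom` (the exact key is not visible in this chunk); otherwise remove the processor so the pipeline does not suggest user attribution it cannot provide. A comment such as `# zoomroom events carry no user id` would record that decision.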
@@ -0,0 +1,43 @@
+module_version: 1.0
+
+var:
+ - name: listen_address
+ default: localhost
+ - name: listen_port
+ default: 80
+ - name: input
+ default: http_endpoint
+ - name: content_type
+ default: ""
+ - name: response_code
+ - name: response_body
+ - name: url
+ - name: prefix
+ default: zoom
+ - name: basic_auth
+ default: false
+ - name: username
+ default: ""
+ - name: password
+ default: ""
+ - name: secret
+ default:
+ header: Authorization
+ value: ""
+
+ - name: tags
+ default: [zoom-webhook, forwarded]
+
+ingest_pipeline:
+ - ingest/pipeline.yml
+ - ingest/account.yml
+ - ingest/chat_channel.yml
+ - ingest/chat_message.yml
+ - ingest/meeting.yml
+ - ingest/phone.yml
+ - ingest/recording.yml
+ - ingest/user.yml
+ - ingest/webinar.yml
+ - ingest/zoomroom.yml
+
+input: config/webhook.yml
diff --git a/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log
new file mode 100644
index 000000000000..b71f418e22ce
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log
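Review bot: The defaults in manifest.yml describe an unauthenticated plain-HTTP listener: `basic_auth` is `false`, `secret.value` is `""`, `listen_port` is 80, and no TLS variable is exposed. `listen_address: localhost` limits exposure out of the box, but a webhook receiver has to be reachable by the sender, so operators will rebind it, and from then on anyone who can reach the port can post forged events that the pipelines index as Zoom activity. config/webhook.yml is not part of this hunk, so whether an empty `secret.value` disables the header check cannot be confirmed here. I would add a comment above `secret`, e.g. `# Set value to the verification token configured for the Zoom app; left empty, requests are not authenticated (confirm in config/webhook.yml)`, and expose the input's `ssl` settings as a variable so the token is not sent in clear text.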
@@ -0,0 +1,3 @@ +{"event":"account.created","payload":{"account_id":"lq8KK_EoRCq6ByEyA73qCA","operator":"youramazingemailhere@somemail.com","operator_id":"uLohghhRgfgrbTayCX6r2Q_qQsQ","object":{"id":"aIxE1yiRR8WghhUIO6eu9L","owner_id":"e2ZHO5RSGqyfrmFnElxw","owner_email":"thesubaccountowneremail@somemail.com"}}} +{"event":"account.updated","payload":{"account_id":"abKKcd_IGRCq63yEy673lCA","operator":"theoperatoremail@someemail.com","operator_id":"iKoRgfbaTazDX6r2Q_eQsQL","object":{"id":"eFs_EGRCq6ByEyA73qCA","account_name":"Michael Harris","account_alias":"MH"},"old_object":{"id":"eFs_EGRCq6ByEyA73qCA","account_name":"Mike Harris","account_alias":""},"time_stamp":1562000584527}} +{"event":"account.disassociated","payload":{"account_id":"aBcd_dgfoeq6ByEyA73qCA","operator":"youremail@someemail.com","operator_id":"gdjfdhjLsuhfvhjd","object":{"id":"LdjkfxE1yiRR8Wdfggeu9LfBQ","owner_id":"eZbcHO5RSGqyKAUmFnElxw","owner_email":"theowneremail@someemail.com"}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json new file mode 100644 index 000000000000..34d5e7363e7e --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/account.ndjson.log-expected.json 
@@ -0,0 +1,112 @@ +[ + { + "event.action": "account.created", + "event.category": [ + "iam" + ], + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLohghhRgfgrbTayCX6r2Q_qQsQ", + "e2ZHO5RSGqyfrmFnElxw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account.owner_email": "thesubaccountowneremail@somemail.com", + "zoom.account.owner_id": "e2ZHO5RSGqyfrmFnElxw", + "zoom.master_account_id": "lq8KK_EoRCq6ByEyA73qCA", + "zoom.operator": "youramazingemailhere@somemail.com", + "zoom.operator_id": "uLohghhRgfgrbTayCX6r2Q_qQsQ", + "zoom.sub_account_id": "aIxE1yiRR8WghhUIO6eu9L" + }, + { + "event.action": "account.updated", + "event.category": [ + "iam" + ], + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 297, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "iKoRgfbaTazDX6r2Q_eQsQL" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account.account_alias": "MH", + "zoom.account.account_name": "Michael Harris", + "zoom.master_account_id": "abKKcd_IGRCq63yEy673lCA", + "zoom.old_values.account_alias": "", + "zoom.old_values.account_name": "Mike Harris", + "zoom.old_values.id": "eFs_EGRCq6ByEyA73qCA", + "zoom.operator": "theoperatoremail@someemail.com", + "zoom.operator_id": "iKoRgfbaTazDX6r2Q_eQsQL", + "zoom.sub_account_id": "eFs_EGRCq6ByEyA73qCA" + }, + { + "event.action": "account.disassociated", + "event.category": [ + "iam" + ], + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + 
"event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 670, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "gdjfdhjLsuhfvhjd", + "eZbcHO5RSGqyKAUmFnElxw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account.owner_email": "theowneremail@someemail.com", + "zoom.account.owner_id": "eZbcHO5RSGqyKAUmFnElxw", + "zoom.master_account_id": "aBcd_dgfoeq6ByEyA73qCA", + "zoom.operator": "youremail@someemail.com", + "zoom.operator_id": "gdjfdhjLsuhfvhjd", + "zoom.sub_account_id": "LdjkfxE1yiRR8Wdfggeu9LfBQ" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log new file mode 100644 index 000000000000..3da7af8f760b --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log 
@@ -0,0 +1,6 @@ +{"event":"chat_channel.created","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388,"members":[{"id":"z8dfgdfguQrdfgdf","display_name":"Maya Jung"},{"id":"sdfdsfdsKIrrCYw","display_name":"Matt Yank"}]}}} +{"event":"chat_channel.updated","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Building Happy","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:59:05Z","timestamp":1581371945584}}} +{"event":"chat_channel.deleted","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Building Happy","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:59:05Z","timestamp":1581371945584}}} +{"event":"chat_channel.member_invited","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388,"members":[{"id":"s0hhFOCYw","display_name":"Matt Y"}]}}} +{"event":"chat_channel.member_joined","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388}}} +{"event":"chat_channel.member_left","payload":{"account_id":"vbbvnvAdsfe","operator":"somememai@gmtsffjdfhail.com","operator_id":"z8dfgdfguQrdfgdf","object":{"name":"Delivering Happiness","id":"6dfgdfgdg444447b0egga","type":1,"date_time":"2020-02-10T21:39:50Z","timestamp":1581370790388}}} 
diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json new file mode 100644 index 000000000000..100d3fbeea94 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_channel.ndjson.log-expected.json @@ -0,0 +1,67 @@ +[ + { + "event.action": "chat_channel.created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8dfgdfguQrdfgdf", + "z8dfgdfguQrdfgdf", + "sdfdsfdsKIrrCYw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vbbvnvAdsfe", + "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", + "zoom.chat_channel.name": "Delivering Happiness", + "zoom.chat_channel.type": 1, + "zoom.operator": "somememai@gmtsffjdfhail.com", + "zoom.operator_id": "z8dfgdfguQrdfgdf" + }, + { + "event.action": "chat_channel.member_invited", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "user" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 963, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8dfgdfguQrdfgdf", + "s0hhFOCYw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vbbvnvAdsfe", + "zoom.chat_channel.id": "6dfgdfgdg444447b0egga", + "zoom.chat_channel.name": "Delivering Happiness", + "zoom.chat_channel.type": 1, + "zoom.operator": "somememai@gmtsffjdfhail.com", + "zoom.operator_id": "z8dfgdfguQrdfgdf" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log new file mode 100644 index 000000000000..45c38b08004a --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log @@ -0,0 +1,3 @@ +{"event":"chat_message.sent","payload":{"account_id":"EPsdvdsgfdgxHMA","operator":"someoperatoremail@somekindofmailservice123.com","operator_id":"zfdgdfgdfgfp8uQ","object":{"channel_name":"AlwaysBeCodingChannel","date_time":"2020-02-11T22:02:11Z","session_id":"fcffdgfgffghfghgfhghgb10","id":"EwwwwA-87F4-222222-8CD9-FA00000E6B9","type":"to_channel","message":"asd","channel_id":"fsdgdgdgdfgdfgdfgdfgb10","timestamp":1581458531930}}} +{"event":"chat_message.updated","payload":{"account_id":"EPsdvdsgfdgxHMA","operator":"someoperatoremail@somekindofmailservice123.com","operator_id":"zfdgdfgdfgfp8uQ","object":{"channel_name":"AlwaysBeCodingChannel","date_time":"2020-02-11T22:02:11Z","session_id":"fcffdgfgffghfghgfhghgb10","id":"Ell123-87F4-222222-8CD9-FA00000E6B9","type":"to_channel","message":"gfd","channel_id":"fsdgdgdgdfgdfgdfgdfgb10","timestamp":1581462008594}}} +{"event":"chat_message.updated","payload":{"account_id":"EPsdvdsgfdgxHMA","operator":"someoperatoremail@somekindofmailservice123.com","operator_id":"zfdgdfgdfgfp8uQ","object":{"channel_name":"AlwaysBeCodingChannel","date_time":"2020-02-11T22:02:11Z","session_id":"fcffdgfgffghfghgfhghgb10","id":"Ell123-87F4-222222-8CD9-FA00000E6B9","type":"to_channel","message":null,"channel_id":"fsdgdgdgdfgdfgdfgdfgb10","timestamp":1581462008594}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json new file mode 100644 index 000000000000..86cf03b64238 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/chat_message.ndjson.log-expected.json 
@@ -0,0 +1,107 @@ +[ + { + "event.action": "chat_message.sent", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zfdgdfgdfgfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsdvdsgfdgxHMA", + "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", + "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", + "zoom.chat_message.id": "EwwwwA-87F4-222222-8CD9-FA00000E6B9", + "zoom.chat_message.message": "asd", + "zoom.chat_message.session_id": "fcffdgfgffghfghgfhghgb10", + "zoom.chat_message.type": "to_channel", + "zoom.operator": "someoperatoremail@somekindofmailservice123.com", + "zoom.operator_id": "zfdgdfgdfgfp8uQ" + }, + { + "event.action": "chat_message.updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 434, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zfdgdfgdfgfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsdvdsgfdgxHMA", + "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", + "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", + "zoom.chat_message.id": "Ell123-87F4-222222-8CD9-FA00000E6B9", + "zoom.chat_message.message": "gfd", + "zoom.chat_message.session_id": "fcffdgfgffghfghgfhghgb10", + "zoom.chat_message.type": "to_channel", + "zoom.operator": "someoperatoremail@somekindofmailservice123.com", + "zoom.operator_id": "zfdgdfgdfgfp8uQ" + }, + { + "event.action": "chat_message.updated", + "event.dataset": 
"zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 871, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zfdgdfgdfgfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsdvdsgfdgxHMA", + "zoom.chat_message.channel_id": "fsdgdgdgdfgdfgdfgdfgb10", + "zoom.chat_message.channel_name": "AlwaysBeCodingChannel", + "zoom.chat_message.id": "Ell123-87F4-222222-8CD9-FA00000E6B9", + "zoom.chat_message.message": null, + "zoom.chat_message.session_id": "fcffdgfgffghfghgfhghgb10", + "zoom.chat_message.type": "to_channel", + "zoom.operator": "someoperatoremail@somekindofmailservice123.com", + "zoom.operator_id": "zfdgdfgdfgfp8uQ" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log new file mode 100644 index 000000000000..5215e8579721 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log 
@@ -0,0 +1,15 @@ +{"event":"meeting.alert","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","issues":"Unstable audio quality"}},"account_id":"EPeQtiABC000VYxHMA"} +{"event":"meeting.created","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.updated","payload":{"account_id":"AAAAAAAAAAA","operator":"someemail@email.com","operator_id":"BBBBBBBBBB","object":{"id":155184668,"type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"join_url":"https://zoom.us/j/00000000","settings":{"participant_video":false,"join_before_host":false,"use_pmi":true}},"old_object":{"id":155184668,"type":8,"join_url":"https://zoom.us/j/00000000","occurrences":[{"occurrence_id":"1562875200000","start_time":"2019-07-11T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1563480000000","start_time":"2019-07-18T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564084800000","start_time":"2019-07-25T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564689600000","start_time":"2019-08-01T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565294400000","start_time":"2019-08-08T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565899200000","start_time":"2019-08-15T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1566504000000","start_time":"2019-08-22T20:00:00Z","duration":120,"status":"available"}],"settings":{"participant_video":true,"join_before_host":true,"use_pmi":false},"recurrence":{"type":2,"repeat_interval":1,"weekly_days":"5","
end_date_time":"2019-08-23T06:59:00Z"}},"time_stamp":1562791953209}} +{"event":"meeting.deleted","payload":{"account_id":"AAAAAAAAAA","operator":"someemail@email.com","operator_id":"BBBBBBBBBB","object":{"uuid":"KJpz1gbpTC8ke68xXmQa0==","id":809321987,"host_id":"BBBBBBBBBB","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.started","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.ended","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":10,"timezone":"America/Los_Angeles"}}} +{"event":"meeting.registration_created","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com","address":"","city":"","country":"","zip":"","state":"","phone":"","industry":"","org":"","job_title":"","purchasing_time_frame":"","role_in_purchase_process":"","no_of_employees":"","comments":"","custom_questions":[],"status":"approved","join_url":"https://zoom.us/w/someendpointhere"}}}} +{"event":"meeting.registration_approved","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"somemail@email.com","operator_id":"Lobbbbbbbbbb_qQsQ","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test 
meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":60,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"meeting.registration_cancelled","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"coolemail@email.com","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"meeting.sharing_started","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}} +{"event":"meeting.sharing_ended","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}} 
+{"event":"meeting.participant_jbh_waiting","payload":{"account_id":"EPeQti9EQsiyO30GVYxHMA","object":{"duration":60,"timezone":"America/Los_Angeles","topic":"Mytestmeeting","id":"5590000000","type":2,"uuid":"WnxYNY9mQu6aSa/kYLu1lA==","host_id":"z8yCxjjyTAAAA2QgCfp8uQ","participant":{"user_name":"Shrijana Shrijana"}}}} +{"event":"meeting.participant_jbh_joined","payload":{"account_id":"APeeQti9ErttQsiyO30GVYxHMA","object":{"duration":60,"timezone":"America/Los_Angeles","topic":"Mytestmeeting","id":"5594913504","type":2,"uuid":"WnxYNryyY9mQu6aSa/kYLu1lA==","host_id":"zf8yCxjjyTSdteriw02QgCfp8uQ","participant":{"user_name":"Tom Harry"}}}} +{"event":"meeting.participant_joined","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"167782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","join_time":"2019-07-16T17:13:13Z"}}}} +{"event":"meeting.participant_left","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"167782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","leave_time":"2019-07-16T17:13:13Z"}}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json new file mode 100644 index 000000000000..858f739d55a4 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/meeting.ndjson.log-expected.json 
@@ -0,0 +1,586 @@ +[ + { + "event.action": "meeting.alert", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.meeting.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.meeting.id": "6962400003", + "zoom.meeting.issues": "Unstable audio quality", + "zoom.meeting.start_time": "2019-07-16T17:14:39Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "meeting.created", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 317, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": 111111111, + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ" + }, + { + "event.action": "meeting.updated", + "event.dataset": "zoom.webhook", + "event.duration": 7200000000000, + "event.kind": [ + "event" + ], + 
"event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 674, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "BBBBBBBBBB" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/j/00000000", + "zoom.account_id": "AAAAAAAAAAA", + "zoom.meeting.id": 155184668, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.type": 2, + "zoom.old_values.id": 155184668, + "zoom.old_values.join_url": "https://zoom.us/j/00000000", + "zoom.old_values.settings.join_before_host": true, + "zoom.old_values.settings.participant_video": true, + "zoom.old_values.settings.use_pmi": false, + "zoom.old_values.type": 8, + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "BBBBBBBBBB", + "zoom.settings.join_before_host": false, + "zoom.settings.participant_video": false, + "zoom.settings.use_pmi": true + }, + { + "event.action": "meeting.deleted", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2049, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "BBBBBBBBBB", + "BBBBBBBBBB" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAAAAAA", + "zoom.meeting.host_id": "BBBBBBBBBB", + "zoom.meeting.id": 809321987, + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "KJpz1gbpTC8ke68xXmQa0==", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "BBBBBBBBBB" + }, + { + "event.action": "meeting.started", + "event.dataset": 
"zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2370, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "meeting.ended", + "event.dataset": "zoom.webhook", + "event.duration": 600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2657, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "meeting.registration_created", + "event.dataset": "zoom.webhook", + "event.duration": 7200000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2942, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + 
"related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/w/someendpointhere", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.meeting.id": 150000008, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "A test meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.address": "", + "zoom.registrant.city": "", + "zoom.registrant.comments": "", + "zoom.registrant.country": "", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.industry": "", + "zoom.registrant.job_title": "", + "zoom.registrant.last_name": "Person", + "zoom.registrant.no_of_employees": "", + "zoom.registrant.org": "", + "zoom.registrant.phone": "", + "zoom.registrant.purchasing_time_frame": "", + "zoom.registrant.role_in_purchase_process": "", + "zoom.registrant.state": "", + "zoom.registrant.status": "approved", + "zoom.registrant.zip": "" + }, + { + "event.action": "meeting.registration_approved", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3634, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "Lobbbbbbbbbb_qQsQ", + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.meeting.id": 150000008, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "A test meeting", + 
"zoom.meeting.type": 2, + "zoom.meeting.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.operator": "somemail@email.com", + "zoom.operator_id": "Lobbbbbbbbbb_qQsQ", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "meeting.registration_cancelled", + "event.dataset": "zoom.webhook", + "event.duration": 7200000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 4105, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.meeting.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.meeting.id": 150000008, + "zoom.meeting.start_time": "2019-07-11T20:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "A test meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.operator": "coolemail@email.com", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "meeting.sharing_started", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 4545, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.meeting.host_id": 
"z8yCxTTTTSiw02QgCAp8uQ", + "zoom.meeting.id": "6962400003", + "zoom.meeting.start_time": "2019-07-16T17:14:39Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "4118UHIiRCAAAtBlDkcVyw==", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": "16778000", + "zoom.participant.user_name": "Arya Arya" + }, + { + "event.action": "meeting.sharing_ended", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5067, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.meeting.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.meeting.id": "6962400003", + "zoom.meeting.start_time": "2019-07-16T17:14:39Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "4118UHIiRCAAAtBlDkcVyw==", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.date_time": "2019-07-16T17:19:11Z", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": "16778000", + "zoom.participant.user_name": "Arya Arya" + }, + { + "event.action": 
"meeting.participant_jbh_waiting", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5587, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjjyTAAAA2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQti9EQsiyO30GVYxHMA", + "zoom.meeting.host_id": "z8yCxjjyTAAAA2QgCfp8uQ", + "zoom.meeting.id": "5590000000", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "Mytestmeeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "WnxYNY9mQu6aSa/kYLu1lA==", + "zoom.participant.user_name": "Shrijana Shrijana" + }, + { + "event.action": "meeting.participant_jbh_joined", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5907, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zf8yCxjjyTSdteriw02QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "APeeQti9ErttQsiyO30GVYxHMA", + "zoom.meeting.host_id": "zf8yCxjjyTSdteriw02QgCfp8uQ", + "zoom.meeting.id": "5594913504", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "Mytestmeeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "WnxYNryyY9mQu6aSa/kYLu1lA==", + "zoom.participant.user_name": "Tom Harry" + }, + { + "event.action": "meeting.participant_joined", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + 
"input.type": "log", + "log.offset": 6230, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.user_id": "167782040", + "zoom.participant.user_name": "shree" + }, + { + "event.action": "meeting.participant_left", + "event.dataset": "zoom.webhook", + "event.duration": 3600000000000, + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 6650, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.meeting.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.meeting.id": "111111111", + "zoom.meeting.start_time": "2019-07-09T17:00:00Z", + "zoom.meeting.timezone": "America/Los_Angeles", + "zoom.meeting.topic": "My Meeting", + "zoom.meeting.type": 2, + "zoom.meeting.uuid": "czLF6FFFoQOKgAB99DlDb9g==", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.user_id": "167782040", + "zoom.participant.user_name": "shree" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log new file mode 100644 index 000000000000..30931c4b742a --- /dev/null 
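Review bot: The expected output pins duplicate entries in `related.user`: the `meeting.created` record lists `uLoRgfbbTayCX6r2Q_qQsQ` twice and `meeting.deleted` lists `BBBBBBBBBB` twice, which looks like the operator ID and the host ID being appended without de-duplication (the pipeline is not in this hunk, so that is inferred). Duplicates skew any count or aggregation built on the field; setting `allow_duplicates: false` on the append processors that feed `related.user` and regenerating this file would remove them. The array also carries only opaque Zoom IDs: `zoom.operator`, `zoom.registrant.email` and `zoom.participant.user_name` are never added, so these events cannot be reached by pivoting on an e-mail address or user name seen in other data sources. A short comment in the pipeline stating which identifiers are meant to land in `related.user` would show whether that omission is deliberate.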
+++ b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log 
@@ -0,0 +1,11 @@
+{"event":"phone.caller_ringing","payload":{"account_id":"EPeQ33fdf34YxHMA","object":{"call_id":"ddd5540","caller":{"extension_number":10803,"phone_number":"10803","user_id":"cadsd32wA","timezone":"America/Los_Angeles","device_type":"Android_Phone(5.1.2)"},"callee":{"extension_number":10800,"phone_number":"10800"},"ringing_start_time":"2020-07-22T01:41:55Z"}}}
+{"event":"phone.caller_connected","payload":{"account_id":"EPeQdfg34VYxHMA","object":{"call_id":"684445540","caller":{"extension_number":10803,"phone_number":"10803","user_id":"cajhdsf3wA","timezone":"America/Los_Angeles","device_type":"Android_Phone"},"callee":{"extension_number":10800,"phone_number":"10800"},"ringing_start_time":"2020-07-22T01:41:55Z","connected_start_time":"2020-07-22T01:42:04Z"}}}
+{"event":"phone.caller_ringing","payload":{"account_id":"cbvxnYyO30GVYxHMA","object":{"call_id":"68sdsasdda7","caller":{"extension_number":10800,"phone_number":"+1200000001","user_id":"z8yCxjgjsuyd58uQ","timezone":"America/Los_Angeles","device_type":"MAC_Client(5.1.2856436)"},"callee":{"phone_number":"16654444444444446"},"ringing_start_time":"2020-07-22T01:38:40Z"}}}
+{"event":"phone.callee_answered","payload":{"account_id":"EPsjdhgffgHMA","object":{"call_id":"685dfvhzsza5540","caller":{"extension_number":10803,"phone_number":"10803"},"callee":{"extension_number":10800,"phone_number":"10800","user_id":"z8yCDSSQWSSWuQ","timezone":"America/Los_Angeles","device_type":"MAC_Client"},"ringing_start_time":"2020-07-22T01:41:56Z","answer_start_time":"2020-07-22T01:42:04Z"}}}
+{"event":"phone.callee_missed","payload":{"object":{"caller":{"phone_number":"+1000000"},"callee":{"user_id":"z66jfgjdg2QgCfp8uQ","extension_number":"10800","timezone":"America/Los_Angeles"},"call_id":"6dfdg07-22T21:09:17Z","call_end_time":"2020-07-22T21:09:24Z"},"account_id":"EPeQjuh6768MA"}}
+{"event":"phone.callee_ended","payload":{"object":{"caller":{"phone_number":"+1000000"},"callee":{"user_id":"z66jfgjdg2QgCfp8uQ","extension_number":"10800","timezone":"America/Los_Angeles"},"call_id":"6dfdg07-22T21:09:17Z","answer_start_time":"2020-07-22T21:09:20Z","call_end_time":"2020-07-22T21:09:24Z"},"account_id":"EPeQjuh6768MA"}}
+{"event":"phone.caller_ended","payload":{"object":{"caller":{"phone_number":"+1000000"},"callee":{"user_id":"z66jfgjdg2QgCfp8uQ","extension_number":"10800","timezone":"America/Los_Angeles"},"call_id":"6dfdg07-22T21:09:17Z","answer_start_time":"2020-07-22T21:09:20Z","call_end_time":"2020-07-22T21:09:24Z"},"account_id":"EPeQjuh6768MA"}}
+{"event":"phone.callee_rejected","payload":{"object":{"caller":{"phone_number":"+12044444444"},"callee":{"user_id":"sfcg43FOCYw","extension_number":"9001","timezone":"America/Los_Angeles"},"call_id":"6dfhggtrh93","ringing_start_time":"2020-07-22T21:06:33Z","call_end_time":"2020-07-22T21:06:39Z"},"account_id":"MKDRWo34535wow"}}
+{"event":"phone.voicemail_received","payload":{"account_id":"test","object":{"id":"235435","date_time":"2020-07-22T21:06:39Z","download_url":"https://testurl.com/file.mp4","duration":"1235","caller_number":"+12044444444","caller_number_type":"3","caller_name":"Testaccount","callee_user_id":"543234","callee_number":"+12044444444","callee_number_type":"2","callee_name":"Testaccount2","callee_extension_type":"2","callee_id":"1234"}}}
+{"event":"phone.caller_call_log_completed","payload":{"account_id":"EPebnxvbdn342MA","object":{"call_logs":[{"id":"02dfdfsd9e33","caller_number":"10803","caller_number_type":1,"caller_name":"Shree","callee_number":"10800","callee_number_type":1,"callee_name":"Maya","direction":"outbound","duration":44,"result":"Call connected","date_time":"2020-07-22T01:41:55Z"}],"user_id":"caddsfsdfv_VaHE53wA"}}}
+{"event":"phone.callee_call_log_completed","payload":{"account_id":"EPeQt3543hvxzc","object":{"call_logs":[{"id":"1585adsfsdfec39404b","caller_number":"10803","caller_number_type":1,"caller_name":"Shrye","callee_number":"10800","callee_number_type":1,"callee_name":"Ryhee","direction":"inbound","duration":44,"result":"Call connected","date_time":"2020-07-22T01:41:56Z"}],"user_id":"z8sdfsdfds3uQ"}}}
diff --git a/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json
new file mode 100644
index 000000000000..c5ef97dac473
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/test/phone.ndjson.log-expected.json
@@ -0,0 +1,376 @@ +[ + { + "event.action": "phone.caller_ringing", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "cadsd32wA" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQ33fdf34YxHMA", + "zoom.phone.call_id": "ddd5540", + "zoom.phone.callee.extension_number": 10800, + "zoom.phone.callee.phone_number": "10800", + "zoom.phone.caller.device_type": "Android_Phone(5.1.2)", + "zoom.phone.caller.extension_number": 10803, + "zoom.phone.caller.phone_number": "10803", + "zoom.phone.caller.timezone": "America/Los_Angeles", + "zoom.phone.caller.user_id": "cadsd32wA", + "zoom.phone.ringing_start_time": "2020-07-22T01:41:55Z" + }, + { + "event.action": "phone.caller_connected", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 362, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "cajhdsf3wA" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQdfg34VYxHMA", + "zoom.phone.call_id": "684445540", + "zoom.phone.callee.extension_number": 10800, + "zoom.phone.callee.phone_number": "10800", + "zoom.phone.caller.device_type": "Android_Phone", + "zoom.phone.caller.extension_number": 10803, + "zoom.phone.caller.phone_number": "10803", + "zoom.phone.caller.timezone": "America/Los_Angeles", + "zoom.phone.caller.user_id": "cajhdsf3wA", + "zoom.phone.connected_start_time": "2020-07-22T01:42:04Z", + "zoom.phone.ringing_start_time": "2020-07-22T01:41:55Z" + }, + { + "event.action": 
"phone.caller_ringing", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 767, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjgjsuyd58uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "cbvxnYyO30GVYxHMA", + "zoom.phone.call_id": "68sdsasdda7", + "zoom.phone.callee.phone_number": "16654444444444446", + "zoom.phone.caller.device_type": "MAC_Client(5.1.2856436)", + "zoom.phone.caller.extension_number": 10800, + "zoom.phone.caller.phone_number": "+1200000001", + "zoom.phone.caller.timezone": "America/Los_Angeles", + "zoom.phone.caller.user_id": "z8yCxjgjsuyd58uQ", + "zoom.phone.ringing_start_time": "2020-07-22T01:38:40Z" + }, + { + "event.action": "phone.callee_answered", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1137, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCDSSQWSSWuQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPsjdhgffgHMA", + "zoom.phone.answer_start_time": "2020-07-22T01:42:04Z", + "zoom.phone.call_id": "685dfvhzsza5540", + "zoom.phone.callee.device_type": "MAC_Client", + "zoom.phone.callee.extension_number": 10800, + "zoom.phone.callee.phone_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z8yCDSSQWSSWuQ", + "zoom.phone.caller.extension_number": 10803, + "zoom.phone.caller.phone_number": "10803", + "zoom.phone.ringing_start_time": "2020-07-22T01:41:56Z" + }, + { + "event.action": "phone.callee_missed", + "event.dataset": 
"zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1543, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z66jfgjdg2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQjuh6768MA", + "zoom.phone.call_end_time": "2020-07-22T21:09:24Z", + "zoom.phone.call_id": "6dfdg07-22T21:09:17Z", + "zoom.phone.callee.extension_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z66jfgjdg2QgCfp8uQ", + "zoom.phone.caller.phone_number": "+1000000" + }, + { + "event.action": "phone.callee_ended", + "event.dataset": "zoom.webhook", + "event.duration": 4000000000, + "event.end": "2020-07-22T21:09:24Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.start": "2020-07-22T21:09:20Z", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1838, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z66jfgjdg2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQjuh6768MA", + "zoom.phone.answer_start_time": "2020-07-22T21:09:20Z", + "zoom.phone.call_end_time": "2020-07-22T21:09:24Z", + "zoom.phone.call_id": "6dfdg07-22T21:09:17Z", + "zoom.phone.callee.extension_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z66jfgjdg2QgCfp8uQ", + "zoom.phone.caller.phone_number": "+1000000" + }, + { + "event.action": "phone.caller_ended", + "event.dataset": "zoom.webhook", + "event.duration": 4000000000, + "event.end": "2020-07-22T21:09:24Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.start": "2020-07-22T21:09:20Z", + 
"event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2175, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z66jfgjdg2QgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQjuh6768MA", + "zoom.phone.answer_start_time": "2020-07-22T21:09:20Z", + "zoom.phone.call_end_time": "2020-07-22T21:09:24Z", + "zoom.phone.call_id": "6dfdg07-22T21:09:17Z", + "zoom.phone.callee.extension_number": "10800", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "z66jfgjdg2QgCfp8uQ", + "zoom.phone.caller.phone_number": "+1000000" + }, + { + "event.action": "phone.callee_rejected", + "event.dataset": "zoom.webhook", + "event.duration": 6000000000, + "event.end": "2020-07-22T21:06:39Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.start": "2020-07-22T21:06:33Z", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2512, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "sfcg43FOCYw" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "MKDRWo34535wow", + "zoom.phone.call_end_time": "2020-07-22T21:06:39Z", + "zoom.phone.call_id": "6dfhggtrh93", + "zoom.phone.callee.extension_number": "9001", + "zoom.phone.callee.timezone": "America/Los_Angeles", + "zoom.phone.callee.user_id": "sfcg43FOCYw", + "zoom.phone.caller.phone_number": "+12044444444", + "zoom.phone.ringing_start_time": "2020-07-22T21:06:33Z" + }, + { + "event.action": "phone.voicemail_received", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2841, + "observer.product": 
"Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "543234" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://testurl.com/file.mp4", + "zoom.account_id": "test", + "zoom.phone.callee.extension_type": "2", + "zoom.phone.callee.id": "1234", + "zoom.phone.callee.name": "Testaccount2", + "zoom.phone.callee.number_type": "2", + "zoom.phone.callee.phone_number": "+12044444444", + "zoom.phone.callee.user_id": "543234", + "zoom.phone.caller.name": "Testaccount", + "zoom.phone.caller.number_type": "3", + "zoom.phone.caller.phone_number": "+12044444444", + "zoom.phone.duration": "1235", + "zoom.phone.id": "235435" + }, + { + "event.action": "phone.caller_call_log_completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3276, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPebnxvbdn342MA", + "zoom.phone.user_id": "caddsfsdfv_VaHE53wA" + }, + { + "event.action": "phone.callee_call_log_completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3677, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQt3543hvxzc", + "zoom.phone.user_id": "z8sdfsdfds3uQ" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log new file mode 100644 index 000000000000..1b270331d00d --- /dev/null 
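Review bot: The two `*_call_log_completed` records at the end of this file keep only `zoom.account_id` and `zoom.phone.user_id`; everything under `call_logs` in the fixture input (caller and callee numbers, direction, duration, result, time) is absent from the expected output, and `related.user` is missing although every other phone event here that has a user ID populates it. For call-log events those dropped values are the audit content, so this file pins a loss of data; presumably the pipeline removes or never maps `call_logs`, which is outside this hunk. I would keep the entries under a documented field (for example `zoom.phone.call_logs`, name to be agreed) and append `zoom.phone.user_id` to `related.user`, so the first of the two records gains `"related.user": ["caddsfsdfv_VaHE53wA"]`. If dropping the array is intentional, a one-line comment in the pipeline saying why would help.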
+++ b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log 
@@ -0,0 +1,13 @@ +{"event":"recording.started","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:41:02Z","recording_end":""}}}} +{"event":"recording.paused","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:41:02Z","recording_end":""}}}} +{"event":"recording.resumed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:45:02Z","recording_end":""}}}} +{"event":"recording.stopped","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":8,"timezone":"America/Los_Angeles","recording_file":{"recording_start":"2019-07-31T22:41:02Z","recording_end":"2019-07-31T22:43:29Z"}}}} +{"event":"recording.completed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test 
meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","host_email":"somemeail@someemailservice.fjdjf","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_transcript"}]}}} +{"event":"recording.renamed","payload":{"account_id":"EPhgfhfghfYxHMA","operator":"shrifdfdh@kjdmail.com","operator_id":"zdhghgCfp8uQ","object":{"uuid":"9xxxkifpPUz+Ow==","id":7000000,"topic":"Edited 
Recording Title","type":1},"old_object":{"uuid":"9xxxkifpPUz+Ow==","id":7000000,"topic":"My Fancy Recording Title","type":1},"time_stamp":1575500457395}} +{"event":"recording.trashed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0
AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_transcript"}]}}} +{"event":"recording.deleted","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_trans
cript"}]}}} +{"event":"recording.recovered","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"8f88599d-19ca-4d2b-a965-1196e777cb3c","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"MP4","file_size":282825,"play_url":"https://zoom.us/recording/play/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","download_url":"https://zoom.us/recording/download/80ebRwsfjskf2H3vlSigX0gNlBBBBBBBBBBBBBB","status":"completed","recording_type":"shared_screen_with_speaker_view"},{"id":"a6b332f9-2246-49e5-913e-588adc7f0f5f","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"M4A","file_size":246560,"play_url":"https://zoom.us/recording/play/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","download_url":"https://zoom.us/recording/download/Oaevut8LSACCCCCCCCnnnnnnnnbbbb","status":"completed","recording_type":"audio_only"},{"meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TIMELINE","download_url":"https://zoom.us/recording/download/2dBBBBBccccDDDDeeee"},{"id":"97a4f7ca-e7e8-4e3b-b28a-27b42cd33c09","meeting_id":"bpKUheqtRLifLBcIYVJLZw==","recording_start":"2019-07-23T22:14:57Z","recording_end":"2019-07-23T22:15:41Z","file_type":"TRANSCRIPT","file_size":373,"play_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","download_url":"https://zoom.us/recording/play/7h0BBBBBBBchfhfhffh_0AAAAbbbbbeeSFcf209m","status":"completed","recording_type":"audio_transcript"}]}}} 
+{"event":"recording.transcript_completed","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":1,"timezone":"America/Los_Angeles","total_size":529758,"recording_count":4,"share_url":"https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh","recording_files":[{"id":"296cdfgdfg-768a838","meeting_id":"Buyiz+Ow==","recording_start":"2019-11-23T01:56:08Z","recording_end":"2019-11-23T01:57:44Z","file_type":"TRANSCRIPT","file_size":142,"play_url":"https://zoom.us/recording/play/ytutuytuyu","download_url":"https://zoom.us/recording/download/ytutuytuyu","status":"completed","recording_type":"audio_transcript"}]}}} +{"event":"recording.registration_created","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"recording.registration_approved","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} +{"event":"recording.registration_denied","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}} 
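Review bot: The first three records of this fixture (`recording.started`, `recording.paused`, `recording.resumed`) have no counterpart in `recording.ndjson.log-expected.json` from the same commit, whose first entry is `recording.stopped` at `log.offset` 1076. All three carry `"recording_end":""`, so the pipeline presumably errors or drops on the empty timestamp; the pipeline is not visible here, so this is inferred. As it stands the golden file pins ten of thirteen events, and recording start/pause/resume activity would be missing from the index for anyone building audit or detection queries on `event.action`. I would guard the date handling for `zoom.recording.recording_file.recording_end` on a non-empty value and regenerate the expected file so that all thirteen events appear.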
diff --git a/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json new file mode 100644 index 000000000000..f7a97693de5e --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/recording.ndjson.log-expected.json 
@@ -0,0 +1,385 @@ +[ + { + "event.action": "recording.stopped", + "event.dataset": "zoom.webhook", + "event.end": "2019-07-31T22:43:29Z", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1076, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 8, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_file.recording_end": "2019-07-31T22:43:29Z", + "zoom.recording.recording_file.recording_start": "2019-07-31T22:41:02Z", + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1455, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_email": "somemeail@someemailservice.fjdjf", + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + 
"zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.renamed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3433, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "zdhghgCfp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPhgfhfghfYxHMA", + "zoom.old_values.id": 7000000, + "zoom.old_values.topic": "My Fancy Recording Title", + "zoom.old_values.type": 1, + "zoom.old_values.uuid": "9xxxkifpPUz+Ow==", + "zoom.operator": "shrifdfdh@kjdmail.com", + "zoom.operator_id": "zdhghgCfp8uQ", + "zoom.recording.id": 7000000, + "zoom.recording.topic": "Edited Recording Title", + "zoom.recording.type": 1, + "zoom.recording.uuid": "9xxxkifpPUz+Ow==" + }, + { + "event.action": "recording.trashed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3787, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 
529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.deleted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5715, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.recovered", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 7643, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", 
+ "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.transcript_completed", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 9573, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "url.full": "https://zoom.us/recording/share/aaaaaannnnnldglrkgmrmhh", + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 1, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.recording_count": 4, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.total_size": 529758, + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "recording.registration_created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 10346, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 120, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": 
"dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "recording.registration_approved", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 10753, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 120, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": "America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + }, + { + "event.action": "recording.registration_denied", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 11161, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.recording.duration": 120, + "zoom.recording.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.recording.id": 150000008, + "zoom.recording.start_time": "2019-07-11T20:00:00Z", + "zoom.recording.timezone": 
"America/Los_Angeles", + "zoom.recording.topic": "A test meeting", + "zoom.recording.type": 2, + "zoom.recording.uuid": "dj12vck6sdTn6yy7qdy3dQg==", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log new file mode 100644 index 000000000000..26aaee344d40 --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log 
@@ -0,0 +1,13 @@ +{"event":"user.created","payload":{"account_id":"AAAAAA","operator":"anawesomeuser@email.com","creation_type":"create","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":"3"}}} +{"event":"user.invitation_accepted","payload":{"account_id":"EPjyjVYxHMA","object":{"id":"sbyjt3ODg","first_name":"Maria","last_name":"CoolPerson","email":"maria@maria.developer.dfgfdgf","type":1}}} +{"event":"user.updated","payload":{"account_id":"lAA_EBBBBBBB","operator":"shrija2016+dev_ma@gmail.com","operator_id":"uLobbbbbbbb_qQsQ","object":{"id":"uLobbbbbbbb_qQsQ","company":"Zoom"},"old_object":{"id":"uLobbbbbbbb_qQsQ","company":"NotZoom"},"time_stamp":1563559854861}} +{"event":"user.settings_updated","payload":{"account_id":"CAl6ByEyAq8KK_CCCCCC","operator":"iamtheoperator@gmail.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"id":"uL34AAbbbbAAAAAAQsQ","settings":{"in_meeting":{"private_chat":false}}},"old_object":{"id":"uL34AAbbbbAAAAAAQsQ","settings":{"in_meeting":{"private_chat":true}}},"time_stamp":1563572826929}} +{"event":"user.settings_updated","payload":{"account_id":"EPbbbbb@@@@@2sfdfdA","operator":"somememail@randommailer28.com","operator_id":"fdhjfdhsj536274gfd","object":{"id":"fdhjfdhsj536274gfd","settings":{"meeting_authentication":false}},"old_object":{"id":"fdhjfdhsj536274gfd","settings":{"meeting_authentication":true}},"time_stamp":1593451939427}} +{"event":"user.deactivated","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":1}}} +{"event":"user.activated","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":3}}} 
+{"event":"user.disassociated","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":3}}} +{"event":"user.deleted","payload":{"account_id":"AAAAAABBBB","operator":"anawesomeuser@email.com","operator_id":"z8yCxjabcdEFGHfp8uQ","object":{"id":"abcD3ojfdbjfg","first_name":"Henry","last_name":"Phan","email":"henrysemail@email.com","type":"3"}}} +{"event":"user.presence_status_updated","payload":{"account_id":"EPjfyjxHMA","object":{"date_time":"2019-11-26T20:13:57Z","email":"sfdhfghfgh@dkjdfd.com","id":"z8ycx1223fq","presence_status":"Available"}}} +{"event":"user.personal_notes_updated","payload":{"account_id":"EPfhhdrYxHMA","object":{"date_time":"2019-11-26T21:29:08Z","email":"sdfsgdfg@fjghg.ghm","id":"z8aggp8uq","personal_notes":"Out of Office until February 31"},"old_object":{"personal_notes":"this is the old note"}}} +{"event":"user.signed_in","payload":{"account_id":"dsjfosdfpdosgifdjg","object":{"id":"djkglfdgkjdflghfdpe","client_type":"android","date_time":"2019-09-10T14:36:10Z","version":"4.5.3308.0902","email":"awesomeuser@awesomemeail.ghkgf"}}} +{"event":"user.signed_out","payload":{"account_id":"dsjfosdfpdosgifdjg","object":{"id":"djkglfdgkjdflghfdpe","client_type":"android","date_time":"2019-09-10T14:36:10Z","version":"4.5.3308.0902","email":"awesomeuser@awesomemeail.ghkgf"}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json new file mode 100644 index 000000000000..3ca08b077f0d --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/user.ndjson.log-expected.json 
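Review bot: The `type` field of `payload.object` is a string in the `user.created` and `user.deleted` records (`"type":"3"`) and a number in the others (`"type":1`, `"type":3`). The visible part of `user.ndjson.log-expected.json` shows the value passed through unchanged (`"zoom.user.type": "3"` next to `"zoom.user.type": 1`). Unless the mapping coerces it, which is not visible here, queries and detection rules that filter on `zoom.user.type` have to cover both forms. If the mix is deliberate, the pipeline should normalise it with a `convert` processor on `zoom.user.type`; otherwise make the fixture consistent, e.g. `"type":3`. Separately, the operator addresses on a real mail domain (`…@gmail.com`) would be safer on a reserved one such as `example.com`.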
@@ -0,0 +1,443 @@ +[ + { + "event.action": "user.created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAA", + "zoom.creation_type": "create", + "zoom.operator": "anawesomeuser@email.com", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": "3" + }, + { + "event.action": "user.invitation_accepted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 236, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "sbyjt3ODg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPjyjVYxHMA", + "zoom.user.email": "maria@maria.developer.dfgfdgf", + "zoom.user.first_name": "Maria", + "zoom.user.id": "sbyjt3ODg", + "zoom.user.last_name": "CoolPerson", + "zoom.user.type": 1 + }, + { + "event.action": "user.updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 435, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbb_qQsQ", + "uLobbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAA_EBBBBBBB", + 
"zoom.old_values.company": "NotZoom", + "zoom.old_values.id": "uLobbbbbbbb_qQsQ", + "zoom.operator": "shrija2016+dev_ma@gmail.com", + "zoom.operator_id": "uLobbbbbbbb_qQsQ", + "zoom.user.company": "Zoom", + "zoom.user.id": "uLobbbbbbbb_qQsQ" + }, + { + "event.action": "user.settings_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 712, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uL34AAbbbbAAAAAAQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "CAl6ByEyAq8KK_CCCCCC", + "zoom.old_values.id": "uL34AAbbbbAAAAAAQsQ", + "zoom.old_values.settings.in_meeting.private_chat": true, + "zoom.operator": "iamtheoperator@gmail.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.settings.in_meeting.private_chat": false, + "zoom.user.id": "uL34AAbbbbAAAAAAQsQ" + }, + { + "event.action": "user.settings_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1075, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "fdhjfdhsj536274gfd", + "fdhjfdhsj536274gfd" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPbbbbb@@@@@2sfdfdA", + "zoom.old_values.id": "fdhjfdhsj536274gfd", + "zoom.old_values.settings.meeting_authentication": true, + "zoom.operator": "somememail@randommailer28.com", + "zoom.operator_id": "fdhjfdhsj536274gfd", + "zoom.settings.meeting_authentication": false, + "zoom.user.id": "fdhjfdhsj536274gfd" + }, + { + "event.action": "user.deactivated", + 
"event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1426, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": 1 + }, + { + "event.action": "user.activated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1679, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": 3 + }, + { + "event.action": "user.disassociated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1930, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + 
"service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": 3 + }, + { + "event.action": "user.deleted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2185, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxjabcdEFGHfp8uQ", + "abcD3ojfdbjfg" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAABBBB", + "zoom.operator": "anawesomeuser@email.com", + "zoom.operator_id": "z8yCxjabcdEFGHfp8uQ", + "zoom.user.email": "henrysemail@email.com", + "zoom.user.first_name": "Henry", + "zoom.user.id": "abcD3ojfdbjfg", + "zoom.user.last_name": "Phan", + "zoom.user.type": "3" + }, + { + "event.action": "user.presence_status_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2436, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8ycx1223fq" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPjfyjxHMA", + "zoom.user.email": "sfdhfghfgh@dkjdfd.com", + "zoom.user.id": "z8ycx1223fq", + "zoom.user.presence_status": "Available" + }, + { + "event.action": "user.personal_notes_updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": 
"-02:00", + "event.type": [ + "iam", + "creation", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2642, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8aggp8uq" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPfhhdrYxHMA", + "zoom.old_values.personal_notes": "this is the old note", + "zoom.user.email": "sdfsgdfg@fjghg.ghm", + "zoom.user.id": "z8aggp8uq", + "zoom.user.personal_notes": "Out of Office until February 31" + }, + { + "event.action": "user.signed_in", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "authentication", + "creation", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2920, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "djkglfdgkjdflghfdpe" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "dsjfosdfpdosgifdjg", + "zoom.user.client_type": "android", + "zoom.user.email": "awesomeuser@awesomemeail.ghkgf", + "zoom.user.id": "djkglfdgkjdflghfdpe", + "zoom.user.version": "4.5.3308.0902" + }, + { + "event.action": "user.signed_out", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "authentication", + "creation", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3157, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "djkglfdgkjdflghfdpe" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "dsjfosdfpdosgifdjg", + "zoom.user.client_type": "android", + "zoom.user.email": "awesomeuser@awesomemeail.ghkgf", + "zoom.user.id": "djkglfdgkjdflghfdpe", + "zoom.user.version": "4.5.3308.0902" + } +] \ No newline at 
end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log new file mode 100644 index 000000000000..41782df2405e --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log 
@@ -0,0 +1,14 @@
+{"event":"webinar.created","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}}
+{"event":"webinar.updated","payload":{"account_id":"AAAAAAAAAAA","operator":"someemail@email.com","operator_id":"BBBBBBBBBB","object":{"id":155184668,"type":5,"start_time":"2019-07-11T20:00:00Z","duration":120,"join_url":"https://zoom.us/j/00000000","settings":{"host_video":"false"}},"old_object":{"id":155184668,"type":9,"join_url":"https://zoom.us/j/00000000","occurrences":[{"occurrence_id":"1562875200000","start_time":"2019-07-11T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1563480000000","start_time":"2019-07-18T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564084800000","start_time":"2019-07-25T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1564689600000","start_time":"2019-08-01T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565294400000","start_time":"2019-08-08T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1565899200000","start_time":"2019-08-15T20:00:00Z","duration":120,"status":"available"},{"occurrence_id":"1566504000000","start_time":"2019-08-22T20:00:00Z","duration":120,"status":"available"}],"settings":{"participant_video":true,"join_before_host":true,"use_pmi":false}, "time_stamp": 1562791953209}}}
+{"event":"webinar.deleted","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","operator_id":"uLoRgfbbTayCX6r2Q_qQsQ","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles"}}}
+{"event":"webinar.started","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":0,"timezone":"America/Los_Angeles"}}}
+{"event":"webinar.ended","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":111111111,"host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":5,"start_time":"2019-07-09T17:00:00Z","duration":0,"timezone":"America/Los_Angeles"}}}
+{"event":"webinar.alert","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Webinar","id":"6962400003","type":2,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","issues":"Unstable audio quality"}},"account_id":"EPeQtiABC000VYxHMA"}
+{"event":"webinar.sharing_started","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":5,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}}
+{"event":"webinar.sharing_started","payload":{"object":{"duration":60,"start_time":"2019-07-16T17:14:39Z","timezone":"America/Los_Angeles","topic":"My Meeting","id":"6962400003","type":5,"uuid":"4118UHIiRCAAAtBlDkcVyw==","host_id":"z8yCxTTTTSiw02QgCAp8uQ","participant":{"id":"s0AAAASoSE1V8KIFOCYw","user_id":"16778000","user_name":"Arya Arya","sharing_details":{"link_source":"in_meeting","file_link":"","source":"dropbox","date_time":"2019-07-16T17:19:11Z","content":"application"}}},"account_id":"EPeQtiABC000VYxHMA"}}
+{"event":"webinar.registration_created","payload":{"account_id":"lAAAAAAAAAAAAA","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com","address":"","city":"","country":"","zip":"","state":"","phone":"","industry":"","org":"","job_title":"","purchasing_time_frame":"","role_in_purchase_process":"","no_of_employees":"","comments":"","custom_questions":[],"status":"approved","join_url":"https://zoom.us/w/someendpointhere"}}}}
+{"event":"webinar.registration_approved","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"somemail@email.com","operator_id":"Lobbbbbbbbbb_qQsQ","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":2,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}}
+{"event":"webinar.registration_denied","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"coolemail@email.com","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":5,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}}
+{"event":"webinar.registration_cancelled","payload":{"account_id":"lAAAAAAAAAAAAA","operator":"coolemail@email.com","object":{"uuid":"dj12vck6sdTn6yy7qdy3dQg==","id":150000008,"host_id":"uLobbbbbbbbbb_qQsQ","topic":"A test meeting","type":5,"start_time":"2019-07-11T20:00:00Z","duration":120,"timezone":"America/Los_Angeles","registrant":{"id":"U0BBBBBBBBBBfrUz1Q","first_name":"Cool","last_name":"Person","email":"coolemail@email.com"}}}}
+{"event":"webinar.participant_joined","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"16782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","join_time":"2019-07-16T17:13:13Z"}}}}
+{"event":"webinar.participant_left","payload":{"account_id":"o8KK_AAACq6BBEyA70CA","operator":"someemail@email.com","object":{"uuid":"czLF6FFFoQOKgAB99DlDb9g==","id":"111111111","host_id":"uLoRgfbbTayCX6r2Q_qQsQ","topic":"My Meeting","type":2,"start_time":"2019-07-09T17:00:00Z","duration":60,"timezone":"America/Los_Angeles","participant":{"user_id":"16782040","user_name":"shree","id":"iFxeBPYun6SAiWUzBcEkX","leave_time":"2019-07-16T17:13:13Z"}}}}
diff --git a/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json
new file mode 100644
index 000000000000..1bef0aa4e152
--- /dev/null
+++ b/x-pack/filebeat/module/zoom/webhook/test/webinar.ndjson.log-expected.json
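Review bot: Two records in this fixture carry a field at the wrong nesting level, and the expected output that follows silently loses or mislabels it. In `webinar.alert`, `account_id` sits at the top level after `payload` closes, so the expected event has no `zoom.account_id`; in `webinar.updated`, `time_stamp` sits inside `old_object`, so it comes out as `zoom.old_values.time_stamp` rather than as the event's own timestamp. If these mirror what Zoom really sends, the pipeline (not in this hunk) should handle both placements, since an alert that cannot be attributed to an account is hard to triage; otherwise move them, e.g. `"payload":{"account_id":"EPeQtiABC000VYxHMA","object":{…}}`. Separately, `webinar.sharing_started` appears twice with identical content and there is no sharing-ended record, so the second was presumably meant to be `"event":"webinar.sharing_ended"`.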
@@ -0,0 +1,568 @@ +[ + { + "event.action": "webinar.created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.updated", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 357, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "BBBBBBBBBB" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "AAAAAAAAAAA", + "zoom.old_values.id": 155184668, + "zoom.old_values.join_url": "https://zoom.us/j/00000000", + "zoom.old_values.settings.join_before_host": true, + "zoom.old_values.settings.participant_video": true, + "zoom.old_values.settings.use_pmi": false, + "zoom.old_values.time_stamp": 1562791953209, + "zoom.old_values.type": 9, + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "BBBBBBBBBB", + "zoom.settings.host_video": "false", + "zoom.webinar.duration": 120, + "zoom.webinar.id": 155184668, + 
"zoom.webinar.join_url": "https://zoom.us/j/00000000", + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.type": 5 + }, + { + "event.action": "webinar.deleted", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "deletion" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1588, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ", + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.operator_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.started", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1945, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.webinar.duration": 0, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": 
"czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.ended", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "end" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2262, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.webinar.duration": 0, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": 111111111, + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.alert", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "error" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 2577, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.webinar.id": "6962400003", + "zoom.webinar.issues": "Unstable audio quality", + "zoom.webinar.start_time": "2019-07-16T17:14:39Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Webinar", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "webinar.sharing_started", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + 
"fileset.name": "webhook", + "input.type": "log", + "log.offset": 2894, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.date_time": "2019-07-16T17:19:11Z", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": "16778000", + "zoom.participant.user_name": "Arya Arya", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.webinar.id": "6962400003", + "zoom.webinar.start_time": "2019-07-16T17:14:39Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "webinar.sharing_started", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3416, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "z8yCxTTTTSiw02QgCAp8uQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPeQtiABC000VYxHMA", + "zoom.participant.id": "s0AAAASoSE1V8KIFOCYw", + "zoom.participant.sharing_details.content": "application", + "zoom.participant.sharing_details.date_time": "2019-07-16T17:19:11Z", + "zoom.participant.sharing_details.file_link": "", + "zoom.participant.sharing_details.link_source": "in_meeting", + "zoom.participant.sharing_details.source": "dropbox", + "zoom.participant.user_id": 
"16778000", + "zoom.participant.user_name": "Arya Arya", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "z8yCxTTTTSiw02QgCAp8uQ", + "zoom.webinar.id": "6962400003", + "zoom.webinar.start_time": "2019-07-16T17:14:39Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "4118UHIiRCAAAtBlDkcVyw==" + }, + { + "event.action": "webinar.registration_created", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "creation" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 3938, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.registrant.address": "", + "zoom.registrant.city": "", + "zoom.registrant.comments": "", + "zoom.registrant.country": "", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.industry": "", + "zoom.registrant.job_title": "", + "zoom.registrant.join_url": "https://zoom.us/w/someendpointhere", + "zoom.registrant.last_name": "Person", + "zoom.registrant.no_of_employees": "", + "zoom.registrant.org": "", + "zoom.registrant.phone": "", + "zoom.registrant.purchasing_time_frame": "", + "zoom.registrant.role_in_purchase_process": "", + "zoom.registrant.state": "", + "zoom.registrant.status": "approved", + "zoom.registrant.zip": "", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, 
+ { + "event.action": "webinar.registration_approved", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 4630, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "Lobbbbbbbbbb_qQsQ", + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.operator": "somemail@email.com", + "zoom.operator_id": "Lobbbbbbbbbb_qQsQ", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "webinar.registration_denied", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5102, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.operator": "coolemail@email.com", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + 
"zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "webinar.registration_cancelled", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "change" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5539, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLobbbbbbbbbb_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "lAAAAAAAAAAAAA", + "zoom.operator": "coolemail@email.com", + "zoom.registrant.email": "coolemail@email.com", + "zoom.registrant.first_name": "Cool", + "zoom.registrant.id": "U0BBBBBBBBBBfrUz1Q", + "zoom.registrant.last_name": "Person", + "zoom.webinar.duration": 120, + "zoom.webinar.host_id": "uLobbbbbbbbbb_qQsQ", + "zoom.webinar.id": 150000008, + "zoom.webinar.start_time": "2019-07-11T20:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "A test meeting", + "zoom.webinar.type": 5, + "zoom.webinar.uuid": "dj12vck6sdTn6yy7qdy3dQg==" + }, + { + "event.action": "webinar.participant_joined", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 5979, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.join_time": 
"2019-07-16T17:13:13Z", + "zoom.participant.user_id": "16782040", + "zoom.participant.user_name": "shree", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": "111111111", + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + }, + { + "event.action": "webinar.participant_left", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 6431, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "related.user": [ + "uLoRgfbbTayCX6r2Q_qQsQ" + ], + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "o8KK_AAACq6BBEyA70CA", + "zoom.operator": "someemail@email.com", + "zoom.participant.id": "iFxeBPYun6SAiWUzBcEkX", + "zoom.participant.leave_time": "2019-07-16T17:13:13Z", + "zoom.participant.user_id": "16782040", + "zoom.participant.user_name": "shree", + "zoom.webinar.duration": 60, + "zoom.webinar.host_id": "uLoRgfbbTayCX6r2Q_qQsQ", + "zoom.webinar.id": "111111111", + "zoom.webinar.start_time": "2019-07-09T17:00:00Z", + "zoom.webinar.timezone": "America/Los_Angeles", + "zoom.webinar.topic": "My Meeting", + "zoom.webinar.type": 2, + "zoom.webinar.uuid": "czLF6FFFoQOKgAB99DlDb9g==" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log new file mode 100644 index 000000000000..03fda8d1b28a --- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log 
@@ -0,0 +1,4 @@ +{"event":"zoomroom.alert","payload":{"account_id":"EPAbcdefyZslakjflP","object":{"room_name":"MyFabulousZoomRoom","issue":"Room Controller disconnected","id":"EbY5jzz2R5KVPn6ZY9wh0A","calendar_name":"myemailforcalendarintegration@somedomain.com","email":"myemailforzoomroom@somedomain.com","alert_type":1,"component":2,"alert_kind":1}}} +{"event":"zoomroom.delayed_alert","payload":{"account_id":"EPAbcdefyZslakjflP","object":{"room_name":"MyFabulousZoomRoom","issue":"Room Controller disconnected","id":"EbY5jzz2R5KVPn6ZY9wh0A","calendar_name":"myemailforcalendarintegration@somedomain.com","email":"myemailforzoomroom@somedomain.com","alert_type":1,"component":2,"alert_kind":1}}} +{"event":"zoomroom.checked_in","payload":{"account_id":"vhdnmf673q2543rfhgsca","object":{"id":"365743fgshfh63","room_name":"Sharks Room","calendar_id":"mytestemailaddress123444@zoom.us","calendar_name":"zoom.us_abcd783r894v4nigh8@group.calendar.google.com","email":"jdfhdsk@dgjfh.sfgjgdf","event_id":"AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=","change_key":"DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw","resource_email":"public.test@testmail123gdgds.com"}}} +{"event":"zoomroom.checked_in","payload":{"account_id":"vhdnmf673q2543rfhgsca","object":{"id":"365743fgshfh63","room_name":"Sharks Room","calendar_id":"mytestemailaddress123444@zoom.us","calendar_name":"zoom.us_abcd783r894v4nigh8@group.calendar.google.com","email":"jdfhdsk@dgjfh.sfgjgdf","event_id":"AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=","change_key":"DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw","resource_email":"public.test@testmail123gdgds.com"}}} diff --git a/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json new file mode 100644 index 000000000000..0d567d8ccd63 
--- /dev/null +++ b/x-pack/filebeat/module/zoom/webhook/test/zoomroom.ndjson.log-expected.json 
@@ -0,0 +1,122 @@ +[ + { + "event.action": "zoomroom.alert", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 0, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPAbcdefyZslakjflP", + "zoom.zoomroom.alert_kind": 1, + "zoom.zoomroom.alert_type": 1, + "zoom.zoomroom.calendar_name": "myemailforcalendarintegration@somedomain.com", + "zoom.zoomroom.component": 2, + "zoom.zoomroom.email": "myemailforzoomroom@somedomain.com", + "zoom.zoomroom.id": "EbY5jzz2R5KVPn6ZY9wh0A", + "zoom.zoomroom.issue": "Room Controller disconnected", + "zoom.zoomroom.room_name": "MyFabulousZoomRoom" + }, + { + "event.action": "zoomroom.delayed_alert", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 337, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "EPAbcdefyZslakjflP", + "zoom.zoomroom.alert_kind": 1, + "zoom.zoomroom.alert_type": 1, + "zoom.zoomroom.calendar_name": "myemailforcalendarintegration@somedomain.com", + "zoom.zoomroom.component": 2, + "zoom.zoomroom.email": "myemailforzoomroom@somedomain.com", + "zoom.zoomroom.id": "EbY5jzz2R5KVPn6ZY9wh0A", + "zoom.zoomroom.issue": "Room Controller disconnected", + "zoom.zoomroom.room_name": "MyFabulousZoomRoom" + }, + { + "event.action": "zoomroom.checked_in", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 682, + "observer.product": "Webhook", + 
"observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vhdnmf673q2543rfhgsca", + "zoom.zoomroom.calendar_id": "mytestemailaddress123444@zoom.us", + "zoom.zoomroom.calendar_name": "zoom.us_abcd783r894v4nigh8@group.calendar.google.com", + "zoom.zoomroom.change_key": "DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw", + "zoom.zoomroom.email": "jdfhdsk@dgjfh.sfgjgdf", + "zoom.zoomroom.event_id": "AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=", + "zoom.zoomroom.id": "365743fgshfh63", + "zoom.zoomroom.resource_email": "public.test@testmail123gdgds.com", + "zoom.zoomroom.room_name": "Sharks Room" + }, + { + "event.action": "zoomroom.checked_in", + "event.dataset": "zoom.webhook", + "event.kind": [ + "event" + ], + "event.module": "zoom", + "event.timezone": "-02:00", + "event.type": [ + "info", + "start" + ], + "fileset.name": "webhook", + "input.type": "log", + "log.offset": 1221, + "observer.product": "Webhook", + "observer.vendor": "Zoom", + "service.type": "zoom", + "tags": [ + "zoom-webhook", + "forwarded" + ], + "zoom.account_id": "vhdnmf673q2543rfhgsca", + "zoom.zoomroom.calendar_id": "mytestemailaddress123444@zoom.us", + "zoom.zoomroom.calendar_name": "zoom.us_abcd783r894v4nigh8@group.calendar.google.com", + "zoom.zoomroom.change_key": "DwAAABYAAABQ/N0JvB/FRqv5UT2rFfkVAAE2XqVw", + "zoom.zoomroom.email": "jdfhdsk@dgjfh.sfgjgdf", + "zoom.zoomroom.event_id": "AbbbbbGYxLTc3OTVkMzFmZDc0MwBGAAAAAAD48FI58voYSqDgJePOSZblBwBQ/N0JvB/FRqv5UT2rFfkVAAAAAAENAABQ/N0JvB/FRqv5UT2rFfkVAAE2YC8DAAA=", + "zoom.zoomroom.id": "365743fgshfh63", + "zoom.zoomroom.resource_email": "public.test@testmail123gdgds.com", + "zoom.zoomroom.room_name": "Sharks Room" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/zoom.yml.disabled b/x-pack/filebeat/modules.d/zoom.yml.disabled new file mode 100644 index 000000000000..15fa9d4b23cf 
--- /dev/null
+++ b/x-pack/filebeat/modules.d/zoom.yml.disabled
@@ -0,0 +1,22 @@
+# Module: zoom
+# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-zoom.html
+
+- module: zoom
+ webhook:
+ enabled: true
+
+ # The type of input to use
+ #var.input: http_endpoint
+
+ # The interface to listen for incoming HTTP requests. Defaults to
+ # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+ #var.listen_address: localhost
+
+ # The port to bind to
+ #var.listen_port: 80
+
+ # The header Zoom uses to send its secret token, defaults to "Authorization"
+ #secret.header: Authorization
+
+ # The secret token value created by Zoom
+ #secret.value: ZOOMTOKEN
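Review bot: The sample config suggests `0.0.0.0` and shows `#var.listen_port: 80` without any mention of TLS, so an operator who follows the comments exposes the listener over plain HTTP and the secret token in the `Authorization` header crosses the network in cleartext. I would add a comment above `#var.listen_address`, for example `# Keep on localhost unless TLS is terminated in front of this listener; the secret token arrives in a request header.` Separately, `#secret.header` and `#secret.value` lack the `var.` prefix that the other three settings carry; the manifest is not visible in this hunk, so please confirm these keys are actually read, because a silently ignored secret would presumably leave the endpoint accepting unauthenticated requests. Both secret lines also ship commented out under `enabled: true`, so a line such as `# Set secret.value before enabling this fileset (confirm how the input treats requests when it is unset).` would help.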