[google_workspace] Enable agentless integration (#12921)

Enable agentless integration for google_workspace, and make some required updates to ingest pipelines to work with the updated package spec.

packages/google_workspace/_dev/build/docs/README.md

@@ -123,6 +123,12 @@ Once Service Account credentials are downloaded as a JSON file, then the integra
 
 >  NOTE: The default value of the "Page Size" is set to 1000. This option is available under 'Alert' Advance options. Set the parameter "Page Size" according to the requirement. For Alert Data Stream, The default value of "Alert Center API Host" is `https://alertcenter.googleapis.com`. The Alert Center API Host will be used for collecting alert logs only.
 
+## Agentless Enabled Integration
+
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments.  This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
 ## Logs
 
 ### Google Workspace Reports ECS fields

packages/google_workspace/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.32.0"
+  changes:
+    - description: Enable Agentless deployment.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12921
 - version: "2.31.0"
   changes:
     - description: Update Kibana constraint to support 9.0.0.

packages/google_workspace/data_stream/access_transparency/elasticsearch/ingest_pipeline/default.yml

@@ -9,6 +9,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml

@@ -12,6 +12,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/alert/elasticsearch/ingest_pipeline/default.yml

@@ -9,6 +9,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/context_aware_access/elasticsearch/ingest_pipeline/default.yml

@@ -9,6 +9,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/device/elasticsearch/ingest_pipeline/default.yml

@@ -9,6 +9,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml

@@ -15,6 +15,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/gcp/elasticsearch/ingest_pipeline/default.yml

@@ -9,6 +9,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/group_enterprise/elasticsearch/ingest_pipeline/default.yml

@@ -9,6 +9,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml

@@ -18,6 +18,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml

@@ -9,6 +9,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/rules/elasticsearch/ingest_pipeline/default.yml

@@ -9,6 +9,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml

@@ -21,6 +21,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/token/elasticsearch/ingest_pipeline/default.yml

@@ -9,6 +9,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml

@@ -21,6 +21,11 @@ processors:
       target_field: event.original
       ignore_missing: true
       if: ctx.event?.original == null
+  - remove:
+      field: message
+      ignore_missing: true
+      if: 'ctx.event?.original != null'
+      description: 'The `message` field is no longer required if the document has an `event.original` field.'
   - json:
       field: event.original
       target_field: json

packages/google_workspace/docs/README.md

@@ -123,6 +123,12 @@ Once Service Account credentials are downloaded as a JSON file, then the integra
 
 >  NOTE: The default value of the "Page Size" is set to 1000. This option is available under 'Alert' Advance options. Set the parameter "Page Size" according to the requirement. For Alert Data Stream, The default value of "Alert Center API Host" is `https://alertcenter.googleapis.com`. The Alert Center API Host will be used for collecting alert logs only.
 
+## Agentless Enabled Integration
+
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments.  This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
 ## Logs
 
 ### Google Workspace Reports ECS fields

packages/google_workspace/manifest.yml

@@ -1,17 +1,17 @@
 name: google_workspace
 title: Google Workspace
-version: "2.31.0"
+version: "2.32.0"
 source:
   license: Elastic-2.0
 description: Collect logs from Google Workspace with Elastic Agent.
 type: integration
-format_version: "3.0.3"
+format_version: "3.2.3"
 categories:
   - security
   - productivity_security
 conditions:
   kibana:
-    version: "^8.16.0 || ^9.0.0"
+    version: "^8.18.0 || ^9.0.0"
   elastic:
     subscription: basic
 screenshots:
@@ -56,6 +56,14 @@ policy_templates:
   - name: google_workspace
     title: Google Workspace logs
     description: Collect logs from Google Workspace APIs
+    deployment_modes: 
+      default:
+        enabled: true 
+      agentless:
+        enabled: true
+        organization: security
+        division: engineering
+        team: security-service-integrations
     inputs:
       - type: httpjson
         vars:

packages/google_workspace/validation.yml

@@ -3,4 +3,3 @@ errors:
     - SVR00001 # Saved query, but no filter.
     - SVR00002 # Mandatory filters in dashboards.
     - SVR00004 # References in dashboards.
-    - SVR00005 # Kibana version for saved tags.