From ce344fbe35fadf45971c76800b34a36b07961034 Mon Sep 17 00:00:00 2001 From: Shuhei Kanamori <47746464+MoneyForest@users.noreply.github.com> Date: Thu, 28 Aug 2025 23:57:22 +0900 Subject: [PATCH 1/3] Fix innodb buffer pool utilization metrics collection for Aurora MySQL reader instances by ensuring `process_innodb_stats` runs even when `SHOW ENGINE INNODB STATUS` is skipped (#21190) * Fix buffer pool utilization metrics collection for Aurora MySQL reader instances by ensuring process_innodb_stats runs even when SHOW ENGINE INNODB STATUS is skipped * Update 21190.fixed --- mysql/changelog.d/21190.fixed | 1 + mysql/datadog_checks/mysql/mysql.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 mysql/changelog.d/21190.fixed diff --git a/mysql/changelog.d/21190.fixed b/mysql/changelog.d/21190.fixed new file mode 100644 index 0000000000000..9fdf05908b0fc --- /dev/null +++ b/mysql/changelog.d/21190.fixed @@ -0,0 +1 @@ +Fix innodb buffer pool utilization metrics collection for Aurora MySQL reader instances by ensuring `process_innodb_stats` runs even when `SHOW ENGINE INNODB STATUS` is skipped diff --git a/mysql/datadog_checks/mysql/mysql.py b/mysql/datadog_checks/mysql/mysql.py index 101d5f21592cd..89b5f916ada47 100644 --- a/mysql/datadog_checks/mysql/mysql.py +++ b/mysql/datadog_checks/mysql/mysql.py @@ -587,7 +587,7 @@ def _collect_metrics(self, db, tags): else: with tracked_query(self, operation="innodb_metrics"): results.update(self.innodb_stats.get_stats_from_innodb_status(db)) - self.innodb_stats.process_innodb_stats(results, self._config.options, metrics) + self.innodb_stats.process_innodb_stats(results, self._config.options, metrics) # Binary log statistics if self._get_variable_enabled(results, 'log_bin'): From 8d1b2a579c20893cd553e0cd81f28649be1de2e8 Mon Sep 17 00:00:00 2001 
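Review bot: No test accompanies the moved `process_innodb_stats` call; the diffstat lists only the changelog entry and `mysql.py`, so the path where `SHOW ENGINE INNODB STATUS` is skipped stays uncovered. On that path `results` never receives the output of `get_stats_from_innodb_status(db)`, yet the call now runs anyway. Its body is not in the hunk, so it is worth confirming that it tolerates the missing keys instead of raising or reporting misleading values. A short comment above the call would stop a later cleanup from re-indenting it, for example `# Must also run when SHOW ENGINE INNODB STATUS is skipped (Aurora readers): buffer pool utilization is derived here`. Indentation is not recoverable on this page, and `_collect_metrics` starts and ends outside the hunk.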
From: Steven Zou Date: Thu, 28 Aug 2025 12:40:19 -0400 Subject: [PATCH 2/3] CAP-2761 Add recommended ecs_fargate monitors (#21015) * Add ecs_fargate monitors * address validation issues * shorten monitor description * Link back to ecs explorer --- .../monitors/ecs_fargate_cpu_usage.json | 26 +++++++++++++++++++ .../ecs_fargate_ephemeral_storage.json | 26 +++++++++++++++++++ .../monitors/ecs_fargate_mem_usage.json | 26 +++++++++++++++++++ .../assets/monitors/ecs_fargate_net_rcvd.json | 26 +++++++++++++++++++ .../assets/monitors/ecs_fargate_net_sent.json | 26 +++++++++++++++++++ ecs_fargate/manifest.json | 7 +++++ 6 files changed, 137 insertions(+) create mode 100644 ecs_fargate/assets/monitors/ecs_fargate_cpu_usage.json create mode 100644 ecs_fargate/assets/monitors/ecs_fargate_ephemeral_storage.json create mode 100644 ecs_fargate/assets/monitors/ecs_fargate_mem_usage.json create mode 100644 ecs_fargate/assets/monitors/ecs_fargate_net_rcvd.json create mode 100644 ecs_fargate/assets/monitors/ecs_fargate_net_sent.json diff --git a/ecs_fargate/assets/monitors/ecs_fargate_cpu_usage.json b/ecs_fargate/assets/monitors/ecs_fargate_cpu_usage.json new file mode 100644 index 0000000000000..35d8a778f9008 --- /dev/null +++ b/ecs_fargate/assets/monitors/ecs_fargate_cpu_usage.json 
@@ -0,0 +1,26 @@
+{
+ "version": 2,
+ "created_at": "2025-08-08",
+ "last_updated_at": "2025-08-08",
+ "title": "ECS Fargate CPU utilization exceeds threshold",
+ "description": "CPU usage represents the percentage of CPU resources consumed by an ECS Fargate task relative to its allocated limit. This monitor tracks when CPU utilization exceeds the configured threshold to identify performance bottlenecks that could lead to increased response times and service disruptions.",
+ "definition": {
+ "name": "[ECS Fargate] AWS ECS Task CPU utilization is high",
+ "type": "query alert",
+ "query": "avg(last_15m):sum:ecs.fargate.cpu.usage{*} by {ecs_cluster,task_arn,ecs_service} / sum:ecs.fargate.cpu.task.limit{*} by {ecs_cluster,task_arn,ecs_service} * 100 > 80",
+ "message": "{{#is_warning}}\nAWS ECS Task {{task_arn.name}} in service {{ecs_service.name}} (cluster {{ecs_cluster.name}}) is approaching CPU Utilization threshold\n{{/is_warning}}\n\n{{#is_alert}}\nAWS ECS Task {{task_arn.name}} in service {{ecs_service.name}} (cluster {{ecs_cluster.name}}) has crossed CPU Utilization threshold\n{{/is_alert}}\n\nTo investigate further, view the affected task in the [ECS Explorer](/orchestration/explorer/ecsTask?inspect={{task_arn.name}})",
+ "tags": ["integration:ecs_fargate"],
+ "options": {
+ "thresholds": {
+ "critical": 80
+ },
+ "notify_audit": false,
+ "on_missing_data": "default",
+ "include_tags": true,
+ "new_group_delay": 300
+ }
+ },
+ "tags": [
+ "integration:aws-fargate"
+ ]
+}
diff --git a/ecs_fargate/assets/monitors/ecs_fargate_ephemeral_storage.json b/ecs_fargate/assets/monitors/ecs_fargate_ephemeral_storage.json
new file mode 100644
index 0000000000000..e3afc569c5591
--- /dev/null
+++ b/ecs_fargate/assets/monitors/ecs_fargate_ephemeral_storage.json
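Review bot: The `{{#is_warning}}` branch of `message` can never render, because `options.thresholds` defines only `"critical": 80` and no `warning` value; `ecs_fargate_ephemeral_storage.json` and `ecs_fargate_mem_usage.json` have the same gap. Either add a warning threshold below the critical one, e.g. `"thresholds": { "critical": 80, "warning": 70 }` (70 is a constructed example), or drop the warning block so the message matches what the monitor can emit. The top-level tag `integration:aws-fargate` also differs from `integration:ecs_fargate` in `definition.tags`; if both spellings are required, that is worth stating in the PR description, since JSON leaves no room for a comment.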
@@ -0,0 +1,26 @@
+{
+ "version": 2,
+ "created_at": "2025-08-08",
+ "last_updated_at": "2025-08-08",
+ "title": "ECS Fargate ephemeral storage utilization exceeds threshold",
+ "description": "Ephemeral storage utilization represents the percentage of temporary storage space consumed by an ECS Fargate task relative to its allocated limit. This monitor tracks when storage utilization exceeds the threshold to prevent storage exhaustion that could lead to task failures and data loss.",
+ "definition": {
+ "name": "[ECS Fargate] Ephemeral storage utilization is high for task {{task_arn.name}} in service {{ecs_service.name}} (cluster {{ecs_cluster.name}})",
+ "type": "query alert",
+ "query": "avg(last_15m):sum:ecs.fargate.ephemeral_storage.utilized{*} by {ecs_cluster,task_arn,ecs_service} / sum:ecs.fargate.ephemeral_storage.reserved{*} by {ecs_cluster,task_arn,ecs_service} * 100 > 80",
+ "message": "{{#is_warning}}\nAWS ECS Fargate task {{task_arn.name}} in service {{ecs_service.name}} (cluster {{ecs_cluster.name}}) is approaching ephemeral storage utilization threshold\n\nCurrent Usage: {{value}}%\n{{/is_warning}}\n\n{{#is_alert}}\nAWS ECS Fargate task {{task_arn.name}} in service {{ecs_service.name}} (cluster {{ecs_cluster.name}}) has exceeded ephemeral storage utilization threshold\n\nCurrent Usage: {{value}}%\n{{/is_alert}}\n\nTo investigate further, view the affected task in the [ECS Explorer](/orchestration/explorer/ecsTask?inspect={{task_arn.name}})",
+ "tags": ["integration:ecs_fargate"],
+ "options": {
+ "thresholds": {
+ "critical": 80
+ },
+ "notify_audit": false,
+ "on_missing_data": "default",
+ "include_tags": true,
+ "new_group_delay": 300
+ }
+ },
+ "tags": [
+ "integration:aws-fargate"
+ ]
+}
diff --git a/ecs_fargate/assets/monitors/ecs_fargate_mem_usage.json b/ecs_fargate/assets/monitors/ecs_fargate_mem_usage.json
new file mode 100644
index 0000000000000..03bcd49e62597
--- /dev/null
+++ b/ecs_fargate/assets/monitors/ecs_fargate_mem_usage.json
@@ -0,0 +1,26 @@
+{
+ "version": 2,
+ "created_at": "2025-08-08",
+ "last_updated_at": "2025-08-08",
+ "title": "ECS Fargate memory utilization exceeds threshold",
+ "description": "Memory usage represents the percentage of memory resources consumed by an ECS Fargate task relative to its allocated limit. This monitor tracks when memory utilization exceeds the configured threshold to prevent out-of-memory errors that could lead to task crashes and service unavailability.",
+ "definition": {
+ "name": "[ECS Fargate] AWS ECS Task Memory utilization is high",
+ "type": "query alert",
+ "query": "avg(last_15m):sum:ecs.fargate.mem.usage{*} by {ecs_cluster,task_arn,ecs_service} / sum:ecs.fargate.mem.task.limit{*} by {ecs_cluster,task_arn,ecs_service} * 100 > 80",
+ "message": "{{#is_warning}}\nAWS ECS Task {{task_arn.name}} in service {{ecs_service.name}} (cluster {{ecs_cluster.name}}) is approaching Memory Utilization threshold\n{{/is_warning}}\n\n{{#is_alert}}\nAWS ECS Task {{task_arn.name}} in service {{ecs_service.name}} (cluster {{ecs_cluster.name}}) has crossed Memory Utilization threshold\n{{/is_alert}}\n\nTo investigate further, view the affected task in the [ECS Explorer](/orchestration/explorer/ecsTask?inspect={{task_arn.name}})",
+ "tags": ["integration:ecs_fargate"],
+ "options": {
+ "thresholds": {
+ "critical": 80
+ },
+ "notify_audit": false,
+ "on_missing_data": "default",
+ "include_tags": true,
+ "new_group_delay": 300
+ }
+ },
+ "tags": [
+ "integration:aws-fargate"
+ ]
+}
diff --git a/ecs_fargate/assets/monitors/ecs_fargate_net_rcvd.json b/ecs_fargate/assets/monitors/ecs_fargate_net_rcvd.json
new file mode 100644
index 0000000000000..031bb3dbe4c0b
--- /dev/null
+++ b/ecs_fargate/assets/monitors/ecs_fargate_net_rcvd.json
@@ -0,0 +1,26 @@
+{
+ "version": 2,
+ "created_at": "2025-08-08",
+ "last_updated_at": "2025-08-08",
+ "title": "ECS Fargate network received error rate exceeds threshold",
+ "description": "Network received error rate represents the percentage of network packets that failed to be received successfully. This monitor tracks when the error rate exceeds the configured threshold to identify network connectivity issues that could lead to data transmission failures and service degradation.",
+ "definition": {
+ "name": "[ECS Fargate] Network received error rate is high for service: {{ecs_service.name}} in cluster: {{ecs_cluster.name}}",
+ "type": "query alert",
+ "query": "sum(last_5m):sum:ecs.fargate.net.rcvd_errors{*} by {ecs_service,ecs_cluster} / sum:ecs.fargate.net.bytes_rcvd{*} by {ecs_service,ecs_cluster} * 100 > 5",
+ "message": "ECS Fargate service {{ecs_service.name}} in cluster {{ecs_cluster.name}} has a network received error rate of {{value}}%, which exceeds the 5% threshold.\n\nThis indicates potential network connectivity issues. To investigate further, view the affected service in the [ECS Explorer](/orchestration/explorer/ecsService?query=ecs_service:{{ecs_service.name}}+ecs_cluster:{{ecs_cluster.name}})",
+ "tags": ["integration:ecs_fargate"],
+ "options": {
+ "thresholds": {
+ "critical": 5
+ },
+ "notify_audit": false,
+ "on_missing_data": "default",
+ "include_tags": true,
+ "new_group_delay": 60
+ }
+ },
+ "tags": [
+ "integration:aws-fargate"
+ ]
+}
diff --git a/ecs_fargate/assets/monitors/ecs_fargate_net_sent.json b/ecs_fargate/assets/monitors/ecs_fargate_net_sent.json
new file mode 100644
index 0000000000000..6ebc52ba8ee67
--- /dev/null
+++ b/ecs_fargate/assets/monitors/ecs_fargate_net_sent.json
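Review bot: The `query` divides `ecs.fargate.net.rcvd_errors` by `ecs.fargate.net.bytes_rcvd`, so the value is errors per byte scaled by 100, not the "percentage of network packets that failed" that the description and message promise; `ecs_fargate_net_sent.json` has the same shape with `sent_errors` over `bytes_sent`. With a byte count as denominator the ratio stays far below 5 for any service moving real traffic, so the monitor is unlikely to alert when receive errors do occur. Use a packet-count denominator if the integration exposes one (none is visible here), or reword the title and description and pick a threshold suited to errors per byte. It is also worth deciding how the monitor should evaluate when the denominator is zero for an idle service.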
@@ -0,0 +1,26 @@
+{
+ "version": 2,
+ "created_at": "2025-08-08",
+ "last_updated_at": "2025-08-08",
+ "title": "ECS Fargate network sent error rate exceeds threshold",
+ "description": "Network sent error rate represents the percentage of network packets that failed to be transmitted successfully. This monitor tracks when the error rate exceeds the configured threshold to identify network connectivity issues that could lead to data transmission failures and service degradation.",
+ "definition": {
+ "name": "[ECS Fargate] Network sent error rate is high for service: {{ecs_service.name}} in cluster: {{ecs_cluster.name}}",
+ "type": "query alert",
+ "query": "sum(last_5m):sum:ecs.fargate.net.sent_errors{*} by {ecs_service,ecs_cluster} / sum:ecs.fargate.net.bytes_sent{*} by {ecs_service,ecs_cluster} * 100 > 5",
+ "message": "ECS Fargate service {{ecs_service.name}} in cluster {{ecs_cluster.name}} has a network sent error rate of {{value}}%, which exceeds the 5% threshold.\n\nThis indicates potential network connectivity issues. To investigate further, view the affected service in the [ECS Explorer](/orchestration/explorer/ecsService?query=ecs_service:{{ecs_service.name}}+ecs_cluster:{{ecs_cluster.name}})",
+ "tags": ["integration:ecs_fargate"],
+ "options": {
+ "thresholds": {
+ "critical": 5
+ },
+ "notify_audit": false,
+ "on_missing_data": "default",
+ "include_tags": true,
+ "new_group_delay": 60
+ }
+ },
+ "tags": [
+ "integration:aws-fargate"
+ ]
+}
diff --git a/ecs_fargate/manifest.json b/ecs_fargate/manifest.json
index cd5e5f76a216b..ddccd662cbe0d 100644
--- a/ecs_fargate/manifest.json
+++ b/ecs_fargate/manifest.json
@@ -79,6 +79,13 @@ }, "dashboards": { "Amazon Fargate": "assets/dashboards/amazon_fargate_overview.json" + }, + "monitors": { + "ECS Fargate CPU Usage": "assets/monitors/ecs_fargate_cpu_usage.json", + "ECS Fargate Memory Usage": "assets/monitors/ecs_fargate_mem_usage.json", + "ECS Fargate Ephemeral Storage Utilization": "assets/monitors/ecs_fargate_ephemeral_storage.json", + "ECS Fargate Network Received Error Rate": "assets/monitors/ecs_fargate_net_rcvd.json", + "ECS Fargate Network Sent Error Rate": "assets/monitors/ecs_fargate_net_sent.json" } } } From dae474b021054ae07d83a734e41f9ab2d92c9abc Mon Sep 17 00:00:00 2001 From: orenma-dd <163151202+orenma-dd@users.noreply.github.com> Date: Thu, 28 Aug 2025 21:54:10 +0300 Subject: [PATCH 3/3] Oren.margalit/loi 571 cisco duo preserve source ocsf (#21194) * preserve source for 2 fields * change test file * update test file --- cisco_duo/assets/logs/cisco-duo.yaml | 10 +- cisco_duo/assets/logs/cisco-duo_tests.yaml | 314 +++++++++++---------- 2 files changed, 168 insertions(+), 156 deletions(-) diff --git a/cisco_duo/assets/logs/cisco-duo.yaml b/cisco_duo/assets/logs/cisco-duo.yaml index a0421b802e0ac..0d580009852eb 100644 --- a/cisco_duo/assets/logs/cisco-duo.yaml +++ b/cisco_duo/assets/logs/cisco-duo.yaml @@ -320,7 +320,7 @@ pipeline: sourceType: attribute target: ocsf.metadata.event_code targetType: attribute - preserveSource: false + preserveSource: true overrideOnConflict: false - type: attribute-remapper name: Map `isotimestamp`, `ts` to `ocsf.time` @@ -704,7 +704,7 @@ pipeline: sourceType: attribute target: ocsf.actor.app_uid targetType: attribute - preserveSource: false + preserveSource: true overrideOnConflict: false - type: attribute-remapper name: Map `access_device.ip.address`, `access_device.ip` to `ocsf.src_endpoint.ip` 
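Review bot: Nothing in `cisco-duo.yaml` records why these remappers now keep their source attribute, and the commit bullet says "preserve source for 2 fields" while five remappers are flipped (targets `ocsf.metadata.event_code` and `ocsf.actor.app_uid` here, `ocsf.user.email_addr` at -797 and -1210, `ocsf.actor.user.email_addr` at -939). With `preserveSource: true` the value stays under its original attribute as well as under `ocsf.*`, so for the three email remappers the address is now stored twice per event. Any redaction, scanning or field-restriction rule keyed on only one of the two paths should be checked against both. A comment above each changed line would record the intent, for example `# keep source: still read by <CONSUMER>` with the placeholder filled in. The `sources:` lists of these remappers sit above the hunks, so the affected attribute names are inferred from the updated test expectations.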
@@ -797,7 +797,7 @@ pipeline: sourceType: attribute target: ocsf.user.email_addr targetType: attribute - preserveSource: false + preserveSource: true overrideOnConflict: false - type: attribute-remapper name: Map `target.type` to `ocsf.user.type` @@ -939,7 +939,7 @@ pipeline: sourceType: attribute target: ocsf.actor.user.email_addr targetType: attribute - preserveSource: false + preserveSource: true overrideOnConflict: false - type: attribute-remapper name: Map `actor.type` to `ocsf.actor.user.type` @@ -1210,7 +1210,7 @@ pipeline: sourceType: attribute target: ocsf.user.email_addr targetType: attribute - preserveSource: false + preserveSource: true overrideOnConflict: false - type: pipeline name: OCSF sub pipeline for auth factor device enrichment diff --git a/cisco_duo/assets/logs/cisco-duo_tests.yaml b/cisco_duo/assets/logs/cisco-duo_tests.yaml index 1fe92dbad4cf8..e083674dd2e7e 100644 --- a/cisco_duo/assets/logs/cisco-duo_tests.yaml +++ b/cisco_duo/assets/logs/cisco-duo_tests.yaml 
@@ -2,44 +2,44 @@ id: cisco-duo tests: - sample: |- { - "reason" : "user_marked_fraud", - "txid" : "some-txid", - "isotimestamp" : "2023-11-01T08:42:33.314482+00:00", - "trusted_endpoint_status" : "not trusted", - "result" : "fraud", - "access_device" : { - "epkey" : "SOMEKEY", - "ip" : "185.64.148.0", - "location" : { - "country" : "-", - "city" : "-", - "state" : "-" - } - }, - "event_type" : "authentication", - "application" : { - "name" : "Google Workspace Login", - "key" : "SOMEKEY" - }, - "alias" : "abc@example.com", - "factor" : "duo_push", - "auth_device" : { - "ip" : "185.64.148.0", - "name" : "+1 123 456 7890", - "location" : { - "country" : "-", - "city" : "-", - "state" : "-" - }, - "key" : "SOMEKEY" - }, - "user" : { - "name" : "abc", - "groups" : [ "AllUsers (from AD sync)" ], - "key" : "SOMEKEY" - }, - "email" : "abc@example.com", - "timestamp" : 1698828154 + "reason" : "user_marked_fraud", + "txid" : "some-txid", + "isotimestamp" : "2023-11-01T08:42:33.314482+00:00", + "trusted_endpoint_status" : "not trusted", + "result" : "fraud", + "access_device" : { + "epkey" : "SOMEKEY", + "ip" : "185.64.148.0", + "location" : { + "country" : "-", + "city" : "-", + "state" : "-" + } + }, + "event_type" : "authentication", + "application" : { + "name" : "Google Workspace Login", + "key" : "SOMEKEY" + }, + "alias" : "abc@example.com", + "factor" : "duo_push", + "auth_device" : { + "ip" : "185.64.148.0", + "name" : "+1 123 456 7890", + "location" : { + "country" : "-", + "city" : "-", + "state" : "-" + }, + "key" : "SOMEKEY" + }, + "user" : { + "name" : "abc", + "groups" : [ "AllUsers (from AD sync)" ], + "key" : "SOMEKEY" + }, + "email" : "abc@example.com", + "timestamp" : 1698828154 } service: "authentication" result: @@ -97,6 +97,8 @@ tests: country: "-" state: "-" name: "+1 123 456 7890" + email: "abc@example.com" + event_type: "authentication" evt: name: "authentication" outcome: "fraud" 
@@ -149,6 +151,7 @@ tests: time: 1698828153314 type_uid: 300201 user: + email_addr: "abc@example.com" name: "abc" uid: "SOMEKEY" reason: "user_marked_fraud" 
@@ -211,39 +214,39 @@ tests: timestamp: 1698828153314 - sample: |- { - "actor" : { - "name" : "abc", - "details" : "{\"created\": null, \"last_login\": \"2023-10-10T08:44:35.000000+00:00\", \"email\": \"abc@example.com\", \"status\": null, \"groups\": null}", - "type" : "admin", - "key" : "SOMEKEY" - }, - "access_device" : { - "os" : "Windows", - "browser" : "Chrome", - "ip" : { - "address" : "185.64.148.0" - }, - "os_version" : "10", - "location" : { - "country" : "-", - "city" : "-", - "state" : "-" - }, - "browser_version" : "117.0.0.0" - }, - "akey" : "SOMEKEY", - "activity_id" : "some-activity-id", - "action" : { - "name" : "phone_activation_code_regenerated" - }, - "target" : { - "name" : "+1 123 456 7890", - "details" : "{\"manufacturer\": \"-\", \"number\": \"+11234567890\", \"extension\": \"\", \"os_version\": \"13\", \"biometrics_status\": \"Configured\", \"os\": \"Android\", \"model\": \"-\", \"tampered_status\": \"Not tampered\", \"passcode_status\": \"Locked\", \"country_code\": \"1\"}", - "type" : "phone", - "key" : "SOMEKEY" - }, - "ts" : "2023-10-10T04:45:03.639784+00:00" - } + "actor" : { + "name" : "abc", + "details" : "{\"created\": null, \"last_login\": \"2023-10-10T08:44:35.000000+00:00\", \"email\": \"abc@example.com\", \"status\": null, \"groups\": null}", + "type" : "admin", + "key" : "SOMEKEY" + }, + "access_device" : { + "os" : "Windows", + "browser" : "Chrome", + "ip" : { + "address" : "185.64.148.0" + }, + "os_version" : "10", + "location" : { + "country" : "-", + "city" : "-", + "state" : "-" + }, + "browser_version" : "117.0.0.0" + }, + "akey" : "SOMEKEY", + "activity_id" : "some-activity-id", + "action" : { + "name" : "phone_activation_code_regenerated" + }, + "target" : { + "name" : "+1 123 456 7890", + "details" : "{\"manufacturer\": \"-\", \"number\": \"+11234567890\", \"extension\": \"\", \"os_version\": \"13\", \"biometrics_status\": \"Configured\", \"os\": \"Android\", \"model\": \"-\", \"tampered_status\": \"Not tampered\", 
\"passcode_status\": \"Locked\", \"country_code\": \"1\"}", + "type" : "phone", + "key" : "SOMEKEY" + }, + "ts" : "2023-10-10T04:45:03.639784+00:00" + } service: "activity" result: custom: @@ -275,6 +278,8 @@ tests: state: "-" os: "Windows" os_version: "10" + action: + name: "phone_activation_code_regenerated" activity_id: "some-activity-id" actor: details: @@ -390,16 +395,17 @@ tests: timestamp: 1696913103639 - sample: |- { - "action": "group_create", - "description": "{\"desc\": \"This is a group\", \"name\": \"Target Group\", \"device\": \"11111\"}", - "object": "Target Group", - "isotimestamp": "2025-07-23T13:12:00.314482+00:00", - "username": "testuser", - "timestamp": 1753276346 + "action" : "group_create", + "description" : "{\"desc\": \"This is a group\", \"name\": \"Target Group\", \"device\": \"11111\"}", + "isotimestamp" : "2025-07-23T13:12:00.314482+00:00", + "object" : "Target Group", + "username" : "testuser", + "timestamp" : 1753276346 } service: "administrator" result: custom: + action: "group_create" cisco: duo: action: "group_create" @@ -501,16 +507,17 @@ tests: timestamp: 1704791295097 - sample: |- { - "action" : "o2fa_user_provisioned", - "description" : "{\"user_agent\": \"DuoCredProv/4.2.2.1755 (Windows NT 10.0.1809.17763.4851; x64; Server)\", \"hostname\": \"HOST02\", \"factor\": \"duo_otp\"}", - "isotimestamp" : "2023-10-16T12:20:19+00:00", - "object" : "RDP-2 Login", - "timestamp" : 1697458819, - "username" : "abc" + "action" : "o2fa_user_provisioned", + "description" : "{\"user_agent\": \"DuoCredProv/4.2.2.1755 (Windows NT 10.0.1809.17763.4851; x64; Server)\", \"hostname\": \"HOST02\", \"factor\": \"duo_otp\"}", + "isotimestamp" : "2023-10-16T12:20:19+00:00", + "object" : "RDP-2 Login", + "timestamp" : 1697458819, + "username" : "abc" } service: "offline_enrollment" result: custom: + action: "o2fa_user_provisioned" cisco: duo: action: "o2fa_user_provisioned" 
@@ -555,42 +562,42 @@ tests: timestamp: 1697458819000 - sample: |- { - "actor": { - "name": "source_user", - "details": "{\"created\": null, \"last_login\": null, \"email\": \"test\", \"status\": null, \"groups\": null}", - "type": "admin_sync" - }, - "access_device": { - "os": "Mac OS X", - "browser": "Edge Chromium", - "ip": { - "address": "1.1.1.1" - }, - "os_version": "10.15.7", - "location": { - "country": "TEST_COUNTRY", - "city": "TEST_CITY", - "state": "TEST_STATE" - }, - "browser_version": "TEST_BROWSER_VERSION" - }, - "akey": "111111", - "target": { - "key": "222222", - "name": "target_user", - "type": "user", - "details": "{\"created\": null, \"last_login\": null, \"email\": \"test\", \"status\": null, \"groups\": null" - }, - "application": { - "name": "TEST_APP", - "key": "111111" - }, - "service": "activity", - "activity_id": "111111", - "action": { - "name": "user_create" - }, - "ts": "2025-07-23T11:34:00.210770+00:00" + "actor" : { + "name" : "source_user", + "details" : "{\"created\": null, \"last_login\": null, \"email\": \"test\", \"status\": null, \"groups\": null}", + "type" : "admin_sync" + }, + "access_device" : { + "os" : "Mac OS X", + "browser" : "Edge Chromium", + "ip" : { + "address" : "1.1.1.1" + }, + "os_version" : "10.15.7", + "location" : { + "country" : "TEST_COUNTRY", + "city" : "TEST_CITY", + "state" : "TEST_STATE" + }, + "browser_version" : "TEST_BROWSER_VERSION" + }, + "akey" : "111111", + "application" : { + "name" : "TEST_APP", + "key" : "111111" + }, + "service" : "activity", + "activity_id" : "111111", + "action" : { + "name" : "user_create" + }, + "target" : { + "name" : "target_user", + "details" : "{\"created\": null, \"last_login\": null, \"email\": \"test\", \"status\": null, \"groups\": null", + "type" : "user", + "key" : "222222" + }, + "ts" : "2025-07-23T11:34:00.210770+00:00" } service: "activity" result: 
@@ -607,12 +614,15 @@ tests: state: "TEST_STATE" os: "Mac OS X" os_version: "10.15.7" + action: + name: "user_create" activity_id: "111111" actor: name: "source_user" type: "admin_sync" akey: "111111" application: + key: "111111" name: "TEST_APP" cisco: duo: @@ -716,38 +726,38 @@ tests: timestamp: 1753270440210 - sample: |- { - "actor": { - "name": "source_user", - "details": "{\"created\": null, \"last_login\": null, \"email\": null, \"status\": null, \"groups\": null}", - "type": "admin_sync" - }, - "access_device": { - "os": "Mac OS X", - "browser": "Edge Chromium", - "ip": { - "address": "1.1.1.1" - }, - "os_version": "10.15.7", - "location": { - "country": "TEST_COUNTRY", - "city": "TEST_CITY", - "state": "TEST_STATE" - }, - "browser_version": "TEST_BROWSER_VERSION" - }, - "akey": "111111", - "target": { - "name": "target_user", - "details": "{\"email\": \"tuser@test.com\", \"role\": \"User\", \"status\": \"Active\"}", - "type": "admin", - "key": "111111" - }, - "service": "activity", - "activity_id": "111111", - "action": { - "name": "admin_create" - }, - "ts": "2025-07-23T11:17:00.210770+00:00" + "actor" : { + "name" : "source_user", + "details" : "{\"created\": null, \"last_login\": null, \"email\": null, \"status\": null, \"groups\": null}", + "type" : "admin_sync" + }, + "access_device" : { + "os" : "Mac OS X", + "browser" : "Edge Chromium", + "ip" : { + "address" : "1.1.1.1" + }, + "os_version" : "10.15.7", + "location" : { + "country" : "TEST_COUNTRY", + "city" : "TEST_CITY", + "state" : "TEST_STATE" + }, + "browser_version" : "TEST_BROWSER_VERSION" + }, + "akey" : "111111", + "service" : "activity", + "activity_id" : "111111", + "action" : { + "name" : "admin_create" + }, + "target" : { + "name" : "target_user", + "details" : "{\"email\": \"tuser@test.com\", \"role\": \"User\", \"status\": \"Active\"}", + "type" : "admin", + "key" : "111111" + }, + "ts" : "2025-07-23T11:17:00.210770+00:00" } service: "activity" result: 
@@ -764,6 +774,8 @@ tests: state: "TEST_STATE" os: "Mac OS X" os_version: "10.15.7" + action: + name: "admin_create" activity_id: "111111" actor: details: '{"created": null, "last_login": null, "email": null, "status": null, "groups": null}'