From dc87e2fa291378ae45aac01cb308cf1517d6b4aa Mon Sep 17 00:00:00 2001
From: Wajih Yassine <54372074+wajihyassine@users.noreply.github.com>
Date: Sun, 30 Jun 2024 08:06:55 -0700
Subject: [PATCH] Add workspace device logs (#888)

---
 data/recipes/workspace_user_device_ts.json | 51 ++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 data/recipes/workspace_user_device_ts.json

diff --git a/data/recipes/workspace_user_device_ts.json b/data/recipes/workspace_user_device_ts.json
new file mode 100644
index 000000000..68fedc2a6
--- /dev/null
+++ b/data/recipes/workspace_user_device_ts.json
@@ -0,0 +1,51 @@
+{
+  "name": "workspace_user_device_ts",
+  "description": "Collects mobile (Device Audit activity) records for a Workspace user and adds them to Timesketch.",
+  "short_description": "Collects mobile records and adds to Timesketch",
+  "preflights": [],
+  "modules": [
+    {
+      "wants": [],
+      "name": "WorkspaceAuditCollector",
+      "args": {
+        "application_name": "mobile",
+        "user_key": "@user",
+        "filter_expression": "@filter_expression",
+        "start_time": "@start_time",
+        "end_time": "@end_time"
+      }
+    },
+    {
+      "wants": ["WorkspaceAuditCollector"],
+      "name": "WorkspaceAuditTimesketch",
+      "args": {}
+    },
+    {
+      "wants": ["WorkspaceAuditTimesketch"],
+      "name": "TimesketchExporter",
+      "args": {
+        "incident_id": "@incident_id",
+        "token_password": "@token_password",
+        "endpoint": "@timesketch_endpoint",
+        "username": "@timesketch_username",
+        "password": "@timesketch_password",
+        "sketch_id": "@sketch_id",
+        "analyzers": null,
+        "wait_for_timelines": "@wait_for_timelines"
+      }
+    }
+  ],
+  "args": [
+    ["user", "email address of the user to query logs for",""],
+    ["--start_time", "Start time.", null, {"format": "datetime", "before": "@end_time"}],
+    ["--end_time", "End time.", null, {"format": "datetime_end", "after": "@start_time"}],
+    ["--filter_expression", "Filter expression to use to query Workspace logs. See https://developers.google.com/admin-sdk/reports/reference/rest/v1/activities/list",""],
+    ["--incident_id", "Incident ID (used for Timesketch description).", null],
+    ["--sketch_id", "Timesketch sketch to which the timeline should be added.", null, {"format": "regex", "regex": "^\\d+$"}],
+    ["--timesketch_endpoint", "Timesketch endpoint", "http://localhost:5000/"],
+    ["--timesketch_username", "Username for Timesketch server.", null],
+    ["--timesketch_password", "Password for Timesketch server.", null],
+    ["--token_password", "Optional custom password to decrypt Timesketch credential file with.", ""],
+    ["--wait_for_timelines", "Whether to wait for Timesketch to finish processing all timelines.", true]
+  ]
+}
\ No newline at end of file