[island_browser][audit] Add island_browser audit datastream (#15319)

The release includes audit data stream, associated dashboards and
visualizations.

Island Browser fields are mapped to their corresponding ECS fields where
possible.

Test samples were derived from documentation and live data samples,
which were subsequently sanitized.

Author: janvi-elastic

packages/island_browser/_dev/build/docs/README.md

@@ -12,17 +12,23 @@ The Island Browser integration is compatible with `v1` version of Island Browser
 
 ### How it works
 
-This integration periodically queries the Island Browser API to retrieve users and devices.
+This integration periodically queries the Island Browser API to retrieve details for devices and users, and audit events.
 
 ## What data does this integration collect?
 
 This integration collects log messages of the following types:
 
-- `User`: Collects all the users from the Island Browser via [User API endpoint](https://documentation.island.io/apidocs/get-all-browser-users-that-match-the-specified-simple-filter).
+- `Audit`: Collects all timeline audits from the Island Browser via [Audit API endpoint](https://documentation.island.io/apidocs/get-all-timeline-audits-that-match-the-specified-simple-filter).
 - `Device`: Collects a list of all devices from the Island Browser via [Device API endpoint](https://documentation.island.io/apidocs/get-a-list-of-all-devices-1).
+- `User`: Collects all the users from the Island Browser via [User API endpoint](https://documentation.island.io/apidocs/get-all-browser-users-that-match-the-specified-simple-filter).
 
 ### Supported use cases
-Integrating Island Browser User and Device endpoint data with Elastic SIEM provides comprehensive visibility into account activity and device posture. Kibana dashboards track total and active users, login trends, and group distributions alongside device activity, including active, archived, and jailbroken states. Breakdowns by user source, type, and status, as well as device OS platform, policy updates, browser update status, and compliance indicators, highlight key usage and risk patterns. Saved searches and tables surface essential context—such as verified emails, IDs, IPs, MACs, and associated users—enabling analysts to detect anomalies, investigate efficiently, and strengthen both identity and endpoint oversight.
+
+Integrating Island Browser User, Device, and Audit endpoint data with Elastic SIEM provides unified visibility into identity activity, device posture, and security events across the environment.
+
+Dashboards track total and active users, login trends, and group distributions, alongside device insights such as active, archived, and jailbroken states, OS platform distribution, policy updates, browser update status, Windows license status, and MDM provider compliance.
+
+Audit visualizations further enhance oversight by showing event activity over time, verdicts and reasons, top rules, users, source IPs, event types, geographic distributions, and compatibility modes. Saved searches and tables consolidate essential attributes—including verified emails, device and host IDs, IPs, MACs, users, and organizations—adding valuable investigative context. Together, these insights enable analysts to monitor user behavior, track device health, analyze audit activity, detect anomalies, and strengthen compliance, identity management, and endpoint security oversight.
 
 ## What do I need to use this integration?
 
@@ -107,6 +113,14 @@ For more information on architectures that can be used for scaling this integrat
 
 {{fields "user"}}
 
+#### Device
+
+{{fields "device"}}
+
+#### Audit
+
+{{fields "audit"}}
+
 ### Example event
 
 #### User
@@ -115,13 +129,11 @@ For more information on architectures that can be used for scaling this integrat
 
 #### Device
 
-{{fields "device"}}
-
-### Example event
+{{event "device"}}
 
-#### Device
+#### Audit
 
-{{event "device"}}
+{{event "audit"}}
 
 ### Inputs used
 
@@ -135,6 +147,7 @@ This integration dataset uses the following APIs:
 
 - `User`: [Island Browser API](https://documentation.island.io/apidocs/get-all-browser-users-that-match-the-specified-simple-filter).
 - `Device`: [Island Browser API](https://documentation.island.io/apidocs/get-a-list-of-all-devices-1).
+- `Audit`: [Island Browser API](https://documentation.island.io/apidocs/get-all-timeline-audits-that-match-the-specified-simple-filter).
 
 #### ILM Policy
 

packages/island_browser/_dev/deploy/docker/files/config.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 0.3.0
+  changes:
+    - description: Add audit data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15319
 - version: 0.2.0
   changes:
     - description: Add support of User Data Stream.

packages/island_browser/changelog.yml

@@ -0,0 +1,6 @@
+{"id":"0554e3ab-618a-4171-a5d7-33555ac4476b","createdDate":"2025-09-09T09:24:36.278692Z","updatedDate":"2025-09-09T09:24:36.278693Z","tenantId":"elastic-testing","userId":"auth0|cbbf1398-e567-4e6f-8929-5a786ffc2486","deviceId":"7748cf6a-1a23-4572-b5ee-129962616b25","clientEventId":"d14e7489-e627-4cf8-bf89-daeb6c4b6a55","userName":"John Doe","email":"[email protected]","type":"Navigation","verdict":"Allowed","verdictReason":"Navigation allowed by policy","timestamp":"2025-09-09T13:29:38.000Z","processedDate":"2025-09-09T13:29:39.123456Z","topLevelUrl":"https://example.com","country":"India","region":"Asia","urlWebCategories":["Business","Technology"],"saasApplicationName":"Microsoft 365","saasApplicationCategory":"Productivity","urlWebReputation":85,"tabId":935959881,"ruleId":"rule-12345","ruleName":"Standard Navigation Policy","screenshotFileName":"screenshot_20250909_132938.png","keystrokes":"example search query","details":"{\n  \"navigation_details\": {\n    \"referrer\": \"https://google.com\",\n    \"user_agent\": \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36\"\n  },\n  \"policy_version_details\": {\n    \"application_access_policy_version\": \"1\",\n    \"browser_access_policy_version\": \"1\",\n    \"browser_policy_version\": \"1\",\n    \"dlp_policy_version\": \"1\",\n    \"pam_policy_version\": \"1\"\n  }\n}","incognito":false,"submittedUrl":"https://example.com/page","sourceIp":"10.50.6.126","publicIp":"89.160.20.112","machineName":"ub22-50-6-126.manage.local","matchedDevicePosture":"Compliant","devicePostureMatchingDetails":"Device meets all security requirements","matchedUserGroup":"Standard Users","countryCode":"IN","origin":"Island","windowId":12345,"frameId":67890,"isIslandPrivateAccess":false,"shortTopLevelUrl":"example.com","websiteTopLevelUrl":"https://example.com","frameUrl":"https://example.com/iframe","compatibilityMode":"None","osUserName":"serviceuser","machineId":"iNUa5F_2xgH0L51ZW5_YCFI7b7U","osPlatform":"Linux","saasApplicationId":"a1b2c3d4-e5f6-7890-abcd-ef1234567890","domainOrTenant":"example.com"}
+{"id":"1a2b3c4d-5e6f-7890-abcd-ef1234567890","createdDate":"2025-09-09T10:15:22.456789Z","updatedDate":"2025-09-09T10:15:22.456790Z","tenantId":"elastic-testing","userId":"auth0|f9e8d7c6-b5a4-3210-9876-543210fedcba","deviceId":"8859df7b-2b34-5683-c6ff-230073727c36","clientEventId":"e25f8590-f738-5df9-cf90-ebfc7d5c7b66","userName":"Sarah Smith","email":"[email protected]","type":"FileDownload","verdict":"Blocked","verdictReason":"File download blocked due to DLP policy violation","timestamp":"2025-09-09T14:45:12.000Z","processedDate":"2025-09-09T14:45:13.789012Z","topLevelUrl":"https://sharepoint.company.com","country":"United States","region":"North America","urlWebCategories":["Business","Cloud Storage"],"saasApplicationName":"SharePoint Online","saasApplicationCategory":"Collaboration","urlWebReputation":95,"tabId":246813579,"ruleId":"rule-67890","ruleName":"DLP File Download Protection","screenshotFileName":"screenshot_20250909_144512.png","keystrokes":"","details":"{\"download_details\":{\"filename\":\"confidential_report.pdf\",\"file_size\":2048576,\"mime_type\":\"application/pdf\",\"dlp_match\":\"SSN detected\"},\"policy_version_details\":{\"application_access_policy_version\":\"2\",\"browser_access_policy_version\":\"1\",\"browser_policy_version\":\"3\",\"dlp_policy_version\":\"4\",\"pam_policy_version\":\"1\"}}","incognito":false,"submittedUrl":"https://sharepoint.company.com/sites/hr/documents/confidential_report.pdf","sourceIp":"192.168.1.45","publicIp":"81.2.69.142","machineName":"WIN-DESKTOP-001","matchedDevicePosture":"Compliant","devicePostureMatchingDetails":"Device encryption verified, antivirus active","matchedUserGroup":"HR Department","countryCode":"US","origin":"Island","windowId":54321,"frameId":98765,"isIslandPrivateAccess":false,"shortTopLevelUrl":"sharepoint.company.com","websiteTopLevelUrl":"https://sharepoint.company.com","frameUrl":"https://sharepoint.company.com/sites/hr","compatibilityMode":"InternetExplorer","osUserName":"ssmith","machineId":"jOPb6G_3yhI1M62XZ6_ZDGJ8c8V","osPlatform":"Windows","saasApplicationId":"b2c3d4e5-f6g7-8901-bcde-fg2345678901","domainOrTenant":"company.com"}
+{"id":"2b3c4d5e-6f78-9012-cdef-gh3456789012","createdDate":"2025-09-09T11:30:45.123456Z","updatedDate":"2025-09-09T11:30:45.123457Z","tenantId":"elastic-testing","userId":"auth0|a1b2c3d4-e5f6-7890-abcd-ef1234567890","deviceId":"9960e08c-3c45-6794-d700-341184838d47","clientEventId":"f36g9601-g849-6eg0-dg01-fcgd8e6d8c77","userName":"Mike Johnson","email":"[email protected]","type":"Copy","verdict":"Warned","verdictReason":"Sensitive data copy operation - user warned","timestamp":"2025-09-09T16:00:30.000Z","processedDate":"2025-09-09T16:00:31.234567Z","topLevelUrl":"https://salesforce.com","country":"Canada","region":"North America","urlWebCategories":["Business","CRM"],"saasApplicationName":"Salesforce","saasApplicationCategory":"CRM","urlWebReputation":98,"tabId":357924680,"ruleId":"rule-11111","ruleName":"DLP Copy Protection Policy","screenshotFileName":"screenshot_20250909_160030.png","keystrokes":"Ctrl+C","details":"{\"copy_details\":{\"content_type\":\"text\",\"content_length\":156,\"dlp_matches\":[\"Credit Card Number\",\"Phone Number\"],\"clipboard_protection\":true},\"policy_version_details\":{\"application_access_policy_version\":\"1\",\"browser_access_policy_version\":\"2\",\"browser_policy_version\":\"1\",\"dlp_policy_version\":\"3\",\"pam_policy_version\":\"1\"}}","incognito":true,"submittedUrl":"https://salesforce.com/lightning/r/Account/0011234567890ABC/view","sourceIp":"172.16.0.100","publicIp":"81.2.69.143","machineName":"MAC-BOOK-PRO-001","matchedDevicePosture":"Non-Compliant","devicePostureMatchingDetails":"OS update required","matchedUserGroup":"Sales Team","countryCode":"CA","origin":"Island","windowId":11111,"frameId":22222,"isIslandPrivateAccess":true,"shortTopLevelUrl":"salesforce.com","websiteTopLevelUrl":"https://salesforce.com","frameUrl":"https://salesforce.com/lightning","compatibilityMode":"None","osUserName":"mjohnson","machineId":"kQRc7H_4ziJ2N73YA7_AEHK9d9W","osPlatform":"MacOs","saasApplicationId":"c3d4e5f6-g7h8-9012-defg-hi4567890123","domainOrTenant":"techcorp.com"}
+{"id":"3c4d5e6f-7890-1234-efgh-ij5678901234","createdDate":"2025-09-09T12:45:18.987654Z","updatedDate":"2025-09-09T12:45:18.987655Z","tenantId":"elastic-testing","userId":"auth0|b2c3d4e5-f6g7-8901-bcde-fg2345678901","deviceId":"aa71f19d-4d56-7805-e811-452295949e58","clientEventId":"g47h0712-h950-7fh1-eh12-gdhe9f7e9d88","userName":"Lisa Chen","email":"[email protected]","type":"Ssh","verdict":"Allowed","verdictReason":"SSH access granted to authorized server","timestamp":"2025-09-09T17:15:45.000Z","processedDate":"2025-09-09T17:15:46.345678Z","topLevelUrl":"https://terminal.startup.io","country":"Singapore","region":"Asia","urlWebCategories":["Technology","Development"],"saasApplicationName":"SSH Terminal","saasApplicationCategory":"Development Tools","urlWebReputation":75,"tabId":468035791,"ruleId":"rule-22222","ruleName":"SSH Access Control Policy","screenshotFileName":"screenshot_20250909_171545.png","keystrokes":"ssh user@prod-server-01","details":"{\"ssh_details\":{\"target_server\":\"prod-server-01.startup.io\",\"port\":22,\"protocol\":\"SSH-2.0\",\"authentication_method\":\"public_key\",\"session_duration\":3600},\"policy_version_details\":{\"application_access_policy_version\":\"3\",\"browser_access_policy_version\":\"1\",\"browser_policy_version\":\"2\",\"dlp_policy_version\":\"1\",\"pam_policy_version\":\"2\"}}","incognito":false,"submittedUrl":"https://terminal.startup.io/ssh/prod-server-01","sourceIp":"10.0.1.200","publicIp":"89.160.20.128","machineName":"DEV-LINUX-001","matchedDevicePosture":"Compliant","devicePostureMatchingDetails":"All security checks passed","matchedUserGroup":"DevOps Team","countryCode":"SG","origin":"Island","windowId":33333,"frameId":44444,"isIslandPrivateAccess":false,"shortTopLevelUrl":"terminal.startup.io","websiteTopLevelUrl":"https://terminal.startup.io","frameUrl":"https://terminal.startup.io/console","compatibilityMode":"None","osUserName":"lchen","machineId":"lSRd8I_5ajK3O84ZB8_BFIL0e0X","osPlatform":"Linux","saasApplicationId":"d4e5f6g7-h8i9-0123-fghi-jk6789012345","domainOrTenant":"startup.io"}
+{"id":"4d5e6f78-9012-3456-ghij-kl7890123456","createdDate":"2025-09-09T13:20:33.654321Z","updatedDate":"2025-09-09T13:20:33.654322Z","tenantId":"elastic-testing","userId":"auth0|c3d4e5f6-g7h8-9012-defg-hi4567890123","deviceId":"bb82g20e-5e67-8916-f922-563306060f69","clientEventId":"h58i1823-i061-8gi2-fi23-hejf0g8f0e99","userName":"David Wilson","email":"[email protected]","type":"Print","verdict":"WarnedContinue","verdictReason":"Print operation contains sensitive data - user acknowledged warning","timestamp":"2025-09-09T18:30:20.000Z","processedDate":"2025-09-09T18:30:21.456789Z","topLevelUrl":"https://quickbooks.intuit.com","country":"United Kingdom","region":"Europe","urlWebCategories":["Business","Finance","Accounting"],"saasApplicationName":"QuickBooks Online","saasApplicationCategory":"Accounting","urlWebReputation":92,"tabId":579146802,"ruleId":"rule-33333","ruleName":"Print DLP Protection Policy","screenshotFileName":"screenshot_20250909_183020.png","keystrokes":"Ctrl+P","details":"{\"print_details\":{\"document_title\":\"Q3_Financial_Report.pdf\",\"page_count\":15,\"printer_name\":\"HP_LaserJet_Pro\",\"dlp_matches\":[\"Financial Data\",\"Revenue Information\"],\"print_protection_bypassed\":false},\"policy_version_details\":{\"application_access_policy_version\":\"2\",\"browser_access_policy_version\":\"3\",\"browser_policy_version\":\"1\",\"dlp_policy_version\":\"5\",\"pam_policy_version\":\"1\"}}","incognito":false,"submittedUrl":"https://quickbooks.intuit.com/app/reports/profitandloss","sourceIp":"192.168.10.75","publicIp":"67.43.156.0","machineName":"WIN-FINANCE-002","matchedDevicePosture":"Compliant","devicePostureMatchingDetails":"Device meets corporate security standards","matchedUserGroup":"Finance Department","countryCode":"GB","origin":"Island","windowId":55555,"frameId":66666,"isIslandPrivateAccess":false,"shortTopLevelUrl":"quickbooks.intuit.com","websiteTopLevelUrl":"https://quickbooks.intuit.com","frameUrl":"https://quickbooks.intuit.com/app","compatibilityMode":"None","osUserName":"dwilson","machineId":"mTSe9J_6bkL4P95AC9_CGJM1f1Y","osPlatform":"Windows","saasApplicationId":"e5f6g7h8-i9j0-1234-hijk-lm8901234567","domainOrTenant":"finance.corp"}
+{"id":"5e6f7890-1234-5678-ijkl-mn9012345678","createdDate":"2025-09-09T14:05:27.321098Z","updatedDate":"2025-09-09T14:05:27.321099Z","tenantId":"elastic-testing","userId":"auth0|d4e5f6g7-h8i9-0123-fghi-jk6789012345","deviceId":"cc93h31f-6f78-9027-g033-674417171g70","clientEventId":"i69j2934-j172-9hj3-gj34-ifkg1h9g1f00","userName":"Emma Rodriguez","email":"[email protected]","type":"GenAiInteraction","verdict":"Isolated","verdictReason":"AI interaction isolated due to sensitive healthcare data context","timestamp":"2025-09-09T19:45:55.000Z","processedDate":"2025-09-09T19:45:56.567890Z","topLevelUrl":"https://chatgpt.com","country":"Australia","region":"Oceania","urlWebCategories":["Technology","AI","Productivity"],"saasApplicationName":"ChatGPT","saasApplicationCategory":"AI Assistant","urlWebReputation":88,"tabId":680257913,"ruleId":"rule-44444","ruleName":"AI Interaction Healthcare Policy","screenshotFileName":"screenshot_20250909_194555.png","keystrokes":"How can I analyze patient data trends for diabetes management?","details":"{\"ai_interaction_details\":{\"model\":\"GPT-4\",\"conversation_id\":\"conv_abc123def456\",\"message_length\":67,\"response_length\":0,\"dlp_matches\":[\"Healthcare Information\",\"Patient Data Reference\"],\"isolation_applied\":true,\"data_classification\":\"Sensitive\"},\"policy_version_details\":{\"application_access_policy_version\":\"1\",\"browser_access_policy_version\":\"1\",\"browser_policy_version\":\"4\",\"dlp_policy_version\":\"6\",\"pam_policy_version\":\"1\"}}","incognito":false,"submittedUrl":"https://chatgpt.com/c/abc123def456","sourceIp":"203.0.113.150","publicIp":"216.160.83.56","machineName":"MAC-HEALTHCARE-001","matchedDevicePosture":"Compliant","devicePostureMatchingDetails":"Healthcare compliance verified, encryption active","matchedUserGroup":"Medical Staff","countryCode":"AU","origin":"Island","windowId":77777,"frameId":88888,"isIslandPrivateAccess":false,"shortTopLevelUrl":"chatgpt.com","websiteTopLevelUrl":"https://chatgpt.com","frameUrl":"https://chatgpt.com/chat","compatibilityMode":"None","osUserName":"erodriguez","machineId":"nUTf0K_7clM5Q06BD0_DHKN2g2Z","osPlatform":"MacOs","saasApplicationId":"f6g7h8i9-j0k1-2345-jklm-no0123456789","domainOrTenant":"healthcare.org"}