
Commit e19d2b4

authored
[CDR][GCP] Add related.entity to GCP Audit Logs (elastic#11762)
1 parent d597992 commit e19d2b4

14 files changed

+745
-11
lines changed

packages/gcp/changelog.yml

Lines changed: 5 additions & 0 deletions
@@ -1,4 +1,9 @@
11
# newer versions go on top
2+
- version: "2.39.0"
3+
changes:
4+
- description: Add `related.entity` field to audit logs.
5+
type: enhancement
6+
link: https://github.com/elastic/integrations/pull/11762
27
- version: "2.38.0"
38
changes:
49
- description: Add `policy_violation_info`, `metadata` and `related` fields to audit logs.

packages/gcp/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json

Lines changed: 72 additions & 6 deletions
@@ -59,6 +59,10 @@
5959
],
6060
"user": [
6161
62+
],
63+
"entity": [
64+
"projects/elastic-beats",
65+
6266
]
6367
},
6468
"service": {
@@ -139,6 +143,10 @@
139143
],
140144
"user": [
141145
146+
],
147+
"entity": [
148+
"projects/elastic-beats/global/machineTypes",
149+
142150
]
143151
},
144152
"service": {
@@ -244,6 +252,10 @@
244252
],
245253
"user": [
246254
255+
],
256+
"entity": [
257+
"projects/elastic-beats/global/instances",
258+
247259
]
248260
},
249261
"service": {
@@ -336,6 +348,10 @@
336348
],
337349
"user": [
338350
351+
],
352+
"entity": [
353+
"projects/elastic-beats/global/instances",
354+
339355
]
340356
},
341357
"service": {
@@ -475,7 +491,8 @@
475491
],
476492
"user": [
477493
"system:serviceaccount:cert-manager:cert-manager-webhook"
478-
]
494+
],
495+
"entity": []
479496
},
480497
"service": {
481498
"name": "k8s.io"
@@ -598,6 +615,10 @@
598615
],
599616
"user": [
600617
618+
],
619+
"entity": [
620+
"projects/foo/global/images/windows-server-2016-v20200805",
621+
601622
]
602623
},
603624
"service": {
@@ -689,6 +710,10 @@
689710
],
690711
"user": [
691712
713+
],
714+
"entity": [
715+
"projects/foo/zones/us-central1-a/instances/win10-test",
716+
692717
]
693718
},
694719
"service": {
@@ -792,7 +817,8 @@
792817
],
793818
"user": [
794819
795-
]
820+
],
821+
"entity": []
796822
},
797823
"service": {
798824
"name": "k8s.io"
@@ -880,7 +906,8 @@
880906
],
881907
"user": [
882908
883-
]
909+
],
910+
"entity": []
884911
},
885912
"service": {
886913
"name": "k8s.io"
@@ -965,7 +992,8 @@
965992
],
966993
"user": [
967994
"system:anonymous"
968-
]
995+
],
996+
"entity": []
969997
},
970998
"service": {
971999
"name": "k8s.io"
@@ -1048,7 +1076,8 @@
10481076
],
10491077
"user": [
10501078
"system:serviceaccount:kube-system:generic-garbage-collector"
1051-
]
1079+
],
1080+
"entity": []
10521081
},
10531082
"service": {
10541083
"name": "k8s.io"
@@ -1131,6 +1160,12 @@
11311160
"related": {
11321161
"user": [
11331162
1163+
],
1164+
"entity": [
1165+
"projects/project",
1166+
"sub",
1167+
1168+
"//xxx@xxx"
11341169
]
11351170
},
11361171
"service": {
@@ -1266,6 +1301,7 @@
12661301
"type": "kubernetes"
12671302
},
12681303
"related": {
1304+
"entity": [],
12691305
"ip": [
12701306
"67.43.156.13"
12711307
],
@@ -1656,6 +1692,7 @@
16561692
"type": "kubernetes"
16571693
},
16581694
"related": {
1695+
"entity": [],
16591696
"ip": [
16601697
"10.142.0.152"
16611698
],
@@ -1747,6 +1784,9 @@
17471784
"type": "kubernetes"
17481785
},
17491786
"related": {
1787+
"entity": [
1788+
"serviceAccount:[email protected]"
1789+
],
17501790
"ip": [
17511791
"192.168.1.1"
17521792
],
@@ -1826,6 +1866,10 @@
18261866
"logger": "projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access"
18271867
},
18281868
"related": {
1869+
"entity": [
1870+
"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/jfxrt-xxx.jar",
1871+
1872+
],
18291873
"user": [
18301874
18311875
]
@@ -1909,6 +1953,9 @@
19091953
"type": "kubernetes"
19101954
},
19111955
"related": {
1956+
"entity": [
1957+
"serviceAccount:[email protected]"
1958+
],
19121959
"ip": [
19131960
"192.168.1.1"
19141961
],
@@ -1992,6 +2039,12 @@
19922039
"logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
19932040
},
19942041
"related": {
2042+
"entity": [
2043+
"projects/project",
2044+
"sub",
2045+
2046+
"//xxx@xxx"
2047+
],
19952048
"user": [
19962049
19972050
]
@@ -2060,6 +2113,10 @@
20602113
"logger": "projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fsystem_event"
20612114
},
20622115
"related": {
2116+
"entity": [
2117+
"projects/elastic-siem/zones/us-central1-c/instances/sep-perf-debian-11-155",
2118+
2119+
],
20632120
"user": [
20642121
20652122
]
@@ -2138,6 +2195,9 @@
21382195
"logger": "projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fpolicy"
21392196
},
21402197
"related": {
2198+
"entity": [
2199+
"projects/elastic-siem"
2200+
],
21412201
"ip": [
21422202
"192.168.1.1"
21432203
]
@@ -2236,6 +2296,9 @@
22362296
"type": "kubernetes"
22372297
},
22382298
"related": {
2299+
"entity": [
2300+
"serviceAccount:[email protected]"
2301+
],
22392302
"ip": [
22402303
"192.168.1.1"
22412304
],
@@ -2311,6 +2374,9 @@
23112374
},
23122375
"type": "kubernetes"
23132376
},
2377+
"related": {
2378+
"entity": []
2379+
},
23142380
"service": {
23152381
"name": "container.googleapis.com"
23162382
},
@@ -2319,4 +2385,4 @@
23192385
]
23202386
}
23212387
]
2322-
}
2388+
}
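Review bot: Eight of the updated events pin `related.entity` as an empty array (new lines 495, 821, 910, 996, 1080, 1304, 1695 and 2378 of this file), and the last of those creates a whole `related` object just to hold `"entity": []`, so the pipeline is emitting the key even when nothing was collected. In the events visible here `related.user` and `related.ip` only appear with values, which makes the empty entity array the odd one out and pins that noise into every fixture that is regenerated. If the cleanup belongs in the ingest pipeline rather than in this fixture, a conditional drop such as `- remove: { field: related.entity, ignore_missing: true, if: "ctx.related?.entity != null && ctx.related.entity.isEmpty()" }` would keep the expected output consistent with the other `related.*` arrays. Separately, the values `sub` and `//xxx@xxx` at new lines 1166-1168 and 2044-2046 look like test placeholders rather than resource names; if `sub` is a real extracted value it is too generic to correlate on, so it is worth confirming which source field produces it.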
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
{"insertId":"-30102re2sad8","logName":"projects/project-id/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"[email protected]","principalSubject":"serviceAccount:[email protected]","serviceAccountDelegationInfo":[{"principalSubject":"principal://iam.googleapis.com/projects/project-id/locations/global/workloadIdentityPools/..."}]},"authorizationInfo":[{"granted":true,"permission":"resourcemanager.projects.setIamPolicy","permissionType":"ADMIN_WRITE","resource":"projects/project-id","resourceAttributes":{"name":"projects/project-id","service":"cloudresourcemanager.googleapis.com","type":"cloudresourcemanager.googleapis.com/Project"}},{"granted":true,"permission":"resourcemanager.projects.setIamPolicy","permissionType":"ADMIN_WRITE","resource":"projects/project-id","resourceAttributes":{"name":"projects/project-id","service":"cloudresourcemanager.googleapis.com","type":"cloudresourcemanager.googleapis.com/Project"}}],"methodName":"SetIamPolicy","request":{"@type":"type.googleapis.com/google.iam.v1.SetIamPolicyRequest","policy":{"bindings":[{"members":["serviceAccount:[email protected]"],"role":"projects/project-id/roles/ThatRoleToo"},{"members":["serviceAccount:[email protected]"],"role":"projects/project-id/roles/x"},{"members":["serviceAccount:[email protected]"],"role":"projects/project-id/roles/this_role_as_well"},{"members":["serviceAccount:[email protected]","serviceAccount:[email protected]","serviceAccount:[email protected]"],"role":"roles/browser"},{"members":["serviceAccount:[email protected]","serviceAccount:[email protected]","serviceAccount:[email protected]"],"role":"roles/cloudasset.viewer"},{"members":["user:[email protected]"],"role":"roles/cloudkms.admin"},{"members":["group:[email 
protected]"],"role":"roles/owner"}],"etag":"BwYnObHBOBA="},"resource":"project-id"},"requestMetadata":{"callerIp":"192.168.0.1","callerSuppliedUserAgent":"google-cloud-sdk gcloud/501.0.0 command/gcloud.projects.add-iam-policy-binding invocation-id/e9e9e4b6f9294a7da9a2247dc101225a environment/None environment-version/None client-os/LINUX client-os-ver/5.15.0 client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.4 term/ (Linux 5.15.0-1074-azure),gzip(gfe)","destinationAttributes":{},"requestAttributes":{}},"resourceName":"projects/project-id","response":{"@type":"type.googleapis.com/google.iam.v1.Policy","bindings":[{"members":["serviceAccount:[email protected]"],"role":"projects/project-id/roles/ThatRoleToo"},{"members":["serviceAccount:[email protected]"],"role":"projects/project-id/roles/random"}],"etag":"BwYnQ8iRtu0="},"serviceData":{"@type":"type.googleapis.com/google.iam.v1.logging.AuditData","policyDelta":{"bindingDeltas":[{"action":"ADD","member":"serviceAccount:[email protected]","role":"roles/resourcemanager.projectIamAdmin"}]}},"serviceName":"cloudresourcemanager.googleapis.com","status":{}},"receiveTimestamp":"2024-11-19T13:12:21.785498724Z","resource":{"labels":{"project_id":"project-id"},"type":"project"},"severity":"NOTICE","timestamp":"2024-11-19T13:12:20.942393Z"}
