

[CDR][GCP] Add related.entity to GCP Audit Logs (elastic#11762)
kubasobon authored Dec 11, 2024
1 parent d597992 commit e19d2b4
Showing 14 changed files with 745 additions and 11 deletions.
5 changes: 5 additions & 0 deletions packages/gcp/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.39.0"
changes:
- description: Add `related.entity` field to audit logs.
type: enhancement
link: https://github.com/elastic/integrations/pull/11762
- version: "2.38.0"
changes:
- description: Add `policy_violation_info`, `metadata` and `related` fields to audit logs.
@@ -59,6 +59,10 @@
],
"user": [
"xxx@xxx.xxx"
],
"entity": [
"projects/elastic-beats",
"xxx@xxx.xxx"
]
},
"service": {
@@ -139,6 +143,10 @@
],
"user": [
"xxx@xxx.xxx"
],
"entity": [
"projects/elastic-beats/global/machineTypes",
"xxx@xxx.xxx"
]
},
"service": {
@@ -244,6 +252,10 @@
],
"user": [
"xxx@xxx.xxx"
],
"entity": [
"projects/elastic-beats/global/instances",
"xxx@xxx.xxx"
]
},
"service": {
@@ -336,6 +348,10 @@
],
"user": [
"xxx@xxx.xxx"
],
"entity": [
"projects/elastic-beats/global/instances",
"xxx@xxx.xxx"
]
},
"service": {
@@ -475,7 +491,8 @@
],
"user": [
"system:serviceaccount:cert-manager:cert-manager-webhook"
]
],
"entity": []
},
"service": {
"name": "k8s.io"
@@ -598,6 +615,10 @@
],
"user": [
"user@mycompany.com"
],
"entity": [
"projects/foo/global/images/windows-server-2016-v20200805",
"user@mycompany.com"
]
},
"service": {
@@ -689,6 +710,10 @@
],
"user": [
"user@mycompany.com"
],
"entity": [
"projects/foo/zones/us-central1-a/instances/win10-test",
"user@mycompany.com"
]
},
"service": {
@@ -792,7 +817,8 @@
],
"user": [
"xxx@xxx.xxx"
]
],
"entity": []
},
"service": {
"name": "k8s.io"
@@ -880,7 +906,8 @@
],
"user": [
"xxx@xxx.xxx"
]
],
"entity": []
},
"service": {
"name": "k8s.io"
@@ -965,7 +992,8 @@
],
"user": [
"system:anonymous"
]
],
"entity": []
},
"service": {
"name": "k8s.io"
@@ -1048,7 +1076,8 @@
],
"user": [
"system:serviceaccount:kube-system:generic-garbage-collector"
]
],
"entity": []
},
"service": {
"name": "k8s.io"
@@ -1131,6 +1160,12 @@
"related": {
"user": [
"xxx@xxx.xxx"
],
"entity": [
"projects/project",
"sub",
"xxx@xxx.xxx",
"//xxx@xxx"
]
},
"service": {
@@ -1266,6 +1301,7 @@
"type": "kubernetes"
},
"related": {
"entity": [],
"ip": [
"67.43.156.13"
],
@@ -1656,6 +1692,7 @@
"type": "kubernetes"
},
"related": {
"entity": [],
"ip": [
"10.142.0.152"
],
@@ -1747,6 +1784,9 @@
"type": "kubernetes"
},
"related": {
"entity": [
"serviceAccount:service-xxxx@developer.gserviceaccount.com"
],
"ip": [
"192.168.1.1"
],
@@ -1826,6 +1866,10 @@
"logger": "projects/elastic/logs/cloudaudit.googleapis.com%2Fdata_access"
},
"related": {
"entity": [
"projects/_/buckets/dataflow-staging-us-central1-xxx/objects/staging/jfxrt-xxx.jar",
"xxx-compute@developer.gserviceaccount.com"
],
"user": [
"xxx-compute@developer.gserviceaccount.com"
]
@@ -1909,6 +1953,9 @@
"type": "kubernetes"
},
"related": {
"entity": [
"serviceAccount:servoce-xxxx@developer.gserviceaccount.com"
],
"ip": [
"192.168.1.1"
],
@@ -1992,6 +2039,12 @@
"logger": "projects/elastic-beats/logs/cloudaudit.googleapis.com%2Fdata_access"
},
"related": {
"entity": [
"projects/project",
"sub",
"xxx@xxx.xxx",
"//xxx@xxx"
],
"user": [
"xxx@xxx.xxx"
]
@@ -2060,6 +2113,10 @@
"logger": "projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fsystem_event"
},
"related": {
"entity": [
"projects/elastic-siem/zones/us-central1-c/instances/sep-perf-debian-11-155",
"system@google.com"
],
"user": [
"system@google.com"
]
@@ -2138,6 +2195,9 @@
"logger": "projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fpolicy"
},
"related": {
"entity": [
"projects/elastic-siem"
],
"ip": [
"192.168.1.1"
]
@@ -2236,6 +2296,9 @@
"type": "kubernetes"
},
"related": {
"entity": [
"serviceAccount:servoce-xxxx@developer.gserviceaccount.com"
],
"ip": [
"192.168.1.1"
],
@@ -2311,6 +2374,9 @@
},
"type": "kubernetes"
},
"related": {
"entity": []
},
"service": {
"name": "container.googleapis.com"
},
@@ -2319,4 +2385,4 @@
]
}
]
}
}
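Review bot: Several expected events now carry `"entity": []` (the k8s.io events with `system:serviceaccount:...` and `system:anonymous` principals, the two `"type": "kubernetes"` events where it precedes `"ip"`), and the final `container.googleapis.com` event gains a whole `"related": { "entity": [] }` object where no `related` block existed before; an empty array adds index noise and makes `exists`-style detection rules on `related.entity` fire on events that name no entity. The ingest pipeline that builds the field is not among the files shown here, so this is inferred from the expected output; the usual fix is to drop the key when the list is empty, e.g. a `remove` processor guarded by `if: ctx.related?.entity != null && ctx.related.entity.isEmpty()`, and likewise drop `related` when it ends up empty. The populated values also mix formats — bare resource names such as `projects/elastic-siem`, plain emails, `serviceAccount:`-prefixed subjects and `//`-prefixed strings — so a short `description` on the `related.entity` field definition stating which source fields feed it would help analysts writing correlation rules.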
@@ -0,0 +1 @@
{"insertId":"-30102re2sad8","logName":"projects/project-id/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"made-up-ci-account@project-id.iam.gserviceaccount.com","principalSubject":"serviceAccount:madeupprincipal@project-id.iam.gserviceaccount.com","serviceAccountDelegationInfo":[{"principalSubject":"principal://iam.googleapis.com/projects/project-id/locations/global/workloadIdentityPools/..."}]},"authorizationInfo":[{"granted":true,"permission":"resourcemanager.projects.setIamPolicy","permissionType":"ADMIN_WRITE","resource":"projects/project-id","resourceAttributes":{"name":"projects/project-id","service":"cloudresourcemanager.googleapis.com","type":"cloudresourcemanager.googleapis.com/Project"}},{"granted":true,"permission":"resourcemanager.projects.setIamPolicy","permissionType":"ADMIN_WRITE","resource":"projects/project-id","resourceAttributes":{"name":"projects/project-id","service":"cloudresourcemanager.googleapis.com","type":"cloudresourcemanager.googleapis.com/Project"}}],"methodName":"SetIamPolicy","request":{"@type":"type.googleapis.com/google.iam.v1.SetIamPolicyRequest","policy":{"bindings":[{"members":["serviceAccount:member-sa@project-id.iam.gserviceaccount.com"],"role":"projects/project-id/roles/ThatRoleToo"},{"members":["serviceAccount:a@project-id.iam.gserviceaccount.com"],"role":"projects/project-id/roles/x"},{"members":["serviceAccount:b@project-id.iam.gserviceaccount.com"],"role":"projects/project-id/roles/this_role_as_well"},{"members":["serviceAccount:c@project-id.iam.gserviceaccount.com","serviceAccount:d@project-id.iam.gserviceaccount.com","serviceAccount:e@project-id.iam.gserviceaccount.com"],"role":"roles/browser"},{"members":["serviceAccount:f@project-id.iam.gserviceaccount.com","serviceAccount:g@project-id.iam.gserviceaccount.com","serviceAccount:c@project-id.iam.gserviceaccount.com"],"role":"roles/cloudasset.viewer"},{"members":["
user:doesnotexist@elastic.co"],"role":"roles/cloudkms.admin"},{"members":["group:agroup@elastic.co"],"role":"roles/owner"}],"etag":"BwYnObHBOBA="},"resource":"project-id"},"requestMetadata":{"callerIp":"192.168.0.1","callerSuppliedUserAgent":"google-cloud-sdk gcloud/501.0.0 command/gcloud.projects.add-iam-policy-binding invocation-id/e9e9e4b6f9294a7da9a2247dc101225a environment/None environment-version/None client-os/LINUX client-os-ver/5.15.0 client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.4 term/ (Linux 5.15.0-1074-azure),gzip(gfe)","destinationAttributes":{},"requestAttributes":{}},"resourceName":"projects/project-id","response":{"@type":"type.googleapis.com/google.iam.v1.Policy","bindings":[{"members":["serviceAccount:first@project-id.iam.gserviceaccount.com"],"role":"projects/project-id/roles/ThatRoleToo"},{"members":["serviceAccount:second@project-id.iam.gserviceaccount.com"],"role":"projects/project-id/roles/random"}],"etag":"BwYnQ8iRtu0="},"serviceData":{"@type":"type.googleapis.com/google.iam.v1.logging.AuditData","policyDelta":{"bindingDeltas":[{"action":"ADD","member":"serviceAccount:project-id@cloudservices.gserviceaccount.com","role":"roles/resourcemanager.projectIamAdmin"}]}},"serviceName":"cloudresourcemanager.googleapis.com","status":{}},"receiveTimestamp":"2024-11-19T13:12:21.785498724Z","resource":{"labels":{"project_id":"project-id"},"type":"project"},"severity":"NOTICE","timestamp":"2024-11-19T13:12:20.942393Z"}
