Change log for GCP_CLOUDAUDIT
Date | Changes |
---|---|
2024-12-16 | - Added mapping for the raw log fields "protoPayload.request.serialConsoleOptions", "protoPayload.request.username" and "protoPayload.response.duration"
|
2024-10-15 | - Added mapping for these fields: "protoPayload.metadata.jobInsertion.reason", "protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.statementType" and "protoPayload.metadata.jobInsertion.job.jobStatus.jobState"
- Added support for the raw log fields "protoPayload.response.state" and "protoPayload.request.metadata.state". |
2024-10-11 | - Added support for the raw log fields under "protoPayload.metadata.jobChange" and "protoPayload.metadata.jobInsertion" objects.
|
2024-10-11 | - Added support for the raw log fields under "protoPayload.metadata.jobChange" and "protoPayload.metadata.jobInsertion" objects.
|
2024-10-11 | - Added support for the raw log fields under "protoPayload.metadata.jobChange" and "protoPayload.metadata.jobInsertion" objects.
|
2024-10-11 | - Added support for the raw log fields under "protoPayload.metadata.jobChange" and "protoPayload.metadata.jobInsertion" objects.
|
2024-10-11 | - Added support for the raw log fields under "protoPayload.metadata.jobChange" and "protoPayload.metadata.jobInsertion" objects.
|
2024-10-01 | - Set "metadata.event_type" UDM field as "USER_LOGIN" if the value of "protoPayload.request.cmd" raw field is "connect".
|
2024-09-17 | - Updated mapping of metadata.event_type UDM field.
|
2024-09-13 | - Updated the GCP_CLOUDAUDIT Gold parser to update mandatory UDM field for event_type "USER_UNCATEGORIZED".
|
2024-09-13 | - Updated the GCP_CLOUDAUDIT Gold parser to update mandatory UDM field for event_type "USER_UNCATEGORIZED".
|
2024-09-03 | - Added mapping for "protoPayload.request.spec.template.spec.shareProcessNamespace" log field.
- Added mapping for "protoPayload.response.spec.type" log field. - Updated the logic of "target.resource.resource_type" UDM field. - Extracted and mapped organization ids. - Added mapping for "protoPayload.metadata.event.parameter.boolValue" log field. - Added mapping for "protoPayload.response.vulnerability.shortDescription", "protoPayload.response.vulnerability.effectiveSeverity" and "protoPayload.response.resourceUri" log fields. |
2024-08-30 | - Added mapping for protoPayload.request.permissions raw log field.
|
2024-08-14 | - Added mapping for protoPayload.response.roleRef.name raw log field.
- Added mapping for protoPayload.authorizationInfo.permissionType raw log field. - Set the security_result.action as BLOCK for every error blob. - Added mapping for protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys raw log field. - Added mapping for protoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail raw log field. |
2024-07-19 | - Updated mapping for "security_result.action" based on the "protoPayload.response.status" log field.
- Added mapping for "protoPayload.response.reason" log field. - Update mapping for "protoPayload.response.code" log field. - Removed mapping of "protoPayload.metadata.event" raw log field form "target.resource_ancestors". - Updated mapping for "metadata.description" based on the "protoPayload.status.message" log field. - Updated mapping for "protoPayload.request.policy.bindings.members" raw log field. |
2024-07-03 | - Mapped "protoPayload.response.bindings" to "additional.fields".
- Mapped "protoPayload.request.bindings" to "additional.fields". |
2024-06-20 | - Added mappings for the following fields:
- "protoPayload.request.projection" - "protoPayload.response.items.metageneration" - "protoPayload.response.items.labels.created_date" - "protoPayload.response.items.labels.team_email" - "protoPayload.response.items.labels.team_name" - "protoPayload.response.items.labels.office_number" - "protoPayload.response.items.labels.department" - "protoPayload.response.items.labels.business_project_number" - "protoPayload.response.items.labels.owner_email" - "protoPayload.response.items.labels.purchase_order_number" - "protoPayload.response.items.labels.office_name" - "protoPayload.response.items.labels.environment" - "protoPayload.response.items.labels.created_by" - "protoPayload.response.items.labels.project_name" - "protoPayload.response.items.labels.finops_tag" - "protoPayload.response.items.labels.owner_role" - "protoPayload.response.items.versioning.enabled" - "protoPayload.response.items.iamConfiguration.publicAccessPrevention" - "protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.lockedTime" - "protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.enabled" - "protoPayload.response.items.id" - "protoPayload.response.items.updated" - "protoPayload.response.items.storageClass" - "protoPayload.response.items.timeCreated" - "protoPayload.response.items.location" - "protoPayload.response.items.locationType" - "protoPayload.response.items.projectNumber" - "protoPayload.response.items.name" - "protoPayload.response.items.softDeletePolicy.effectiveTime" - "protoPayload.response.items.softDeletePolicy.retentionDurationSeconds" - "protoPayload.response.items.etag" |
2024-06-19 | - Added mappings for the following raw log fields: "protoPayload.response.displayName", "protoPayload.request.referenceList.displayName".
- Extracted values from the following raw log fields: "protoPayload.authenticationInfo.principalSubject", "protoPayload.resourceName". |
2024-05-29 | - Removed mapping of the "protoPayload.authenticationInfo.principalEmail" raw log field from the "target.user.userid" UDM field.
- Updated the Grok pattern to support multiple values of the "protoPayload.metadata.membershipDelta.member" raw log field. - Added mappings of the "protoPayload.metadata.updatedGrant.state", "protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource", "protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType", "protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role", "protoPayload.metadata.updatedGrant.justification.unstructuredJustification", "protoPayload.metadata.updatedGrant.requestedDuration", "protoPayload.metadata.updatedGrant.requester", "protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id", "protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor" and protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id" raw log fields. |
2024-05-22 | - Added mappings for the following fields: "protoPayload.metadata.tableChange.table.policy.bindings.members, protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.members, protoPayload.request.bindings.members, protoPayload.metadata.tableChange.bindingDeltas.member"
|
2024-05-15 | - Added mapping for fields: "protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_report_id, protoPayload.metadata.jobChange.job.jobConfig.labels.requestor and protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_datasource_id"
|
2024-05-01 | - Added a mapping for the "protoPayload.response.serviceConfig.timeoutSeconds" raw log field.
|
2024-04-24 | - Added mapping for fields: "protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.requestor", "protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_datasource_id", "protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_report_id" and "protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query".
- Added support for "protoPayload.response.overrideValue" and "protoPayload.request.override.overrideValue" log fields. |
2024-04-17 | - Add mapping for protoPayload.request.timestampRange,
protoPayload.request.regexSearch, protoPayload.request.productSources, protoPayload.request.query, protoPayload.request.caseSensitive raw log fields. |
2024-03-27 | - Handled the jumpcloud function audit logs in the parser.
|
2024-03-06 | - Added mapping of "protoPayload.request.New Data" and "protoPayload.request.Original Data" raw log fields.
- Added mapping for fields of "protoPayload.request.service.metadata.annotations" and "protoPayload.request.service.spec.template.metadata.annotations" object. - Added mapping for fields of "protoPayload.response.spec.template" object. |
2024-02-28 | - Added mapping of "protoPayload.request.metadata.resourceVersion" raw log field.
- Change mapping of "protoPayload.metadata.projectMetadataDelta" and "protoPayload.request.action" raw log field. |
2024-01-31 | - Added additional field mapping for "GroupsService.UpdateGroup" MethodName.
|
2024-01-17 | - Added mapping of "protoPayload.metadata.datasetChange.bindingDeltas" raw log field block.
- Added additional field mapping of "io.k8s.certificates.v1.certificatesigningrequest", "UpdateCryptoKeyVersion", "google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy", "UpdateEventThreatDetectionSettings", "SetIamPolicy" and "beta.compute.images.setIamPolicy" MethodName. - Removed duplicate mapping of "security_result.action" UDM field. |
2023-12-13 | - Changed mapping of "target.application" UDM field for Kubernetes Engine events.
|
2023-11-29 | - Added mapping of "securityContext.capabilities.add", "securityContext.seccompProfile.type" and "spec.Containers.shareProcessNamespace" raw log fields.
- Added mapping of "membershipDelta" raw log block. - Added support of "SelfSubjectAccessReviews" MethodName. - Added mappings of the raw log fields which were mapped to the deprecated field "noun.labels". |
2023-11-09 | - Added mapping of "request.roleRef.name" log field.
- Added support for the "clusterroles.create" MethodName. - Added support for the "daemonsets.create" MethodName. - Align 'principal/target.hostname' and 'principal/target.asset.hostname' mapping. |
2023-10-18 | - Added mapping of "labels.imagepolicywebhook.image-policy.k8s.io/dry-run" log field.
|
2023-08-28 | - Updated "metadata.event_type" for "DisableServiceAccount" and "EnableServiceAccount" MethodName.
|
2023-07-26 | - Updated "metadata.event_type" for "v1.compute.disks.insert" MethodName.
- Updated mapping of "protoPayload.status.code" log field. |
2023-07-12 | Added support for the "io.k8s.batch.v1.jobs.create" MethodName. |
2023-06-14 | Updated the parser to include "parse_network_http_user_agent" to use "Parsed User Agent" and "User Agent". |
2023-05-02 | Added mapping for "protoPayload.request.action" log field of methodName "v1.compute.securityPolicies.patchRule" and set value of "security_result.action" UDM field based on the "protoPayload.request.action" log field. |
2023-04-12 | Promoted GCP_CLOUDAUDIT parser to default. For the field mapping reference, see https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-audit-logs#field-mapping. |