Change log for GCP_CLOUDAUDIT

Date Changes
2024-12-16 - Added mapping for the raw log fields "protoPayload.request.serialConsoleOptions", "protoPayload.request.username" and "protoPayload.response.duration"
2024-10-15 - Added mapping for these fields: "protoPayload.metadata.jobInsertion.reason", "protoPayload.metadata.jobInsertion.job.jobConfig.queryConfig.statementType" and "protoPayload.metadata.jobInsertion.job.jobStatus.jobState"
- Added support for the raw log fields "protoPayload.response.state" and "protoPayload.request.metadata.state".
2024-10-11 - Added support for the raw log fields under "protoPayload.metadata.jobChange" and "protoPayload.metadata.jobInsertion" objects.
2024-10-01 - Set "metadata.event_type" UDM field as "USER_LOGIN" if the value of "protoPayload.request.cmd" raw field is "connect".
2024-09-17 - Updated mapping of metadata.event_type UDM field.
2024-09-13 - Updated the GCP_CLOUDAUDIT Gold parser to update mandatory UDM field for event_type "USER_UNCATEGORIZED".
2024-09-03 - Added mapping for "protoPayload.request.spec.template.spec.shareProcessNamespace" log field.
- Added mapping for "protoPayload.response.spec.type" log field.
- Updated the logic of "target.resource.resource_type" UDM field.
- Extracted and mapped organization ids.
- Added mapping for "protoPayload.metadata.event.parameter.boolValue" log field.
- Added mapping for "protoPayload.response.vulnerability.shortDescription", "protoPayload.response.vulnerability.effectiveSeverity" and "protoPayload.response.resourceUri" log fields.
2024-08-30 - Added mapping for protoPayload.request.permissions raw log field.
2024-08-14 - Added mapping for protoPayload.response.roleRef.name raw log field.
- Added mapping for protoPayload.authorizationInfo.permissionType raw log field.
- Set the security_result.action as BLOCK for every error blob.
- Added mapping for protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys raw log field.
- Added mapping for protoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail raw log field.
2024-07-19 - Updated mapping for "security_result.action" based on the "protoPayload.response.status" log field.
- Added mapping for "protoPayload.response.reason" log field.
- Updated mapping for "protoPayload.response.code" log field.
- Removed mapping of "protoPayload.metadata.event" raw log field from "target.resource_ancestors".
- Updated mapping for "metadata.description" based on the "protoPayload.status.message" log field.
- Updated mapping for "protoPayload.request.policy.bindings.members" raw log field.
2024-07-03 - Mapped "protoPayload.response.bindings" to "additional.fields".
- Mapped "protoPayload.request.bindings" to "additional.fields".
2024-06-20 - Added mappings for the following fields:
- "protoPayload.request.projection"
- "protoPayload.response.items.metageneration"
- "protoPayload.response.items.labels.created_date"
- "protoPayload.response.items.labels.team_email"
- "protoPayload.response.items.labels.team_name"
- "protoPayload.response.items.labels.office_number"
- "protoPayload.response.items.labels.department"
- "protoPayload.response.items.labels.business_project_number"
- "protoPayload.response.items.labels.owner_email"
- "protoPayload.response.items.labels.purchase_order_number"
- "protoPayload.response.items.labels.office_name"
- "protoPayload.response.items.labels.environment"
- "protoPayload.response.items.labels.created_by"
- "protoPayload.response.items.labels.project_name"
- "protoPayload.response.items.labels.finops_tag"
- "protoPayload.response.items.labels.owner_role"
- "protoPayload.response.items.versioning.enabled"
- "protoPayload.response.items.iamConfiguration.publicAccessPrevention"
- "protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.lockedTime"
- "protoPayload.response.items.iamConfiguration.uniformBucketLevelAccess.enabled"
- "protoPayload.response.items.id"
- "protoPayload.response.items.updated"
- "protoPayload.response.items.storageClass"
- "protoPayload.response.items.timeCreated"
- "protoPayload.response.items.location"
- "protoPayload.response.items.locationType"
- "protoPayload.response.items.projectNumber"
- "protoPayload.response.items.name"
- "protoPayload.response.items.softDeletePolicy.effectiveTime"
- "protoPayload.response.items.softDeletePolicy.retentionDurationSeconds"
- "protoPayload.response.items.etag"
2024-06-19 - Added mappings for the following raw log fields: "protoPayload.response.displayName", "protoPayload.request.referenceList.displayName".
- Extracted values from the following raw log fields: "protoPayload.authenticationInfo.principalSubject", "protoPayload.resourceName".
2024-05-29 - Removed mapping of the "protoPayload.authenticationInfo.principalEmail" raw log field from the "target.user.userid" UDM field.
- Updated the Grok pattern to support multiple values of the "protoPayload.metadata.membershipDelta.member" raw log field.
- Added mappings of the "protoPayload.metadata.updatedGrant.state", "protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resource", "protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.resourceType", "protoPayload.metadata.updatedGrant.privilegedAccess.gcpIamAccess.roleBindings.role", "protoPayload.metadata.updatedGrant.justification.unstructuredJustification", "protoPayload.metadata.updatedGrant.requestedDuration", "protoPayload.metadata.updatedGrant.requester", "protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_report_id", "protoPayload.metadata.jobInsertion.job.jobConfig.labels.requestor" and "protoPayload.metadata.jobInsertion.job.jobConfig.labels.looker_studio_datasource_id" raw log fields.
2024-05-22 - Added mappings for the following fields: "protoPayload.metadata.tableChange.table.policy.bindings.members", "protoPayload.metadata.datasetChange.dataset.acl.policy.bindings.members", "protoPayload.request.bindings.members" and "protoPayload.metadata.tableChange.bindingDeltas.member".
2024-05-15 - Added mapping for fields: "protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_report_id", "protoPayload.metadata.jobChange.job.jobConfig.labels.requestor" and "protoPayload.metadata.jobChange.job.jobConfig.labels.looker_studio_datasource_id".
2024-05-01 - Added a mapping for the "protoPayload.response.serviceConfig.timeoutSeconds" raw log field.
2024-04-24 - Added mapping for fields: "protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.requestor", "protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_datasource_id", "protoPayload.serviceData.jobCompletedEvent.job.jobConfiguration.labels.looker_studio_report_id" and "protoPayload.metadata.jobChange.job.jobConfig.queryConfig.query".
- Added support for "protoPayload.response.overrideValue" and "protoPayload.request.override.overrideValue" log fields.
2024-04-17 - Added mapping for "protoPayload.request.timestampRange", "protoPayload.request.regexSearch", "protoPayload.request.productSources", "protoPayload.request.query" and "protoPayload.request.caseSensitive" raw log fields.
2024-03-27 - Handled the jumpcloud function audit logs in the parser.
2024-03-06 - Added mapping of "protoPayload.request.New Data" and "protoPayload.request.Original Data" raw log fields.
- Added mapping for fields of "protoPayload.request.service.metadata.annotations" and "protoPayload.request.service.spec.template.metadata.annotations" object.
- Added mapping for fields of "protoPayload.response.spec.template" object.
2024-02-28 - Added mapping of "protoPayload.request.metadata.resourceVersion" raw log field.
- Changed mapping of "protoPayload.metadata.projectMetadataDelta" and "protoPayload.request.action" raw log fields.
2024-01-31 - Added additional field mapping for "GroupsService.UpdateGroup" MethodName.
2024-01-17 - Added mapping of "protoPayload.metadata.datasetChange.bindingDeltas" raw log field block.
- Added additional field mapping of "io.k8s.certificates.v1.certificatesigningrequest", "UpdateCryptoKeyVersion", "google.cloud.orgpolicy.v2.OrgPolicy.DeletePolicy", "UpdateEventThreatDetectionSettings", "SetIamPolicy" and "beta.compute.images.setIamPolicy" MethodName.
- Removed duplicate mapping of "security_result.action" UDM field.
2023-12-13 - Changed mapping of "target.application" UDM field for Kubernetes Engine events.
2023-11-29 - Added mapping of "securityContext.capabilities.add", "securityContext.seccompProfile.type" and "spec.Containers.shareProcessNamespace" raw log fields.
- Added mapping of "membershipDelta" raw log block.
- Added support of "SelfSubjectAccessReviews" MethodName.
- Added mappings for the raw log fields that were previously mapped to the deprecated field "noun.labels".
2023-11-09 - Added mapping of "request.roleRef.name" log field.
- Added support for the "clusterroles.create" MethodName.
- Added support for the "daemonsets.create" MethodName.
- Aligned "principal/target.hostname" and "principal/target.asset.hostname" mapping.
2023-10-18 - Added mapping of "labels.imagepolicywebhook.image-policy.k8s.io/dry-run" log field.
2023-08-28 - Updated "metadata.event_type" for "DisableServiceAccount" and "EnableServiceAccount" MethodName.
2023-07-26 - Updated "metadata.event_type" for "v1.compute.disks.insert" MethodName.
- Updated mapping of "protoPayload.status.code" log field.
2023-07-12 - Added support for the "io.k8s.batch.v1.jobs.create" MethodName.
2023-06-14 - Updated the parser to include "parse_network_http_user_agent" to use "Parsed User Agent" and "User Agent".
2023-05-02 - Added mapping for "protoPayload.request.action" log field of methodName "v1.compute.securityPolicies.patchRule" and set value of "security_result.action" UDM field based on the "protoPayload.request.action" log field.
2023-04-12 - Promoted GCP_CLOUDAUDIT parser to default.
For the field mapping reference, see https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-audit-logs#field-mapping.