Change log for GCP_SECURITYCENTER_THREAT

Date Changes
2024-11-25 Mapped the "access.callerIp" raw log field to the "additional.fields" UDM field when its value is the literal "gce-internal-ip" (which is not an IP address).
2024-11-21 - Added support for the v2 version of the SCC API; the following fields are included as part of the update:
- resource.gcpMetadata.project
- resource.gcpMetadata.projectDisplayName
- resource.gcpMetadata.parent
- resource.gcpMetadata.parentDisplayName
- resource.gcpMetadata.folders.resourceFolder
- resource.gcpMetadata.folders.resourceFolderDisplayName
- resource.gcpMetadata.organization
2024-10-08 Mapped the "access.principalEmail" raw log field to "principal.user.userid" UDM field if there is a non-email value in the "access.principalEmail" raw log field.
2024-08-13 Added mappings for the "finding.access.userAgent" raw log field.
2024-04-24 - Added support for mapping values to the "principal.hostname" UDM field.
2024-03-20 - Added support for the following categories:
- "Configurable Bad IP"
- "Unexpected Compute Engine instance type"
- "Unexpected Compute Engine source image"
- "Unexpected Compute Engine region"
- "Custom role with prohibited permission"
- "Unexpected Cloud API Call"
2024-02-28 - Added support for additional findings.
2024-02-14 1. Added support for the following categories:
- Defense Evasion: Unexpected ftrace handler
- Defense Evasion: Unexpected interrupt handler
- Defense Evasion: Unexpected kernel code modification
- Defense Evasion: Unexpected kernel modules
- Defense Evasion: Unexpected kernel read-only data modification
- Defense Evasion: Unexpected kprobe handler
2024-01-31 - Added support for "Initial Access: Dormant Service Account Key Created", "Unexpected Child Shell" and "Process Tree" categories.
2024-01-03 - Added logic to merge multiple "security_result" blocks into one.
2023-12-13 - Changed the mapping of "security_result.action" UDM field.
2023-11-29 - Aligned "principal/target.hostname" and "principal/target.asset.hostname" mapping.
2023-08-23 Extracted "projectName" from the "resourceName" log field.
2023-07-26 Updated mapping of the "canonicalName" log field.
2023-07-09 Fixed principal_user_emailaddresses mapping.
2023-06-28 Added support for category "account_has_leaked_credentials".
2023-06-14 1. Updated the parser to include the "parse_network_http_user_agent" logic, which uses the "Parsed User Agent" and "User Agent" fields.
2. Added support for the following categories:
- Defense Evasion: Unexpected ftrace handler
- Defense Evasion: Unexpected interrupt handler
- Defense Evasion: Unexpected kernel code modification
- Defense Evasion: Unexpected kernel modules
- Defense Evasion: Unexpected kernel read-only data modification
- Defense Evasion: Unexpected kprobe handler
- Defense Evasion: Unexpected processes in runqueue
- Defense Evasion: Unexpected system call handler
- Reverse Shell
2023-05-31 Added support for category "Application DDoS Attack Attempt".
2023-05-17 1. Added support for category "Initial Access: Excessive Permission Denied Actions".
2. Handled a UDM event type validation error.
2023-05-02 Created a valid url for the "security_result.url_back_to_product" field.
2023-05-01 Added additional mappings for deprecated labels.
2023-04-12 Promoted GCP_SECURITYCENTER_THREAT parser to default.
For the field mapping reference, see: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-security-command-center-findings#field-mapping.
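The per-field rules recorded in the entries above (the 2024-11-25 "access.callerIp" change, the 2024-10-08 "access.principalEmail" change and the 2023-08-23 "projectName" extraction) as a small Python model, added here so the expected behaviour can be checked against sample findings. This is not the parser itself, which is a Chronicle parser configuration; the sample findings are constructed, and the e-mail test, the `principal.ip` destination for real addresses and the `projectName` output key are assumptions made for the example, not taken from the field-mapping reference.

```python
import re
from typing import Dict, List, Optional

# Loose e-mail test used to decide "non-email" (assumption; the parser's own test may differ).
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Project segment of a full resource name such as //compute.googleapis.com/projects/<id>/zones/...
_PROJECT_RE = re.compile(r"(?:^|/)projects/([^/]+)")

# Constructed SCC finding fragments (not real findings) used as sample input.
SAMPLE_FINDINGS: List[Dict] = [
    {
        "category": "Unexpected Cloud API Call",
        "resourceName": "//cloudresourcemanager.googleapis.com/projects/example-project-1",
        "access": {"principalEmail": "alice@example.com", "callerIp": "203.0.113.10"},
    },
    {
        "category": "Reverse Shell",
        "resourceName": "//compute.googleapis.com/projects/example-project-2/zones/us-central1-a/instances/vm-1",
        # Internal GCE caller: SCC reports the literal string, not an address.
        "access": {"principalEmail": "projects/-/serviceAccounts/123456789", "callerIp": "gce-internal-ip"},
    },
]


def map_principal_user(access: Dict) -> Dict:
    """2024-10-08 rule: an e-mail goes to principal.user.email_addresses,
    anything else (a non-email principal identifier) goes to principal.user.userid."""
    value = access.get("principalEmail")
    if not value:
        return {}
    if _EMAIL_RE.match(value):
        return {"principal.user.email_addresses": [value]}
    return {"principal.user.userid": value}


def map_caller_ip(access: Dict) -> Dict:
    """2024-11-25 rule: "gce-internal-ip" is not an IP and must not land in an IP-typed
    UDM field, so it is kept as a label in additional.fields instead."""
    value = access.get("callerIp")
    if not value:
        return {}
    if value == "gce-internal-ip":
        return {"additional.fields": {"callerIp": value}}
    return {"principal.ip": [value]}  # assumed destination for genuine addresses


def extract_project_name(resource_name: str) -> Optional[str]:
    """2023-08-23 rule: pull the project identifier out of resourceName; None if absent."""
    match = _PROJECT_RE.search(resource_name or "")
    return match.group(1) if match else None


def to_udm(finding: Dict) -> Dict:
    """Apply the three rules to one finding and return the resulting UDM-style fields."""
    access = finding.get("access", {})
    udm: Dict = {}
    udm.update(map_principal_user(access))
    udm.update(map_caller_ip(access))
    project = extract_project_name(finding.get("resourceName", ""))
    if project:
        udm["projectName"] = project  # placeholder key; see the field-mapping reference for the real one
    return udm


if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print(finding["category"], "->", to_udm(finding))
```

Running the block prints the mapped fields for both constructed findings; the second one shows the "gce-internal-ip" value routed to `additional.fields` and the non-email principal routed to `principal.user.userid`, which is the behaviour to confirm in your own instance after these parser updates.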