Change log for GCP_SECURITYCENTER_THREAT
| Date | Changes |
|---|---|
| 2024-11-25 | Mapped the "access.callerIp" raw log field to the "additional.fields" UDM field when "access.callerIp" has the value "gce-internal-ip". |
| 2024-11-21 | Added support for the v2 version of the SCC API. The following fields are included as part of the update:<br>- resource.gcpMetadata.project<br>- resource.gcpMetadata.projectDisplayName<br>- resource.gcpMetadata.parent<br>- resource.gcpMetadata.parentDisplayName<br>- resource.gcpMetadata.folders.resourceFolder<br>- resource.gcpMetadata.folders.resourceFolderDisplayName<br>- resource.gcpMetadata.organization |
| 2024-10-08 | Mapped the "access.principalEmail" raw log field to the "principal.user.userid" UDM field when "access.principalEmail" contains a non-email value. |
| 2024-08-13 | Added mappings for the "finding.access.userAgent" raw log field. |
| 2024-04-24 | Added support for mapping values to the "principal.hostname" UDM field. |
| 2024-03-20 | Added support for the following categories:<br>- "Configurable Bad IP"<br>- "Unexpected Compute Engine instance type"<br>- "Unexpected Compute Engine source image"<br>- "Unexpected Compute Engine region"<br>- "Custom role with prohibited permission"<br>- "Unexpected Cloud API Call" |
| 2024-02-28 | Added support for additional findings. |
| 2024-02-14 | Added support for the following categories:<br>- Defense Evasion: Unexpected ftrace handler<br>- Defense Evasion: Unexpected interrupt handler<br>- Defense Evasion: Unexpected kernel code modification<br>- Defense Evasion: Unexpected kernel modules<br>- Defense Evasion: Unexpected kernel read-only data modification<br>- Defense Evasion: Unexpected kprobe handler |
| 2024-01-31 | Added support for the "Initial Access: Dormant Service Account Key Created", "Unexpected Child Shell" and "Process Tree" categories. |
| 2024-01-03 | Added logic to merge multiple "security_result" blocks into one. |
| 2023-12-13 | Changed the mapping of the "security_result.action" UDM field. |
| 2023-11-29 | Aligned the "principal/target.hostname" and "principal/target.asset.hostname" mappings. |
| 2023-08-23 | Extracted "projectName" from the "resourceName" log field. |
| 2023-07-26 | Updated the mapping of the "canonicalName" log field. |
| 2023-07-09 | Fixed the principal_user_emailaddresses mapping. |
| 2023-06-28 | Added support for the "account_has_leaked_credentials" category. |
| 2023-06-14 | 1. Updated the parser to include "parse_network_http_user_agent" to use "Parsed User Agent" and "User Agent".<br>2. Added support for the following categories:<br>- Defense Evasion: Unexpected ftrace handler<br>- Defense Evasion: Unexpected interrupt handler<br>- Defense Evasion: Unexpected kernel code modification<br>- Defense Evasion: Unexpected kernel modules<br>- Defense Evasion: Unexpected kernel read-only data modification<br>- Defense Evasion: Unexpected kprobe handler<br>- Defense Evasion: Unexpected processes in runqueue<br>- Defense Evasion: Unexpected system call handler<br>- Reverse Shell |
| 2023-05-31 | Added support for the "Application DDoS Attack Attempt" category. |
| 2023-05-17 | 1. Added support for the "Initial Access: Excessive Permission Denied Actions" category.<br>2. Handled the UDM event type validation error. |
| 2023-05-02 | Created a valid URL for the "security_result.url_back_to_product" field. |
| 2023-05-01 | Added additional mappings for deprecated labels. |
| 2023-04-12 | Promoted the GCP_SECURITYCENTER_THREAT parser to default. For the field mapping reference, see: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-security-command-center-findings#field-mapping. |