Custom Parser for GCP Audit Logs

Forum|Forum|1 year ago
December 7, 2024
2 replies
80 views

+2

kkxajkdfjndw
New Member

I'm trying to create a custom parser for events that contain the "callerIsGceClient": true

For all events that contain it I want it to be a part of the UDM.

Any advice on how I can create a custom parser for this? The custom parser language doesn't seem intuitive nor does the docs.

Event example:

{

"protoPayload": {

"@type": "type.googleapis.com/google.cloud.audit.AuditLog",

"status": {

"code": 7

},

"authenticationInfo": {

"principalEmail": "111111-compute@developer.gserviceaccount.com"

},

"requestMetadata": {

"callerIp": "35.211.1.1",

"callerSuppliedUserAgent": "apitools Python/3.11.9 gsutil/5.31 (linux) analytics/disabled interactive/False command/ls google-cloud-sdk/502.0.0,gzip(gfe)",

"callerIsGceClient": true,

"requestAttributes": {

+10

mikewilusz
Staff
Forum|Forum|1 year ago
December 9, 2024

You'll want to use a parser extension for this, which will allow you to extend the existing parser and pull out the fields you're interested in. I had to do something similar recently, so you can use my extension as a reference. Just choose the field you want and map it to the appropriate UDM field: https://github.com/pilot006/google-secops-parser-extension-gcp-artifact-registry

-mike

Like

K

+2

kkxajkdfjndw
Author
New Member
Forum|Forum|1 year ago
December 9, 2024

You'll want to use a parser extension for this, which will allow you to extend the existing parser and pull out the fields you're interested in. I had to do something similar recently, so you can use my extension as a reference. Just choose the field you want and map it to the appropriate UDM field: https://github.com/pilot006/google-secops-parser-extension-gcp-artifact-registry

-mike

Internal State (label=):

{
  "@createTimestamp": {
    "nanos": 0,
    "seconds": 1733753381
  },
  "@enableCbnForLoop": true,
  "@onErrorCount": 0,
  "@output": [],
  "@timezone": "",
  "event": {
    "idm": {
      "read_only_udm": {
        "extensions": {
          "isGceClient": {
            "value": "protoPayload.requestMetadata.callerIsGceClient"
          }
        }
      }
    }
  },
  "insertId": "gzj9ule4iqxi",
  "logName": "projects/rm-threat-detection-sandbox/logs/cloudaudit.googleapis.com%2Fdata_access",
  "message": "{\\"protoPayload\\":{\\"@type\\":\\"type.googleapis.com/google.cloud.audit.AuditLog\\",\\"status\\":{\\"code\\":7},\\"authenticationInfo\\":{\\"principalEmail\\":\\"119897644061-compute@developer.gserviceaccount.com\\"},\\"requestMetadata\\":{\\"callerIp\\":\\"34.82.161.136\\",\\"callerSuppliedUserAgent\\":\\"apitools Python/3.11.9 gsutil/5.31 (linux) analytics/disabled interactive/False command/cp google-cloud-sdk/502.0.0,gzip(gfe)\\",\\"callerIsGceClient\\":true,\\"requestAttributes\\":{\\"time\\":\\"2024-12-09T07:49:41.770704032Z\\",\\"auth\\":{}},\\"destinationAttributes\\":{},\\"callerLocation\\":\\"us-west1\\"},\\"serviceName\\":\\"storage.googleapis.com\\",\\"methodName\\":\\"storage.objects.get\\",\\"authorizationInfo\\":[{\\"resource\\":\\"projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz\\",\\"permission\\":\\"storage.objects.get\\",\\"resourceAttributes\\":{}}],\\"resourceName\\":\\"projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz\\",\\"resourceLocation\\":{\\"currentLocations\\":[\\"us\\"]}},\\"insertId\\":\\"gzj9ule4iqxi\\",\\"resource\\":{\\"type\\":\\"gcs_bucket\\",\\"labels\\":{\\"location\\":\\"us\\",\\"project_id\\":\\"rm-threat-detection-sandbox\\",\\"bucket_name\\":\\"rm-threat-detection-sandbox_cloudbuild\\"}},\\"timestamp\\":\\"2024-12-09T07:49:41.762672213Z\\",\\"severity\\":\\"ERROR\\",\\"logName\\":\\"projects/rm-threat-detection-sandbox/logs/cloudaudit.googleapis.com%2Fdata_access\\",\\"receiveTimestamp\\":\\"2024-12-09T07:49:42.615926474Z\\"}",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "119897644061-compute@developer.gserviceaccount.com"
    },
    "authorizationInfo": [
      {
        "permission": "storage.objects.get",
        "resource": "projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz",
        "resourceAttributes": {}
      }
    ],
    "methodName": "storage.objects.get",
    "requestMetadata": {
      "callerIp": "34.82.161.136",
      "callerIsGceClient": true,
      "callerLocation": "us-west1",
      "callerSuppliedUserAgent": "apitools Python/3.11.9 gsutil/5.31 (linux) analytics/disabled interactive/False command/cp google-cloud-sdk/502.0.0,gzip(gfe)",
      "requestAttributes": {
        "time": "2024-12-09T07:49:41.770704032Z"
      }
    },
    "resourceLocation": {
      "currentLocations": [
        "us"
      ]
    },
    "resourceName": "projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz",
    "serviceName": "storage.googleapis.com",
    "status": {
      "code": 7
    }
  },
  "receiveTimestamp": "2024-12-09T07:49:42.615926474Z",
  "resource": {
    "labels": {
      "bucket_name": "rm-threat-detection-sandbox_cloudbuild",
      "location": "us",
      "project_id": "rm-threat-detection-sandbox"
    },
    "type": "gcs_bucket"
  },
  "severity": "ERROR",
  "timestamp": "2024-12-09T07:49:41.762672213Z"
}

filter {

mutate {

replace => {

"protoPayload.requestMetadata.callerIsGceClient" => ""

}

json {

source => "message"

}

if [protoPayload][requestMetadata][callerIsGceClient] != "" {

mutate {

replace => {

"event.idm.read_only_udm.extensions.isGceClient.value" => "protoPayload.requestMetadata.callerIsGceClient"

}

mutate {

append => {

"@output" => "event"

}

statedump{}

}

Seems to directly interpret the field I am passing.

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded