
I'm trying to create a custom parser for events that contain `"callerIsGceClient": true`.

For all events that contain it, I want that field to be part of the UDM output.

Any advice on how I can create a custom parser for this? The custom parser language doesn't seem intuitive, and neither do the docs.

Event example:

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {
"code": 7
},
"authenticationInfo": {
"principalEmail": "111111-compute@developer.gserviceaccount.com"
},
"requestMetadata": {
"callerIp": "35.211.1.1",
"callerSuppliedUserAgent": "apitools Python/3.11.9 gsutil/5.31 (linux) analytics/disabled interactive/False command/ls google-cloud-sdk/502.0.0,gzip(gfe)",
"callerIsGceClient": true,
"requestAttributes": {

You'll want to use a parser extension for this, which will allow you to extend the existing parser and pull out the fields you're interested in. I had to do something similar recently, so you can use my extension as a reference. Just choose the field you want and map it to the appropriate UDM field: https://github.com/pilot006/google-secops-parser-extension-gcp-artifact-registry

-mike


You'll want to use a parser extension for this, which will allow you to extend the existing parser and pull out the fields you're interested in. I had to do something similar recently, so you can use my extension as a reference. Just choose the field you want and map it to the appropriate UDM field: https://github.com/pilot006/google-secops-parser-extension-gcp-artifact-registry

-mike


Internal State (label=):

{
  "@createTimestamp": {
    "nanos": 0,
    "seconds": 1733753381
  },
  "@enableCbnForLoop": true,
  "@onErrorCount": 0,
  "@output": [],
  "@timezone": "",
  "event": {
    "idm": {
      "read_only_udm": {
        "extensions": {
          "isGceClient": {
            "value": "protoPayload.requestMetadata.callerIsGceClient"
          }
        }
      }
    }
  },
  "insertId": "gzj9ule4iqxi",
  "logName": "projects/rm-threat-detection-sandbox/logs/cloudaudit.googleapis.com%2Fdata_access",
  "message": "{\\"protoPayload\\":{\\"@type\\":\\"type.googleapis.com/google.cloud.audit.AuditLog\\",\\"status\\":{\\"code\\":7},\\"authenticationInfo\\":{\\"principalEmail\\":\\"119897644061-compute@developer.gserviceaccount.com\\"},\\"requestMetadata\\":{\\"callerIp\\":\\"34.82.161.136\\",\\"callerSuppliedUserAgent\\":\\"apitools Python/3.11.9 gsutil/5.31 (linux) analytics/disabled interactive/False command/cp google-cloud-sdk/502.0.0,gzip(gfe)\\",\\"callerIsGceClient\\":true,\\"requestAttributes\\":{\\"time\\":\\"2024-12-09T07:49:41.770704032Z\\",\\"auth\\":{}},\\"destinationAttributes\\":{},\\"callerLocation\\":\\"us-west1\\"},\\"serviceName\\":\\"storage.googleapis.com\\",\\"methodName\\":\\"storage.objects.get\\",\\"authorizationInfo\\":[{\\"resource\\":\\"projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz\\",\\"permission\\":\\"storage.objects.get\\",\\"resourceAttributes\\":{}}],\\"resourceName\\":\\"projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz\\",\\"resourceLocation\\":{\\"currentLocations\\":[\\"us\\"]}},\\"insertId\\":\\"gzj9ule4iqxi\\",\\"resource\\":{\\"type\\":\\"gcs_bucket\\",\\"labels\\":{\\"location\\":\\"us\\",\\"project_id\\":\\"rm-threat-detection-sandbox\\",\\"bucket_name\\":\\"rm-threat-detection-sandbox_cloudbuild\\"}},\\"timestamp\\":\\"2024-12-09T07:49:41.762672213Z\\",\\"severity\\":\\"ERROR\\",\\"logName\\":\\"projects/rm-threat-detection-sandbox/logs/cloudaudit.googleapis.com%2Fdata_access\\",\\"receiveTimestamp\\":\\"2024-12-09T07:49:42.615926474Z\\"}",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "119897644061-compute@developer.gserviceaccount.com"
    },
    "authorizationInfo": [
      {
        "permission": "storage.objects.get",
        "resource": "projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz",
        "resourceAttributes": {}
      }
    ],
    "methodName": "storage.objects.get",
    "requestMetadata": {
      "callerIp": "34.82.161.136",
      "callerIsGceClient": true,
      "callerLocation": "us-west1",
      "callerSuppliedUserAgent": "apitools Python/3.11.9 gsutil/5.31 (linux) analytics/disabled interactive/False command/cp google-cloud-sdk/502.0.0,gzip(gfe)",
      "requestAttributes": {
        "time": "2024-12-09T07:49:41.770704032Z"
      }
    },
    "resourceLocation": {
      "currentLocations": [
        "us"
      ]
    },
    "resourceName": "projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz",
    "serviceName": "storage.googleapis.com",
    "status": {
      "code": 7
    }
  },
  "receiveTimestamp": "2024-12-09T07:49:42.615926474Z",
  "resource": {
    "labels": {
      "bucket_name": "rm-threat-detection-sandbox_cloudbuild",
      "location": "us",
      "project_id": "rm-threat-detection-sandbox"
    },
    "type": "gcs_bucket"
  },
  "severity": "ERROR",
  "timestamp": "2024-12-09T07:49:41.762672213Z"
}

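filter {

  # Pre-create the source field so the conditional further down can always
  # reference it, even when the raw message does not carry callerIsGceClient.
  mutate {
    replace => {
      "protoPayload.requestMetadata.callerIsGceClient" => ""
    }
  }

  # Parse the raw JSON log line (the "message" field) into event fields.
  # NOTE(review): a malformed/non-JSON message will fail here; consider an
  # on_error handler so such events are handled explicitly rather than
  # aborting the whole extension — confirm the desired behaviour.
  json {
    source => "message"
  }

  # Only populate the UDM field when callerIsGceClient was actually present.
  # In the raw event it is a JSON boolean (true/false), so after parsing it
  # is non-empty whenever the key exists.
  if [protoPayload][requestMetadata][callerIsGceClient] != "" {
    # %{...} dereferences the parsed field value. A bare string on the
    # right-hand side is stored verbatim, which is why the state dump showed
    # the literal path "protoPayload.requestMetadata.callerIsGceClient"
    # instead of "true".
    # NOTE(review): extensions.isGceClient is not an obvious standard UDM
    # path — confirm it exists in the UDM schema, otherwise the event may be
    # rejected at validation and should be mapped to a supported field.
    mutate {
      replace => {
        "event.idm.read_only_udm.extensions.isGceClient.value" => "%{protoPayload.requestMetadata.callerIsGceClient}"
      }
    }
  }

  # Emit the assembled UDM event.
  mutate {
    append => {
      "@output" => "event"
    }
  }
  # Debug aid: dumps the internal state (as shown above); remove once the
  # mapping is verified.
  statedump{}

}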


It seems to take the field path I am passing as a literal string value rather than resolving the field.