
I'm trying to create a custom parser for events that contain the "callerIsGceClient": true field.

For all events that contain it I want it to be a part of the UDM.

Any advice on how I can create a custom parser for this? The custom parser language doesn't seem intuitive nor does the docs.

Event example:

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
      "code": 7
    },
    "authenticationInfo": {
      "principalEmail": "111111-compute@developer.gserviceaccount.com"
    },
    "requestMetadata": {
      "callerIp": "35.211.1.1",
      "callerSuppliedUserAgent": "apitools Python/3.11.9 gsutil/5.31 (linux) analytics/disabled interactive/False command/ls google-cloud-sdk/502.0.0,gzip(gfe)",
      "callerIsGceClient": true,
      "requestAttributes": {

You'll want to use a parser extension for this, which will allow you to extend the existing parser and pull out the fields you're interested in. I had to do something similar recently, so you can use my extension as a reference. Just choose the field you want and map it to the appropriate UDM field: https://github.com/pilot006/google-secops-parser-extension-gcp-artifact-registry


-mike



Internal State (label=):

{
  "@createTimestamp": {
    "nanos": 0,
    "seconds": 1733753381
  },
  "@enableCbnForLoop": true,
  "@onErrorCount": 0,
  "@output": [],
  "@timezone": "",
  "event": {
    "idm": {
      "read_only_udm": {
        "extensions": {
          "isGceClient": {
            "value": "protoPayload.requestMetadata.callerIsGceClient"
          }
        }
      }
    }
  },
  "insertId": "gzj9ule4iqxi",
  "logName": "projects/rm-threat-detection-sandbox/logs/cloudaudit.googleapis.com%2Fdata_access",
  "message": "{\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"status\":{\"code\":7},\"authenticationInfo\":{\"principalEmail\":\"119897644061-compute@developer.gserviceaccount.com\"},\"requestMetadata\":{\"callerIp\":\"34.82.161.136\",\"callerSuppliedUserAgent\":\"apitools Python/3.11.9 gsutil/5.31 (linux) analytics/disabled interactive/False command/cp google-cloud-sdk/502.0.0,gzip(gfe)\",\"callerIsGceClient\":true,\"requestAttributes\":{\"time\":\"2024-12-09T07:49:41.770704032Z\",\"auth\":{}},\"destinationAttributes\":{},\"callerLocation\":\"us-west1\"},\"serviceName\":\"storage.googleapis.com\",\"methodName\":\"storage.objects.get\",\"authorizationInfo\":[{\"resource\":\"projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz\",\"permission\":\"storage.objects.get\",\"resourceAttributes\":{}}],\"resourceName\":\"projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz\",\"resourceLocation\":{\"currentLocations\":[\"us\"]}},\"insertId\":\"gzj9ule4iqxi\",\"resource\":{\"type\":\"gcs_bucket\",\"labels\":{\"location\":\"us\",\"project_id\":\"rm-threat-detection-sandbox\",\"bucket_name\":\"rm-threat-detection-sandbox_cloudbuild\"}},\"timestamp\":\"2024-12-09T07:49:41.762672213Z\",\"severity\":\"ERROR\",\"logName\":\"projects/rm-threat-detection-sandbox/logs/cloudaudit.googleapis.com%2Fdata_access\",\"receiveTimestamp\":\"2024-12-09T07:49:42.615926474Z\"}",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "119897644061-compute@developer.gserviceaccount.com"
    },
    "authorizationInfo": [
      {
        "permission": "storage.objects.get",
        "resource": "projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz",
        "resourceAttributes": {}
      }
    ],
    "methodName": "storage.objects.get",
    "requestMetadata": {
      "callerIp": "34.82.161.136",
      "callerIsGceClient": true,
      "callerLocation": "us-west1",
      "callerSuppliedUserAgent": "apitools Python/3.11.9 gsutil/5.31 (linux) analytics/disabled interactive/False command/cp google-cloud-sdk/502.0.0,gzip(gfe)",
      "requestAttributes": {
        "time": "2024-12-09T07:49:41.770704032Z"
      }
    },
    "resourceLocation": {
      "currentLocations": [
        "us"
      ]
    },
    "resourceName": "projects/_/buckets/rm-threat-detection-sandbox_cloudbuild/objects/source/1733730572.727364-591aa3337c05473eb63805ba07062f30.tgz",
    "serviceName": "storage.googleapis.com",
    "status": {
      "code": 7
    }
  },
  "receiveTimestamp": "2024-12-09T07:49:42.615926474Z",
  "resource": {
    "labels": {
      "bucket_name": "rm-threat-detection-sandbox_cloudbuild",
      "location": "us",
      "project_id": "rm-threat-detection-sandbox"
    },
    "type": "gcs_bucket"
  },
  "severity": "ERROR",
  "timestamp": "2024-12-09T07:49:41.762672213Z"
}

filter {

  # Initialise the field so the conditional below does not error on events
  # that lack it; the json filter overwrites it whenever the field is present.
  mutate {
    replace => {
      "protoPayload.requestMetadata.callerIsGceClient" => ""
    }
  }
  json {
    source => "message"
    on_error => "not_json"
  }

  if [protoPayload][requestMetadata][callerIsGceClient] != "" {
    # A bare string on the right-hand side is copied literally, which is why the
    # statedump above shows the path name rather than "true"; %{...} substitutes
    # the field's value. UDM "extensions" is a fixed schema, so a custom key is
    # written to additional.fields as a key/value label and merged in.
    mutate {
      replace => {
        "label.key" => "callerIsGceClient"
        "label.value.string_value" => "%{protoPayload.requestMetadata.callerIsGceClient}"
      }
    }
    mutate {
      merge => {
        "event.idm.read_only_udm.additional.fields" => "label"
      }
    }
  }

  mutate {
    append => {
      "@output" => "event"
    }
  }
  # Debug only: prints the parser state. Remove before deploying the extension.
  statedump{}

}


Seems to directly interpret the field I am passing. 
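As an added illustration (not code from the thread, from Google, or from the linked extension), the mapping the extension is meant to perform, written as a small Python emulation over constructed sample log lines so the expected UDM output for the three cases a defender cares about (field true, field explicitly false, field absent, plus a non-JSON line) can be pinned down before touching the parser. The UDM shape used here, key/value labels under additional.fields with a string_value, and the rendering of a JSON boolean as the string "true"/"false" are assumptions, noted in the comments.

```python
import json

# Constructed sample log lines (not taken from the thread), one per case.
SAMPLE_LOGS = [
    '{"protoPayload": {"requestMetadata": {"callerIp": "10.0.0.1", "callerIsGceClient": true}}}',
    '{"protoPayload": {"requestMetadata": {"callerIp": "10.0.0.2", "callerIsGceClient": false}}}',
    '{"protoPayload": {"requestMetadata": {"callerIp": "10.0.0.3"}}}',
    'plain text line that is not JSON',
]

FIELD_PATH = "protoPayload.requestMetadata.callerIsGceClient"


def lookup(obj, dotted_path):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in dotted_path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def map_gce_client(raw_message):
    """Emulate the parser extension for one raw log line.

    Returns a partial UDM dict, or None when the message is not JSON (the
    parser's on_error branch). The field is only emitted when present; a JSON
    false is still present, so it is emitted as "false" (assumption: Chronicle's
    %{...} interpolation renders booleans as lowercase strings).
    """
    try:
        event = json.loads(raw_message)
    except json.JSONDecodeError:
        return None
    value = lookup(event, FIELD_PATH)
    # Assumed UDM destination: additional.fields as a list of key/value labels.
    udm = {"additional": {"fields": []}}
    if value is not None:
        udm["additional"]["fields"].append(
            {"key": "callerIsGceClient", "value": {"string_value": json.dumps(value)}}
        )
    return udm


def map_all(messages):
    """Run the emulation over a batch of raw lines, preserving order."""
    return [map_gce_client(m) for m in messages]


if __name__ == "__main__":
    for raw, udm in zip(SAMPLE_LOGS, map_all(SAMPLE_LOGS)):
        print(raw[:60], "->", udm)
```

The `is not None` test mirrors the parser's `!= ""` guard after the field is initialised to an empty string: an explicit false passes it and is mapped, an absent field does not, and a non-JSON line produces no UDM at all rather than a half-filled event.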
