Question

Default GCP Cloud Audit parsing goes wrong

  • November 19, 2025
  • 1 reply
  • 31 views

HusHusHus

Hello, 

I am using the latest version of the Default GCP Cloud Audit parser of 2025-11-05.

But unfortunately, when I go through the Audit Logs, I get to see values in the UDM which are absolutely not there in the raw JSON.

event fields:

I don’t expect this behavior to happen. Why does the parser add more values to the principal object when my other colleague is not mentioned once in the raw JSON?

Of course I have tried to find other ways around this, but other objects, like which IAM roles are being added or removed, are also getting mixed up within the principal object. So when I want to create a window with IAM policy changes, it gets mixed up with principal fields:

1 reply

vaskenh
Staff
  • November 19, 2025

Hi @HusHusHus. In this scenario, the values shown that have a green ‘E’ next to the field name are ‘Enriched’ fields. These are fields that the platform ‘stitches’ together across the entity graph and from other sources. These fields are not part of the original raw log itself; they exist after the raw log has been parsed and after enrichment has occurred.

Take a look at this page for more information about the technical details of how enrichment takes place:

https://docs.cloud.google.com/chronicle/docs/event-processing/data-enrichment
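As an added illustration (not part of the thread above, and not Google SecOps code), the following check flags UDM principal values that do not appear anywhere in the raw log, i.e. the candidates for the green ‘E’ (enriched) fields the reply describes. The raw log entry, the UDM fragment and all names in them are constructed samples.

```python
import json

# Constructed sample GCP Cloud Audit log entry (hypothetical values only).
RAW_LOG = json.loads("""
{
  "protoPayload": {
    "authenticationInfo": {"principalEmail": "alice@example.com"},
    "methodName": "SetIamPolicy",
    "serviceData": {"policyDelta": {"bindingDeltas": [
      {"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]}}
  },
  "resource": {"type": "project", "labels": {"project_id": "demo-project"}}
}
""")

# Constructed UDM fragment as it might look after parsing plus enrichment.
UDM_EVENT = {
    "principal": {
        "user": {
            "email_addresses": ["alice@example.com"],
            "first_name": "Alice",              # not in the raw log
            "department": ["Security"],         # not in the raw log
            "attribute": {"roles": [{"name": "roles/viewer"}]},
        },
        "resource": {"name": "demo-project"},
    }
}


def leaf_values(obj, path=""):
    """Yield (dotted_path, value) for every scalar leaf of a nested JSON object."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from leaf_values(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from leaf_values(val, f"{path}[{idx}]")
    else:
        yield path, obj


def enriched_candidates(raw_log, udm_event):
    """Return UDM leaves whose value matches no leaf value in the raw log.
    Such values cannot come from the parser copying the log verbatim, so they
    are the ones to check for the 'E' marker; values a parser derives (for
    example a name split out of an e-mail address) will also be listed."""
    raw_leaves = {str(val).lower() for _, val in leaf_values(raw_log)}
    return [(path, val) for path, val in leaf_values(udm_event)
            if str(val).lower() not in raw_leaves]
```

Run `enriched_candidates(RAW_LOG, UDM_EVENT)` against a real raw log and its UDM event to see which principal values to inspect for the enrichment marker before treating them as parser output.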