Can you share the rule? And also if feed id does come through - why not use that? Seems like something that would happen very rarely.
Hello dnehoda, thanks for the reply. I have resolved the issue.
Would you like to share the resolution for the community? That would be helpful.
"In my logs for feed deletion events, the GCP audit logs only contained the feed ID. To address this, I created an additional rule that populates a data table with both the feed ID and the feed name at the time of feed creation. Later, during feed deletion events, I use this stored data to retrieve the corresponding feed name. This was necessary because my clients required both the feed name and the log type of the deleted feed; if only the feed ID were provided, they would have to look it up manually again.
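rule secops_create_feeds {
  // Purpose: detect a successful SecOps feed creation in the GCP audit log and
  // record the feed ID together with the feed name in the %feed_id_vs_feed_name
  // data table. DeleteFeed audit events only carry the feed ID, so the companion
  // rule secops_delete_feeds joins on that table to recover the feed name.

  meta:
    author = " [removed by moderator] "
    description = "Detect SecOps Feed created"
    severity = "High"
    environment = "Lab Admin"

  events:
    $e2.metadata.log_type = "GCP_CLOUDAUDIT"
    $e2.metadata.event_type = "USER_RESOURCE_ACCESS"
    // Dots are escaped so the pattern matches the literal method name, mirroring
    // the DeleteFeed pattern in secops_delete_feeds (an unescaped "." matches any
    // character, which is looser than intended).
    $e2.metadata.product_event_type = /google\.cloud\.chronicle\.v1alpha\.FeedsService\.CreateFeed/
    // Only successful creations should seed the lookup table; a CreateFeed that was
    // denied has no feed to track. Mirrors the filter in secops_delete_feeds.
    // NOTE(review): if CreateFeed audit events do not populate security_result.action
    // in your tenant, this line would suppress every match - confirm on a sample event.
    $e2.security_result.action = "ALLOW"
    // The original pattern pinned the location and instance segments to fixed values
    // (redacted in the post). [^/]+ accepts any single path segment, so the rule is
    // not tied to one instance, and the capture group stops at the next "/" so the
    // stored feed_id is the bare ID only.
    $feedid = re.capture($e2.target.resource.attribute.labels["res_name"], "locations/[^/]+/instances/[^/]+/feeds/([^/]+)")
    // The feed's display name is carried in the association name on this event.
    $e2.security_result.associations.name = $feed_names

  match:
    $feed_names, $feedid over 1h

  outcome:
    $target_resource = array_distinct($e2.target.resource.name)
    $user_wif = array_distinct($e2.principal.user.userid)
    $user_display_name = array_distinct($e2.principal.user.user_display_name)
    // NOTE(review): principal.user.title is presumably where the e-mail lands in
    // this environment - verify against a sample event before relying on it.
    $user_email_pwc = array_distinct($e2.principal.user.title)
    $user_email_cloudsecurity = array_distinct($e2.principal.user.email_addresses)
    $feed_name = array_distinct($e2.security_result.associations.name)
    $feed_ids = array_distinct($feedid)

  condition:
    $e2

  export:
    // One row per detection. feed_id is the join key used by secops_delete_feeds;
    // feed_names is what that rule surfaces as $feed_name. A creation-time column
    // would allow rows to be aged out, but $event_time is not defined in this rule,
    // so it is left as a TODO rather than a live argument (the original had it as a
    // commented-out trailing argument, which also left a dangling comma before the
    // closing parenthesis).
    // TODO: add a "time" column once a creation timestamp variable is available.
    %feed_id_vs_feed_name.write_row(
      feed_id: $feedid,
      feed_names: $feed_names
    )
}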
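rule secops_delete_feeds {
  // Purpose: detect a successful SecOps feed deletion in the GCP audit log and
  // enrich it with the feed name recorded by secops_create_feeds in the
  // %feed_id_vs_feed_name data table.

  meta:
    author = " [removed by moderator] & Mohamed Fazil"
    description = "Detect for SecOps Feed deleted"
    severity = "High"
    environment = "Lab Admin"

  events:
    $e.metadata.log_type = "GCP_CLOUDAUDIT"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = /google\.cloud\.chronicle\.v1alpha\.FeedsService\.DeleteFeed/
    $e.security_result.action = "ALLOW"
    // $feedid is the full resource name (used as the match variable);
    // $feed_id below is the bare feed ID extracted from it (used for the join).
    $e.target.resource.name = $feedid
    // The original pattern pinned the location and instance segments to fixed values
    // (redacted in the post). [^/]+ accepts any single path segment, and the capture
    // stops at the next "/" so $feed_id matches what secops_create_feeds stores.
    $feed_id = re.capture($e.target.resource.name, "locations/[^/]+/instances/[^/]+/feeds/([^/]+)")
    // Join against the lookup table written by secops_create_feeds.
    // NOTE(review): this equality acts as an inner join - a deletion whose feed_id
    // is not in the table (e.g. a feed created before secops_create_feeds was
    // enabled) produces no detection at all, not an unenriched one. Confirm that is
    // acceptable, or pair this rule with a variant that has no table join.
    $feed_id = %feed_id_vs_feed_name.feed_id

  match:
    $feedid over 1h

  outcome:
    $target_resource = array_distinct($e.target.resource.name)
    $user_wif = array_distinct($e.principal.user.userid)
    $user_display_name = array_distinct($e.principal.user.user_display_name)
    // NOTE(review): principal.user.title is presumably where the e-mail lands in
    // this environment - verify against a sample event before relying on it.
    $user_email_pwc = array_distinct($e.principal.user.title)
    $user_email_cloudsecurity = array_distinct($e.principal.user.email_addresses)
    // This is the log type of the audit event itself (always "GCP_CLOUDAUDIT" given
    // the events filter), NOT the log type the deleted feed ingested. The data table
    // only holds feed_id and feed_names, so the feed's own log type would have to be
    // captured by secops_create_feeds as an extra column before it can be surfaced here.
    $log_type = array_distinct($e.metadata.log_type)
    $feed_ids = array_distinct($feed_id)
    // Feed name recovered from the lookup table.
    $feed_name = array_distinct(%feed_id_vs_feed_name.feed_names)

  condition:
    $e
}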