
[GCP][CDR] Add actor.entity.id and target.entity.id fields to audit logs #11983

Merged
19 commits merged into main from gcp-origin-and-target
Dec 19, 2024

Conversation

kubasobon
Member

@kubasobon kubasobon commented Dec 3, 2024

Proposed commit message

Add actor.entity.id and target.entity.id fields to properly identify events' origins and targets. It is a requirement for https://github.com/elastic/security-team/issues/9352.

Warning

To be merged after #11762. Please remember to change the base to main.
Merged. The base is now main.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

@kubasobon kubasobon added enhancement New feature or request Integration:gcp Google Cloud Platform Team:Cloud Security Label for the Cloud Security team [elastic/cloud-security-posture] Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Dec 3, 2024
@kubasobon kubasobon self-assigned this Dec 3, 2024
@kubasobon kubasobon changed the base branch from main to gcp-related-entity December 3, 2024 12:18
@kubasobon kubasobon marked this pull request as ready for review December 3, 2024 12:20
@kubasobon kubasobon requested review from a team as code owners December 3, 2024 12:20
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@kubasobon kubasobon requested a review from a team December 4, 2024 13:24
@kubasobon
Member Author

@romulets The issue stated origin.id and target.id, but I've seen actor and target.ENTITY.id formats elsewhere. Can you confirm what is the one we're going with?

@efd6
Contributor

efd6 commented Dec 8, 2024

Can you confirm what is the one we're going with?

This is the kind of question that emphasises why we want to be working from accepted specifications. Decisions should already have been made and be publicly visible so that we know that we are all on the same page and so that our users know what behaviour they can expect.

Base automatically changed from gcp-related-entity to main December 11, 2024 16:42

@elasticmachine

💚 Build Succeeded


@kubasobon kubasobon requested a review from ishleenk17 December 16, 2024 15:26
@kubasobon
Member Author

@elastic/obs-service-integrations & @elastic/security-service-integrations I would appreciate someone taking a look here :)

Contributor

@ishleenk17 ishleenk17 left a comment


I had some nits and those are addressed. Thanks.
The changes mainly pertain to GCP audit logs owned by Security Service Integrations. I am providing code owner approval from obs-infraobs side.
Please get the code reviewed from security team before merging.

Contributor

@chrisberkhout chrisberkhout left a comment


Minor question and comment.
Already fine.

Comment on lines +231 to +235
boolean isKubernetes = false;
if (ctx.json?.resource?.type != null) {
String typ = ctx.json.resource.type;
isKubernetes = (typ == "k8s_cluster" || typ == "gke_cluster" || typ == "kubernetes");
}
Contributor


Fine as is, but here's an alternative:

Suggested change
boolean isKubernetes = false;
if (ctx.json?.resource?.type != null) {
String typ = ctx.json.resource.type;
isKubernetes = (typ == "k8s_cluster" || typ == "gke_cluster" || typ == "kubernetes");
}
boolean isKubernetes = ["k8s_cluster", "gke_cluster", "kubernetes"].contains(ctx.json?.resource?.type);

Member Author


That's a nice, concise way of setting the flag. I'll keep it in mind for the future.

Comment on lines +260 to +300
String serviceName = ctx.json?.protoPayload?.serviceName ?: '';
if (serviceName == "compute.googleapis.com") {
if (ctx.json?.protoPayload?.request?.networkInterfaces instanceof List) {
for (def e: ctx.json.protoPayload.request.networkInterfaces) {
addValue(entities, e.network);
}
}
if (ctx.json?.protoPayload?.request?.serviceAccounts instanceof List) {
for (def e: ctx.json.protoPayload.request.serviceAccounts) {
addValue(entities, e.email);
}
}
if (ctx.json?.protoPayload?.request?.disks instanceof List) {
for (def e: ctx.json.protoPayload.request.disks) {
addValue(entities, e.source);
}
}
} else if (serviceName == "cloudresourcemanager.googleapis.com") {
if (ctx.json?.protoPayload?.request?.policy?.bindings instanceof List) {
for (def e: ctx.json.protoPayload.request.policy.bindings) {
addValue(entities, e.role);
for (def m: e.members) {
addValue(entities, m);
}
}
}
if (ctx.json?.protoPayload?.response?.bindings instanceof List) {
for (def e: ctx.json.protoPayload.response.bindings) {
addValue(entities, e.role);
for (def m: e.members) {
addValue(entities, m);
}
}
}
} else if (serviceName == "iamcredentials.googleapis.com") {
if (ctx.json?.protoPayload?.metadata?.identityDelegationChain instanceof List) {
for (def e: ctx.json.protoPayload.metadata.identityDelegationChain) {
addValue(entities, e);
}
}
}
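Review bot: both cloudresourcemanager loops iterate `for (def m: e.members)` without the null guard that every other access in this block has; a binding that carries a `role` but no `members` key would make the for-each throw a null pointer error and fail the whole document rather than simply contribute nothing. Suggest guarding it like the surrounding lookups, e.g. `if (e.members instanceof List) { for (def m: e.members) { addValue(entities, m); } }`, or having `addValue` accept a list and skip null.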
Contributor


Are the outer ifs necessary here? Is it okay to just collect entities from any of these locations if they exist?

Contributor


This could potentially be reduced to something closer to a short list of locations by using Streams, similar to this.

Member Author


We were using streams for similar PRs, but we got pointed toward this approach in #11762.
I agree that nested if clauses are overkill and we could just try to grab everything. However, this way we get a nice readability bump, I think. It tells a story of where each value originates from, and lays solid groundwork for any future PRs.
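
The entity collection discussed in this thread, as an added Python example that is not code from the PR or the gcp package: it reads the same per-service locations as the Painless snippet and the reviewer's `contains` form of the Kubernetes check, over a constructed audit log entry. It assumes `addValue` drops null/empty values and duplicates (the helper is not shown in the PR), and it guards `members` against null, which the snippet does not.

```python
# Added example, not code from the PR or the gcp package: a Python re-implementation
# of the script's entity collection, run over a constructed GCP audit log entry.
def dig(obj, *path):
    """Null-safe lookup, the equivalent of ctx.json?.a?.b in Painless."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def add_value(entities, value):
    """Assumed behaviour of the script's addValue helper: drop null/empty, dedupe."""
    if value not in (None, "") and value not in entities:
        entities.append(value)

def is_kubernetes(entry):
    """The reviewer's one-liner: a missing resource.type simply fails the test."""
    return dig(entry, "resource", "type") in ("k8s_cluster", "gke_cluster", "kubernetes")

def collect_entities(entry):
    """Read the same per-service locations as the script; non-lists are ignored."""
    entities, payload = [], dig(entry, "protoPayload") or {}
    service = payload.get("serviceName") or ""
    def each(*path):  # the list at path, or nothing if it is absent or not a list
        value = dig(payload, *path)
        return value if isinstance(value, list) else []
    if service == "compute.googleapis.com":
        for e in each("request", "networkInterfaces"):
            add_value(entities, dig(e, "network"))
        for e in each("request", "serviceAccounts"):
            add_value(entities, dig(e, "email"))
        for e in each("request", "disks"):
            add_value(entities, dig(e, "source"))
    elif service == "cloudresourcemanager.googleapis.com":
        for e in each("request", "policy", "bindings") + each("response", "bindings"):
            add_value(entities, dig(e, "role"))
            for member in dig(e, "members") or []:  # guarded against null, unlike the script
                add_value(entities, member)
    elif service == "iamcredentials.googleapis.com":
        for e in each("metadata", "identityDelegationChain"):
            add_value(entities, e)
    return entities

# Constructed sample: an IAM policy change with a duplicate member and a
# response.bindings of the wrong shape (a string), which must be skipped.
SAMPLE_ENTRY = {"resource": {"type": "project"}, "protoPayload": {
    "serviceName": "cloudresourcemanager.googleapis.com",
    "request": {"policy": {"bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": "roles/owner", "members": ["user:alice@example.com", "group:admins@example.com"]}]}},
    "response": {"bindings": "unexpected-string"}}}
```

Running `collect_entities(SAMPLE_ENTRY)` yields the two roles and two distinct members in document order; the malformed `response.bindings` contributes nothing instead of failing the document.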

@chrisberkhout chrisberkhout changed the title [GCP][CDR] Add origin.id and target.id fields to audit logs [GCP][CDR] Add actor.entity.id and target.entity.id fields to audit logs Dec 17, 2024
@kubasobon kubasobon merged commit a5c586f into main Dec 19, 2024
5 checks passed
@kubasobon kubasobon deleted the gcp-origin-and-target branch December 19, 2024 08:27
@elastic-vault-github-plugin-prod

Package gcp - 2.40.0 containing this change is available at https://epr.elastic.co/package/gcp/2.40.0/

harnish-elastic pushed a commit to harnish-elastic/integrations that referenced this pull request Feb 4, 2025