Audit

@timestamp

Event timestamp.

date

cloud.image.id

Image ID for the cloud instance.

keyword

data_stream.dataset

Data stream dataset.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

event.dataset

Event dataset

constant_keyword

event.module

Event module

constant_keyword

gcp.audit.authentication_info.authority_selector

The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority.

keyword

gcp.audit.authentication_info.principal_email

The email address of the authenticated user making the request.

keyword

gcp.audit.authentication_info.principal_subject

String representation of identity of requesting party. Populated for both first and third party identities. Only present for APIs that support third-party identities.

keyword

gcp.audit.authentication_info.service_account_delegation_info

Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities present, they are guaranteed to be sorted based on the original ordering of the identity delegation events.

flattened

gcp.audit.authentication_info.service_account_key_name

The service account key that was used to request the OAuth 2.0 access token. This field identifies the service account key by its full resource name.

keyword

gcp.audit.authentication_info.third_party_principal

The third party identification (if any) of the authenticated user making the request. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the @type property.

flattened

gcp.audit.authorization_info

Authorization information for the operation.

nested

gcp.audit.authorization_info.granted

Whether or not authorization for resource and permission was granted.

boolean

gcp.audit.authorization_info.permission

The required IAM permission.

keyword

gcp.audit.authorization_info.resource

The resource being accessed, as a REST-style string.

keyword

gcp.audit.authorization_info.resource_attributes.name

The name of the resource.

keyword

gcp.audit.authorization_info.resource_attributes.service

The name of the service.

keyword

gcp.audit.authorization_info.resource_attributes.type

The type of the resource.

keyword

gcp.audit.flattened

Contains the full audit document as sent by GCP.

flattened

gcp.audit.labels

A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined.

flattened

gcp.audit.logentry_operation.first

Optional. Set this to True if this is the first log entry in the operation.

boolean

gcp.audit.logentry_operation.id

Optional. An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation.

keyword

gcp.audit.logentry_operation.last

Optional. Set this to True if this is the last log entry in the operation.

boolean

gcp.audit.logentry_operation.producer

Optional. An arbitrary producer identifier. The combination of id and producer must be globally unique.

keyword

gcp.audit.metadata

Service-specific data about the request, response, and other information associated with the current audited event.

flattened

gcp.audit.method_name

The name of the service method or operation. For API calls, this should be the name of the API method. For example, google.datastore.v1.Datastore.RunQuery.

keyword

gcp.audit.num_response_items

The number of items returned from a List or Query API method, if applicable.

long

gcp.audit.policy_violation_info.payload

Resource payload that is currently in scope and is subjected to orgpolicy conditions.

flattened

gcp.audit.policy_violation_info.resource_tags

Tags referenced on the resource at the time of evaluation.

flattened

gcp.audit.policy_violation_info.resource_type

Resource type that the orgpolicy is checked against.

keyword

gcp.audit.policy_violation_info.violations.checkedValue

Value that is being checked for the policy.

keyword

gcp.audit.policy_violation_info.violations.constraint

Constraint name.

keyword

gcp.audit.policy_violation_info.violations.errorMessage

Error message that policy is indicating.

keyword

gcp.audit.policy_violation_info.violations.policyType

Indicates the type of the policy.

keyword

gcp.audit.request

flattened

gcp.audit.request_metadata.caller_ip

The IP address of the caller.

ip

gcp.audit.request_metadata.caller_supplied_user_agent

The user agent of the caller. This information is not authenticated and should be treated accordingly.

keyword

gcp.audit.request_metadata.raw.caller_ip

The raw IP address of the caller.

keyword

gcp.audit.resource_location.current_locations

Current locations of the resource.

keyword

gcp.audit.resource_name

The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example, shelves/SHELF_ID/books.

keyword

gcp.audit.response

flattened

gcp.audit.service_name

The name of the API service performing the operation. For example, datastore.googleapis.com.

keyword

gcp.audit.status.code

The status code, which should be an enum value of google.rpc.Code.

integer

gcp.audit.status.details

A list of messages that carry the error details.

flattened

gcp.audit.status.message

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client.

keyword

gcp.audit.type

Type property.

keyword

gcp.destination.instance.project_id

ID of the project containing the VM.

keyword

gcp.destination.instance.region

Region of the VM.

keyword

gcp.destination.instance.zone

Zone of the VM.

keyword

gcp.destination.vpc.project_id

ID of the project containing the VM.

keyword

gcp.destination.vpc.subnetwork_name

Subnetwork on which the VM is operating.

keyword

gcp.destination.vpc.vpc_name

VPC on which the VM is operating.

keyword

gcp.source.instance.project_id

ID of the project containing the VM.

keyword

gcp.source.instance.region

Region of the VM.

keyword

gcp.source.instance.zone

Zone of the VM.

keyword

gcp.source.vpc.project_id

ID of the project containing the VM.

keyword

gcp.source.vpc.subnetwork_name

Subnetwork on which the VM is operating.

keyword

gcp.source.vpc.vpc_name

VPC on which the VM is operating.

keyword

host.containerized

If the host is a container.

boolean

host.os.build

OS build information.

keyword

host.os.codename

OS codename, if any.

keyword

input.type

Input type

keyword

log.offset

Log offset

long

related.entity

A collection of all entity identifiers associated with the document. If the document contains multiple entities, identifiers for each will be included. Example identifiers include (but not limited to) cloud resource IDs, email addresses, and hostnames.

keyword

2.39.0

Enhancement (View pull request)
Add related.entity field to audit logs.

8.13.0 or higher

2.38.0

Enhancement (View pull request)
Add policy_violation_info, metadata and related fields to audit logs.

Bug fix (View pull request)
Update GCP audit log dashboard to use correct email field.

8.13.0 or higher

2.37.2

Bug fix (View pull request)
Fix definition of subfields of nested objects

8.13.0 or higher

2.37.1

Enhancement (View pull request)
Improve GCP Billing documentation.

8.13.0 or higher

2.37.0

Enhancement (View pull request)
Retain authenticationInfo.serviceAccountKeyName data.

8.13.0 or higher

2.36.0

Enhancement (View pull request)
Add global dataset filter for dashboards to improve performance.

8.13.0 or higher

2.35.0

Enhancement (View pull request)
ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

2.34.1

Bug fix (View pull request)
Fix Redis metric type for persistence.rdb.bgsave_in_progress. Metric type should be boolean instead of long.

8.12.0 or higher

2.34.0

Enhancement (View pull request)
Add tags and processors to GCP Compute, Firestore, PostgreSQL.

8.12.0 or higher

2.33.2

Enhancement (View pull request)
Add tags and processors to GCP Storage

8.12.0 or higher

2.33.1

Enhancement (View pull request)
Update Legacy metric visualization to new metric in GCP Billing overview dashboard.

8.12.0 or higher

2.33.0

Enhancement (View pull request)
Enable time series data for metrics data streams. This dramatically reduces storage for metrics and is expected to progressively improve query [performance](https://www.elastic.co/blog/70-percent-storage-savings-for-metrics-with-elastic-observability). For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html.

8.12.0 or higher

2.32.1

Enhancement (View pull request)
Add dimensions mappings and the metrics_fingerprint field across all metrics data streams.

8.12.0 or higher

2.32.0

Enhancement (View pull request)
Add new billing data stream fields.

8.12.0 or higher

2.31.2

Bug fix (View pull request)
Fix pipeline error parsing DNS logs with empty rdata field.

8.7.1 or higher

2.31.1

Enhancement (View pull request)
Add Cloud Run docs and fix policy template name to allow adding Cloud Run logs to the policy.

8.7.1 or higher

2.31.0

Enhancement (View pull request)
Allow users to retain otherwised discarded fields.

8.7.1 or higher

2.30.1

Bug fix (View pull request)
Fix mappings of group fields

8.7.1 or higher

2.30.0

Enhancement (View pull request)
Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

Enhancement (View pull request)
Upgrade package spec to 3.0.0.

Bug fix (View pull request)
Fix orphan dashboard references.

Bug fix (View pull request)
Add missing dashboard filters.

8.7.1 or higher

2.29.1

Bug fix (View pull request)
Add null checks and ignore_missing checks to the rename processor

8.7.1 or higher

2.29.0

Bug fix (View pull request)
Remove GCP CloudSQL deprecated, alpha or beta metrics and fix field types.

8.7.1 or higher

2.28.5

Enhancement (View pull request)
Set metric type for GKE, Load Balancing, PubSub, Redis and Storage data streams.

8.7.1 or higher

2.28.4

Enhancement (View pull request)
Migrate GCP Load Balancing HTTPS Overview dashboard to lens.

8.7.1 or higher

2.28.3

Enhancement (View pull request)
Set metric type for Cloud Run, Compute, Dataproc and Firestore data streams.

8.7.1 or higher

2.28.2

Enhancement (View pull request)
Migrate GCP Load Balancing TCP SSL Proxy Overview dashboard to lens.

8.7.1 or higher

2.28.1

Enhancement (View pull request)
Set metric type for CloudSQL data streams.

8.7.1 or higher

2.28.0

Enhancement (View pull request)
Migrate GCP Load Balancing L3 Overview dashboard to lens.

8.7.1 or higher

2.27.0

Enhancement (View pull request)
Add GCP CloudSQL MySQL, SQL Server and PostgreSQL dashboards.

8.7.1 or higher

2.26.0

Bug fix (View pull request)
Fix GCP loadbalancing_metrics fields prefix.

8.7.1 or higher

2.25.1

Bug fix (View pull request)
Fix check on gcp.audit.authorization_info[].granted.

8.7.1 or higher

2.25.0

Enhancement (View pull request)
Migrate GCP Billing input control to new control panel.

8.7.1 or higher

2.24.0

Enhancement (View pull request)
Add GCP CloudSQL MySQL, Postgres, SQLServer data streams

8.7.1 or higher

2.23.0

Enhancement (View pull request)
Convert security dashboards to lens.

8.7.1 or higher

2.22.1

Enhancement (View pull request)
Change ownership in manifest.

8.6.0 or higher

2.22.0

Enhancement (View pull request)
Ensure event.kind is correctly set for pipeline errors.

8.6.0 or higher

2.21.0

Enhancement (View pull request)
Update package to ECS 8.8.0.

8.6.0 or higher

2.20.1

Bug fix (View pull request)
Fix invalid TSDS metric type for persistence.rdb.bgsave_in_progress field

8.6.0 or higher

2.20.0

Enhancement (View pull request)
Update package to ECS 8.7.0.

8.6.0 or higher

2.19.1

Enhancement (View pull request)
Migrate compute dashboard to lens and add datastream filter.

8.6.0 or higher

2.19.0

Enhancement (View pull request)
Add Cloud Run metrics datastream.

8.6.0 or higher

2.18.0

Enhancement (View pull request)
Support subscription_num_goroutines and subscription_max_outstanding_messages for GCP PubSub input

8.6.0 or higher

2.17.2

Bug fix (View pull request)
Fix IP Convert processor in Audit ingest pipeline.

8.6.0 or higher

2.17.1

Enhancement (View pull request)
Added categories and/or subcategories.

8.6.0 or higher

2.17.0

Enhancement (View pull request)
Add Audit Log Overview dashboard

Enhancement (View pull request)
Add GKE Overview dashboard

Enhancement (View pull request)
Add PubSub Overview dashboard

Enhancement (View pull request)
Add Storage Overview dashboard

8.6.0 or higher

2.16.2

Bug fix (View pull request)
Add logic to handle scalar request.policy values on audit

8.5.0 or higher

2.16.1

Bug fix (View pull request)
Replace missing input control panel with new-style control.

8.5.0 or higher

2.16.0

Enhancement (View pull request)
Update package to ECS 8.6.0.

8.5.0 or higher

2.15.2

Enhancement (View pull request)
Update documentation.

8.5.0 or higher

2.15.1

Enhancement (View pull request)
Add GCP Compute pipeline test.

8.5.0 or higher

2.15.0

Enhancement (View pull request)
Remove support for Kibana 7.17.x

Enhancement (View pull request)
Support multiple regions for metrics data streams

8.5.0 or higher

2.14.0

Enhancement (View pull request)
Update package to ECS 8.5.0.

8.3.0 or higher

2.13.0

Enhancement (View pull request)
Migrate dashboard by values

8.3.0 or higher

2.12.1

Bug fix (View pull request)
Remove duplicate fields.

7.17.6 or higher
8.3.0 or higher

2.12.0

Enhancement (View pull request)
Add GCP Redis

7.17.6 or higher
8.3.0 or higher

2.11.12

Bug fix (View pull request)
Add GKE ingest pipeline.

7.17.6 or higher
8.3.0 or higher

2.11.11

Bug fix (View pull request)
Fix type of dns.answers.ttl.

7.17.6 or higher
8.3.0 or higher

2.11.10

Enhancement (View pull request)
Add ingest pipeline for dataproc.

Enhancement (View pull request)
Add GCP loadbalancing ingest pipeline

Enhancement (View pull request)
Add GCP PubSub ingest pipeline

Enhancement (View pull request)
Add GCP Storage ingest pipeline

Enhancement (View pull request)
Add GCP Firestore ingest pipeline

Enhancement (View pull request)
Add GCP Compute ingest pipeline

7.17.6 or higher
8.3.0 or higher

2.11.10-beta.6

Enhancement (View pull request)
Add ingest pipeline for dataproc.

—

2.11.10-beta.5

Enhancement (View pull request)
Add GCP loadbalancing ingest pipeline

—

2.11.10-beta.4

Enhancement (View pull request)
Add GCP PubSub ingest pipeline

—

2.11.10-beta.3

Enhancement (View pull request)
Add GCP Storage ingest pipeline

—

2.11.10-beta.2

Enhancement (View pull request)
Add GCP Firestore ingest pipeline

—

2.11.10-beta.1

Enhancement (View pull request)
Add GCP Compute ingest pipeline

—

2.11.9

Bug fix (View pull request)
Fix GKE kubernetes.io indentation.

7.17.6 or higher
8.3.0 or higher

2.11.8

Enhancement (View pull request)
Remove duplicate fields.

7.17.6 or higher
8.3.0 or higher

2.11.7

Enhancement (View pull request)
Move Dataproc lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.6

Enhancement (View pull request)
Move LoadBalancing lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.5

Enhancement (View pull request)
Move Storage lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.4

Enhancement (View pull request)
Move PubSub lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.3

Enhancement (View pull request)
Move GKE lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.2

Enhancement (View pull request)
Move Firestore lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.1

Enhancement (View pull request)
Use ECS geo.location definition.

7.17.6 or higher
8.3.0 or higher

2.11.0

Enhancement (View pull request)
Move Compute lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.10.0

Enhancement (View pull request)
Add GCP PubSub Data stream

7.17.6 or higher
8.3.0 or higher

2.9.0

Enhancement (View pull request)
Add GCP Dataproc Data stream

7.17.6 or higher
8.3.0 or higher

2.8.0

Enhancement (View pull request)
Add GCP GKE Data Stream

7.17.6 or higher
8.3.0 or higher

2.7.0

Enhancement (View pull request)
Add GCP Storage Data Stream

7.17.6 or higher
8.3.0 or higher

2.6.0

Enhancement (View pull request)
Add Load Balancing logs datastream

7.17.6 or higher
8.3.0 or higher

2.5.0

Enhancement (View pull request)
Add GCP Load Balancing Metricset

Bug fix (View pull request)
Fix credentials_json escaping in loadbalancing_metrics

Bug fix (View pull request)
Update loadbalancing_metrics default period to 60s

Bug fix (View pull request)
Fix event.dataset for loadbalancing_metrics

Enhancement (View pull request)
Add loadbalancing_metrics distribution fields

7.17.6 or higher
8.3.0 or higher

2.4.0

Enhancement (View pull request)
Update package to ECS 8.4.0

7.17.6 or higher
8.3.0 or higher

2.3.0

Enhancement (View pull request)
Add additional parsing for DNS Public Zone Query Logs

7.17.6 or higher
8.3.0 or higher

2.2.1

Enhancement (View pull request)
Fix Billing policy template title and default period for gcp.compute

7.17.6 or higher
8.3.0 or higher

2.2.0

Enhancement (View pull request)
Remove fields duplicated in ECS fields

7.17.6 or higher
8.3.0 or higher

2.1.0

Enhancement (foobar[View pull request])
restore compatibility with 7.17 release track

7.17.6 or higher
8.3.0 or higher

2.0.0

Breaking change (View pull request)
Move configurations to support metrics. This change is breaking, as it moves some configuration from the top level variables to data stream variables.

This change involves project_id, credentials_file and credentials_json variables that are moved from input level configuration to package level configuration (as those variables are reused across all inputs/data streams).

Users with GCP integration enabled will need to input values for these variables again when upgrading the policies to this version.

Enhancement (View pull request)
Add GCP Billing Data Stream

Enhancement (View pull request)
Add GCP Compute Data Stream

Enhancement (View pull request)
Add GCP Firestore Data stream

8.3.0 or higher

1.10.0

Enhancement (View pull request)
Update package to ECS 8.3.0.

7.17.0 or higher
8.0.0 or higher

1.9.2

Bug fix (View pull request)
Fix GCP auditlog parsing issue on response status

7.17.0 or higher
8.0.0 or higher

1.9.1

Enhancement (View pull request)
Update readme

7.17.0 or higher
8.0.0 or higher

1.9.0

Enhancement (View pull request)
Preserve request and response in flattened fields.

7.17.0 or higher
8.0.0 or higher

1.8.0

Enhancement (View pull request)
Add missing cloud.provider field.

7.17.0 or higher
8.0.0 or higher

1.7.0

Enhancement (View pull request)
Add dashboards for firewall and vpc flow logs.

Bug fix (View pull request)
Add missing mappings for several event.* fields.

—

1.6.1

Enhancement (View pull request)
Clarify the GCP privileges required by the Pub/Sub input.

7.16.3 or higher
8.0.0 or higher

1.6.0

Enhancement (View pull request)
Update to ECS 8.2

—

1.5.1

Enhancement (View pull request)
Add documentation for multi-fields

7.16.3 or higher
8.0.0 or higher

1.5.0

Enhancement (View pull request)
Improve Google Cloud Platform docs.

7.16.3 or higher
8.0.0 or higher

1.4.2

Bug fix (View pull request)
Remove emtpy values, names with only dots, and invalid client IPs.

7.16.3 or higher
8.0.0 or higher

1.4.1

Bug fix (View pull request)
Fix quoting of the credentials_json value in policy templates.

7.16.3 or higher
8.0.0 or higher

1.4.0

Enhancement (View pull request)
Add gcp.dns integration

—

1.3.1

Bug fix (View pull request)
Add Ingest Pipeline script to map IANA Protocol Numbers

7.15.0 or higher
8.0.0 or higher

1.3.0

Enhancement (View pull request)
Update to ECS 8.0

7.15.0 or higher
8.0.0 or higher

1.2.2

Bug fix (View pull request)
Regenerate test files using the new GeoIP database

7.15.0 or higher
8.0.0 or higher

1.2.1

Bug fix (View pull request)
Change test public IPs to the supported subset

—

1.2.0

Enhancement (View pull request)
Add 8.0.0 version constraint

7.15.0 or higher
8.0.0 or higher

1.1.2

Enhancement (View pull request)
Update Title and Description.

7.15.0 or higher

1.1.1

Bug fix (View pull request)
Fix logic that checks for the forwarded tag

—

1.1.0

Enhancement (View pull request)
Update to ECS 1.12.0

7.15.0 or higher

1.0.0

Enhancement (View pull request)
Move from experimental to GA

Enhancement (View pull request)
remove experimental from data_sets

—

0.3.3

Enhancement (View pull request)
Convert to generated ECS fields

—

0.3.2

Enhancement (View pull request)
update to ECS 1.11.0

—

0.3.1

Enhancement (View pull request)
Escape special characters in docs

—

0.3.0

Enhancement (View pull request)
Update integration description

—

0.2.0

Enhancement (View pull request)
Set "event.module" and "event.dataset"

—

0.1.0

Enhancement (View pull request)
update to ECS 1.10.0 and adding event.original options

—

0.0.2

Enhancement (View pull request)
update to ECS 1.9.0

—

0.0.1

Enhancement (View pull request)
initial release

—