diff --git a/plugins/gcpaudit/pkg/gcpaudit/extract.go b/plugins/gcpaudit/pkg/gcpaudit/extract.go
index 02260956..338b63b5 100644
--- a/plugins/gcpaudit/pkg/gcpaudit/extract.go
+++ b/plugins/gcpaudit/pkg/gcpaudit/extract.go
@@ -16,7 +16,23 @@ func (p *Plugin) Fields() []sdk.FieldEntry {
 {Type: "string", Name: "gcp.serviceName", Desc: "GCP API service name"},
 {Type: "string", Name: "gcp.policyDelta", Desc: "GCP service resource access policy"},
 {Type: "string", Name: "gcp.request", Desc: "GCP API raw request"},
- {Type: "string", Name: "gcp.methodName", Desc: "GCP API service method executed"},
+ {Type: "string", Name: "gcp.methodName", Desc: "GCP API service method executed"},
+ {Type: "string", Name: "gcp.cloudfunctions.function", Desc: "GCF name"},
+ {Type: "string", Name: "gcp.cloudsql.databaseId", Desc: "GCP SQL database ID"},
+ {Type: "string", Name: "gcp.compute.instanceId", Desc: "GCE instance ID"},
+ {Type: "string", Name: "gcp.compute.networkId", Desc: "GCP network ID"},
+ {Type: "string", Name: "gcp.compute.subnetwork", Desc: "GCP subnetwork name"},
+ {Type: "string", Name: "gcp.compute.subnetworkId", Desc: "GCP subnetwork ID"},
+ {Type: "string", Name: "gcp.dns.zone", Desc: "GCP DNS zoned"},
+ {Type: "string", Name: "gcp.iam.serviceAccount", Desc: "GCP service account"},
+ {Type: "string", Name: "gcp.iam.serviceAccountId", Desc: "GCP IAM unique ID"},
+ {Type: "string", Name: "gcp.location", Desc: "GCP region"},
+ {Type: "string", Name: "gcp.logging.sink", Desc: "GCP logging sink"},
+ {Type: "string", Name: "gcp.projectId", Desc: "GCP project ID"},
+ {Type: "string", Name: "gcp.resourceName", Desc: "GCP resource name"},
+ {Type: "string", Name: "gcp.storage.bucket", Desc: "GCP bucket name"},
+ {Type: "string", Name: "resourceCategory", Desc: "Resource Category"},
+ {Type: "string", Name: "resourceType", Desc: "Resource Type"},
 }
 }
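Review bot: The last two entries, `resourceCategory` and `resourceType`, are the only fields in this list without the `gcp.` prefix, so rule authors get two names in an unscoped namespace that do not say which source they come from; `gcp.resourceCategory` and `gcp.resourceType` would match the rest of the list. The description of `gcp.dns.zone` has a typo and should read `Desc: "GCP DNS zone"`. `gcp.location` is described as "GCP region", but the value is read from the generic `location` label in Extract, which may not always be a region, so a description such as `"GCP resource location"` would be safer. The body of Fields() starts outside the hunk.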
@@ -78,8 +94,108 @@ func (p *Plugin) Extract(req sdk.ExtractRequest, evt sdk.EventReader) error {
 }
 case "gcp.methodName":
- serviceName := string(p.jdata.Get("protoPayload").Get("methodName").GetStringBytes())
- req.SetValue(serviceName)
+ methodName := string(p.jdata.Get("protoPayload").Get("methodName").GetStringBytes())
+ req.SetValue(methodName)
+
+ case "gcp.cloudfunctions.function":
+ functionName := p.jdata.Get("resource").Get("labels").Get("function_name")
+ if functionName.Exists() {
+ req.SetValue(functionName)
+ }
+
+ case "gcp.cloudsql.databaseId":
+ databaseId := p.jdata.Get("resource").Get("labels").Get("database_id")
+ if databaseId.Exists() {
+ req.SetValue(databaseId)
+ }
+
+ case "gcp.compute.instanceId":
+ instanceId := p.jdata.Get("resource").Get("labels").Get("instance_id")
+ if instanceId.Exists() {
+ req.SetValue(instanceId)
+ }
+
+ case "gcp.compute.networkId":
+ networkId := p.jdata.Get("resource").Get("labels").Get("network_id")
+ if networkId.Exists() {
+ req.SetValue(networkId)
+ }
+
+ case "gcp.compute.subnetwork":
+ subnetwork := p.jdata.Get("resource").Get("labels").Get("subnetwork_name")
+ if subnetwork.Exists() {
+ req.SetValue(subnetwork)
+ }
+
+ case "gcp.compute.subnetworkId":
+ subnetworkId := p.jdata.Get("resource").Get("labels").Get("subnetwork_id")
+ if subnetworkId.Exists() {
+ req.SetValue(subnetworkId)
+ }
+
+ case "gcp.dns.zone":
+ zone := p.jdata.Get("resource").Get("labels").Get("zone_name")
+ if zone.Exists() {
+ req.SetValue(zone)
+ }
+
+ case "gcp.iam.serviceAccount":
+ serviceAccount := p.jdata.Get("resource").Get("labels").Get("email_id")
+ if serviceAccount.Exists() {
+ req.SetValue(serviceAccount)
+ }
+
+ case "gcp.iam.serviceAccountId":
+ serviceAccountId := p.jdata.Get("resource").Get("labels").Get("unique_id")
+ if serviceAccountId.Exists() {
+ req.SetValue(serviceAccountId)
+ }
+
+ case "gcp.location":
+ location := p.jdata.Get("resource").Get("labels").Get("location")
+ if location.Exists() {
+ req.SetValue(location)
+ }
+
+ case "gcp.logging.sink":
+ resource := string(p.jdata.Get("resource").Get("type").GetStringBytes())
+
+ if resource == "logging_sink" {
+ loggingSink := p.jdata.Get("resource").Get("labels").Get("name")
+ if loggingSink.Exists() {
+ req.SetValue(loggingSink)
+ }
+ }
+
+ case "gcp.projectId":
+ projectId := p.jdata.Get("resource").Get("labels").Get("project_id")
+ if projectId.Exists() {
+ req.SetValue(projectId)
+ }
+
+ case "gcp.resourceName":
+ resourceName := p.jdata.Get("protoPayload").Get("resourceName")
+ if resourceName.Exists() {
+ req.SetValue(resourceName)
+ }
+
+ case "gcp.storage.bucket":
+ bucket := p.jdata.Get("resource").Get("labels").Get("bucket_name")
+ if bucket.Exists() {
+ req.SetValue(bucket)
+ }
+
+ case "resourceType":
+ resourceType := p.jdata.Get("resource").Get("type")
+ if resourceType.Exists() {
+ req.SetValue(resourceType)
+ }
+
+ case "resourceCategory":
+ resourceCategory := p.jdata.Get("resource").Get("type")
+ if resourceCategory.Exists() {
+ req.SetValue(resourceCategory)
+ }
 default:
 return fmt.Errorf("unknown field: %s", req.Field())
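Review bot: Every new case hands the JSON node returned by `Get(...)` straight to `req.SetValue`, whereas the `gcp.methodName` case just above converts to a Go string first and all of these fields are declared `Type: "string"` in Fields(). Each case should pass a string, e.g. `req.SetValue(string(functionName.GetStringBytes()))`. How the SDK treats a non-string value is not visible here, but if it rejects or mis-renders it, rules keyed on these fields would silently stop matching, which is a detection gap rather than a visible error. Separately, `resourceType` and `resourceCategory` both read `resource.type` and so always return the same value, which looks like a copy-paste slip; the category presumably needs its own source or a mapping. The body of Extract starts and ends outside the hunk.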