feat(plugins/gcp): extract more gcp fields

Signed-off-by: Sanja Kosier <[email protected]>
falcosecurity · Sep 12, 2023 · f47edbb · f47edbb
1 parent 54e75bf
commit f47edbb
Showing 1 changed file with 128 additions and 3 deletions.
diff --git a/plugins/gcpaudit/pkg/gcpaudit/extract.go b/plugins/gcpaudit/pkg/gcpaudit/extract.go
@@ -16,7 +16,22 @@ func (p *Plugin) Fields() []sdk.FieldEntry {
 		{Type: "string", Name: "gcp.serviceName", Desc: "GCP API service name"},
 		{Type: "string", Name: "gcp.policyDelta", Desc: "GCP service resource access policy"},
 		{Type: "string", Name: "gcp.request", Desc: "GCP API raw request"},
-		{Type: "string", Name: "gcp.methodName", Desc: "GCP API service  method executed"},
+		{Type: "string", Name: "gcp.methodName", Desc: "GCP API service method executed"},
+		{Type: "string", Name: "gcp.cloudfunctions.function", Desc: "GCF name"},
+		{Type: "string", Name: "gcp.cloudsql.databaseId", Desc: "GCP SQL database ID"},
+		{Type: "string", Name: "gcp.compute.instanceId", Desc: "GCE instance ID"},
+		{Type: "string", Name: "gcp.compute.networkId", Desc: "GCP network ID"},
+		{Type: "string", Name: "gcp.compute.subnetwork", Desc: "GCP subnetwork name"},
+		{Type: "string", Name: "gcp.compute.subnetworkId", Desc: "GCP subnetwork ID"},
+		{Type: "string", Name: "gcp.dns.zone", Desc: "GCP DNS zoned"},
+		{Type: "string", Name: "gcp.iam.serviceAccount", Desc: "GCP service account"},
+		{Type: "string", Name: "gcp.iam.serviceAccountId", Desc: "GCP IAM unique ID"},
+		{Type: "string", Name: "gcp.location", Desc: "GCP region"},
+		{Type: "string", Name: "gcp.logging.sink", Desc: "GCP logging sink"},
+		{Type: "string", Name: "gcp.projectId", Desc: "GCP project ID"},
+		{Type: "string", Name: "gcp.resourceName", Desc: "GCP resource name"},
+		{Type: "string", Name: "gcp.resourceType", Desc: "GCP resource type"},
+		{Type: "string", Name: "gcp.storage.bucket", Desc: "GCP bucket name"},
 	}
 }
 
@@ -78,8 +93,118 @@ func (p *Plugin) Extract(req sdk.ExtractRequest, evt sdk.EventReader) error {
 		}
 
 	case "gcp.methodName":
-		serviceName := string(p.jdata.Get("protoPayload").Get("methodName").GetStringBytes())
-		req.SetValue(serviceName)
+		methodName := string(p.jdata.Get("protoPayload").Get("methodName").GetStringBytes())
+		req.SetValue(methodName)
+
+	case "gcp.cloudfunctions.function":
+		functionName := p.jdata.Get("resource").Get("labels").Get("function_name")
+		if functionName.Exists() {
+			req.SetValue(functionName)
+		}
+
+	case "gcp.cloudsql.databaseId":
+		databaseId := p.jdata.Get("resource").Get("labels").Get("database_id")
+		if databaseId.Exists() {
+			req.SetValue(databaseId)
+		}
+
+	case "gcp.compute.instanceId":
+		instanceId := p.jdata.Get("resource").Get("labels").Get("instance_id")
+		if instanceId.Exists() {
+			req.SetValue(instanceId)
+		}
+
+	case "gcp.compute.networkId":
+		networkId := p.jdata.Get("resource").Get("labels").Get("network_id")
+		if networkId.Exists() {
+			req.SetValue(networkId)
+		}
+
+	case "gcp.compute.subnetwork":
+		subnetwork := p.jdata.Get("resource").Get("labels").Get("subnetwork_name")
+		if subnetwork.Exists() {
+			req.SetValue(subnetwork)
+		}
+
+	case "gcp.compute.subnetworkId":
+		subnetworkId := p.jdata.Get("resource").Get("labels").Get("subnetwork_id")
+		if subnetworkId.Exists() {
+			req.SetValue(subnetworkId)
+		}
+
+	case "gcp.dns.zone":
+		zone := p.jdata.Get("resource").Get("labels").Get("zone_name")
+		if zone.Exists() {
+			req.SetValue(zone)
+		}
+
+	case "gcp.iam.serviceAccount":
+		serviceAccount := p.jdata.Get("resource").Get("labels").Get("email_id")
+		if serviceAccount.Exists() {
+			req.SetValue(serviceAccount)
+		}
+
+	case "gcp.iam.serviceAccountId":
+		serviceAccountId := p.jdata.Get("resource").Get("labels").Get("unique_id")
+		if serviceAccountId.Exists() {
+			req.SetValue(serviceAccountId)
+		}
+
+	case "gcp.location":
+		location := p.jdata.Get("resource").Get("labels").Get("location")
+		if location.Exists() {
+			req.SetValue(location)
+			return nil
+		}
+		// if location is not present, check for region
+		region := p.jdata.Get("resource").Get("labels").Get("region")
+		if region.Exists() {
+			req.SetValue(region)
+			return nil
+		}
+		// if region is not present, check for zone
+		zone := p.jdata.Get("resource").Get("labels").Get("zone").String()
+		if zone != "" && len(zone) > 2 {
+			// if in format: "us-central1-a", remove last two chars
+			formattedZone := zone[:len(zone)-2]
+			req.SetValue(formattedZone)
+		} else if zone != "" {
+			req.SetValue(zone)
+		}
+
+	case "gcp.logging.sink":
+		resource := string(p.jdata.Get("resource").Get("type").GetStringBytes())
+
+		if resource == "logging_sink" {
+			loggingSink := p.jdata.Get("resource").Get("labels").Get("name")
+			if loggingSink.Exists() {
+				req.SetValue(loggingSink)
+			}
+		}
+
+	case "gcp.projectId":
+		projectId := p.jdata.Get("resource").Get("labels").Get("project_id")
+		if projectId.Exists() {
+			req.SetValue(projectId)
+		}
+
+	case "gcp.resourceName":
+		resourceName := p.jdata.Get("protoPayload").Get("resourceName")
+		if resourceName.Exists() {
+			req.SetValue(resourceName)
+		}
+
+	case "gcp.resourceType":
+		resourceType := p.jdata.Get("resource").Get("type")
+		if resourceType.Exists() {
+			req.SetValue(resourceType)
+		}
+
+	case "gcp.storage.bucket":
+		bucket := p.jdata.Get("resource").Get("labels").Get("bucket_name")
+		if bucket.Exists() {
+			req.SetValue(bucket)
+		}
 
 	default:
 		return fmt.Errorf("unknown field: %s", req.Field())