Skip to content

gcp: remove never-successful violation field renames #13777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

gcp: remove never-successful violation field renames #13777

wants to merge 2 commits into from

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented May 4, 2025

Proposed commit message

The rename refers to fields that do not exist in the type, and appears to
have been incorrectly added to the block handling PolicyViolationInfo.

The alternative would have been to add the following, but we already
document the current behaviour, so leaving this as is as unfortunate.

  - foreach:
      field: gcp.audit.policy_violation_info.violations
      ignore_missing: true
      ignore_failure: true
      processor:
        rename:
          field: _ingest._value.errorMessage
          target_field: _ingest._value.error_message
      if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List
  - foreach:
      field: gcp.audit.policy_violation_info.violations
      ignore_missing: true
      ignore_failure: true
      processor:
        rename:
          field: _ingest._value.checkedValue
          target_field: _ingest._value.checked_value
      if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List
  - foreach:
      field: gcp.audit.policy_violation_info.violations
      ignore_missing: true
      ignore_failure: true
      processor:
        rename:
          field: _ingest._value.policyType
          target_field: _ingest._value.policy_type
      if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List

[1]https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#ViolationInfo

Thanks to @ishleenk17 for identifying this.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 added Integration:gcp Google Cloud Platform bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels May 4, 2025
@efd6 efd6 self-assigned this May 4, 2025
@efd6
gcp: remove never-successful violation field renames
2050049 
The rename refers to fields that do not exist in the type, and appears to
have been incorrectly added to the block handling PolicyViolationInfo.

The alternative would have been to add the following, but we already
document the current behaviour, so leaving this as is as unfortunate.

  - foreach:
      field: gcp.audit.policy_violation_info.violations
      ignore_missing: true
      ignore_failure: true
      processor:
        rename:
          field: _ingest._value.errorMessage
          target_field: _ingest._value.error_message
      if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List
  - foreach:
      field: gcp.audit.policy_violation_info.violations
      ignore_missing: true
      ignore_failure: true
      processor:
        rename:
          field: _ingest._value.checkedValue
          target_field: _ingest._value.checked_value
      if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List
  - foreach:
      field: gcp.audit.policy_violation_info.violations
      ignore_missing: true
      ignore_failure: true
      processor:
        rename:
          field: _ingest._value.policyType
          target_field: _ingest._value.policy_type
      if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List

[1]https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#ViolationInfo
@efd6 efd6 force-pushed the gcp_audit_renames branch from 7ab7e6c to 2050049 Compare May 4, 2025 21:45
@elastic-vault-github-plugin-prod
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine
Copy link

💚 Build Succeeded

cc @efd6

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@efd6 efd6 marked this pull request as ready for review May 4, 2025 22:11
@efd6 efd6 requested review from a team as code owners May 4, 2025 22:11
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@efd6 efd6

Labels
bugfix Pull request that fixes a bug issue Integration:gcp Google Cloud Platform Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@efd6 @elasticmachine