[gcp.audit]: parse sensitive action notifications #14225

@aarju

Description

Integration Name

Google Cloud Platform [gcp]

Dataset Name

gcp.audit

Integration Version

2.41.0

Agent Version

9.0.1

OS Version and Architecture

GKE

User Goal

Google Cloud will send notifications of sensitive actions to tenant owners, and those events are also added to the GCP audit logs but they are not currently parsed. We would like to see these events parsed on ingest so we can create SIEM notifications using these events.

https://cloud.google.com/advisory-notifications/docs/sensitive-actions-logs

This is the schema for these log events: https://github.com/googleapis/googleapis/blob/master/google/cloud/sensitiveaction/logging/v1/sensitive_action_payload.proto

Existing Features

These logs are not currently parsed by the integration

What did you see?

Currently the only way to find these events is to query the GCP audit logs for log.logger:projects/*/logs/sensitiveaction.googleapis.com%2Faction, and the data is unparsed in the event.original field like this:

  "event.original": [
     "{\"insertId\":\"veqbqlc5a2\",\"jsonPayload\":{\"access\":{\"callerIp\":\"XX.XX.XX.XX\",\"callerIpGeo\":{\"regionCode\":\"DE\"},\"methodName\":\"v1.compute.projects.setCommonInstanceMetadata\",\"principalEmail\":\"example.user@elastic\",\"principalSubject\":\"user:example.user@elastic\",\"serviceName\":\"compute.googleapis.com\",\"userAgent\":\"google-cloud-sdk gcloud/525.0.0 command/gcloud.compute.ssh invocation-id/881a0585a52e4ff68bbaf3efb4f2da2c environment/None environment-version/None client-os/MACOSX client-os-ver/24.5.0 client-pltf-arch/arm interactive/True from-script/False python/3.13.4 term/xterm-256color (Macintosh; Intel Mac OS X 24.5.0),gzip(gfe)\"},\"actionTime\":\"2025-06-13T13:42:47.922290Z\",\"actionType\":\"add_ssh_key\",\"affectedResources\":[\"//compute.googleapis.com/projects/10594\"],\"learnMoreUri\":\"https://cloud.google.com/security-command-center/docs/concepts-sensitive-actions-overview\",\"sourceLogIds\":[{\"insertId\":\"3czf3od3\",\"logTime\":\"2025-06-13T13:42:46.293601Z\",\"queryUri\":\"https://console.cloud.google.com/logs/query;query=timestamp%3D%222025-06-13T13:42:46.293601Z%22%0AinsertId%3D%223czf3od3k16%22?project=elastic-sa\",\"resourceContainer\":\"projects/elastic-sa\"}]},\"logName\":\"projects/elastic-sa/logs/sensitiveaction.googleapis.com%2Faction\",\"receiveTimestamp\":\"2025-06-13T13:42:49.295214268Z\",\"resource\":{\"labels\":{\"location\":\"global\",\"resource_container\":\"//compute.googleapis.com/projects/10594\"},\"type\":\"sensitiveaction.googleapis.com/Location\"},\"severity\":\"NOTICE\",\"timestamp\":\"2025-06-13T13:42:47.92229Z\"}"
   ]

Anything else?

No response
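A parser for the sample event above, added here as an example; it is not part of the issue or of the gcp integration's ingest pipeline. It keeps the logger match the issue queries, maps the fields that have ECS equivalents, and places the rest under gcp.sensitive_action.*, an assumed custom namespace.

```python
import json

# Trimmed copy of the event.original sample quoted in this issue (constructed for the example).
SAMPLE = json.dumps({
    "insertId": "veqbqlc5a2",
    "jsonPayload": {
        "access": {"callerIp": "XX.XX.XX.XX", "callerIpGeo": {"regionCode": "DE"},
                   "methodName": "v1.compute.projects.setCommonInstanceMetadata",
                   "principalEmail": "example.user@elastic",
                   "userAgent": "google-cloud-sdk gcloud/525.0.0 command/gcloud.compute.ssh"},
        "actionTime": "2025-06-13T13:42:47.922290Z",
        "actionType": "add_ssh_key",
        "affectedResources": ["//compute.googleapis.com/projects/10594"],
        "sourceLogIds": [{"insertId": "3czf3od3", "resourceContainer": "projects/elastic-sa"}],
    },
    "logName": "projects/elastic-sa/logs/sensitiveaction.googleapis.com%2Faction",
    "severity": "NOTICE",
    "timestamp": "2025-06-13T13:42:47.92229Z",
})

LOG_SUFFIX = "/logs/sensitiveaction.googleapis.com%2Faction"

def is_sensitive_action(log_name: str) -> bool:
    """Same match as the issue's query: projects/*/logs/sensitiveaction.googleapis.com%2Faction."""
    return log_name.startswith("projects/") and log_name.endswith(LOG_SUFFIX)

def parse_sensitive_action(raw: str) -> dict:
    """Map one raw event.original string to ECS fields; gcp.sensitive_action.* is an assumed namespace."""
    doc = json.loads(raw)
    log_name = doc.get("logName", "")
    if not is_sensitive_action(log_name):
        raise ValueError(f"not a sensitive action log: {log_name!r}")
    payload = doc.get("jsonPayload", {})
    access = payload.get("access", {})
    # The project id lives on sourceLogIds[].resourceContainer ("projects/<id>"), not on the top level.
    containers = [s.get("resourceContainer", "") for s in payload.get("sourceLogIds", [])]
    project = containers[0].removeprefix("projects/") if containers else None
    return {
        "@timestamp": payload.get("actionTime", doc.get("timestamp")),
        "event.action": payload.get("actionType"),
        "log.logger": log_name,
        "cloud.project.id": project,
        "source.ip": access.get("callerIp"),
        "source.geo.country_iso_code": access.get("callerIpGeo", {}).get("regionCode"),
        "user.email": access.get("principalEmail"),
        "user_agent.original": access.get("userAgent"),
        "gcp.sensitive_action.method_name": access.get("methodName"),
        "gcp.sensitive_action.affected_resources": payload.get("affectedResources", []),
    }
```

Optional fields such as callerIpGeo are read with defaults so an event without them still parses instead of failing the pipeline.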

Labels: Integration:gcp (Google Cloud Platform), Team:Security-Service Integrations [elastic/security-service-integrations], Team:Sit-Crest [elastic/sit-crest-contractors], enhancement (New feature or request)