From 3f345b6468f8f22316e01913c6ca651aba9b2db8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Francesco=20Pirro=CC=80?=
Date: Wed, 20 Nov 2024 14:21:26 +0100
Subject: [PATCH 1/3] feat(plugins/gcpaudit): add gcp.resourceLabels field
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Francesco Pirrò
---
 plugins/gcpaudit/pkg/gcpaudit/extract.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/plugins/gcpaudit/pkg/gcpaudit/extract.go b/plugins/gcpaudit/pkg/gcpaudit/extract.go
index 99b59fbe..e4fc9e24 100644
--- a/plugins/gcpaudit/pkg/gcpaudit/extract.go
+++ b/plugins/gcpaudit/pkg/gcpaudit/extract.go
@@ -48,6 +48,7 @@ func (p *Plugin) Fields() []sdk.FieldEntry {
 {Type: "string", Name: "gcp.projectId", Display: "Project ID", Desc: "GCP project ID"},
 {Type: "string", Name: "gcp.resourceName", Display: "Resource Name", Desc: "GCP resource name"},
 {Type: "string", Name: "gcp.resourceType", Display: "Resource Type", Desc: "GCP resource type"},
+ {Type: "string", Name: "gcp.resourceLabels", Display: "Resource Labels", Desc: "GCP resource labels"},
 {Type: "string", Name: "gcp.storage.bucket", Display: "Bucket Name", Desc: "GCP bucket name"},
 }
 }
@@ -225,6 +226,12 @@ func (p *Plugin) Extract(req sdk.ExtractRequest, evt sdk.EventReader) error {
 req.SetValue(string(resourceType))
 }

+ case "gcp.resourceLabels":
+ resourceLabels := p.jdata.Get("resource").Get("labels").MarshalTo(nil)
+ if resourceLabels != nil && len(resourceLabels) > 0 {
+ req.SetValue(string(resourceLabels))
+ }
+
 case "gcp.storage.bucket":
 bucket := p.jdata.Get("resource").Get("labels").GetStringBytes("bucket_name")
 if bucket != nil {
From 931f0688edbe90f1d571bfcb200dd5ecb553903c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Francesco=20Pirro=CC=80?=
Date: Wed, 20 Nov 2024 15:48:14 +0100
Subject: [PATCH 2/3] chore(plugins/gcpaudit): update readme with new field
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
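Review bot: The new `gcp.resourceLabels` entry in Fields() is described only as "GCP resource labels", while the Extract case added in the same patch returns the whole `resource.labels` value serialized as JSON text. Rule authors need to know the format to write conditions against it, so the description should state it, for example `Desc: "GCP resource labels, serialized as a JSON object string"`. The README row added in patch 2/3 should carry the same wording. Fields() starts above this hunk.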
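Review bot: In the added `gcp.resourceLabels` case, `MarshalTo(nil)` is called directly on the result of `Get("resource").Get("labels")` with no nil check. If `p.jdata` is a fastjson value, as the `GetStringBytes` call in the next case suggests, `Get` returns nil for a missing key and `MarshalTo` reads a field of its receiver. An audit entry without `resource.labels` would then likely panic the extractor and interrupt detection on this event source; the later `len` test runs too late to help, and a JSON `null` or non-object value would be emitted verbatim. Consider `if labels := p.jdata.GetObject("resource", "labels"); labels != nil { req.SetValue(string(labels.MarshalTo(nil))) }`, which also removes the redundant `resourceLabels != nil && len(resourceLabels) > 0` test (`len` of a nil slice is already 0). Extract's body continues outside the hunk, and the series adds no test for an entry lacking labels.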
Signed-off-by: Francesco Pirrò
---
 plugins/gcpaudit/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/plugins/gcpaudit/README.md b/plugins/gcpaudit/README.md
index c9366023..79470a6b 100644
--- a/plugins/gcpaudit/README.md
+++ b/plugins/gcpaudit/README.md
@@ -111,6 +111,7 @@ For more details about what Cloud logging log queries, see the [GCP official doc
 | `gcp.projectId` | `string` | None | GCP project ID |
 | `gcp.resourceName` | `string` | None | GCP resource name |
 | `gcp.resourceType` | `string` | None | GCP resource type |
+| `gcp.resourceLabels` | `string` | None | GCP resource labels |
 | `gcp.storage.bucket` | `string` | None | GCP bucket name |


From 7b0fdac41655ae89cbfb8f5e18e76f852d8ced5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Francesco=20Pirro=CC=80?=
Date: Wed, 20 Nov 2024 15:49:40 +0100
Subject: [PATCH 3/3] update(plugins/gcpaudit): bump plugin version to 0.5.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Francesco Pirrò
---
 plugins/gcpaudit/pkg/gcpaudit/gcpaudit.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/gcpaudit/pkg/gcpaudit/gcpaudit.go b/plugins/gcpaudit/pkg/gcpaudit/gcpaudit.go
index 993aee9d..1d4bfa73 100644
--- a/plugins/gcpaudit/pkg/gcpaudit/gcpaudit.go
+++ b/plugins/gcpaudit/pkg/gcpaudit/gcpaudit.go
@@ -30,7 +30,7 @@ const (
 PluginName = "gcpaudit"
 PluginDescription = "Read GCP Audit Logs"
 PluginContact = "github.com/falcosecurity/plugins"
- PluginVersion = "0.4.0"
+ PluginVersion = "0.5.0"
 PluginEventSource = "gcp_auditlog"
 )