Google Cloud Module Additional Field Extraction Request #15651

ghost · 2020-01-17T18:41:50Z

The current Google Cloud module doesn't extract "insertId" field from the VPC flow logs in GCP. According to GCP documentation, this is a unique identifier for the log entry.

Optional. A unique identifier for the log entry. If you provide a value, then Logging considers other log entries in the same project, with the same timestamp, and with the same insertId to be duplicates which can be removed. If omitted in new log entries, then Logging assigns its own unique identifier. The insertId is also used to order log entries that have the same timestamp value.
ref: https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry

Extracting the field with the Google Cloud module would help to find the exact log event in Stackdriver. Right now, it's a bit harder to do it.

elasticmachine · 2020-01-18T14:03:44Z

Pinging @elastic/siem (Team:SIEM)

andrewkroh · 2020-01-18T14:41:30Z

For the vpcflow dataset I think it would be just one change at:

beats/x-pack/filebeat/module/googlecloud/vpcflow/config/pipeline.js

Line 60 in 9ece104

{from: "json.jsonPayload", to: "json"},

to add {from: "json.insertId", to: "label.insert_id"},.

And it would be a very similar change to the audit and firewall datasets.

+ audit - event.id - event.action - event.kind + firewall - event.kind - event.category - event.type - event.action - event.id - rule.name + vpcflow - event.kind - event.category - event.type - event.id Closes elastic#16030 Closes elastic#15651

…odule (elastic#16500) + audit - event.id - event.action - event.kind + firewall - event.kind - event.category - event.type - event.action - event.id - rule.name + vpcflow - event.kind - event.category - event.type - event.id Closes elastic#16030 Closes elastic#15651 (cherry picked from commit e1fa198)

…odule (#16500) (#16528) + audit - event.id - event.action - event.kind + firewall - event.kind - event.category - event.type - event.action - event.id - rule.name + vpcflow - event.kind - event.category - event.type - event.id Closes #16030 Closes #15651 (cherry picked from commit e1fa198)

ycombinator added enhancement Team:Integrations Label for the Integrations team labels Jan 17, 2020

adriansr added the Team:SIEM label Jan 18, 2020

andrewkroh added the good first issue Indicates a good issue for first-time contributors label Jan 18, 2020

andresrc added the [zube]: Old-Inbox label Jan 27, 2020

leehinman closed this as completed in e1fa198 Feb 24, 2020

zube bot added [zube]: Done and removed [zube]: Old-Inbox labels Feb 24, 2020

andresrc removed the [zube]: Done label Feb 25, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Google Cloud Module Additional Field Extraction Request #15651

Google Cloud Module Additional Field Extraction Request #15651

ghost commented Jan 17, 2020 •

edited by ghost

Loading

elasticmachine commented Jan 18, 2020

andrewkroh commented Jan 18, 2020

Google Cloud Module Additional Field Extraction Request #15651

Google Cloud Module Additional Field Extraction Request #15651

Comments

ghost commented Jan 17, 2020 • edited by ghost Loading

elasticmachine commented Jan 18, 2020

andrewkroh commented Jan 18, 2020

ghost commented Jan 17, 2020 •

edited by ghost

Loading