gcp: remove never-successful violation field renames #13777

efd6 · 2025-05-04T21:44:29Z

Proposed commit message

The rename refers to fields that do not exist in the type, and appears to
have been incorrectly added to the block handling PolicyViolationInfo.

The alternative would have been to add the following, but we already
document the current behaviour, so leaving this as is as unfortunate.

  - foreach:
      field: gcp.audit.policy_violation_info.violations
      ignore_missing: true
      ignore_failure: true
      processor:
        rename:
          field: _ingest._value.errorMessage
          target_field: _ingest._value.error_message
      if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List
  - foreach:
      field: gcp.audit.policy_violation_info.violations
      ignore_missing: true
      ignore_failure: true
      processor:
        rename:
          field: _ingest._value.checkedValue
          target_field: _ingest._value.checked_value
      if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List
  - foreach:
      field: gcp.audit.policy_violation_info.violations
      ignore_missing: true
      ignore_failure: true
      processor:
        rename:
          field: _ingest._value.policyType
          target_field: _ingest._value.policy_type
      if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List

[1]https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#ViolationInfo

Thanks to @ishleenk17 for identifying this.

Checklist

I have reviewed tips for building integrations and this pull request is aligned with them.
I have verified that all data streams collect metrics or logs.
I have added an entry to my package's changelog.yml file.
I have verified that Kibana version constraints are current according to guidelines.
I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

[ ]

How to test this PR locally

Related issues

Screenshots

elastic-vault-github-plugin-prod · 2025-05-04T22:10:35Z

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

elasticmachine · 2025-05-04T22:11:29Z

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

chrisberkhout

Not renames absent fields seems fine.

Not adding renames to change the case of actual fields seems fine since they're already provided and documented in the current form.

The rename refers to fields that do not exist in the type, and appears to have been incorrectly added to the block handling PolicyViolationInfo. The alternative would have been to add the following, but we already document the current behaviour, so leaving this as is as unfortunate. - foreach: field: gcp.audit.policy_violation_info.violations ignore_missing: true ignore_failure: true processor: rename: field: _ingest._value.errorMessage target_field: _ingest._value.error_message if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List - foreach: field: gcp.audit.policy_violation_info.violations ignore_missing: true ignore_failure: true processor: rename: field: _ingest._value.checkedValue target_field: _ingest._value.checked_value if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List - foreach: field: gcp.audit.policy_violation_info.violations ignore_missing: true ignore_failure: true processor: rename: field: _ingest._value.policyType target_field: _ingest._value.policy_type if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List [1]https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#ViolationInfo

elasticmachine · 2025-05-21T21:42:30Z

💚 Build Succeeded

Buildkite Build
Commit: 3d74c6f

History

💚 Build #25479 succeeded 2050049

cc @efd6

elastic-sonarqube · 2025-05-21T21:42:35Z

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

elastic-vault-github-plugin-prod · 2025-05-21T21:58:41Z

Package gcp - 2.42.1 containing this change is available at https://epr.elastic.co/package/gcp/2.42.1/

The rename refers to fields that do not exist in the type, and appears to have been incorrectly added to the block handling PolicyViolationInfo. The alternative would have been to add the following, but we already document the current behaviour, so leaving this as is as unfortunate. - foreach: field: gcp.audit.policy_violation_info.violations ignore_missing: true ignore_failure: true processor: rename: field: _ingest._value.errorMessage target_field: _ingest._value.error_message if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List - foreach: field: gcp.audit.policy_violation_info.violations ignore_missing: true ignore_failure: true processor: rename: field: _ingest._value.checkedValue target_field: _ingest._value.checked_value if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List - foreach: field: gcp.audit.policy_violation_info.violations ignore_missing: true ignore_failure: true processor: rename: field: _ingest._value.policyType target_field: _ingest._value.policy_type if: ctx.gcp?.audit?.policy_violation_info?.violations instanceof List [1]https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#ViolationInfo

efd6 added Integration:gcp Google Cloud Platform bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels May 4, 2025

efd6 self-assigned this May 4, 2025

efd6 force-pushed the gcp_audit_renames branch from 7ab7e6c to 2050049 Compare May 4, 2025 21:45

efd6 marked this pull request as ready for review May 4, 2025 22:11

efd6 requested review from a team as code owners May 4, 2025 22:11

chrisberkhout approved these changes May 21, 2025

View reviewed changes

efd6 added 2 commits May 22, 2025 06:44

regenerate test expectations

97ce581

efd6 force-pushed the gcp_audit_renames branch from 2050049 to 3d74c6f Compare May 21, 2025 21:15

efd6 enabled auto-merge (squash) May 21, 2025 21:15

efd6 merged commit 739cf21 into elastic:main May 21, 2025
6 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

gcp: remove never-successful violation field renames #13777

gcp: remove never-successful violation field renames #13777

Uh oh!

efd6 commented May 4, 2025

Uh oh!

elastic-vault-github-plugin-prod bot commented May 4, 2025

Uh oh!

elasticmachine commented May 4, 2025

Uh oh!

chrisberkhout left a comment

Uh oh!

elasticmachine commented May 21, 2025

Uh oh!

Uh oh!

elastic-sonarqube bot commented May 21, 2025

Uh oh!

elastic-vault-github-plugin-prod bot commented May 21, 2025

Uh oh!

Uh oh!

gcp: remove never-successful violation field renames #13777

gcp: remove never-successful violation field renames #13777

Uh oh!

Conversation

efd6 commented May 4, 2025

Proposed commit message

Checklist

Author's Checklist

How to test this PR locally

Related issues

Screenshots

Uh oh!

elastic-vault-github-plugin-prod bot commented May 4, 2025

🚀 Benchmarks report

Uh oh!

elasticmachine commented May 4, 2025

Uh oh!

chrisberkhout left a comment

Choose a reason for hiding this comment

Uh oh!

elasticmachine commented May 21, 2025

💚 Build Succeeded

History

Uh oh!

Uh oh!

elastic-sonarqube bot commented May 21, 2025

Quality Gate passed

Uh oh!

elastic-vault-github-plugin-prod bot commented May 21, 2025

Uh oh!

Uh oh!