Google Security Command Center
Collect logs from Google Security Command Center with Elastic Agent.
Beta feature
What is an Elastic integration?
This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.
Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.
See the integrations quick start guides to get started:
Overview
The Google Security Command Center integration allows users to monitor finding, audit, asset, and source. Security Command Center Premium provides comprehensive threat detection for Google Cloud that includes Event Threat Detection, Container Threat Detection, and Virtual Machine Threat Detection as built-in services.
Use the Google SCC integration to collect and parse data from the Google SCC REST API (finding, asset, and source) or GCP Pub/Sub (finding, asset, and audit). Then visualize that data through search, correlation, and visualization within Elastic Security.
Data streams
The Google SCC integration collects four types of data: finding, audit, asset, and source.
Finding is a record of assessment data like security, risk, health, or privacy, that is ingested into Security Command Center for presentation, notification, analysis, policy testing, and enforcement. For example, a cross-site scripting (XSS) vulnerability in an App Engine application is a finding.
Audit logs created by Security Command Center as part of Cloud Audit Logs.
Asset lists assets with time and resource types and returns paged results in response.
Source is an entity or a mechanism that can produce a finding. A source is like a container of findings that come from the same scanner, logger, monitor, and other tools.
Compatibility
This module has been tested against the latest Google SCC API version v1.
Requirements
- Elastic Agent must be installed.
- You can install only one Elastic Agent per host.
- Elastic Agent is required to stream data from the GCP Pub/Sub or REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
Installing and managing an Elastic Agent:
You have a few options for installing and managing an Elastic Agent:
Install a Fleet-managed Elastic Agent (recommended):
With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.
Install Elastic Agent in standalone mode (advanced users):
With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
Install Elastic Agent in a containerized environment:
You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry and we provide deployment manifests for running on Kubernetes.
There are some minimum requirements for running Elastic Agent and for more information, refer to the link here.
The minimum kibana.version required is 8.8.0.
Prerequisites
- Create Google SCC service account Steps to create.
- Permissions required for Service Account:
- Cloud Asset Viewer at Organization Level
- Pub/Sub Subscriber at Project Level
- Security Center Admin Editor at Organization Level
- Security Command Center API and Cloud Asset API must be enabled.
This integration will make use of the following oauth2 scope:
https://www.googleapis.com/auth/cloud-platform
Once Service Account credentials are downloaded as a JSON file, then the integration can be setup to collect data.
If installing in GCP-Cloud Environment, No need to provide any credentials and make sure the account linked with the VM has all the required IAM permissions. Steps to Set up Application Default Credentials.
Setup
To create GCP Pub/Sub, follow the below steps:
To collect data from GCP Pub/Sub, follow the below steps:
- Configure to export finding to GCP Pub/Sub.
- Configure to export asset to GCP Pub/Sub.
- Configure to export audit to GCP Pub/Sub.
NOTE:
- Sink destination must be Pub/Sub topic while exporting audit logs to GCP Pub/Sub.
- Create unique Pub/Sub topic per data-stream.
Enabling the integration in Elastic:
-
In Kibana go to Management > Integrations.
-
In "Search for integrations" search bar, type Google Security Command Center.
-
Click on the Google Security Command Center integration from the search results.
-
Click on the Add Google Security Command Center Integration button to add the integration.
-
While adding the integration, if you want to collect logs via Rest API, turn on the toggle and then put the following details:
- credentials type
- credentials JSON/file
- parent type
- id
- To collect asset logs, put the following details:
- content type
or if you want to collect logs via GCP Pub/Sub, turn on the toggle and then put the following details:
- credentials type
- credentials JSON/file
- project id
- To collect asset, audit, or finding logs, put the following details:
- topic
- subscription name
Logs reference
Asset
This is the Asset
dataset.
Example
An example event for asset
looks as following:
{
"@timestamp": "2023-07-03T06:24:10.638Z",
"agent": {
"ephemeral_id": "7ab58b6a-e33a-470d-b529-80d7f867ce64",
"id": "4c00a899-0103-47cf-a91d-fa52a48711c8",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.8.0"
},
"data_stream": {
"dataset": "google_scc.asset",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.10.0"
},
"elastic_agent": {
"id": "4c00a899-0103-47cf-a91d-fa52a48711c8",
"snapshot": false,
"version": "8.8.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"host"
],
"created": "2023-07-03T06:24:26.934Z",
"dataset": "google_scc.asset",
"id": "f14c38ac40-2",
"ingested": "2023-07-03T06:24:30Z",
"kind": "event",
"type": [
"info"
]
},
"google_scc": {
"asset": {
"ancestors": [
"projects/123456987522",
"folders/123456987520",
"organizations/523456987520"
],
"prior": {
"ancestors": [
"projects/123456987522",
"folders/123456987520",
"organizations/523456987520"
],
"name": "//logging.googleapis.com/projects/123456987522/locations/global/buckets/_Default",
"resource": {
"data": {
"analyticsEnabled": true,
"description": "Default bucket",
"lifecycleState": "ACTIVE",
"name": "projects/123456987522/locations/global/buckets/_Default",
"retentionDays": 30
},
"discovery": {
"document_uri": "https://logging.googleapis.com/$discovery/rest",
"name": "LogBucket"
},
"location": "global",
"parent": "//cloudresourcemanager.googleapis.com/projects/123456987522",
"version": "v2"
},
"type": "logging.googleapis.com/LogBucket",
"update_time": "2023-05-27T18:53:48.843Z"
},
"prior_asset_state": "PRESENT",
"resource": {
"data": {
"description": "Default bucket",
"lifecycleState": "ACTIVE",
"name": "projects/123456987522/locations/global/buckets/_Default",
"retentionDays": 30
},
"discovery": {
"document_uri": "https://logging.googleapis.com/$discovery/rest",
"name": "LogBucket"
},
"location": "global",
"parent": "//cloudresourcemanager.googleapis.com/projects/123456987522",
"version": "v2"
},
"update_time": "2023-05-28T06:59:48.052Z",
"window": {
"start_time": "2023-05-28T06:59:48.052Z"
}
}
},
"host": {
"name": "//logging.googleapis.com/projects/123456987522/locations/global/buckets/_Default",
"type": "logging.googleapis.com/LogBucket"
},
"input": {
"type": "gcp-pubsub"
},
"related": {
"hosts": [
"//logging.googleapis.com/projects/123456987522/locations/global/buckets/_Default"
]
},
"tags": [
"forwarded",
"google_scc-asset"
]
}
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
google_scc.asset.access_level.basic.combining_function | How the conditions list should be combined to determine if a request is granted this AccessLevel. If AND is used, each Condition in conditions must be satisfied for the AccessLevel to be applied. If OR is used, at least one Condition in conditions must be satisfied for the AccessLevel to be applied. Default behavior is AND. | keyword |
google_scc.asset.access_level.basic.conditions.device_policy.allowed_device_management_levels | Allowed device management levels, an empty list allows all management levels. | keyword |
google_scc.asset.access_level.basic.conditions.device_policy.allowed_encryption_statuses | Allowed encryptions statuses, an empty list allows all statuses. | keyword |
google_scc.asset.access_level.basic.conditions.device_policy.os_constraints.minimum_version | The minimum allowed OS version. If not set, any version of this OS satisfies the constraint. Format: "major.minor.patch". Examples: "10.5.301", "9.2.1". | keyword |
google_scc.asset.access_level.basic.conditions.device_policy.os_constraints.os_type | Required. The allowed OS type. | keyword |
google_scc.asset.access_level.basic.conditions.device_policy.os_constraints.require_verified_chrome_os | Only allows requests from devices with a verified Chrome OS. Verifications includes requirements that the device is enterprise-managed, conformant to domain policies, and the caller has permission to call the API targeted by the request. | boolean |
google_scc.asset.access_level.basic.conditions.device_policy.require_admin_approval | Whether the device needs to be approved by the customer admin. | boolean |
google_scc.asset.access_level.basic.conditions.device_policy.require_corp_owned | Whether the device needs to be corp owned. | boolean |
google_scc.asset.access_level.basic.conditions.device_policy.require_screenlock | Whether or not screenlock is required for the DevicePolicy to be true. Defaults to false. | boolean |
google_scc.asset.access_level.basic.conditions.members | The request must be made by one of the provided user or service accounts. Groups are not supported. Syntax: user:{emailid} serviceAccount:{emailid} If not specified, a request may come from any user. | keyword |
google_scc.asset.access_level.basic.conditions.negate | Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied. Defaults to false. | boolean |
google_scc.asset.access_level.basic.conditions.regions | The request must originate from one of the provided countries/regions. Must be valid ISO 3166-1 alpha-2 codes. | keyword |
google_scc.asset.access_level.basic.conditions.required_access_levels | A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true. Example: "accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME". | keyword |
google_scc.asset.access_level.custom.expression.description | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | keyword |
google_scc.asset.access_level.custom.expression.location | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | keyword |
google_scc.asset.access_level.custom.expression.text | Textual representation of an expression in Common Expression Language syntax. | keyword |
google_scc.asset.access_level.custom.expression.title | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | keyword |
google_scc.asset.access_level.description | Description of the AccessLevel and its use. Does not affect behavior. | keyword |
google_scc.asset.access_level.name | Required. Resource name for the Access Level. The shortName component must begin with a letter and only include alphanumeric and '_'. Format: accessPolicies/{accessPolicy}/accessLevels/{accessLevel}. The maximum length of the accessLevel component is 50 characters. | keyword |
google_scc.asset.access_level.title | Human readable title. Must be unique within the Policy. | keyword |
google_scc.asset.access_policy.etag | Output only. An opaque identifier for the current version of the AccessPolicy. This will always be a strongly validated etag, meaning that two Access Polices will be identical if and only if their etags are identical. Clients should not expect this to be in any specific format. | keyword |
google_scc.asset.access_policy.name | Output only. Resource name of the AccessPolicy. Format: accessPolicies/{accessPolicy}. | keyword |
google_scc.asset.access_policy.parent | Required. The parent of this AccessPolicy in the Cloud Resource Hierarchy. Currently immutable once created. Format: organizations/{organization_id}. | keyword |
google_scc.asset.access_policy.scopes | The scopes of a policy define which resources an ACM policy can restrict, and where ACM resources can be referenced. For example, a policy with scopes=["folders/123"] has the following behavior: - vpcsc perimeters can only restrict projects within folders/123 - access levels can only be referenced by resources within folders/123. If empty, there are no limitations on which resources can be restricted by an ACM policy, and there are no limitations on where ACM resources can be referenced. Only one policy can include a given scope (attempting to create a second policy which includes "folders/123" will result in an error). Currently, scopes cannot be modified after a policy is created. Currently, policies can only have a single scope. Format: list of folders/{folder_number} or projects/{project_number}. | keyword |
google_scc.asset.access_policy.title | Required. Human readable title. Does not affect behavior. | keyword |
google_scc.asset.ancestors | The ancestry path of an asset in Google Cloud resource hierarchy, represented as a list of relative resource names. An ancestry path starts with the closest ancestor in the hierarchy and ends at root. If the asset is a project, folder, or organization, the ancestry path starts from the asset itself. Example: ["projects/123456789", "folders/5432", "organizations/1234"]. | keyword |
google_scc.asset.iam_policy.audit_configs.audit_log_configs.exemted_members | Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members. | keyword |
google_scc.asset.iam_policy.audit_configs.audit_log_configs.log_type | The log type that this config enables. | keyword |
google_scc.asset.iam_policy.audit_configs.service | Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services. | keyword |
google_scc.asset.iam_policy.bindings.condition | The condition that is associated with this binding. If the condition evaluates to true, then this binding applies to the current request. If the condition evaluates to false, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the IAM documentation. | flattened |
google_scc.asset.iam_policy.bindings.members | Specifies the principals requesting access for a Google Cloud resource. members can have the following values: allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. user:{emailid}: An email address that represents a specific Google account. For example, alice@example.com . serviceAccount:{emailid}: An email address that represents a Google service account. For example, my-other-app@appspot.gserviceaccount.com. serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]: An identifier for a Kubernetes service account. For example, my-project.svc.id.goog[my-namespace/my-kubernetes-sa]. group:{emailid}: An email address that represents a Google group. For example, admins@example.com. deleted:user:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901. If the user is recovered, this value reverts to user:{emailid} and the recovered user retains the role in the binding. deleted:serviceAccount:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:{emailid} and the undeleted service account retains the role in the binding. deleted:group:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901. If the group is recovered, this value reverts to group:{emailid} and the recovered group retains the role in the binding. domain:{domain}: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com. | keyword |
google_scc.asset.iam_policy.bindings.role | Role that is assigned to the list of members, or principals. For example, roles/viewer, roles/editor, or roles/owner. | keyword |
google_scc.asset.iam_policy.etag | etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy. Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost. A base64-encoded string. | keyword |
google_scc.asset.iam_policy.version | Specifies the format of the policy. Valid values are 0, 1, and 3. Requests that specify an invalid value are rejected. Any operation that affects conditional role bindings must specify version 3. This requirement applies to the following operations: Getting a policy that includes a conditional role binding.Adding a conditional role binding to a policy.Changing a conditional role binding in a policy.Removing any role binding, with or without a condition, from a policy that includes conditions.Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost. If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset. To learn which resources support conditions in their IAM policies, see the IAM documentation. | keyword |
google_scc.asset.name | The full name of the asset. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1. See Resource names for more information. | keyword |
google_scc.asset.organization_policy.boolean_policy.enforced | If true, then the Policy is enforced. If false, then any configuration is acceptable. | boolean |
google_scc.asset.organization_policy.constraint | The name of the Constraint the Policy is configuring, for example, constraints/serviceuser.services. A list of available constraints is available. Immutable after creation. | keyword |
google_scc.asset.organization_policy.etag | An opaque tag indicating the current version of the Policy, used for concurrency control. When the Policy is returned from either a policies.get or a ListOrgPolicy request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a policies.getEffectivePolicy request, the etag will be unset. When the Policy is used in a SetOrgPolicy method, use the etag value that was returned from a GetOrgPolicy request as part of a read-modify-write loop for concurrency control. Not setting the etagin a SetOrgPolicy request will result in an unconditional write of the Policy. A base64-encoded string. | keyword |
google_scc.asset.organization_policy.list_policy.all_values | The policy allValues state. | keyword |
google_scc.asset.organization_policy.list_policy.allowed_values | List of values allowed at this resource. Can only be set if allValues is set to ALL_VALUES_UNSPECIFIED. | keyword |
google_scc.asset.organization_policy.list_policy.denied_values | List of values denied at this resource. Can only be set if allValues is set to ALL_VALUES_UNSPECIFIED. | keyword |
google_scc.asset.organization_policy.list_policy.inherit_from_parent | Determines the inheritance behavior for this Policy. | boolean |
google_scc.asset.organization_policy.list_policy.suggested_value | Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this Policy. If suggestedValue is not set, it will inherit the value specified higher in the hierarchy, unless inheritFromParent is false. | keyword |
google_scc.asset.organization_policy.restore_default.etag | Output only. An opaque identifier for the current version of the AccessPolicy. This will always be a strongly validated etag, meaning that two Access Polices will be identical if and only if their etags are identical. Clients should not expect this to be in any specific format. | keyword |
google_scc.asset.organization_policy.restore_default.name | Output only. Resource name of the AccessPolicy. Format: accessPolicies/{accessPolicy}. | keyword |
google_scc.asset.organization_policy.restore_default.parent | Required. The parent of this AccessPolicy in the Cloud Resource Hierarchy. Currently immutable once created. Format: organizations/{organization_id}. | keyword |
google_scc.asset.organization_policy.restore_default.scopes | The scopes of a policy define which resources an ACM policy can restrict, and where ACM resources can be referenced. For example, a policy with scopes=["folders/123"] has the following behavior: - vpcsc perimeters can only restrict projects within folders/123 - access levels can only be referenced by resources within folders/123. If empty, there are no limitations on which resources can be restricted by an ACM policy, and there are no limitations on where ACM resources can be referenced. Only one policy can include a given scope (attempting to create a second policy which includes "folders/123" will result in an error). Currently, scopes cannot be modified after a policy is created. Currently, policies can only have a single scope. Format: list of folders/{folder_number} or projects/{project_number}. | keyword |
google_scc.asset.organization_policy.restore_default.title | Required. Human readable title. Does not affect behavior. | keyword |
google_scc.asset.organization_policy.update_time | The time stamp the Policy was previously updated. This is set by the server, not specified by the caller, and represents the last time a call to SetOrgPolicy was made for that Policy. Any value set by the client will be ignored. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". | date |
google_scc.asset.organization_policy.version | Version of the Policy. Default version is 0. | keyword |
google_scc.asset.os_inventory.items | flattened | |
google_scc.asset.os_inventory.name | Output only. The Inventory API resource name. Format: projects/{project_number}/locations/{location}/instances/{instance_id}/inventory. | keyword |
google_scc.asset.os_inventory.os_info.architecture | The system architecture of the operating system. | keyword |
google_scc.asset.os_inventory.os_info.hostname | The VM hostname. | keyword |
google_scc.asset.os_inventory.os_info.kernel.release | The kernel release of the operating system. | keyword |
google_scc.asset.os_inventory.os_info.kernel.version | The kernel version of the operating system. | keyword |
google_scc.asset.os_inventory.os_info.long_name | The operating system long name. For example 'Debian GNU/Linux 9' or 'Microsoft Window Server 2019 Datacenter'. | keyword |
google_scc.asset.os_inventory.os_info.os_config_agent_version | The current version of the OS Config agent running on the VM. | keyword |
google_scc.asset.os_inventory.os_info.short_name | The operating system short name. For example, 'windows' or 'debian'. | keyword |
google_scc.asset.os_inventory.os_info.version | The version of the operating system. | keyword |
google_scc.asset.os_inventory.update_time | Output only. Timestamp of the last reported inventory for the VM. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". | date |
google_scc.asset.prior.access_level.basic.combining_function | How the conditions list should be combined to determine if a request is granted this AccessLevel. If AND is used, each Condition in conditions must be satisfied for the AccessLevel to be applied. If OR is used, at least one Condition in conditions must be satisfied for the AccessLevel to be applied. Default behavior is AND. | keyword |
google_scc.asset.prior.access_level.basic.conditions.device_policy.allowed_device_management_levels | Allowed device management levels, an empty list allows all management levels. | keyword |
google_scc.asset.prior.access_level.basic.conditions.device_policy.allowed_encryption_statuses | Allowed encryptions statuses, an empty list allows all statuses. | keyword |
google_scc.asset.prior.access_level.basic.conditions.device_policy.os_constraints.minimum_version | The minimum allowed OS version. If not set, any version of this OS satisfies the constraint. Format: "major.minor.patch". Examples: "10.5.301", "9.2.1". | keyword |
google_scc.asset.prior.access_level.basic.conditions.device_policy.os_constraints.os_type | Required. The allowed OS type. | keyword |
google_scc.asset.prior.access_level.basic.conditions.device_policy.os_constraints.require_verified_chrome_os | Only allows requests from devices with a verified Chrome OS. Verifications includes requirements that the device is enterprise-managed, conformant to domain policies, and the caller has permission to call the API targeted by the request. | boolean |
google_scc.asset.prior.access_level.basic.conditions.device_policy.require_admin_approval | Whether the device needs to be approved by the customer admin. | boolean |
google_scc.asset.prior.access_level.basic.conditions.device_policy.require_corp_owned | Whether the device needs to be corp owned. | boolean |
google_scc.asset.prior.access_level.basic.conditions.device_policy.require_screenlock | Whether or not screenlock is required for the DevicePolicy to be true. Defaults to false. | boolean |
google_scc.asset.prior.access_level.basic.conditions.members | The request must be made by one of the provided user or service accounts. Groups are not supported. Syntax: user:{emailid} serviceAccount:{emailid} If not specified, a request may come from any user. | keyword |
google_scc.asset.prior.access_level.basic.conditions.negate | Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied. Defaults to false. | boolean |
google_scc.asset.prior.access_level.basic.conditions.regions | The request must originate from one of the provided countries/regions. Must be valid ISO 3166-1 alpha-2 codes. | keyword |
google_scc.asset.prior.access_level.basic.conditions.required_access_levels | A list of other access levels defined in the same Policy, referenced by resource name. Referencing an AccessLevel which does not exist is an error. All access levels listed must be granted for the Condition to be true. Example: "accessPolicies/MY_POLICY/accessLevels/LEVEL_NAME". | keyword |
google_scc.asset.prior.access_level.basic.conditions.sub_networks | CIDR block IP subnetwork specification. May be IPv4 or IPv6. Note that for a CIDR IP address block, the specified IP address portion must be properly truncated (i.e. all the host bits must be zero) or the input is considered malformed. For example, "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly, for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32" is not. The originating IP of a request must be in one of the listed subnets in order for this Condition to be true. If empty, all IP addresses are allowed. | keyword |
google_scc.asset.prior.access_level.custom.expression.description | Optional. Description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI. | keyword |
google_scc.asset.prior.access_level.custom.expression.location | Optional. String indicating the location of the expression for error reporting, e.g. a file name and a position in the file. | keyword |
google_scc.asset.prior.access_level.custom.expression.text | Textual representation of an expression in Common Expression Language syntax. | keyword |
google_scc.asset.prior.access_level.custom.expression.title | Optional. Title for the expression, i.e. a short string describing its purpose. This can be used e.g. in UIs which allow to enter the expression. | keyword |
google_scc.asset.prior.access_level.description | Description of the AccessLevel and its use. Does not affect behavior. | keyword |
google_scc.asset.prior.access_level.name | Required. Resource name for the Access Level. The shortName component must begin with a letter and only include alphanumeric and '_'. Format: accessPolicies/{accessPolicy}/accessLevels/{accessLevel}. The maximum length of the accessLevel component is 50 characters. | keyword |
google_scc.asset.prior.access_level.title | Human readable title. Must be unique within the Policy. | keyword |
google_scc.asset.prior.access_policy.etag | Output only. An opaque identifier for the current version of the AccessPolicy. This will always be a strongly validated etag, meaning that two Access Polices will be identical if and only if their etags are identical. Clients should not expect this to be in any specific format. | keyword |
google_scc.asset.prior.access_policy.name | Output only. Resource name of the AccessPolicy. Format: accessPolicies/{accessPolicy}. | keyword |
google_scc.asset.prior.access_policy.parent | Required. The parent of this AccessPolicy in the Cloud Resource Hierarchy. Currently immutable once created. Format: organizations/{organization_id} | keyword |
google_scc.asset.prior.access_policy.scopes | The scopes of a policy define which resources an ACM policy can restrict, and where ACM resources can be referenced. For example, a policy with scopes=["folders/123"] has the following behavior: - vpcsc perimeters can only restrict projects within folders/123 - access levels can only be referenced by resources within folders/123. If empty, there are no limitations on which resources can be restricted by an ACM policy, and there are no limitations on where ACM resources can be referenced. Only one policy can include a given scope (attempting to create a second policy which includes "folders/123" will result in an error). Currently, scopes cannot be modified after a policy is created. Currently, policies can only have a single scope. Format: list of folders/{folder_number} or projects/{project_number}. | keyword |
google_scc.asset.prior.access_policy.title | Required. Human readable title. Does not affect behavior. | keyword |
google_scc.asset.prior.ancestors | The ancestry path of an asset in Google Cloud resource hierarchy, represented as a list of relative resource names. An ancestry path starts with the closest ancestor in the hierarchy and ends at root. If the asset is a project, folder, or organization, the ancestry path starts from the asset itself. Example: ["projects/123456789", "folders/5432", "organizations/1234"]. | keyword |
google_scc.asset.prior.iam_policy.audit_configs.audit_log_configs.exemted_members | Specifies the identities that do not cause logging for this type of permission. Follows the same format of Binding.members. | keyword |
google_scc.asset.prior.iam_policy.audit_configs.audit_log_configs.log_type | The log type that this config enables. | keyword |
google_scc.asset.prior.iam_policy.audit_configs.service | Specifies a service that will be enabled for audit logging. For example, storage.googleapis.com, cloudsql.googleapis.com. allServices is a special value that covers all services. | keyword |
google_scc.asset.prior.iam_policy.bindings.condition | The condition that is associated with this binding. If the condition evaluates to true, then this binding applies to the current request. If the condition evaluates to false, then this binding does not apply to the current request. However, a different role binding might grant the same role to one or more of the principals in this binding. To learn which resources support conditions in their IAM policies, see the IAM documentation. | flattened |
google_scc.asset.prior.iam_policy.bindings.members | Specifies the principals requesting access for a Google Cloud resource. members can have the following values: allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account. allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account. user:{emailid}: An email address that represents a specific Google account. For example, alice@example.com . serviceAccount:{emailid}: An email address that represents a Google service account. For example, my-other-app@appspot.gserviceaccount.com. serviceAccount:{projectid}.svc.id.goog[{namespace}/{kubernetes-sa}]: An identifier for a Kubernetes service account. For example, my-project.svc.id.goog[my-namespace/my-kubernetes-sa]. group:{emailid}: An email address that represents a Google group. For example, admins@example.com. deleted:user:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a user that has been recently deleted. For example, alice@example.com?uid=123456789012345678901. If the user is recovered, this value reverts to user:{emailid} and the recovered user retains the role in the binding. deleted:serviceAccount:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a service account that has been recently deleted. For example, my-other-app@appspot.gserviceaccount.com?uid=123456789012345678901. If the service account is undeleted, this value reverts to serviceAccount:{emailid} and the undeleted service account retains the role in the binding. deleted:group:{emailid}?uid={uniqueid}: An email address (plus unique identifier) representing a Google group that has been recently deleted. For example, admins@example.com?uid=123456789012345678901. If the group is recovered, this value reverts to group:{emailid} and the recovered group retains the role in the binding. domain:{domain}: The G Suite domain (primary) that represents all the users of that domain. For example, google.com or example.com. | keyword |
google_scc.asset.prior.iam_policy.bindings.role | Role that is assigned to the list of members, or principals. For example, roles/viewer, roles/editor, or roles/owner. | keyword |
google_scc.asset.prior.iam_policy.etag | etag is used for optimistic concurrency control as a way to help prevent simultaneous updates of a policy from overwriting each other. It is strongly suggested that systems make use of the etag in the read-modify-write cycle to perform policy updates in order to avoid race conditions: An etag is returned in the response to getIamPolicy, and systems are expected to put that etag in the request to setIamPolicy to ensure that their change will be applied to the same version of the policy. Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost. A base64-encoded string. | keyword |
google_scc.asset.prior.iam_policy.version | Specifies the format of the policy. Valid values are 0, 1, and 3. Requests that specify an invalid value are rejected. Any operation that affects conditional role bindings must specify version 3. This requirement applies to the following operations: Getting a policy that includes a conditional role binding.Adding a conditional role binding to a policy.Changing a conditional role binding in a policy.Removing any role binding, with or without a condition, from a policy that includes conditions.Important: If you use IAM Conditions, you must include the etag field whenever you call setIamPolicy. If you omit this field, then IAM allows you to overwrite a version 3 policy with a version 1 policy, and all of the conditions in the version 3 policy are lost. If a policy does not include any conditions, operations on that policy may specify any valid version or leave the field unset. To learn which resources support conditions in their IAM policies, see the IAM documentation. | keyword |
google_scc.asset.prior.name | The full name of the asset. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1. See Resource names for more information. | keyword |
google_scc.asset.prior.organization_policy.boolean_policy.enforced | If true, then the Policy is enforced. If false, then any configuration is acceptable. | boolean |
google_scc.asset.prior.organization_policy.constraint | The name of the Constraint the Policy is configuring, for example, constraints/serviceuser.services. A list of available constraints is available. Immutable after creation. | keyword |
google_scc.asset.prior.organization_policy.etag | An opaque tag indicating the current version of the Policy, used for concurrency control. When the Policy is returned from either a policies.get or a ListOrgPolicy request, this etag indicates the version of the current Policy to use when executing a read-modify-write loop. When the Policy is returned from a policies.getEffectivePolicy request, the etag will be unset. When the Policy is used in a SetOrgPolicy method, use the etag value that was returned from a GetOrgPolicy request as part of a read-modify-write loop for concurrency control. Not setting the etagin a SetOrgPolicy request will result in an unconditional write of the Policy. A base64-encoded string. | keyword |
google_scc.asset.prior.organization_policy.list_policy.all_values | The policy allValues state. | keyword |
google_scc.asset.prior.organization_policy.list_policy.allowed_values | List of values allowed at this resource. Can only be set if allValues is set to ALL_VALUES_UNSPECIFIED. | keyword |
google_scc.asset.prior.organization_policy.list_policy.denied_values | List of values denied at this resource. Can only be set if allValues is set to ALL_VALUES_UNSPECIFIED. | keyword |
google_scc.asset.prior.organization_policy.list_policy.inherit_from_parent | Determines the inheritance behavior for this Policy. | boolean |
google_scc.asset.prior.organization_policy.list_policy.suggested_value | Optional. The Google Cloud Console will try to default to a configuration that matches the value specified in this Policy. If suggestedValue is not set, it will inherit the value specified higher in the hierarchy, unless inheritFromParent is false. | keyword |
google_scc.asset.prior.organization_policy.restore_default.etag | Output only. An opaque identifier for the current version of the AccessPolicy. This will always be a strongly validated etag, meaning that two Access Polices will be identical if and only if their etags are identical. Clients should not expect this to be in any specific format. | keyword |
google_scc.asset.prior.organization_policy.restore_default.name | Output only. Resource name of the AccessPolicy. Format: accessPolicies/{accessPolicy}. | keyword |
google_scc.asset.prior.organization_policy.restore_default.parent | Required. The parent of this AccessPolicy in the Cloud Resource Hierarchy. Currently immutable once created. Format: organizations/{organization_id}. | keyword |
google_scc.asset.prior.organization_policy.restore_default.scopes | The scopes of a policy define which resources an ACM policy can restrict, and where ACM resources can be referenced. For example, a policy with scopes=["folders/123"] has the following behavior: - vpcsc perimeters can only restrict projects within folders/123 - access levels can only be referenced by resources within folders/123. If empty, there are no limitations on which resources can be restricted by an ACM policy, and there are no limitations on where ACM resources can be referenced. Only one policy can include a given scope (attempting to create a second policy which includes "folders/123" will result in an error). Currently, scopes cannot be modified after a policy is created. Currently, policies can only have a single scope. Format: list of folders/{folder_number} or projects/{project_number} | keyword |
google_scc.asset.prior.organization_policy.restore_default.title | Required. Human readable title. Does not affect behavior. | keyword |
google_scc.asset.prior.organization_policy.update_time | The time stamp the Policy was previously updated. This is set by the server, not specified by the caller, and represents the last time a call to SetOrgPolicy was made for that Policy. Any value set by the client will be ignored. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". | date |
google_scc.asset.prior.organization_policy.version | Version of the Policy. Default version is 0. | keyword |
google_scc.asset.prior.os_inventory.items | flattened | |
google_scc.asset.prior.os_inventory.name | Output only. The Inventory API resource name. Format: projects/{project_number}/locations/{location}/instances/{instance_id}/inventory. | keyword |
google_scc.asset.prior.os_inventory.os_info.architecture | The system architecture of the operating system. | keyword |
google_scc.asset.prior.os_inventory.os_info.hostname | The VM hostname. | keyword |
google_scc.asset.prior.os_inventory.os_info.kernel.release | The kernel release of the operating system. | keyword |
google_scc.asset.prior.os_inventory.os_info.kernel.version | The kernel version of the operating system. | keyword |
google_scc.asset.prior.os_inventory.os_info.long_name | The operating system long name. For example 'Debian GNU/Linux 9' or 'Microsoft Window Server 2019 Datacenter'. | keyword |
google_scc.asset.prior.os_inventory.os_info.os_config_agent_version | The current version of the OS Config agent running on the VM. | keyword |
google_scc.asset.prior.os_inventory.os_info.short_name | The operating system short name. For example, 'windows' or 'debian'. | keyword |
google_scc.asset.prior.os_inventory.os_info.version | The version of the operating system. | keyword |
google_scc.asset.prior.os_inventory.update_time | Output only. Timestamp of the last reported inventory for the VM. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". | date |
google_scc.asset.prior.related_asset.ancestors | The ancestors of an asset in Google Cloud resource hierarchy, represented as a list of relative resource names. An ancestry path starts with the closest ancestor in the hierarchy and ends at root. Example: ["projects/123456789", "folders/5432", "organizations/1234"]. | keyword |
google_scc.asset.prior.related_asset.name | The full name of the asset. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1. See Resource names for more information. | keyword |
google_scc.asset.prior.related_asset.relationship_type | The unique identifier of the relationship type. Example: INSTANCE_TO_INSTANCEGROUP | keyword |
google_scc.asset.prior.related_asset.type | The type of the asset. Example: compute.googleapis.com/Disk. See Supported asset types for more information. | keyword |
google_scc.asset.prior.related_assets.assets.ancestors | The ancestors of an asset in Google Cloud resource hierarchy, represented as a list of relative resource names. An ancestry path starts with the closest ancestor in the hierarchy and ends at root. Example: ["projects/123456789", "folders/5432", "organizations/1234"]. | keyword |
google_scc.asset.prior.related_assets.assets.name | The full name of the asset. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1. See Resource names for more information. | keyword |
google_scc.asset.prior.related_assets.assets.relationship_type | The unique identifier of the relationship type. Example: INSTANCE_TO_INSTANCEGROUP | keyword |
google_scc.asset.prior.related_assets.assets.type | The type of the asset. Example: compute.googleapis.com/Disk. See Supported asset types for more information. | keyword |
google_scc.asset.prior.related_assets.relationship_attributes.action | The detail of the relationship, e.g. contains, attaches. | keyword |
google_scc.asset.prior.related_assets.relationship_attributes.source_resource_type | The source asset type. Example: compute.googleapis.com/Instance. | keyword |
google_scc.asset.prior.related_assets.relationship_attributes.target_resource_type | The target asset type. Example: compute.googleapis.com/Disk. | keyword |
google_scc.asset.prior.related_assets.relationship_attributes.type | The unique identifier of the relationship type. Example: INSTANCE_TO_INSTANCEGROUP. | keyword |
google_scc.asset.prior.resource.data | The content of the resource, in which some sensitive fields are removed and may not be present. | flattened |
google_scc.asset.prior.resource.discovery.document_uri | The URL of the discovery document containing the resource's JSON schema. Example: https://www.googleapis.com/discovery/v1/apis/compute/v1/rest This value is unspecified for resources that do not have an API based on a discovery document, such as Cloud Bigtable. | keyword |
google_scc.asset.prior.resource.discovery.name | The JSON schema name listed in the discovery document. Example: Project This value is unspecified for resources that do not have an API based on a discovery document, such as Cloud Bigtable. | keyword |
google_scc.asset.prior.resource.location | The location of the resource in Google Cloud, such as its zone and region. For more information, see https://cloud.google.com/about/locations/. | keyword |
google_scc.asset.prior.resource.parent | The full name of the immediate parent of this resource. See Resource Names for more information. For Google Cloud assets, this value is the parent resource defined in the Cloud IAM policy hierarchy. Example: //cloudresourcemanager.googleapis.com/projects/my_project_123 For third-party assets, this field may be set differently. | keyword |
google_scc.asset.prior.resource.url | The REST URL for accessing the resource. An HTTP GET request using this URL returns the resource itself. Example:https://cloudresourcemanager.googleapis.com/v1/projects/my-project-1233 This value is unspecified for resources without a REST API. | keyword |
google_scc.asset.prior.resource.version | The API version. Example: v1. | keyword |
google_scc.asset.prior.service_perimeter.description | Description of the ServicePerimeter and its use. Does not affect behavior. | keyword |
google_scc.asset.prior.service_perimeter.name | Required. Resource name for the ServicePerimeter. The shortName component must begin with a letter and only include alphanumeric and '_'. Format: accessPolicies/{accessPolicy}/servicePerimeters/{servicePerimeter}. | keyword |
google_scc.asset.prior.service_perimeter.spec.access_levels | A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty. | keyword |
google_scc.asset.prior.service_perimeter.spec.egress_policies.egress_from.identities | A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of email address. The email address should represent individual user or service account only. | keyword |
google_scc.asset.prior.service_perimeter.spec.egress_policies.egress_from.identity_type | Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of identities field will be allowed access. | keyword |
google_scc.asset.prior.service_perimeter.spec.egress_policies.egress_to.external_resources | A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed. | keyword |
google_scc.asset.prior.service_perimeter.spec.egress_policies.egress_to.operations.method_selectors.method | Value for method should be a valid method name for the corresponding serviceName in ApiOperation. If * used as value for method, then ALL methods and permissions are allowed. | keyword |
google_scc.asset.prior.service_perimeter.spec.egress_policies.egress_to.operations.method_selectors.permission | Value for permission should be a valid Cloud IAM permission for the corresponding serviceName in ApiOperation. | keyword |
google_scc.asset.prior.service_perimeter.spec.egress_policies.egress_to.operations.service_name | The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with serviceName field set to * will allow all methods AND permissions for all services. | keyword |
google_scc.asset.prior.service_perimeter.spec.egress_policies.egress_to.resources | A list of resources, currently only projects in the form projects/<projectnumber>, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter. | keyword |
google_scc.asset.prior.service_perimeter.spec.ingress_policies.ingress_from.identities | A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only. | keyword |
google_scc.asset.prior.service_perimeter.spec.ingress_policies.ingress_from.identity_type | Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of identities field will be allowed access. | keyword |
google_scc.asset.prior.service_perimeter.spec.ingress_policies.ingress_from.sources.access_level | An AccessLevel resource name that allow resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for accessLevel, then all IngressSources will be allowed. | keyword |
google_scc.asset.prior.service_perimeter.spec.ingress_policies.ingress_from.sources.resource | A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format: projects/{project_number} The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed, the case of allowing all Google Cloud resources only is not supported. | keyword |
google_scc.asset.prior.service_perimeter.spec.ingress_policies.ingress_to.operations.method_selectors.method | Value for method should be a valid method name for the corresponding serviceName in ApiOperation. If * used as value for method, then ALL methods and permissions are allowed. | keyword |
google_scc.asset.prior.service_perimeter.spec.ingress_policies.ingress_to.operations.method_selectors.permission | Value for permission should be a valid Cloud IAM permission for the corresponding serviceName in ApiOperation. | keyword |
google_scc.asset.prior.service_perimeter.spec.ingress_policies.ingress_to.operations.service_name | The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with serviceName field set to * will allow all methods AND permissions for all services. | keyword |
google_scc.asset.prior.service_perimeter.spec.ingress_policies.ingress_to.resources | A list of resources, currently only projects in the form projects/<projectnumber>, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter are allowed. | keyword |
google_scc.asset.prior.service_perimeter.spec.resources | A list of Google Cloud resources that are inside of the service perimeter. Currently only projects are allowed. Format: projects/{project_number}. | keyword |
google_scc.asset.prior.service_perimeter.spec.restricted_services | Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | keyword |
google_scc.asset.prior.service_perimeter.spec.vpc_accessible_services.allowed_services | The list of APIs usable within the Service Perimeter. Must be empty unless 'enableRestriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter. | keyword |
google_scc.asset.prior.service_perimeter.spec.vpc_accessible_services.enable_restriction | Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowedServices'. | boolean |
google_scc.asset.prior.service_perimeter.status.access_levels | A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty. | keyword |
google_scc.asset.prior.service_perimeter.status.egress_policies.egress_from.identities | A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of email address. The email address should represent individual user or service account only. | keyword |
google_scc.asset.prior.service_perimeter.status.egress_policies.egress_from.identity_type | Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of identities field will be allowed access. | keyword |
google_scc.asset.prior.service_perimeter.status.egress_policies.egress_to.external_resources | A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed. | keyword |
google_scc.asset.prior.service_perimeter.status.egress_policies.egress_to.operations.method_selectors.method | Value for method should be a valid method name for the corresponding serviceName in ApiOperation. If * used as value for method, then ALL methods and permissions are allowed. | keyword |
google_scc.asset.prior.service_perimeter.status.egress_policies.egress_to.operations.method_selectors.permission | Value for permission should be a valid Cloud IAM permission for the corresponding serviceName in ApiOperation. | keyword |
google_scc.asset.prior.service_perimeter.status.egress_policies.egress_to.operations.service_name | The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with serviceName field set to * will allow all methods AND permissions for all services. | keyword |
google_scc.asset.prior.service_perimeter.status.egress_policies.egress_to.resources | A list of resources, currently only projects in the form projects/<projectnumber>, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter. | keyword |
google_scc.asset.prior.service_perimeter.status.ingress_policies.ingress_from.identities | A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only. | keyword |
google_scc.asset.prior.service_perimeter.status.ingress_policies.ingress_from.identity_type | Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of identities field will be allowed access. | keyword |
google_scc.asset.prior.service_perimeter.status.ingress_policies.ingress_from.sources.access_level | An AccessLevel resource name that allow resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for accessLevel, then all IngressSources will be allowed. | keyword |
google_scc.asset.prior.service_perimeter.status.ingress_policies.ingress_from.sources.resource | A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format: projects/{project_number} The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed, the case of allowing all Google Cloud resources only is not supported. | keyword |
google_scc.asset.prior.service_perimeter.status.ingress_policies.ingress_to.operations.method_selectors.method | Value for method should be a valid method name for the corresponding serviceName in ApiOperation. If * used as value for method, then ALL methods and permissions are allowed. | keyword |
google_scc.asset.prior.service_perimeter.status.ingress_policies.ingress_to.operations.method_selectors.permission | Value for permission should be a valid Cloud IAM permission for the corresponding serviceName in ApiOperation. | keyword |
google_scc.asset.prior.service_perimeter.status.ingress_policies.ingress_to.operations.service_name | The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with serviceName field set to * will allow all methods AND permissions for all services. | keyword |
google_scc.asset.prior.service_perimeter.status.ingress_policies.ingress_to.resources | A list of resources, currently only projects in the form projects/<projectnumber>, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter are allowed. | keyword |
google_scc.asset.prior.service_perimeter.status.resources | A list of Google Cloud resources that are inside of the service perimeter. Currently only projects are allowed. Format: projects/{project_number}. | keyword |
google_scc.asset.prior.service_perimeter.status.restricted_services | Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | keyword |
google_scc.asset.prior.service_perimeter.status.vpc_accessible_services.allowed_services | The list of APIs usable within the Service Perimeter. Must be empty unless 'enableRestriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter. | keyword |
google_scc.asset.prior.service_perimeter.status.vpc_accessible_services.enable_restriction | Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowedServices'. | boolean |
google_scc.asset.prior.service_perimeter.title | Human readable title. Must be unique within the Policy. | keyword |
google_scc.asset.prior.service_perimeter.type | Perimeter type indicator. A single project is allowed to be a member of single regular perimeter, but multiple service perimeter bridges. A project cannot be a included in a perimeter bridge without being included in regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty. | keyword |
google_scc.asset.prior.service_perimeter.use_explicit_dry_run_spec | Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. useExplicitDryRunSpec must bet set to True if any of the fields in the spec are set to non-default values. | boolean |
google_scc.asset.prior.type | The type of the asset. Example: compute.googleapis.com/Disk.See Supported asset types for more information. | keyword |
google_scc.asset.prior.update_time | The last update timestamp of an asset. updateTime is updated when create/update/delete operation is performed. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". | date |
google_scc.asset.prior_asset_state | keyword | |
google_scc.asset.related_asset.ancestors | The ancestors of an asset in Google Cloud resource hierarchy, represented as a list of relative resource names. An ancestry path starts with the closest ancestor in the hierarchy and ends at root. Example: ["projects/123456789", "folders/5432", "organizations/1234"]. | keyword |
google_scc.asset.related_asset.name | The full name of the asset. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1. See Resource names for more information. | keyword |
google_scc.asset.related_asset.relationship_type | The unique identifier of the relationship type. Example: INSTANCE_TO_INSTANCEGROUP. | keyword |
google_scc.asset.related_asset.type | The type of the asset. Example: compute.googleapis.com/Disk. See Supported asset types for more information. | keyword |
google_scc.asset.related_assets.assets.ancestors | The ancestors of an asset in Google Cloud resource hierarchy, represented as a list of relative resource names. An ancestry path starts with the closest ancestor in the hierarchy and ends at root. Example: ["projects/123456789", "folders/5432", "organizations/1234"]. | keyword |
google_scc.asset.related_assets.assets.name | The full name of the asset. Example: //compute.googleapis.com/projects/my_project_123/zones/zone1/instances/instance1. See Resource names for more information. | keyword |
google_scc.asset.related_assets.assets.relationship_type | The unique identifier of the relationship type. Example: INSTANCE_TO_INSTANCEGROUP. | keyword |
google_scc.asset.related_assets.assets.type | The type of the asset. Example: compute.googleapis.com/Disk. See Supported asset types for more information. | keyword |
google_scc.asset.related_assets.relationship_attributes.action | The detail of the relationship, e.g. contains, attaches. | keyword |
google_scc.asset.related_assets.relationship_attributes.source_resource_type | The source asset type. Example: compute.googleapis.com/Instance. | keyword |
google_scc.asset.related_assets.relationship_attributes.target_resource_type | The target asset type. Example: compute.googleapis.com/Disk. | keyword |
google_scc.asset.related_assets.relationship_attributes.type | The unique identifier of the relationship type. Example: INSTANCE_TO_INSTANCEGROUP. | keyword |
google_scc.asset.resource.data | The content of the resource, in which some sensitive fields are removed and may not be present. | flattened |
google_scc.asset.resource.discovery.document_uri | The URL of the discovery document containing the resource's JSON schema. Example: https://www.googleapis.com/discovery/v1/apis/compute/v1/rest This value is unspecified for resources that do not have an API based on a discovery document, such as Cloud Bigtable. | keyword |
google_scc.asset.resource.discovery.name | The JSON schema name listed in the discovery document. Example: Project This value is unspecified for resources that do not have an API based on a discovery document, such as Cloud Bigtable. | keyword |
google_scc.asset.resource.location | The location of the resource in Google Cloud, such as its zone and region. For more information, see https://cloud.google.com/about/locations/. | keyword |
google_scc.asset.resource.parent | The full name of the immediate parent of this resource. See Resource Names for more information. For Google Cloud assets, this value is the parent resource defined in the Cloud IAM policy hierarchy. Example: //cloudresourcemanager.googleapis.com/projects/my_project_123 For third-party assets, this field may be set differently. | keyword |
google_scc.asset.resource.url | The REST URL for accessing the resource. An HTTP GET request using this URL returns the resource itself. Example:https://cloudresourcemanager.googleapis.com/v1/projects/my-project-1233 This value is unspecified for resources without a REST API. | keyword |
google_scc.asset.resource.version | The API version. Example: v1. | keyword |
google_scc.asset.service_perimeter.description | Description of the ServicePerimeter and its use. Does not affect behavior. | keyword |
google_scc.asset.service_perimeter.name | Required. Resource name for the ServicePerimeter. The shortName component must begin with a letter and only include alphanumeric and '_'. Format: accessPolicies/{accessPolicy}/servicePerimeters/{servicePerimeter}. | keyword |
google_scc.asset.service_perimeter.spec.access_levels | A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty. | keyword |
google_scc.asset.service_perimeter.spec.egress_policies.egress_from.identities | A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of email address. The email address should represent individual user or service account only. | keyword |
google_scc.asset.service_perimeter.spec.egress_policies.egress_from.identity_type | Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of identities field will be allowed access. | keyword |
google_scc.asset.service_perimeter.spec.egress_policies.egress_to.external_resources | A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed. | keyword |
google_scc.asset.service_perimeter.spec.egress_policies.egress_to.operations.method_selectors.method | Value for method should be a valid method name for the corresponding serviceName in ApiOperation. If * used as value for method, then ALL methods and permissions are allowed. | keyword |
google_scc.asset.service_perimeter.spec.egress_policies.egress_to.operations.method_selectors.permission | Value for permission should be a valid Cloud IAM permission for the corresponding serviceName in ApiOperation. | keyword |
google_scc.asset.service_perimeter.spec.egress_policies.egress_to.operations.service_name | The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with serviceName field set to * will allow all methods AND permissions for all services. | keyword |
google_scc.asset.service_perimeter.spec.egress_policies.egress_to.resources | A list of resources, currently only projects in the form projects/<projectnumber>, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter. | keyword |
google_scc.asset.service_perimeter.spec.ingress_policies.ingress_from.identities | A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only. | keyword |
google_scc.asset.service_perimeter.spec.ingress_policies.ingress_from.identity_type | Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of identities field will be allowed access. | keyword |
google_scc.asset.service_perimeter.spec.ingress_policies.ingress_from.sources.access_level | An AccessLevel resource name that allow resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for accessLevel, then all IngressSources will be allowed. | keyword |
google_scc.asset.service_perimeter.spec.ingress_policies.ingress_from.sources.resource | A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format: projects/{project_number} The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed, the case of allowing all Google Cloud resources only is not supported. | keyword |
google_scc.asset.service_perimeter.spec.ingress_policies.ingress_to.operations.method_selectors.method | Value for method should be a valid method name for the corresponding serviceName in ApiOperation. If * used as value for method, then ALL methods and permissions are allowed. | keyword |
google_scc.asset.service_perimeter.spec.ingress_policies.ingress_to.operations.method_selectors.permission | Value for permission should be a valid Cloud IAM permission for the corresponding serviceName in ApiOperation. | keyword |
google_scc.asset.service_perimeter.spec.ingress_policies.ingress_to.operations.service_name | The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with serviceName field set to * will allow all methods AND permissions for all services. | keyword |
google_scc.asset.service_perimeter.spec.ingress_policies.ingress_to.resources | A list of resources, currently only projects in the form projects/<projectnumber>, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter are allowed. | keyword |
google_scc.asset.service_perimeter.spec.resources | A list of Google Cloud resources that are inside of the service perimeter. Currently only projects are allowed. Format: projects/{project_number}. | keyword |
google_scc.asset.service_perimeter.spec.restricted_services | Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | keyword |
google_scc.asset.service_perimeter.spec.vpc_accessible_services.allowed_services | The list of APIs usable within the Service Perimeter. Must be empty unless 'enableRestriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter. | keyword |
google_scc.asset.service_perimeter.spec.vpc_accessible_services.enable_restriction | Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowedServices'. | boolean |
google_scc.asset.service_perimeter.status.access_levels | A list of AccessLevel resource names that allow resources within the ServicePerimeter to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel is a syntax error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: "accessPolicies/MY_POLICY/accessLevels/MY_LEVEL". For Service Perimeter Bridge, must be empty. | keyword |
google_scc.asset.service_perimeter.status.egress_policies.egress_from.identities | A list of identities that are allowed access through this [EgressPolicy]. Should be in the format of email address. The email address should represent individual user or service account only. | keyword |
google_scc.asset.service_perimeter.status.egress_policies.egress_from.identity_type | Specifies the type of identities that are allowed access to outside the perimeter. If left unspecified, then members of identities field will be allowed access. | keyword |
google_scc.asset.service_perimeter.status.egress_policies.egress_to.external_resources | A list of external resources that are allowed to be accessed. Only AWS and Azure resources are supported. For Amazon S3, the supported format is s3://BUCKET_NAME. For Azure Storage, the supported format is azure://myaccount.blob.core.windows.net/CONTAINER_NAME. A request matches if it contains an external resource in this list (Example: s3://bucket/path). Currently '*' is not allowed. | keyword |
google_scc.asset.service_perimeter.status.egress_policies.egress_to.operations.method_selectors.method | Value for method should be a valid method name for the corresponding serviceName in ApiOperation. If * used as value for method, then ALL methods and permissions are allowed. | keyword |
google_scc.asset.service_perimeter.status.egress_policies.egress_to.operations.method_selectors.permission | Value for permission should be a valid Cloud IAM permission for the corresponding serviceName in ApiOperation. | keyword |
google_scc.asset.service_perimeter.status.egress_policies.egress_to.operations.service_name | The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with serviceName field set to * will allow all methods AND permissions for all services. | keyword |
google_scc.asset.service_perimeter.status.egress_policies.egress_to.resources | A list of resources, currently only projects in the form projects/<projectnumber>, that are allowed to be accessed by sources defined in the corresponding EgressFrom. A request matches if it contains a resource in this list. If * is specified for resources, then this EgressTo rule will authorize access to all resources outside the perimeter. | keyword |
google_scc.asset.service_perimeter.status.ingress_policies.ingress_from.identities | A list of identities that are allowed access through this ingress policy. Should be in the format of email address. The email address should represent individual user or service account only. | keyword |
google_scc.asset.service_perimeter.status.ingress_policies.ingress_from.identity_type | Specifies the type of identities that are allowed access from outside the perimeter. If left unspecified, then members of identities field will be allowed access. | keyword |
google_scc.asset.service_perimeter.status.ingress_policies.ingress_from.sources.access_level | An AccessLevel resource name that allow resources within the ServicePerimeters to be accessed from the internet. AccessLevels listed must be in the same policy as this ServicePerimeter. Referencing a nonexistent AccessLevel will cause an error. If no AccessLevel names are listed, resources within the perimeter can only be accessed via Google Cloud calls with request origins within the perimeter. Example: accessPolicies/MY_POLICY/accessLevels/MY_LEVEL. If a single * is specified for accessLevel, then all IngressSources will be allowed. | keyword |
google_scc.asset.service_perimeter.status.ingress_policies.ingress_from.sources.resource | A Google Cloud resource that is allowed to ingress the perimeter. Requests from these resources will be allowed to access perimeter data. Currently only projects are allowed. Format: projects/{project_number} The project may be in any Google Cloud organization, not just the organization that the perimeter is defined in. * is not allowed, the case of allowing all Google Cloud resources only is not supported. | keyword |
google_scc.asset.service_perimeter.status.ingress_policies.ingress_to.operations.method_selectors.method | Value for method should be a valid method name for the corresponding serviceName in ApiOperation. If * used as value for method, then ALL methods and permissions are allowed. | keyword |
google_scc.asset.service_perimeter.status.ingress_policies.ingress_to.operations.method_selectors.permission | Value for permission should be a valid Cloud IAM permission for the corresponding serviceName in ApiOperation. | keyword |
google_scc.asset.service_perimeter.status.ingress_policies.ingress_to.operations.service_name | The name of the API whose methods or permissions the IngressPolicy or EgressPolicy want to allow. A single ApiOperation with serviceName field set to * will allow all methods AND permissions for all services. | keyword |
google_scc.asset.service_perimeter.status.ingress_policies.ingress_to.resources | A list of resources, currently only projects in the form projects/<projectnumber>, protected by this ServicePerimeter that are allowed to be accessed by sources defined in the corresponding IngressFrom. If a single * is specified, then access to all resources inside the perimeter are allowed. | keyword |
google_scc.asset.service_perimeter.status.resources | A list of Google Cloud resources that are inside of the service perimeter. Currently only projects are allowed. Format: projects/{project_number}. | keyword |
google_scc.asset.service_perimeter.status.restricted_services | Google Cloud services that are subject to the Service Perimeter restrictions. For example, if storage.googleapis.com is specified, access to the storage buckets inside the perimeter must meet the perimeter's access restrictions. | keyword |
google_scc.asset.service_perimeter.status.vpc_accessible_services.allowed_services | The list of APIs usable within the Service Perimeter. Must be empty unless 'enableRestriction' is True. You can specify a list of individual services, as well as include the 'RESTRICTED-SERVICES' value, which automatically includes all of the services protected by the perimeter. | keyword |
google_scc.asset.service_perimeter.status.vpc_accessible_services.enable_restriction | Whether to restrict API calls within the Service Perimeter to the list of APIs specified in 'allowedServices'. | boolean |
google_scc.asset.service_perimeter.title | Human readable title. Must be unique within the Policy. | keyword |
google_scc.asset.service_perimeter.type | Perimeter type indicator. A single project is allowed to be a member of single regular perimeter, but multiple service perimeter bridges. A project cannot be a included in a perimeter bridge without being included in regular perimeter. For perimeter bridges, the restricted service list as well as access level lists must be empty. | keyword |
google_scc.asset.service_perimeter.use_explicit_dry_run_spec | Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists for all Service Perimeters, and that spec is identical to the status for those Service Perimeters. When this flag is set, it inhibits the generation of the implicit spec, thereby allowing the user to explicitly provide a configuration ("spec") to use in a dry-run version of the Service Perimeter. This allows the user to test changes to the enforced config ("status") without actually enforcing them. This testing is done through analyzing the differences between currently enforced and suggested restrictions. useExplicitDryRunSpec must bet set to True if any of the fields in the spec are set to non-default values. | boolean |
google_scc.asset.type | The type of the asset. Example: compute.googleapis.com/Disk.See Supported asset types for more information. | keyword |
google_scc.asset.update_time | The last update timestamp of an asset. updateTime is updated when create/update/delete operation is performed. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". | date |
google_scc.asset.window.start_time | date | |
input.type | Type of Filebeat input. | keyword |
log.offset | Log offset. | long |
tags | User defined tags. | keyword |
Finding
This is the Finding
dataset.
Example
An example event for finding
looks as following:
{
"@timestamp": "2023-06-02T05:17:41.936Z",
"agent": {
"ephemeral_id": "3595a791-e9ba-4a51-9eb2-18219952e440",
"id": "4c00a899-0103-47cf-a91d-fa52a48711c8",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.8.0"
},
"data_stream": {
"dataset": "google_scc.finding",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.10.0"
},
"elastic_agent": {
"id": "4c00a899-0103-47cf-a91d-fa52a48711c8",
"snapshot": false,
"version": "8.8.0"
},
"event": {
"agent_id_status": "verified",
"created": "2020-02-19T13:37:43.858Z",
"dataset": "google_scc.finding",
"id": "67d5908d21-1",
"ingested": "2023-07-03T06:30:14Z",
"kind": "event"
},
"google_scc": {
"finding": {
"canonical_name": "organizations/515665165161/sources/98481484454154454545/findings/414rfrhjebhrbhjbr444454hv54545",
"category": "application",
"external_systems": {
"test": {
"assignees": [
"primary"
],
"externalSystemUpdateTime": "2022-01-05T05:00:35.674Z",
"externalUid": "test_scc_finding_2",
"name": "organizations/515665165161/sources/98481484454154454545/findings/414rfrhjebhrbhjbr444454hv54545/externalSystems/test",
"status": "updated1"
}
},
"mute": {
"initiator": "Unmuted by john@gmail.com",
"state": "UNMUTED",
"update_time": "2022-03-23T05:50:21.804Z"
},
"name": "organizations/515665165161/sources/98481484454154454545/findings/414rfrhjebhrbhjbr444454hv54545",
"parent": "organizations/515665165161/sources/98481484454154454545",
"resource": {
"name": "//cloudresourcemanager.googleapis.com/projects/45455445554"
},
"resource_name": "//cloudresourcemanager.googleapis.com/projects/45455445554",
"security_marks": {
"name": "organizations/515665165161/sources/98481484454154454545/findings/414rfrhjebhrbhjbr444454hv54545/securityMarks"
},
"severity": "CRITICAL",
"source_id": "98481484454154454545",
"state": "ACTIVE"
}
},
"input": {
"type": "gcp-pubsub"
},
"organization": {
"id": "515665165161"
},
"tags": [
"forwarded",
"google_scc-finding"
],
"url": {
"domain": "www.adwait.com",
"original": "http://www.adwait.com",
"scheme": "http"
}
}
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
google_scc.finding.access.caller_ip | Caller's IP address, such as "1.1.1.1". | ip |
google_scc.finding.access.caller_ip_geo.region_code | A CLDR. | keyword |
google_scc.finding.access.method_name | The method that the service account called, e.g. "SetIamPolicy". | keyword |
google_scc.finding.access.principal.email | Associated email, such as "foo@google.com". | keyword |
google_scc.finding.access.principal.subject | A string that represents the principalSubject that is associated with the identity. Unlike principalEmail, principalSubject supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format is principal://iam.googleapis.com/{identity pool name}/subject/{subject}. Some GKE identities, such as GKE_WORKLOAD, FREEFORM, and GKE_HUB_WORKLOAD, still use the legacy format serviceAccount:{identity pool name}[{subject}]. | keyword |
google_scc.finding.access.service_account.delegation_info.principal.email | The email address of a Google account. | keyword |
google_scc.finding.access.service_account.delegation_info.principal.subject | A string representing the principalSubject associated with the identity. As compared to principalEmail, supports principals that aren't associated with email addresses, such as third party principals. For most identities, the format will be principal://iam.googleapis.com/{identity pool name}/subject/{subject} except for some GKE identities (GKE_WORKLOAD, FREEFORM, GKE_HUB_WORKLOAD) that are still in the legacy format serviceAccount:{identity pool name}[{subject}]. | keyword |
google_scc.finding.access.service_account.key_name | The name of the service account key that was used to create or exchange credentials for authenticating the service account that made the request. This is a scheme-less URI full resource name. For example: "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}". | keyword |
google_scc.finding.access.service_name | This is the API service that the service account made a call to, e.g. "iam.googleapis.com". | keyword |
google_scc.finding.access.user_agent_family | Type of user agent associated with the finding, for example, operating system shells and embedded or stand-alone applications. | keyword |
google_scc.finding.access.user_name | A string that represents a username. The username provided depends on the type of the finding and is likely not an IAM principal. For example, this can be a system username if the finding is related to a virtual machine, or it can be an application login username. | keyword |
google_scc.finding.canonical_name | The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}/findings/{findingId}", "folders/{folder_id}/sources/{source_id}/findings/{findingId}" or "projects/{project_number}/sources/{source_id}/findings/{findingId}", depending on the closest CRM ancestor of the resource associated with the finding. | keyword |
google_scc.finding.category | The additional taxonomy group within findings from a given source. This field is immutable after creation time. Example: "XSS_FLASH_INJECTION". | keyword |
google_scc.finding.class | The class of the finding. | keyword |
google_scc.finding.cloud_dlp.data_profile.value | Name of the data profile, for example, projects/123/locations/europe/tableProfiles/8383929. | keyword |
google_scc.finding.cloud_dlp.inspection.full_scan | Whether Cloud DLP scanned the complete resource or a sampled subset. | boolean |
google_scc.finding.cloud_dlp.inspection.info_type.count | The number of times Cloud DLP found this infoType within this job and resource. | long |
google_scc.finding.cloud_dlp.inspection.info_type.value | The type of information (or infoType) found, for example, EMAIL_ADDRESS or STREET_ADDRESS. | keyword |
google_scc.finding.cloud_dlp.inspection.inspect_job | Name of the inspection job, for example, projects/123/locations/europe/dlpJobs/i-8383929. | keyword |
google_scc.finding.compliances.ids | Policies within the standard or benchmark, for example, A.12.4.1. | keyword |
google_scc.finding.compliances.standard | Industry-wide compliance standards or benchmarks, such as "cis", "pci", and "owasp". | keyword |
google_scc.finding.compliances.version | Version of the standard or benchmark, for example, "1.1". | keyword |
google_scc.finding.connections.destination.ip | Destination IP address. Not present for sockets that are listening and not connected. | ip |
google_scc.finding.connections.destination.port | Destination port. Not present for sockets that are listening and not connected. | long |
google_scc.finding.connections.protocol | IANA Internet Protocol Number such as TCP(6) and UDP(17). | keyword |
google_scc.finding.connections.source.ip | Source IP address. | ip |
google_scc.finding.connections.source.port | Source port. | long |
google_scc.finding.contacts.all.email | keyword | |
google_scc.finding.contacts.billing.email | keyword | |
google_scc.finding.contacts.legal.email | keyword | |
google_scc.finding.contacts.product_updates.email | keyword | |
google_scc.finding.contacts.security.email | keyword | |
google_scc.finding.contacts.suspension.email | keyword | |
google_scc.finding.contacts.technical.email | keyword | |
google_scc.finding.contacts.technical_incidents.email | keyword | |
google_scc.finding.containers.image_id | Optional container image ID, if provided by the container runtime. Uniquely identifies the container image launched using a container image digest. | keyword |
google_scc.finding.containers.labels.name | Name of the label. | keyword |
google_scc.finding.containers.labels.value | Value that corresponds to the label's name. | keyword |
google_scc.finding.containers.name | Name of the container. | keyword |
google_scc.finding.containers.uri | Container image URI provided when configuring a pod or container. May identify a container image version using mutable tags. | keyword |
google_scc.finding.create_time | The time at which the finding was created in Security Command Center. | date |
google_scc.finding.database.display_name | The human-readable name of the database that the user connected to. | keyword |
google_scc.finding.database.grantees | The target usernames, roles, or groups of an SQL privilege grant, which is not an IAM policy change. | keyword |
google_scc.finding.database.name | The full resource name of the database that the user connected to, if it is supported by Cloud Asset Inventory. (https://google.aip.dev/122#full-resource-names) | keyword |
google_scc.finding.database.query | The SQL statement that is associated with the database access. | keyword |
google_scc.finding.database.user_name | The username used to connect to the database. The username might not be an IAM principal and does not have a set format. | keyword |
google_scc.finding.description | Contains more details about the finding. | keyword |
google_scc.finding.event_time | The time the finding was first detected. If an existing finding is updated, then this is the time the update occurred. For example, if the finding represents an open firewall, this property captures the time the detector believes the firewall became open. The accuracy is determined by the detector. If the finding is later resolved, then this time reflects when the finding was resolved. This must not be set to a value greater than the current timestamp. | date |
google_scc.finding.exfiltration.sources.components | Subcomponents of the asset that was exfiltrated, like URIs used during exfiltration, table names, databases, and filenames. For example, multiple tables might have been exfiltrated from the same CloudSQL instance, or multiple files might have been exfiltrated from the same Cloud Storage bucket. | keyword |
google_scc.finding.exfiltration.sources.name | The resource's full resource name. | keyword |
google_scc.finding.exfiltration.targets.components | Subcomponents of the asset that was exfiltrated, like URIs used during exfiltration, table names, databases, and filenames. For example, multiple tables might have been exfiltrated from the same CloudSQL instance, or multiple files might have been exfiltrated from the same Cloud Storage bucket. | keyword |
google_scc.finding.exfiltration.targets.name | The resource's full resource name. | keyword |
google_scc.finding.external_systems | Output only. Third party SIEM/SOAR fields within SCC, contains external system information and external system finding fields. | flattened |
google_scc.finding.external_uri | The URI that, if available, points to a web page outside of Security Command Center where additional information about the finding can be found. This field is guaranteed to be either empty or a well formed URL. | keyword |
google_scc.finding.files.contents | Prefix of the file contents as a JSON-encoded string. | keyword |
google_scc.finding.files.hashed_size | The length in bytes of the file prefix that was hashed. If hashedSize == size, any hashes reported represent the entire file. | long |
google_scc.finding.files.partially_hashed | True when the hash covers only a prefix of the file. | boolean |
google_scc.finding.files.path | Absolute path of the file as a JSON encoded string. | keyword |
google_scc.finding.files.sha256 | SHA256 hash of the first hashedSize bytes of the file encoded as a hex string. If hashedSize == size, sha256 represents the SHA256 hash of the entire file. | keyword |
google_scc.finding.files.size | Size of the file in bytes. | long |
google_scc.finding.iam_bindings.action | The action that was performed on a Binding. | keyword |
google_scc.finding.iam_bindings.member | A single identity requesting access for a Cloud Platform resource, for example, "foo@google.com". | keyword |
google_scc.finding.iam_bindings.role | Role that is assigned to "members". For example, "roles/viewer", "roles/editor", or "roles/owner". | keyword |
google_scc.finding.indicator.domains | List of domains associated with the finding. | keyword |
google_scc.finding.indicator.ip_addresses | List of IP addresses associated with the finding. | ip |
google_scc.finding.indicator.signatures.memory_hash_signature.binary_family | The binary family. | keyword |
google_scc.finding.indicator.signatures.memory_hash_signature.detections.binary | The name of the binary associated with the memory hash signature detection. | keyword |
google_scc.finding.indicator.signatures.memory_hash_signature.detections.percent_pages_matched | The percentage of memory page hashes in the signature that matched. | long |
google_scc.finding.indicator.signatures.yara.rule | The name of the YARA rule. | keyword |
google_scc.finding.indicator.uris | The list of URIs that are associated with a finding. | keyword |
google_scc.finding.kernel_root_kit.name | Rootkit name, when available. | keyword |
google_scc.finding.kernel_root_kit.unexpected.code_modification | True if unexpected modifications of kernel code memory are present. | boolean |
google_scc.finding.kernel_root_kit.unexpected.ftrace_handler | True if ftrace points are present with callbacks pointing to regions that are not in the expected kernel or module code range. | boolean |
google_scc.finding.kernel_root_kit.unexpected.interrupt_handler | True if interrupt handlers that are are not in the expected kernel or module code regions are present. | boolean |
google_scc.finding.kernel_root_kit.unexpected.kernel_code_pages | True if kernel code pages that are not in the expected kernel or module code regions are present. | boolean |
google_scc.finding.kernel_root_kit.unexpected.kprobe_handler | True if kprobe points are present with callbacks pointing to regions that are not in the expected kernel or module code range. | boolean |
google_scc.finding.kernel_root_kit.unexpected.processes_in_runqueue | True if unexpected processes in the scheduler run queue are present. Such processes are in the run queue, but not in the process task list. | boolean |
google_scc.finding.kernel_root_kit.unexpected.read_only_data_modification | True if unexpected modifications of kernel read-only data memory are present. | boolean |
google_scc.finding.kernel_root_kit.unexpected.system_call_handler | True if system call handlers that are are not in the expected kernel or module code regions are present. | boolean |
google_scc.finding.kubernetes.access_reviews.group | The API group of the resource. "*" means all. | keyword |
google_scc.finding.kubernetes.access_reviews.name | The name of the resource being requested. Empty means all. | keyword |
google_scc.finding.kubernetes.access_reviews.namespace | Namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces. Both are represented by "" (empty). | keyword |
google_scc.finding.kubernetes.access_reviews.resource | The optional resource type requested. "*" means all. | keyword |
google_scc.finding.kubernetes.access_reviews.subresource | The optional subresource type. | keyword |
google_scc.finding.kubernetes.access_reviews.verb | A Kubernetes resource API verb, like get, list, watch, create, update, delete, proxy. "*" means all. | keyword |
google_scc.finding.kubernetes.access_reviews.version | The API version of the resource. "*" means all. | keyword |
google_scc.finding.kubernetes.bindings.name | Name for the binding. | keyword |
google_scc.finding.kubernetes.bindings.namespace | Namespace for the binding. | keyword |
google_scc.finding.kubernetes.bindings.role.kind | Role type. | keyword |
google_scc.finding.kubernetes.bindings.role.name | Role name. | keyword |
google_scc.finding.kubernetes.bindings.role.namespace | Role namespace. | keyword |
google_scc.finding.kubernetes.bindings.subjects.kind | Authentication type for the subject. | keyword |
google_scc.finding.kubernetes.bindings.subjects.name | Name for the subject. | keyword |
google_scc.finding.kubernetes.bindings.subjects.namespace | Namespace for the subject. | keyword |
google_scc.finding.kubernetes.node_pools.name | Kubernetes node pool name. | keyword |
google_scc.finding.kubernetes.node_pools.nodes.name | Full resource name of the Compute Engine VM running the cluster node. | keyword |
google_scc.finding.kubernetes.nodes.name | Full resource name of the Compute Engine VM running the cluster node. | keyword |
google_scc.finding.kubernetes.pods.containers.image_id | Optional container image ID, if provided by the container runtime. Uniquely identifies the container image launched using a container image digest. | keyword |
google_scc.finding.kubernetes.pods.containers.labels.name | Name of the label. | keyword |
google_scc.finding.kubernetes.pods.containers.labels.value | Value that corresponds to the label's name. | keyword |
google_scc.finding.kubernetes.pods.containers.name | Name of the container. | keyword |
google_scc.finding.kubernetes.pods.containers.uri | Container image URI provided when configuring a pod or container. May identify a container image version using mutable tags. | keyword |
google_scc.finding.kubernetes.pods.labels.name | Name of the label. | keyword |
google_scc.finding.kubernetes.pods.labels.value | Value that corresponds to the label's name. | keyword |
google_scc.finding.kubernetes.pods.name | Kubernetes Pod name. | keyword |
google_scc.finding.kubernetes.pods.namespace | Kubernetes Pod namespace. | keyword |
google_scc.finding.kubernetes.roles.kind | Role type. | keyword |
google_scc.finding.kubernetes.roles.name | Role name. | keyword |
google_scc.finding.kubernetes.roles.namespace | Role namespace. | keyword |
google_scc.finding.mitre_attack.additional.tactics | Additional MITRE ATT&CK tactics related to this finding, if any. | keyword |
google_scc.finding.mitre_attack.additional.techniques | Additional MITRE ATT&CK techniques related to this finding, if any, along with any of their respective parent techniques. | keyword |
google_scc.finding.mitre_attack.primary.tactic | The MITRE ATT&CK tactic most closely represented by this finding, if any. | keyword |
google_scc.finding.mitre_attack.primary.techniques | The MITRE ATT&CK technique most closely represented by this finding, if any. primaryTechniques is a repeated field because there are multiple levels of MITRE ATT&CK techniques. If the technique most closely represented by this finding is a sub-technique (e.g. SCANNING_IP_BLOCKS), both the sub-technique and its parent technique(s) will be listed (e.g. SCANNING_IP_BLOCKS, ACTIVE_SCANNING). | keyword |
google_scc.finding.mitre_attack.version | The MITRE ATT&CK version referenced by the above fields. E.g. "8". | keyword |
google_scc.finding.module_name | Unique identifier of the module which generated the finding. Example: folders/598186756061/securityHealthAnalyticsSettings/customModules/56799441161885. | keyword |
google_scc.finding.mute.initiator | Records additional information about the mute operation, for example, the mute configuration that muted the finding and the user who muted the finding. | keyword |
google_scc.finding.mute.state | Indicates the mute state of a finding (either muted, unmuted or undefined). Unlike other attributes of a finding, a finding provider shouldn't set the value of mute. | keyword |
google_scc.finding.mute.update_time | Output only. The most recent time this finding was muted or unmuted. | date |
google_scc.finding.name | The relative resource name of this finding. See: https://cloud.google.com/apis/design/resource\_names#relative\_resource\_name Example: "organizations/{organization_id}/sources/{source_id}/findings/{findingId}". | keyword |
google_scc.finding.next_steps | Steps to address the finding. | keyword |
google_scc.finding.notification_config_name | keyword | |
google_scc.finding.parent | The relative resource name of the source the finding belongs to. See: https://cloud.google.com/apis/design/resource\_names#relative\_resource\_name This field is immutable after creation time. For example: "organizations/{organization_id}/sources/{source_id}". | keyword |
google_scc.finding.parent_display_name | Output only. The human readable display name of the finding source such as "Event Threat Detection" or "Security Health Analytics". | keyword |
google_scc.finding.processes.args | Process arguments as JSON encoded strings. | keyword |
google_scc.finding.processes.arguments_truncated | True if args is incomplete. | boolean |
google_scc.finding.processes.binary.contents | Prefix of the file contents as a JSON encoded string. | keyword |
google_scc.finding.processes.binary.hashed_size | The length in bytes of the file prefix that was hashed. If hashedSize == size, any hashes reported represent the entire file. | long |
google_scc.finding.processes.binary.partially_hashed | True when the hash covers only a prefix of the file. | boolean |
google_scc.finding.processes.binary.path | Absolute path of the file as a JSON encoded string. | keyword |
google_scc.finding.processes.binary.sha256 | SHA256 hash of the first hashedSize bytes of the file encoded as a hex string. If hashedSize == size, sha256 represents the SHA256 hash of the entire file. | keyword |
google_scc.finding.processes.binary.size | Size of the file in bytes. | long |
google_scc.finding.processes.environment_variables.name | Environment variable name as a JSON encoded string. | keyword |
google_scc.finding.processes.environment_variables.value | Environment variable value as a JSON encoded string. | keyword |
google_scc.finding.processes.environment_variables_truncated | True if envVariables is incomplete. | boolean |
google_scc.finding.processes.libraries.contents | Prefix of the file contents as a JSON encoded string. | keyword |
google_scc.finding.processes.libraries.hashed_size | The length in bytes of the file prefix that was hashed. If hashedSize == size, any hashes reported represent the entire file. | long |
google_scc.finding.processes.libraries.partially_hashed | True when the hash covers only a prefix of the file. | boolean |
google_scc.finding.processes.libraries.path | Absolute path of the file as a JSON encoded string. | keyword |
google_scc.finding.processes.libraries.sha256 | SHA256 hash of the first hashedSize bytes of the file encoded as a hex string. If hashedSize == size, sha256 represents the SHA256 hash of the entire file. | keyword |
google_scc.finding.processes.libraries.size | Size of the file in bytes. | long |
google_scc.finding.processes.name | The process name, as displayed in utilities like top and ps. This name can be accessed through /proc/[pid]/comm and changed with prctl(PR_SET_NAME). | keyword |
google_scc.finding.processes.parent.pid | The parent process ID. | long |
google_scc.finding.processes.pid | The process ID. | long |
google_scc.finding.processes.script.contents | Prefix of the file contents as a JSON encoded string. | keyword |
google_scc.finding.processes.script.hashed_size | The length in bytes of the file prefix that was hashed. If hashedSize == size, any hashes reported represent the entire file. | long |
google_scc.finding.processes.script.partially_hashed | True when the hash covers only a prefix of the file. | boolean |
google_scc.finding.processes.script.path | Absolute path of the file as a JSON encoded string. | keyword |
google_scc.finding.processes.script.sha256 | SHA256 hash of the first hashedSize bytes of the file encoded as a hex string. If hashedSize == size, sha256 represents the SHA256 hash of the entire file. | keyword |
google_scc.finding.processes.script.size | Size of the file in bytes. | long |
google_scc.finding.resource.display_name | The human readable name of the resource. | keyword |
google_scc.finding.resource.folders.display_name | The user defined display name for this folder. | keyword |
google_scc.finding.resource.folders.name | Full resource name of this folder. See: https://cloud.google.com/apis/design/resource\_names#full\_resource\_name | keyword |
google_scc.finding.resource.name | For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource\_names#full\_resource\_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time. | keyword |
google_scc.finding.resource.parent.display_name | The human readable name of resource's parent. | keyword |
google_scc.finding.resource.parent.name | The full resource name of resource's parent. | keyword |
google_scc.finding.resource.project.display_name | The project ID that the resource belongs to. | keyword |
google_scc.finding.resource.project.name | The full resource name of project that the resource belongs to. | keyword |
google_scc.finding.resource.type | The full resource type of the resource. | keyword |
google_scc.finding.resource_name | For findings on Google Cloud resources, the full resource name of the Google Cloud resource this finding is for. See: https://cloud.google.com/apis/design/resource\_names#full\_resource\_name When the finding is for a non-Google Cloud resource, the resourceName can be a customer or partner defined string. This field is immutable after creation time. | keyword |
google_scc.finding.security_marks.canonical_name | The canonical name of the marks. Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "folders/{folder_id}/assets/{asset_id}/securityMarks" "projects/{project_number}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{findingId}/securityMarks" "folders/{folder_id}/sources/{source_id}/findings/{findingId}/securityMarks" "projects/{project_number}/sources/{source_id}/findings/{findingId}/securityMarks". | keyword |
google_scc.finding.security_marks.name | The relative resource name of the SecurityMarks. See: https://cloud.google.com/apis/design/resource\_names#relative\_resource\_name Examples: "organizations/{organization_id}/assets/{asset_id}/securityMarks" "organizations/{organization_id}/sources/{source_id}/findings/{findingId}/securityMarks". | keyword |
google_scc.finding.security_marks.value | Mutable user specified security marks belonging to the parent resource. Constraints are as follows:Keys and values are treated as case insensitive. Keys must be between 1 - 256 characters (inclusive). Keys must be letters, numbers, underscores, or dashes. Values have leading and trailing whitespace trimmed, remaining characters must be between 1 - 4096 characters (inclusive). | flattened |
google_scc.finding.severity | The severity of the finding. This field is managed by the source that writes the finding. | keyword |
google_scc.finding.source_id | keyword | |
google_scc.finding.source_properties | Source specific properties. These properties are managed by the source that writes the finding. The key names in the sourceProperties map must be between 1 and 255 characters, and must start with a letter and contain alphanumeric characters or underscores only. | flattened |
google_scc.finding.source_properties_supporting_data | keyword | |
google_scc.finding.state | The state of the finding. | keyword |
google_scc.finding.vulnerability.cve.cvssv3.attack.complexity | This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. | keyword |
google_scc.finding.vulnerability.cve.cvssv3.attack.vector | Base Metrics Represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. This metric reflects the context by which vulnerability exploitation is possible. | keyword |
google_scc.finding.vulnerability.cve.cvssv3.availability_impact | This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. | keyword |
google_scc.finding.vulnerability.cve.cvssv3.base_score | The base score is a function of the base metric scores. | long |
google_scc.finding.vulnerability.cve.cvssv3.confidentiality_impact | This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. | keyword |
google_scc.finding.vulnerability.cve.cvssv3.integrity_impact | This metric measures the impact to integrity of a successfully exploited vulnerability. | keyword |
google_scc.finding.vulnerability.cve.cvssv3.privileges_required | This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. | keyword |
google_scc.finding.vulnerability.cve.cvssv3.scope | The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. | keyword |
google_scc.finding.vulnerability.cve.cvssv3.user_interaction | This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. | keyword |
google_scc.finding.vulnerability.cve.id | The unique identifier for the vulnerability, for example, CVE-2021-34527. | keyword |
google_scc.finding.vulnerability.cve.references.source | Source of the reference, for example, NVD. | keyword |
google_scc.finding.vulnerability.cve.references.uri | URI for the source, for example, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527. | keyword |
google_scc.finding.vulnerability.cve.upstream_fix_available | Whether upstream fix is available for the CVE. | boolean |
input.type | Type of Filebeat input. | keyword |
log.offset | Log offset. | long |
tags | User defined tags. | keyword |
Source
This is the Source
dataset.
Example
An example event for source
looks as following:
{
"@timestamp": "2023-07-03T06:32:03.193Z",
"agent": {
"ephemeral_id": "498f9d2e-09a7-4616-8ee1-8c60809852c3",
"id": "4c00a899-0103-47cf-a91d-fa52a48711c8",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.8.0"
},
"data_stream": {
"dataset": "google_scc.source",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.10.0"
},
"elastic_agent": {
"id": "4c00a899-0103-47cf-a91d-fa52a48711c8",
"snapshot": false,
"version": "8.8.0"
},
"event": {
"agent_id_status": "verified",
"created": "2023-07-03T06:32:03.193Z",
"dataset": "google_scc.source",
"ingested": "2023-07-03T06:32:06Z",
"kind": "event",
"original": "{\"canonicalName\":\"organizations/595779152576/sources/10134421585261057824\",\"description\":\"Extend your security view from the edge.\",\"displayName\":\"Cloudflare Security Events\",\"name\":\"organizations/595779152576/sources/10134421585261057824\"}"
},
"google_scc": {
"source": {
"canonical_name": "organizations/595779152576/sources/10134421585261057824",
"description": "Extend your security view from the edge.",
"display_name": "Cloudflare Security Events",
"id": "10134421585261057824",
"name": "organizations/595779152576/sources/10134421585261057824"
}
},
"input": {
"type": "httpjson"
},
"message": "Extend your security view from the edge.",
"organization": {
"id": "595779152576"
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"google_scc-source"
]
}
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
google_scc.source.canonical_name | The canonical name of the finding. It's either "organizations/{organization_id}/sources/{source_id}", "folders/{folder_id}/sources/{source_id}" or "projects/{project_number}/sources/{source_id}", depending on the closest CRM ancestor of the resource associated with the finding. | keyword |
google_scc.source.description | The description of the source (max of 1024 characters). Example: "Web Security Scanner is a web security scanner for common vulnerabilities in App Engine applications. It can automatically scan and detect four common vulnerabilities, including cross-site-scripting (XSS), Flash injection, mixed content (HTTP in HTTPS), and outdated or insecure libraries." | keyword |
google_scc.source.display_name | The source's display name. A source's display name must be unique amongst its siblings, for example, two sources with the same parent can't share the same display name. The display name must have a length between 1 and 64 characters (inclusive). | keyword |
google_scc.source.id | keyword | |
google_scc.source.name | The relative resource name of this source. See: https://cloud.google.com/apis/design/resource\_names#relative\_resource\_name Example: "organizations/{organization_id}/sources/{source_id}". | keyword |
input.type | Type of Filebeat input. | keyword |
log.offset | Log offset. | long |
tags | User defined tags. | keyword |
Audit
This is the Audit
dataset.
Example
An example event for audit
looks as following:
{
"@timestamp": "2021-09-24T16:16:57.183Z",
"agent": {
"ephemeral_id": "1d64ed9e-03f2-4eea-9e8a-b9a630236e12",
"id": "4c00a899-0103-47cf-a91d-fa52a48711c8",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.8.0"
},
"cloud": {
"service": {
"name": "login.googleapis.com"
}
},
"data_stream": {
"dataset": "google_scc.audit",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.10.0"
},
"elastic_agent": {
"id": "4c00a899-0103-47cf-a91d-fa52a48711c8",
"snapshot": false,
"version": "8.8.0"
},
"event": {
"action": "google.login.LoginService.loginFailure",
"agent_id_status": "verified",
"created": "2023-07-03T06:26:31.858Z",
"dataset": "google_scc.audit",
"id": "-nahbepd4l1x",
"ingested": "2023-07-03T06:26:35Z",
"kind": "event",
"severity": 300
},
"google_scc": {
"audit": {
"http_request": {
"remote": {
"ip": "FE80::0202:B3FF:FE1E",
"port": 1010
}
},
"log_name": "organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access",
"proto_payload": {
"resource_name": "organizations/123",
"type": "type.googleapis.com/google.cloud.audit.AuditLog"
},
"receive_timestamp": "2021-09-24T17:51:25.034Z",
"resource": {
"type": "audited_resource"
}
}
},
"input": {
"type": "gcp-pubsub"
},
"log": {
"level": "NOTICE"
},
"related": {
"ip": [
"175.16.199.1",
"FE80::0202:B3FF:FE1E"
],
"user": [
"test-user@example.net"
]
},
"source": {
"ip": "175.16.199.1",
"user": {
"email": "test-user@example.net"
}
},
"tags": [
"forwarded",
"google_scc-audit"
]
}
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
google_scc.audit.http_request.cache.fill_bytes | The number of HTTP response bytes inserted into cache. Set only when a cache fill was attempted. | long |
google_scc.audit.http_request.cache.hit | Whether or not an entity was served from cache (with or without validation). | boolean |
google_scc.audit.http_request.cache.look_up | Whether or not a cache lookup was attempted. | boolean |
google_scc.audit.http_request.cache.validated_with_origin_server | Whether or not the response was validated with the origin server before being served from cache. This field is only meaningful if cacheHit is True. | boolean |
google_scc.audit.http_request.latency | The request processing latency on the server, from the time the request was received until the response was sent. | keyword |
google_scc.audit.http_request.protocol | Protocol used for the request. | keyword |
google_scc.audit.http_request.referer | The referer URL of the request. | keyword |
google_scc.audit.http_request.remote.ip | The IP address (IPv4 or IPv6) of the client that issued the HTTP request. | ip |
google_scc.audit.http_request.remote.port | The Port of the client that issued the HTTP request. | long |
google_scc.audit.http_request.request_method | The request method. | keyword |
google_scc.audit.http_request.request_size | The size of the HTTP request message in bytes, including the request headers and the request body. | long |
google_scc.audit.http_request.request_url | The scheme (http, https), the host name, the path and the query portion of the URL that was requested. | keyword |
google_scc.audit.http_request.response_size | The size of the HTTP response message sent back to the client, in bytes, including the response headers and the response body. | long |
google_scc.audit.http_request.server.ip | The IP address (IPv4 or IPv6) of the origin server that the request was sent to. This field can include port information. | ip |
google_scc.audit.http_request.server.port | The Port of the origin server that the request was sent to. | long |
google_scc.audit.http_request.status | The response code indicating the status of response. | long |
google_scc.audit.http_request.user_agent | The user agent sent by the client. | keyword |
google_scc.audit.insert_id | A unique identifier for the log entry. | keyword |
google_scc.audit.labels | A map of key, value pairs that provides additional information about the log entry. The labels can be user-defined or system-defined. | object |
google_scc.audit.log_name | The resource name of the log to which this log entry belongs. | keyword |
google_scc.audit.operation.first | Set this to True if this is the first log entry in the operation. | boolean |
google_scc.audit.operation.id | An arbitrary operation identifier. | keyword |
google_scc.audit.operation.last | Set this to True if this is the last log entry in the operation. | boolean |
google_scc.audit.operation.producer | An arbitrary producer identifier. | keyword |
google_scc.audit.proto_payload.authentication_info.authority_selector | The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority. | keyword |
google_scc.audit.proto_payload.authentication_info.principal_email | The email address of the authenticated user (or service account on behalf of third party principal) making the request. | keyword |
google_scc.audit.proto_payload.authentication_info.principal_subject | String representation of identity of requesting party. Populated for both first and third party identities. | keyword |
google_scc.audit.proto_payload.authentication_info.service_account_delegation_info.first_party_principal.email | The email address of a Google account. | keyword |
google_scc.audit.proto_payload.authentication_info.service_account_delegation_info.first_party_principal.service_metadata | Metadata about the service that uses the service account. | flattened |
google_scc.audit.proto_payload.authentication_info.service_account_delegation_info.principal_subject | A string representing the principalSubject associated with the identity. | keyword |
google_scc.audit.proto_payload.authentication_info.service_account_delegation_info.third_party_principal.claims | Metadata about third party identity. | flattened |
google_scc.audit.proto_payload.authentication_info.service_account_key_name | The name of the service account key used to create or exchange credentials for authenticating the service account making the request. This is a scheme-less URI full resource name. | keyword |
google_scc.audit.proto_payload.authentication_info.third_party_principal | The third party identification (if any) of the authenticated user making the request. | flattened |
google_scc.audit.proto_payload.authorization_info.granted | Whether or not authorization for resource and permission was granted. | boolean |
google_scc.audit.proto_payload.authorization_info.permission | The required IAM permission. | keyword |
google_scc.audit.proto_payload.authorization_info.resource | The resource being accessed, as a REST-style or cloud resource string. | keyword |
google_scc.audit.proto_payload.authorization_info.resource_attributes.annotations | Annotations is an unstructured key-value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. | flattened |
google_scc.audit.proto_payload.authorization_info.resource_attributes.create_time | The timestamp when the resource was created. | date |
google_scc.audit.proto_payload.authorization_info.resource_attributes.delete_time | The timestamp when the resource was last deleted. | date |
google_scc.audit.proto_payload.authorization_info.resource_attributes.display_name | The display name set by clients. | keyword |
google_scc.audit.proto_payload.authorization_info.resource_attributes.etag | An opaque value that uniquely identifies a version or generation of a resource. | keyword |
google_scc.audit.proto_payload.authorization_info.resource_attributes.labels | The labels or tags on the resource, such as AWS resource tags and Kubernetes resource labels. | object |
google_scc.audit.proto_payload.authorization_info.resource_attributes.location | The location of the resource. | keyword |
google_scc.audit.proto_payload.authorization_info.resource_attributes.name | The stable identifier (name) of a resource on the service. A resource can be logically identified as "//{resource.service}/{resource.name}". | keyword |
google_scc.audit.proto_payload.authorization_info.resource_attributes.service | The name of the service that this resource belongs to, such as pubsub.googleapis.com. The service may be different from the DNS hostname that actually serves the request. | keyword |
google_scc.audit.proto_payload.authorization_info.resource_attributes.type | The type of the resource. The syntax is platform-specific because different platforms define their resources differently. | keyword |
google_scc.audit.proto_payload.authorization_info.resource_attributes.uid | The unique identifier of the resource. | keyword |
google_scc.audit.proto_payload.authorization_info.resource_attributes.update_time | The timestamp when the resource was last updated. | date |
google_scc.audit.proto_payload.metadata | Other service-specific data about the request, response, and other information associated with the current audited event. | flattened |
google_scc.audit.proto_payload.method_name | The name of the service method or operation. For API calls, this should be the name of the API method. | keyword |
google_scc.audit.proto_payload.num_response_items | The number of items returned from a List or Query API method, if applicable. | long |
google_scc.audit.proto_payload.policy_violation_info.org_policy_violation_info.payload | Resource payload that is currently in scope and is subjected to orgpolicy conditions. | flattened |
google_scc.audit.proto_payload.policy_violation_info.org_policy_violation_info.resource.tags | Tags referenced on the resource at the time of evaluation. | flattened |
google_scc.audit.proto_payload.policy_violation_info.org_policy_violation_info.resource.type | Resource type that the orgpolicy is checked against. | keyword |
google_scc.audit.proto_payload.policy_violation_info.org_policy_violation_info.violation_info.checked_value | Value that is being checked for the policy. | keyword |
google_scc.audit.proto_payload.policy_violation_info.org_policy_violation_info.violation_info.constraint | Constraint name. | keyword |
google_scc.audit.proto_payload.policy_violation_info.org_policy_violation_info.violation_info.error_message | Error message that policy is indicating. | keyword |
google_scc.audit.proto_payload.policy_violation_info.org_policy_violation_info.violation_info.policy_type | Indicates the type of the policy. | keyword |
google_scc.audit.proto_payload.request | The operation request. | flattened |
google_scc.audit.proto_payload.request_metadata.caller.ip | The IP address of the caller. | ip |
google_scc.audit.proto_payload.request_metadata.caller.ip_value | keyword | |
google_scc.audit.proto_payload.request_metadata.caller.network | The network of the caller. | keyword |
google_scc.audit.proto_payload.request_metadata.caller.supplied_user_agent | The user agent of the caller. | keyword |
google_scc.audit.proto_payload.request_metadata.destination_attributes.ip | The IP address of the peer. | ip |
google_scc.audit.proto_payload.request_metadata.destination_attributes.labels | The labels associated with the peer. | object |
google_scc.audit.proto_payload.request_metadata.destination_attributes.port | The network port of the peer. | long |
google_scc.audit.proto_payload.request_metadata.destination_attributes.principal | The identity of this peer. | keyword |
google_scc.audit.proto_payload.request_metadata.destination_attributes.region_code | The CLDR country/region code associated with the above IP address. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.auth.access_levels | A list of access level resource names that allow resources to be accessed by authenticated requester. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.auth.audiences | The intended audience(s) for this authentication information. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.auth.claims | Structured claims presented with the credential. | flattened |
google_scc.audit.proto_payload.request_metadata.request_attributes.auth.presenter | The authorized presenter of the credential. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.auth.principal | The authenticated principal. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.headers | The HTTP request headers. | flattened |
google_scc.audit.proto_payload.request_metadata.request_attributes.host | The HTTP request Host header value. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.id | The unique ID for a request, which can be propagated to downstream systems. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.method | The HTTP request method, such as GET, POST. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.path | The HTTP URL path, excluding the query parameters. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.protocol | The network protocol used with the request, such as "http/1.1", "spdy/3", "h2", "h2c", "webrtc", "tcp", "udp", "quic". | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.query | The HTTP URL query in the format of name1=value1&name2=value2, as it appears in the first line of the HTTP request. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.reason | A special parameter for request reason. It is used by security systems to associate auditing information with a request. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.schema | The HTTP URL scheme, such as http and https. | keyword |
google_scc.audit.proto_payload.request_metadata.request_attributes.size | The HTTP request size in bytes. | long |
google_scc.audit.proto_payload.request_metadata.request_attributes.time | The timestamp when the destination service receives the last byte of the request. | date |
google_scc.audit.proto_payload.resource_location.current_locations | The locations of a resource after the execution of the operation. | keyword |
google_scc.audit.proto_payload.resource_location.original_locations | The locations of a resource prior to the execution of the operation. | keyword |
google_scc.audit.proto_payload.resource_name | The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. | keyword |
google_scc.audit.proto_payload.resource_original_state | The resource's original state before mutation. | flattened |
google_scc.audit.proto_payload.response | The operation response. | flattened |
google_scc.audit.proto_payload.service_data | Other service-specific data about the request, response, and other activities. | flattened |
google_scc.audit.proto_payload.service_name | The name of the API service performing the operation. | keyword |
google_scc.audit.proto_payload.status.code | The status code, which should be an enum value of google.rpc.Code. | long |
google_scc.audit.proto_payload.status.details | A list of messages that carry the error details. | nested |
google_scc.audit.proto_payload.status.message | A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. | keyword |
google_scc.audit.proto_payload.type | keyword | |
google_scc.audit.receive_timestamp | The time the log entry was received by Logging. | date |
google_scc.audit.resource.labels | Values for all of the labels listed in the associated monitored resource descriptor. | object |
google_scc.audit.resource.type | The monitored resource type. | keyword |
google_scc.audit.severity.code | The severity of the log entry. | long |
google_scc.audit.severity.value | The severity of the log entry. | keyword |
google_scc.audit.source_location.file | Source file name. Depending on the runtime environment, this might be a simple name or a fully-qualified name. | keyword |
google_scc.audit.source_location.function | Human-readable name of the function or method being invoked, with optional context such as the class or package name. | keyword |
google_scc.audit.source_location.line | Line within the source file. 1-based; 0 indicates no line number available. | long |
google_scc.audit.span_id | The ID of the Cloud Trace span associated with the current operation in which the log is being written. | keyword |
google_scc.audit.split.index | The index of this LogEntry in the sequence of split log entries. Log entries are given | index |
google_scc.audit.split.total_splits | The total number of log entries that the original LogEntry was split into. | long |
google_scc.audit.split.uid | A globally unique identifier for all log entries in a sequence of split log entries. All log entries with the same | LogSplit.uid |
google_scc.audit.timestamp | The time the event described by the log entry occurred. | date |
google_scc.audit.trace | The REST resource name of the trace being written to Cloud Trace in association with this log entry. | keyword |
google_scc.audit.trace_sampled | The sampling decision of the trace associated with the log entry. | boolean |
input.type | Type of Filebeat input. | keyword |
log.offset | Log offset. | long |
tags | User defined tags. | keyword |
Changelog
Version | Details |
---|---|
0.7.0 | Enhancement View pull request Improve 'event.original' check to avoid errors if set. |
0.6.1 | Bug fix View pull request Fix mapping of group fields |
0.6.0 | Enhancement View pull request ECS version updated to 8.10.0. |
0.5.0 | Enhancement View pull request The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest. |
0.4.0 | Enhancement View pull request Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. |
0.3.0 | Enhancement View pull request Update package to ECS 8.9.0. |
0.2.0 | Enhancement View pull request Document duration units. |
0.1.1 | Bug fix View pull request Update field description. |
0.1.0 | Enhancement View pull request Initial release. |