@mohitjha-elastic mohitjha-elastic commented Oct 9, 2025

Proposed commit message

gcp: add support for parsing sensitive action notifications event in audit dataset.

This enables ingestion and processing of sensitive audit events[1], improving
visibility and tracking of critical actions in the system.

Test samples have been derived from the issue[2].

[1] https://cloud.google.com/advisory-notifications/docs/sensitive-actions-overview
[2] https://github.com/elastic/integrations/issues/14225

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/gcp directory.
  • Run the following command to run tests.

elastic-package test -v

Related Issue

@mohitjha-elastic mohitjha-elastic self-assigned this Oct 9, 2025
@mohitjha-elastic mohitjha-elastic requested review from a team as code owners October 9, 2025 12:58
@mohitjha-elastic mohitjha-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:gcp Google Cloud Platform Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Oct 9, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)


@efd6 efd6 left a comment


Please include in the commit message links to the documentation and schema in the origin of the test sample that's added here.

Comment on lines 194 to 201
ctx.related = ctx.related ?: [:];
ctx.related.entity = entities;
if (entities.size() > 0) {
    ctx.related.entity = entities;
}

Suggest putting the ctx.related = ctx.related ?: [:]; in the conditional.

Comment on lines 309 to 311
if (entities.size() > 0) {
    ctx.related.entity = entities;
}

Same here.

Put the ctx.related = ctx.related ?: [:]; in the conditional.
@mohitjha-elastic
Collaborator Author

Please include in the commit message links to the documentation and schema in the origin of the test sample that's added here.

@efd6 I couldn’t find a complete official schema definition. The available samples were taken directly from the issue. I’ve updated the commit body accordingly.

@mohitjha-elastic mohitjha-elastic requested a review from efd6 October 10, 2025 09:28
@elasticmachine

💚 Build Succeeded

cc @mohitjha-elastic

@mohitjha-elastic mohitjha-elastic merged commit ffc8802 into elastic:main Oct 14, 2025
7 checks passed
@mohitjha-elastic mohitjha-elastic deleted the gcp-2.43.0 branch October 14, 2025 09:13
@elastic-vault-github-plugin-prod

Package gcp - 2.44.0 containing this change is available at https://epr.elastic.co/package/gcp/2.44.0/

Successfully merging this pull request may close these issues.

[gcp.audit]: parse sensitive action notifications