[GCP] Fix check on gcp.audit.authorization_info[].granted (#7308)

* Fix check on gcp.audit.authorization_info[].granted When `gcp.audit.authorization_info[]` objects do not contain the `granted` attribute, the `if` statement fails. The updated `if` checks for null values and uses the `granted == true` syntax to avoid another error when there the `==` operator is not used: ``` Cannot invoke "Object.getClass()" because "value" is null ``` * Use `override` to avoid using a script expression * Add changelog
elastic · Sep 5, 2023 · 0c13343 · 0c13343
1 parent 4a92cd0
commit 0c13343
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 4 deletions.
diff --git a/packages/gcp/changelog.yml b/packages/gcp/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.25.1"
+  changes:
+    - description: Fix check on gcp.audit.authorization_info[].granted.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/7308
 - version: "2.25.0"
   changes:
     - description: Migrate GCP Billing input control to new control panel.

diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log
@@ -0,0 +1 @@
+{"insertId":"-abcdef","logName":"organizations/123456789098/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"joel.miller@contoso.com"},"authorizationInfo":[{"resourceAttributes":{}}],"methodName":"CloudResourceManagerOrganizationsV3Service-SearchOrganizations","request":{"@type":"type.googleapis.com/google.cloud.resourcemanager.v3.SearchOrganizationsRequest","pageSize":100},"requestMetadata":{"callerIp":"private","destinationAttributes":{},"requestAttributes":{}},"resourceName":"organizations/123456789098","serviceName":"cloudresourcemanager.googleapis.com","status":{}},"receiveTimestamp":"2023-08-02T11:20:31.13521906Z","resource":{"labels":{"organization_id":"123456789098"},"type":"organization"},"severity":"INFO","timestamp":"2023-08-02T11:20:30.734968Z"}
diff --git a/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json b/packages/gcp/data_stream/audit/_dev/test/pipeline/test-sdh-3695.log-expected.json
@@ -0,0 +1,50 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2023-08-02T11:20:30.734Z",
+            "client": {
+                "user": {
+                    "email": "joel.miller@contoso.com"
+                }
+            },
+            "cloud": {
+                "provider": "gcp"
+            },
+            "ecs": {
+                "version": "8.8.0"
+            },
+            "event": {
+                "action": "CloudResourceManagerOrganizationsV3Service-SearchOrganizations",
+                "category": [
+                    "network",
+                    "configuration"
+                ],
+                "id": "-abcdef",
+                "kind": "event",
+                "original": "{\"insertId\":\"-abcdef\",\"logName\":\"organizations/123456789098/logs/cloudaudit.googleapis.com%2Fdata_access\",\"protoPayload\":{\"@type\":\"type.googleapis.com/google.cloud.audit.AuditLog\",\"authenticationInfo\":{\"principalEmail\":\"joel.miller@contoso.com\"},\"authorizationInfo\":[{\"resourceAttributes\":{}}],\"methodName\":\"CloudResourceManagerOrganizationsV3Service-SearchOrganizations\",\"request\":{\"@type\":\"type.googleapis.com/google.cloud.resourcemanager.v3.SearchOrganizationsRequest\",\"pageSize\":100},\"requestMetadata\":{\"callerIp\":\"private\",\"destinationAttributes\":{},\"requestAttributes\":{}},\"resourceName\":\"organizations/123456789098\",\"serviceName\":\"cloudresourcemanager.googleapis.com\",\"status\":{}},\"receiveTimestamp\":\"2023-08-02T11:20:31.13521906Z\",\"resource\":{\"labels\":{\"organization_id\":\"123456789098\"},\"type\":\"organization\"},\"severity\":\"INFO\",\"timestamp\":\"2023-08-02T11:20:30.734968Z\"}",
+                "outcome": "unknown",
+                "provider": "data_access"
+            },
+            "gcp": {
+                "audit": {
+                    "request": {
+                        "@type": "type.googleapis.com/google.cloud.resourcemanager.v3.SearchOrganizationsRequest",
+                        "pageSize": 100
+                    },
+                    "resource_name": "organizations/123456789098",
+                    "type": "type.googleapis.com/google.cloud.audit.AuditLog"
+                }
+            },
+            "log": {
+                "level": "INFO",
+                "logger": "organizations/123456789098/logs/cloudaudit.googleapis.com%2Fdata_access"
+            },
+            "service": {
+                "name": "cloudresourcemanager.googleapis.com"
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
diff --git a/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -305,15 +305,15 @@ processors:
   - set:
       field: event.outcome
       value: success
-      if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0].granted
+      if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted == true
   - set:
       field: event.outcome
       value: failure
-      if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && !ctx?.gcp?.audit?.authorization_info[0].granted
+      if: ctx?.gcp?.audit?.status?.code == null && ctx?.gcp?.audit?.authorization_info != null && ctx?.gcp?.audit?.authorization_info instanceof List && ctx?.gcp?.audit?.authorization_info.size() == 1 && ctx?.gcp?.audit?.authorization_info[0]?.granted == false
   - set:
       field: event.outcome
       value: unknown
-      if: ctx?.event?.outcome == null
+      override: false
 
 ##
 # if gcp.audit.authorization_info.[0].granted is true then

diff --git a/packages/gcp/manifest.yml b/packages/gcp/manifest.yml
@@ -1,6 +1,6 @@
 name: gcp
 title: Google Cloud Platform
-version: "2.25.0"
+version: "2.25.1"
 description: Collect logs and metrics from Google Cloud Platform with Elastic Agent.
 type: integration
 icons: