
refactor(rules/google): update GCP correlation rules#2194

Open

JocLRojas wants to merge 1 commit into release/v11.2.9 from feature/google-rules-update

Conversation

@JocLRojas

Contributor

Changes

Updated 35 GCP correlation rules.

Rules (GCP)

Updated all 35 GCP cloud correlation rules under rules/cloud/google/ to improve detection accuracy and alignment with current filter output fields.

Reasoning

These changes keep the GCP correlation rules synchronized with the current filter field mappings and improve overall detection coverage for Google Cloud Platform security events.

Issue

N/A — maintenance update.

@JocLRojas JocLRojas requested a review from a team June 10, 2026 13:38
@github-actions


❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output
🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./as400:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./as400/updater:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/stats:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/inputs:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/azure:
     - github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.21.1 → v1.22.0
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.24
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.23
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/aws/aws-sdk-go-v2/service/sts: v1.42.1 → v1.43.3
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0
     - google.golang.org/api: v0.282.0 → v0.284.0

  📁 ./plugins/geolocation:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/alerts:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/o365:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/soc-ai:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/config:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/events:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2: v1.41.7 → v1.42.0
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.24
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.23
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/gcp:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - google.golang.org/api: v0.282.0 → v0.284.0

  📁 ./plugins/bitdefender:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/feeds:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0

  📁 ./plugins/sophos:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/crowdstrike:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent-manager:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sys: v0.45.0 → v0.46.0

  📁 ./utmstack-collector:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

❌ Please update dependencies before merging.

@github-actions


🛑 AI review — Engineer review required

This PR touches critical paths or introduces changes the model cannot judge with sufficient confidence. @Kbayero @osmontero please review.

🛑 architecture (gemini-3-flash-lite) — Tier 3 — engineer review required

Summary: Breaking change to log schema field names; requires coordinated update of ingestion pipeline and rule engine.

  • high rules/cloud/google/anthos_security_events.yml:28 — Renaming log fields (e.g., protoPayload.serviceName to protoPayloadServiceName) is a breaking change. This requires a corresponding update to the log ingestion/parsing logic in the Go services and potentially the agent, as existing indexed data and incoming logs will no longer match these rules.

⚠️ bugs (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Renaming log fields to non-standard flattened versions will cause these rules to stop matching existing log data, effectively breaking all detection logic.

  • high rules/cloud/google/anthos_security_events.yml:28 — Field 'log.protoPayload.serviceName' changed to 'log.protoPayloadServiceName'. This schema change is likely incompatible with the underlying log ingestion pipeline, causing the rule to fail to trigger.
  • high rules/cloud/google/gcp_audit_log_disabling.yml:30 — Field 'log.protoPayload.methodName' changed to 'log.protoPayloadMethodName'. This will break existing rule matching logic.
  • high rules/cloud/google/gcp_bigquery_exfiltration.yml:35 — Field 'log.protoPayload.authenticationInfo.principalEmail' changed to 'origin.user'. If the log indexer does not map these fields, this rule will stop functioning.
  • high rules/cloud/google/gcp_privilege_escalation_kubernetes_rolebindings_created_or_patched.yml:25 — Field 'log.protoPayload.authenticationInfo.principalEmail' changed to 'origin.user'. This breaks the exclusion logic for 'system:addon-manager'.

security (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: Refactoring of GCP detection rules to use flattened log field names; no security vulnerabilities or information disclosures introduced.

No findings.
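The findings above all come down to one failure mode: a rule that references a field name the filter no longer emits never matches, and an exclusion on a missing field can silently vanish. The check below is an added example, not UTMStack code; the rule field lists and the two sample events are constructed to mirror the before/after names quoted in the review, and the rule representation is a hypothetical simplification.

```python
"""Field-alignment check for correlation rules vs. filter output.

Added example, not UTMStack code: the rule field lists and the two sample
events are constructed to mirror the renames the review flagged."""

# Constructed sample events: the same GCP audit record as emitted by a filter
# that keeps protoPayload nested, and by one that flattens/renames the fields.
NESTED_EVENT = {
    "log": {"protoPayload": {
        "serviceName": "k8s.io",
        "methodName": "io.k8s.authorization.rbac.v1.rolebindings.create",
        "authenticationInfo": {"principalEmail": "system:addon-manager"}}},
}
FLATTENED_EVENT = {
    "log": {"protoPayloadServiceName": "k8s.io",
            "protoPayloadMethodName": "io.k8s.authorization.rbac.v1.rolebindings.create"},
    "origin": {"user": "system:addon-manager"},
}

# Hypothetical per-rule field references: old names vs. new names from the review
OLD_RULE_FIELDS = ["log.protoPayload.serviceName",
                   "log.protoPayload.authenticationInfo.principalEmail"]
NEW_RULE_FIELDS = ["log.protoPayloadServiceName", "origin.user"]


def resolve(event, path):
    """Walk a dotted path through nested dicts; (False, None) when absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False, None
        cur = cur[part]
    return True, cur


def missing_fields(rule_fields, event):
    """Fields the rule references that the event shape does not carry.
    A non-empty result means the rule can never match events of this shape."""
    return [f for f in rule_fields if not resolve(event, f)[0]]


def is_excluded(event, user_field, excluded_user):
    """Exclusion as a rule applies it (e.g. skip 'system:addon-manager').
    An absent field is surfaced rather than treated as 'some other user',
    because that is how an exclusion quietly disappears after a rename."""
    found, value = resolve(event, user_field)
    if not found:
        raise KeyError(f"rule references absent field {user_field!r}")
    return value == excluded_user
```

Running `missing_fields` for every rule under rules/cloud/google/ against a sample of real filter output, before and after a rename, is the check the reviewers are asking for.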

@utmstackprapprover utmstackprapprover Bot left a comment


Changes requested — see approver comments above.
