Reference Library for GCP Audit Logs Falco Threat Detection Rules

Sysdig Secure enables you to create and customize Threat Detection Rules to secure your environment. This topic lists all the fields and events that apply to Falco rules for GCP Audit Logs.

Fields

Field Class: JSON

| Name | Type | Description |
| --- | --- | --- |
| json.value | CHARBUF | Extracts a value from a JSON-encoded input. Syntax is `json.value[<pointer>]`, where `<pointer>` is a JSON pointer (see https://datatracker.ietf.org/doc/html/rfc6901). |
| json.obj | CHARBUF | The full JSON message as a text string. |
| json.rawtime | CHARBUF | The time of the event, identical to evt.rawtime. |
| jevt.value | CHARBUF | Alias for json.value, provided for backwards compatibility. |
| jevt.obj | CHARBUF | Alias for json.obj, provided for backwards compatibility. |
| jevt.rawtime | CHARBUF | Alias for json.rawtime, provided for backwards compatibility. |

Field Class: GCP Audit Logs

| Name | Type | Description |
| --- | --- | --- |
| gcp.user | CHARBUF | GCP principal, actor of the action |
| gcp.callerIP | CHARBUF | Actor's IP address |
| gcp.userAgent | CHARBUF | Actor's user agent |
| gcp.authorizationInfo | CHARBUF | GCP authorization (JSON) |
| gcp.serviceName | CHARBUF | GCP API service name |
| gcp.policyDelta | CHARBUF | GCP service resource access control policy delta |
| gcp.request | CHARBUF | GCP API raw request (JSON) |
| gcp.methodName | CHARBUF | GCP API service method executed |
| gcp.cloudfunctions.function | CHARBUF | GCF (Cloud Functions) function name |
| gcp.cloudsql.databaseId | CHARBUF | GCP SQL database ID |
| gcp.compute.instanceId | CHARBUF | GCE instance ID |
| gcp.compute.networkId | CHARBUF | GCP network ID |
| gcp.compute.subnetwork | CHARBUF | GCP subnetwork name |
| gcp.compute.subnetworkId | CHARBUF | GCP subnetwork ID |
| gcp.dns.zone | CHARBUF | GCP DNS zone |
| gcp.iam.serviceAccount | CHARBUF | GCP service account |
| gcp.iam.serviceAccountId | CHARBUF | GCP IAM unique ID |
| gcp.location | CHARBUF | GCP region |
| gcp.logging.sink | CHARBUF | GCP logging sink |
| gcp.projectId | CHARBUF | GCP project ID |
| gcp.resourceName | CHARBUF | GCP resource name |
| gcp.resourceType | CHARBUF | GCP resource type |
| gcp.resourceLabels | CHARBUF | GCP resource labels (JSON) |
| gcp.storage.bucket | CHARBUF | GCP bucket name |
| gcp.time | CHARBUF | Timestamp of the event in RFC3339 format |