Closed SpencerLN closed 1 month ago
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
It looks like that field is the only field in the group that is documented to exist that we do not currently retain. Do you know of any others?
I believe the `thirdPartyPrincipal` and `serviceAccountDelegationInfo` fields are also missing.
```
{
  "principalEmail": string,
  "authoritySelector": string,
  "thirdPartyPrincipal": {
    object
  },
  "serviceAccountKeyName": string,
  "serviceAccountDelegationInfo": [
    {
      object ([ServiceAccountDelegationInfo](https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#ServiceAccountDelegationInfo))
    }
  ],
  "principalSubject": string
}
```
Currently some info in the `authenticationInfo` field is being dropped by the GCP audit pipeline. We should ensure that this data is preserved to enable efficient investigation and auditing. For example, the `serviceAccountKeyName` field is not preserved and we would like to be able to identify which key is being used to make a request. https://cloud.google.com/iam/docs/audit-logging/examples-service-accounts#auth-service-account-key
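An added example, not part of the issue or of the integration's own code: using the raw `authenticationInfo` fields discussed in this thread to attribute each request to a specific service account key and delegation chain. It assumes raw Cloud Audit Log entries with a `protoPayload` object; the project, accounts, key ids and entries below are constructed.

```python
import re
from collections import defaultdict

# Resource-name shape Google documents for authenticationInfo.serviceAccountKeyName.
KEY_NAME_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(?P<project>[^/]+)"
    r"/serviceAccounts/(?P<account>[^/]+)/keys/(?P<key_id>[^/]+)$"
)

def key_usage(entry):
    """Summarise who made a call, with which key, and through which delegation hops."""
    payload = entry.get("protoPayload", {})
    auth = payload.get("authenticationInfo", {})
    match = KEY_NAME_RE.match(auth.get("serviceAccountKeyName", ""))
    chain = [
        hop.get("firstPartyPrincipal", {}).get("principalEmail")
        or hop.get("principalSubject", "unknown")
        for hop in auth.get("serviceAccountDelegationInfo", [])
    ]
    return {
        "principal": auth.get("principalEmail"),
        "key_id": match.group("key_id") if match else None,
        "delegation_chain": chain,
        "method": payload.get("methodName"),
    }

def methods_by_key(entries):
    """Map (principal, key_id) to methods called; key_id is None when no key is logged."""
    grouped = defaultdict(set)
    for entry in entries:
        usage = key_usage(entry)
        grouped[(usage["principal"], usage["key_id"])].add(usage["method"])
    return dict(grouped)

# Constructed sample entries (hypothetical project, accounts and key ids).
SA = "ci@example-project.iam.gserviceaccount.com"
KEY = "//iam.googleapis.com/projects/example-project/serviceAccounts/" + SA + "/keys/"
SAMPLE = [
    {"protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {
        "principalEmail": SA, "serviceAccountKeyName": KEY + "aaaa1111"}}},
    {"protoPayload": {"methodName": "storage.objects.delete", "authenticationInfo": {
        "principalEmail": SA, "serviceAccountKeyName": KEY + "bbbb2222"}}},
    {"protoPayload": {"methodName": "storage.buckets.list", "authenticationInfo": {
        "principalEmail": "deploy@example-project.iam.gserviceaccount.com",
        "serviceAccountDelegationInfo": [{"firstPartyPrincipal": {"principalEmail": SA}}]}}},
]

if __name__ == "__main__":
    for key, methods in methods_by_key(SAMPLE).items():
        print(key, sorted(methods))
```

When a pipeline drops `serviceAccountKeyName`, the first two sample requests collapse into one principal and the per-key split shown here is no longer recoverable from the indexed document.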