elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[GCP Audit] Preserve all data from the authenticationInfo field #10438

Closed SpencerLN closed 1 month ago

SpencerLN commented 2 months ago

Currently some info in the authenticationInfo field is being dropped by the GCP audit pipeline. We should ensure that this data is preserved to enable efficient investigation and auditing. For example, the serviceAccountKeyName field is not preserved and we would like to be able to identify which key is being used to make a request.

https://cloud.google.com/iam/docs/audit-logging/examples-service-accounts#auth-service-account-key

```json
{
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "my-service-account@my-project.iam.gserviceaccount.com",
      "serviceAccountKeyName": "//iam.googleapis.com/projects/my-project/serviceAccounts/my-service-account@my-project.iam.gserviceaccount.com/keys/c71e040fb4b71d798ce4baca14e15ab62115aaef"
    },
    "methodName": "google.cloud.redis.v1.CloudRedis.CreateInstance",
    "request": {
      "@type": "type.googleapis.com/google.cloud.redis.v1.CreateInstanceRequest"
    }
  }
}
```

elasticmachine commented 1 month ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

efd6 commented 1 month ago

It looks like that field is the only field in the group that is documented to exist that we do not currently retain. Do you know of any others?

SpencerLN commented 1 month ago

I believe the thirdPartyPrincipal and serviceAccountDelegationInfo fields are also missing.

https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#AuthenticationInfo

```json
{
  "principalEmail": string,
  "authoritySelector": string,
  "thirdPartyPrincipal": {
    object
  },
  "serviceAccountKeyName": string,
  "serviceAccountDelegationInfo": [
    {
      object ([ServiceAccountDelegationInfo](https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog#ServiceAccountDelegationInfo))
    }
  ],
  "principalSubject": string
}
```
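The two comments above together describe the problem (a fixed allow-list in the pipeline silently drops `serviceAccountKeyName`, `thirdPartyPrincipal` and `serviceAccountDelegationInfo`) and the full documented schema for `authenticationInfo`. The following Python is an added example, not code from the Elastic integration or from the issue: it maps every `authenticationInfo` field the event actually carries, checks a mapped document against the source event to report anything that was dropped, flags fields the schema does not document (so a pipeline can keep them raw rather than lose them), and pulls out the two values an investigator asks for first, the key id at the end of `serviceAccountKeyName` and the delegation chain. The target field prefix `gcp.audit.authentication_info` and the sample event are assumptions constructed for the example; the sample's delegation entry follows the `ServiceAccountDelegationInfo` shape (`firstPartyPrincipal.principalEmail`) from the GCP reference linked above.

```python
import re
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample event (hypothetical values). Its shape follows the GCP
# documentation example quoted in the issue; a delegation entry is added so
# the chain-extraction helper has something to walk.
SAMPLE_AUDIT_LOG: Dict[str, Any] = {
    "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
            "principalEmail": "my-service-account@my-project.iam.gserviceaccount.com",
            "serviceAccountKeyName": (
                "//iam.googleapis.com/projects/my-project/serviceAccounts/"
                "my-service-account@my-project.iam.gserviceaccount.com/keys/"
                "c71e040fb4b71d798ce4baca14e15ab62115aaef"
            ),
            "serviceAccountDelegationInfo": [
                {"firstPartyPrincipal": {"principalEmail": "delegator@my-project.iam.gserviceaccount.com"}}
            ],
            "principalSubject": "serviceAccount:my-service-account@my-project.iam.gserviceaccount.com",
        },
        "methodName": "google.cloud.redis.v1.CloudRedis.CreateInstance",
    },
}

# Fields documented for AuthenticationInfo in the reference linked in the issue.
DOCUMENTED_AUTH_FIELDS = (
    "principalEmail", "authoritySelector", "thirdPartyPrincipal",
    "serviceAccountKeyName", "serviceAccountDelegationInfo", "principalSubject",
)

# Assumed destination prefix; the integration's real field names may differ.
DEFAULT_PREFIX = "gcp.audit.authentication_info"


def camel_to_snake(name: str) -> str:
    """serviceAccountKeyName -> service_account_key_name."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()


def _auth_info(audit_log: Dict[str, Any]) -> Dict[str, Any]:
    return audit_log.get("protoPayload", {}).get("authenticationInfo", {}) or {}


def map_authentication_info(audit_log: Dict[str, Any],
                            keep: Optional[Iterable[str]] = None,
                            prefix: str = DEFAULT_PREFIX) -> Dict[str, Any]:
    """Flatten authenticationInfo into dotted keys.

    keep=None copies every field present (the behaviour the issue asks for);
    passing an allow-list reproduces a lossy pipeline that only copies
    selected fields, which is what find_dropped_fields() is meant to catch.
    """
    allowed = set(keep) if keep is not None else None
    mapped: Dict[str, Any] = {}
    for key, value in _auth_info(audit_log).items():
        if allowed is not None and key not in allowed:
            continue
        mapped[f"{prefix}.{camel_to_snake(key)}"] = value
    return mapped


def find_dropped_fields(audit_log: Dict[str, Any], mapped: Dict[str, Any],
                        prefix: str = DEFAULT_PREFIX) -> List[str]:
    """Source authenticationInfo fields that did not survive into `mapped`."""
    return sorted(k for k in _auth_info(audit_log)
                  if f"{prefix}.{camel_to_snake(k)}" not in mapped)


def undocumented_fields(audit_log: Dict[str, Any]) -> List[str]:
    """Fields present in the event but absent from the documented schema."""
    return sorted(k for k in _auth_info(audit_log) if k not in DOCUMENTED_AUTH_FIELDS)


def key_id_from_key_name(key_name: Optional[str]) -> Optional[str]:
    """Trailing key id of a serviceAccountKeyName resource path, or None."""
    if not key_name or "/keys/" not in key_name:
        return None
    return key_name.rsplit("/keys/", 1)[1]


def delegation_chain(audit_log: Dict[str, Any]) -> List[str]:
    """Principals in serviceAccountDelegationInfo, in the order GCP lists them."""
    chain: List[str] = []
    for entry in _auth_info(audit_log).get("serviceAccountDelegationInfo", []) or []:
        first = entry.get("firstPartyPrincipal") or {}
        if "principalEmail" in first:
            chain.append(first["principalEmail"])
        elif "thirdPartyPrincipal" in entry:
            chain.append("third-party:" + str(entry["thirdPartyPrincipal"].get("thirdPartyClaims")))
        elif "principalSubject" in entry:
            chain.append(entry["principalSubject"])
    return chain


if __name__ == "__main__":
    full = map_authentication_info(SAMPLE_AUDIT_LOG)
    lossy = map_authentication_info(SAMPLE_AUDIT_LOG, keep=("principalEmail",))
    print("dropped by full mapping:", find_dropped_fields(SAMPLE_AUDIT_LOG, full))
    print("dropped by lossy mapping:", find_dropped_fields(SAMPLE_AUDIT_LOG, lossy))
    print("key id:", key_id_from_key_name(full[f"{DEFAULT_PREFIX}.service_account_key_name"]))
    print("delegation chain:", delegation_chain(SAMPLE_AUDIT_LOG))
```

Running `find_dropped_fields` over a sample of real events before and after a pipeline change is a cheap regression check: the list should be empty for every documented field, and `undocumented_fields` tells you when Google has started emitting something the mapping has never seen.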