Update Google Cloud Log parser plugin

[roshanmaskey]

Google Cloud audit logs parser update

Description:

Updating Google Cloud audit log parser plugin (gcp_log.py) to extract attributes useful for investigation.

Some of the attributes extracted by the plugin are listed below:

• principal_email: Email address of the user making the request.
• permissions: IAM permissions required for GCP operation.
• service_account_delegations: Service account delegation.
• dcsa_emails: Default service account attached to a compute instance.
• dcsa_scopes: OAuth scopes granted to the default service account attached to a compute instance.

Notes:

All contributions to Plaso undergo code review.
This makes sure that the code has appropriate test coverage and conforms to the
Plaso style guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.

Checklist:

• Automated checks (GitHub Actions, AppVeyor) pass
• No new new dependencies are required or l2tdevtools has been updated
• Reviewer assigned

[sydp]

one additional comment but otherwise lgtm.

[codecov]

Codecov Report

Attention: Patch coverage is 91.53846% with 11 lines in your changes missing coverage. Please review.

Project coverage is 85.08%. Comparing base (9d4e13c) to head (a333753).

Files with missing lines	Patch %	Lines
plaso/parsers/jsonl_plugins/gcp_log.py	91.53%	11 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4923      +/-   ##
==========================================
+ Coverage   85.05%   85.08%   +0.02%     
==========================================
  Files         431      431              
  Lines       38648    38765     +117     
==========================================
+ Hits        32873    32982     +109     
- Misses       5775     5783       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[joachimmetz]

why the sudden argument name change?

[roshanmaskey]

This method only processes information in the request field i.e. protoPayload.request. To add clarity, I renamed the method to _ParseComputeRequest.

[joachimmetz]

Why an empty string and not None?

[roshanmaskey]

Attributes with value None are ignored by Timesketch. An empty string is assigned to ensure it appears in Timesketch, and Timesketch analyzers (in future) can utilize the field for successful operation filtering.

[joachimmetz]

Why the explicit call to str() ?

[roshanmaskey]

It is done to avoid type issues in OpenSearch. The value protoPayload.status.code is of type integer or empty.

[joachimmetz]

nit: comment add no value to explain the code.

[roshanmaskey]

Updated to explain the variable.

[joachimmetz]

@sydp were things remaining that should be changed from your perspective?

[sydp]

@sydp were things remaining that should be changed from your perspective?

Nothing further from me, thanks.