Update filters: GCP, Sophos XG, Windows#2175
Merged
Kbayero merged 4 commits intoJun 15, 2026
Merged
Conversation
❌ Go dependencies check failedThere are outdated Go dependencies, or modules that could not be inspected. Script output |
|
![utmstackprapprover[bot]](https://avatars.githubusercontent.com/u/144401876?s=60&v=4){kind=small}
Kbayero
approved these changes
Jun 15, 2026
Kbayero
added a commit
that referenced
this pull request
Jun 17, 2026
* update actions workflow * fix(workflows): unblock PR checks on large diffs + private go modules * fix(approver): use english in sticky PR comments * Feature/cleanup rules and filters (#2091) * refactor(filters): update macOS filter configuration * chore(rules): remove Office365 brute force detection rule * chore(rules): remove PowerShell Empire detection rule * chore(rules): remove RDP brute force attacks rule * fix[frontend](soar/create-rule): added fixed create/edit rule undefin… (#2087) * fix[frontend](soar/create-rule): added fixed create/edit rule undefined id error * chore[](): updated go packages * fix[frontend](environment):environments on gitignore and removed the actual local dev environment * chore[](): updated go packages * feat[backed](elasticSearchService): added batch processing of request… (#2090) * feat[backed](elasticSearchService): added batch processing of requests and auto rebuild on IO errors * chore[backend](): updated go dependencies * fix[backend](elastic-service): sanitized csv before exportation and changed error messages * fix[frontend](socai): added default template for empty previous socai… (#2095) * fix[frontend](build): added environment.ts (#2099) * fix[backend](visualizations): removed utm-geoip legacy index references on region map visualizations (#2098) Co-authored-by: Osmany Montero <osmontero@icloud.com> * Hotfix/socai custom header (#2101) * fix[frontend](socai): added default template for empty previous socai config (#2092) * fix[frontend](socai): added default template for empty previous socai configuration * fix[frontend](socai): setted customHeaders as password key type * fix[frontend](socai): dont let empty description on modules * fix[backend](socai): generate the modulegroup with new keys if no other exists on db * fix[backend](changeset): added customHeader entries as password type * fix(frontend): update nginx from 1.19.5 to 1.30.1 Remediate 22 known CVEs including CVE-2026-42945 (actively exploited in the wild for RCE). nginx:1.19.5 (Oct 2020) was affected by buffer overflows, memory disclosure, HTTP/2 injection, SSL session reuse, and multiple other vulnerabilities patched in the 1.30.1 stable release. * Backlog/fix/socai module disabled (#2102) * fix[backend](socai): changed socai default module keys * fix[backend](modules): added default keys on module creation response * fix[frontend](socai): handled empty (disabled) module configuration * Backlog/fix/tag rules (#2106) * fix[frontend](rules): improved post event count validation * fix[frontend](tag_rules): added events related fields on tag rule creation --------- Co-authored-by: Osmany Montero <osmontero@icloud.com> * fix[frontend](alerts-view): added a loading indicator and improved fast filtering reinforcement (#2107) * fix[frontend](alerts-view): added a loading indicator and improved fast filtering reinforcement * chore[](): updated go packages * fix(deps): patch 5 Dependabot vulnerabilities (2 critical, 1 high, 2 medium) (#2103) - google.golang.org/grpc: 1.78.0 -> 1.79.3 (GHSA-p77j-4mvh-x3m3, critical) - github.com/jackc/pgx/v5: 5.8.0 -> 5.9.2 (GHSA-9jj7-4m8r-rfcm critical, GHSA-j88v-2chj-qfwx low) - go.opentelemetry.io/otel: 1.39.0 -> 1.41.0 (GHSA-mh2q-q3fh-2475, high) - com.itextpdf:itext7-core: 7.1.7 -> 7.2.0 (GHSA-hhh6-cm2m-3fhc, GHSA-8c9h-4q7g-fp7h, GHSA-c32g-2mgr-cfq7, medium x3) - org.postgresql:postgresql: 42.7.2 -> 42.7.11 (GHSA-98qh-xjc8-98pq, high) Signed-off-by: Osmany Montero <osmontero@icloud.com> * fix(deps): upgrade golang.org/x/sys from v0.44.0 to v0.45.0 * fix[frontend](alerts-view): add a duplication avoid on alert filter fields count (#2127) * refactor(rules): drop "now-" prefix from within field (#2176) * fix[backend](tags): removed false positive alerts from releaseToOpen schedule (#2178) * fix[installer](setup): added lock on installer final phase (#2180) * fix[frontend](alerts): properly handle update alerts errors (#2193) * feat(rules/o365): add Inbox Forward Rule with Email Exfiltration detection rule (#2221) * feat(rules/o365): add Audit Log Purge detection rule (#2220) * feat(rules/o365): add Admin Role/Permission Granted detection rule (#2219) * feat(rules/o365): add Admin Role Assignment detection rule (#2218) * refactor(rules/google): update GCP correlation rules (#2194) * feature(rules/google): add rule GCS Sensitive Data Access (#2187) * feature(rules/google): add rule GCS Bucket Deleted (#2186) * Tune bruteforce correlation and drop unreliable PTH rule (#2192) * fix(rules/windows): tighten bruteforce_attack correlation scope * fix(rules/windows): scope multi-failure-then-success rule by source * chore(rules/windows): remove pass_the_hash_detection rule * fix(rules/windows): fix of the redundant field 'origin.host' that appears twice in the deduplicateBy array. * feature(rules/google): add rule Privileged Role Granted - Owner or Editor (#2190) * feature(rules/google): add rule Cloud Logging Sink Modified (#2189) * feature(rules/google): add rule Firewall Open Ingress (#2182) * Update filters: GCP, Sophos XG, Windows (#2175) * feat(filters/gcp): add Cloud Audit Logs (protoPayload) support * fix(filters/sophos-xg): guard renames and actionResult against missing fields * chore(filters/windows): rename log.data.SubStatus field * fix(filters/sophos-xg): correct operator precedence in actionResult guard * feature(rules/google): add rule Audit Logging Configuration Changed (#2181) * Add GCP rule: IAM Policy Changed - Privilege Escalation (#2188) * feature(rules/google): add rule IAM Policy Changed - Privilege Escalation * fix(rule/google): changing 'exists(log.protoPayload.request.policy.auditConfigs)' to 'exists(log.protoPayload.request.policy.bindings) to improve detection logic * feature(rules/google): add rule Firewall Rule Deleted (#2183) * feature(rules/google): add rule GCS Bucket Created (#2185) * fix(rules/google): rebalance CIA impact scores for GCP rules (#2227) * feat[ci](pr-review): severity-based merge gate; exclude rules/filters/definitions from AI review * fix[ci](pr-review): don't gate routine go.mod/go.sum bumps as Tier 3 * fix[backend](alert_responses): reduces schedule time to executeResponse se from 5mins to 15 seconds (#2230) * fix[backend](alert_responses): reduces schedule time to executeResponse from 5mins to 15 seconds * fix[backend](go_deps): updated go dependencies * fix[backend](alert_responses): fixed powershell commands syntax errors (#2228) * fix[backend](alert_responses): fixed powershell commands syntax errors * fix[backend](go_deps): updated go dependencies * fix[backend](incident_response_audit): enabled filters on agents-with command query (#2226) * fix[backend](incident_response_audit): enabled filters on agents-with-command query * fix[backend](go_deps): updated go dependencies --------- Signed-off-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com> Co-authored-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com> * fix[backend](compilance_reports): migrated compilance reports from ol… (#2232) * fix[backend](compilance_reports): migrated compilance reports from old table to new one * fix[backend](compilance_reports): added rollback marker robustness and unconditional sentinel deletion * chore: update golang dependencies --------- Signed-off-by: Osmany Montero <osmontero@icloud.com> Signed-off-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com> Co-authored-by: Jose L Quiñones Rojas <73146718+JocLRojas@users.noreply.github.com> Co-authored-by: Alex Sánchez <alex.sanchez@utmstack.com> Co-authored-by: Osmany Montero <osmontero@icloud.com> Co-authored-by: developutm <development@utmstack.com>
Kbayero
added a commit
that referenced
this pull request
Jun 17, 2026
* update actions workflow * fix(workflows): unblock PR checks on large diffs + private go modules * fix(approver): use english in sticky PR comments * Feature/cleanup rules and filters (#2091) * refactor(filters): update macOS filter configuration * chore(rules): remove Office365 brute force detection rule * chore(rules): remove PowerShell Empire detection rule * chore(rules): remove RDP brute force attacks rule * fix[frontend](soar/create-rule): added fixed create/edit rule undefin… (#2087) * fix[frontend](soar/create-rule): added fixed create/edit rule undefined id error * chore[](): updated go packages * fix[frontend](environment):environments on gitignore and removed the actual local dev environment * chore[](): updated go packages * feat[backed](elasticSearchService): added batch processing of request… (#2090) * feat[backed](elasticSearchService): added batch processing of requests and auto rebuild on IO errors * chore[backend](): updated go dependencies * fix[backend](elastic-service): sanitized csv before exportation and changed error messages * fix[frontend](socai): added default template for empty previous socai… (#2095) * fix[frontend](build): added environment.ts (#2099) * fix[backend](visualizations): removed utm-geoip legacy index references on region map visualizations (#2098) Co-authored-by: Osmany Montero <osmontero@icloud.com> * Hotfix/socai custom header (#2101) * fix[frontend](socai): added default template for empty previous socai config (#2092) * fix[frontend](socai): added default template for empty previous socai configuration * fix[frontend](socai): setted customHeaders as password key type * fix[frontend](socai): dont let empty description on modules * fix[backend](socai): generate the modulegroup with new keys if no other exists on db * fix[backend](changeset): added customHeader entries as password type * fix(frontend): update nginx from 1.19.5 to 1.30.1 Remediate 22 known CVEs including CVE-2026-42945 (actively exploited in the wild for RCE). nginx:1.19.5 (Oct 2020) was affected by buffer overflows, memory disclosure, HTTP/2 injection, SSL session reuse, and multiple other vulnerabilities patched in the 1.30.1 stable release. * Backlog/fix/socai module disabled (#2102) * fix[backend](socai): changed socai default module keys * fix[backend](modules): added default keys on module creation response * fix[frontend](socai): handled empty (disabled) module configuration * Backlog/fix/tag rules (#2106) * fix[frontend](rules): improved post event count validation * fix[frontend](tag_rules): added events related fields on tag rule creation --------- Co-authored-by: Osmany Montero <osmontero@icloud.com> * fix[frontend](alerts-view): added a loading indicator and improved fast filtering reinforcement (#2107) * fix[frontend](alerts-view): added a loading indicator and improved fast filtering reinforcement * chore[](): updated go packages * fix(deps): patch 5 Dependabot vulnerabilities (2 critical, 1 high, 2 medium) (#2103) - google.golang.org/grpc: 1.78.0 -> 1.79.3 (GHSA-p77j-4mvh-x3m3, critical) - github.com/jackc/pgx/v5: 5.8.0 -> 5.9.2 (GHSA-9jj7-4m8r-rfcm critical, GHSA-j88v-2chj-qfwx low) - go.opentelemetry.io/otel: 1.39.0 -> 1.41.0 (GHSA-mh2q-q3fh-2475, high) - com.itextpdf:itext7-core: 7.1.7 -> 7.2.0 (GHSA-hhh6-cm2m-3fhc, GHSA-8c9h-4q7g-fp7h, GHSA-c32g-2mgr-cfq7, medium x3) - org.postgresql:postgresql: 42.7.2 -> 42.7.11 (GHSA-98qh-xjc8-98pq, high) Signed-off-by: Osmany Montero <osmontero@icloud.com> * fix(deps): upgrade golang.org/x/sys from v0.44.0 to v0.45.0 * fix[frontend](alerts-view): add a duplication avoid on alert filter fields count (#2127) * refactor(rules): drop "now-" prefix from within field (#2176) * fix[backend](tags): removed false positive alerts from releaseToOpen schedule (#2178) * fix[installer](setup): added lock on installer final phase (#2180) * fix[frontend](alerts): properly handle update alerts errors (#2193) * feat(rules/o365): add Inbox Forward Rule with Email Exfiltration detection rule (#2221) * feat(rules/o365): add Audit Log Purge detection rule (#2220) * feat(rules/o365): add Admin Role/Permission Granted detection rule (#2219) * feat(rules/o365): add Admin Role Assignment detection rule (#2218) * refactor(rules/google): update GCP correlation rules (#2194) * feature(rules/google): add rule GCS Sensitive Data Access (#2187) * feature(rules/google): add rule GCS Bucket Deleted (#2186) * Tune bruteforce correlation and drop unreliable PTH rule (#2192) * fix(rules/windows): tighten bruteforce_attack correlation scope * fix(rules/windows): scope multi-failure-then-success rule by source * chore(rules/windows): remove pass_the_hash_detection rule * fix(rules/windows): fix of the redundant field 'origin.host' that appears twice in the deduplicateBy array. * feature(rules/google): add rule Privileged Role Granted - Owner or Editor (#2190) * feature(rules/google): add rule Cloud Logging Sink Modified (#2189) * feature(rules/google): add rule Firewall Open Ingress (#2182) * Update filters: GCP, Sophos XG, Windows (#2175) * feat(filters/gcp): add Cloud Audit Logs (protoPayload) support * fix(filters/sophos-xg): guard renames and actionResult against missing fields * chore(filters/windows): rename log.data.SubStatus field * fix(filters/sophos-xg): correct operator precedence in actionResult guard * feature(rules/google): add rule Audit Logging Configuration Changed (#2181) * Add GCP rule: IAM Policy Changed - Privilege Escalation (#2188) * feature(rules/google): add rule IAM Policy Changed - Privilege Escalation * fix(rule/google): changing 'exists(log.protoPayload.request.policy.auditConfigs)' to 'exists(log.protoPayload.request.policy.bindings) to improve detection logic * feature(rules/google): add rule Firewall Rule Deleted (#2183) * feature(rules/google): add rule GCS Bucket Created (#2185) * fix(rules/google): rebalance CIA impact scores for GCP rules (#2227) * feat[ci](pr-review): severity-based merge gate; exclude rules/filters/definitions from AI review * fix[ci](pr-review): don't gate routine go.mod/go.sum bumps as Tier 3 * fix[backend](alert_responses): reduces schedule time to executeResponse se from 5mins to 15 seconds (#2230) * fix[backend](alert_responses): reduces schedule time to executeResponse from 5mins to 15 seconds * fix[backend](go_deps): updated go dependencies * fix[backend](alert_responses): fixed powershell commands syntax errors (#2228) * fix[backend](alert_responses): fixed powershell commands syntax errors * fix[backend](go_deps): updated go dependencies * fix[backend](incident_response_audit): enabled filters on agents-with command query (#2226) * fix[backend](incident_response_audit): enabled filters on agents-with-command query * fix[backend](go_deps): updated go dependencies --------- Signed-off-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com> Co-authored-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com> * fix[backend](compilance_reports): migrated compilance reports from ol… (#2232) * fix[backend](compilance_reports): migrated compilance reports from old table to new one * fix[backend](compilance_reports): added rollback marker robustness and unconditional sentinel deletion * chore: update golang dependencies * fix[ci]: fix changelog script failing when tag doesn't exist yet and unblock installer on changelog failure --------- Signed-off-by: Osmany Montero <osmontero@icloud.com> Signed-off-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com> Co-authored-by: Jose L Quiñones Rojas <73146718+JocLRojas@users.noreply.github.com> Co-authored-by: Alex Sánchez <alex.sanchez@utmstack.com> Co-authored-by: Osmany Montero <osmontero@icloud.com> Co-authored-by: developutm <development@utmstack.com>
Kbayero
added a commit
that referenced
this pull request
Jun 17, 2026
* update actions workflow * fix(workflows): unblock PR checks on large diffs + private go modules * fix(approver): use english in sticky PR comments * Feature/cleanup rules and filters (#2091) * refactor(filters): update macOS filter configuration * chore(rules): remove Office365 brute force detection rule * chore(rules): remove PowerShell Empire detection rule * chore(rules): remove RDP brute force attacks rule * fix[frontend](soar/create-rule): added fixed create/edit rule undefin… (#2087) * fix[frontend](soar/create-rule): added fixed create/edit rule undefined id error * chore[](): updated go packages * fix[frontend](environment):environments on gitignore and removed the actual local dev environment * chore[](): updated go packages * feat[backed](elasticSearchService): added batch processing of request… (#2090) * feat[backed](elasticSearchService): added batch processing of requests and auto rebuild on IO errors * chore[backend](): updated go dependencies * fix[backend](elastic-service): sanitized csv before exportation and changed error messages * fix[frontend](socai): added default template for empty previous socai… (#2095) * fix[frontend](build): added environment.ts (#2099) * fix[backend](visualizations): removed utm-geoip legacy index references on region map visualizations (#2098) Co-authored-by: Osmany Montero <osmontero@icloud.com> * Hotfix/socai custom header (#2101) * fix[frontend](socai): added default template for empty previous socai config (#2092) * fix[frontend](socai): added default template for empty previous socai configuration * fix[frontend](socai): setted customHeaders as password key type * fix[frontend](socai): dont let empty description on modules * fix[backend](socai): generate the modulegroup with new keys if no other exists on db * fix[backend](changeset): added customHeader entries as password type * fix(frontend): update nginx from 1.19.5 to 1.30.1 Remediate 22 known CVEs including CVE-2026-42945 (actively exploited in the wild for RCE). nginx:1.19.5 (Oct 2020) was affected by buffer overflows, memory disclosure, HTTP/2 injection, SSL session reuse, and multiple other vulnerabilities patched in the 1.30.1 stable release. * Backlog/fix/socai module disabled (#2102) * fix[backend](socai): changed socai default module keys * fix[backend](modules): added default keys on module creation response * fix[frontend](socai): handled empty (disabled) module configuration * Backlog/fix/tag rules (#2106) * fix[frontend](rules): improved post event count validation * fix[frontend](tag_rules): added events related fields on tag rule creation --------- Co-authored-by: Osmany Montero <osmontero@icloud.com> * fix[frontend](alerts-view): added a loading indicator and improved fast filtering reinforcement (#2107) * fix[frontend](alerts-view): added a loading indicator and improved fast filtering reinforcement * chore[](): updated go packages * fix(deps): patch 5 Dependabot vulnerabilities (2 critical, 1 high, 2 medium) (#2103) - google.golang.org/grpc: 1.78.0 -> 1.79.3 (GHSA-p77j-4mvh-x3m3, critical) - github.com/jackc/pgx/v5: 5.8.0 -> 5.9.2 (GHSA-9jj7-4m8r-rfcm critical, GHSA-j88v-2chj-qfwx low) - go.opentelemetry.io/otel: 1.39.0 -> 1.41.0 (GHSA-mh2q-q3fh-2475, high) - com.itextpdf:itext7-core: 7.1.7 -> 7.2.0 (GHSA-hhh6-cm2m-3fhc, GHSA-8c9h-4q7g-fp7h, GHSA-c32g-2mgr-cfq7, medium x3) - org.postgresql:postgresql: 42.7.2 -> 42.7.11 (GHSA-98qh-xjc8-98pq, high) Signed-off-by: Osmany Montero <osmontero@icloud.com> * fix(deps): upgrade golang.org/x/sys from v0.44.0 to v0.45.0 * fix[frontend](alerts-view): add a duplication avoid on alert filter fields count (#2127) * refactor(rules): drop "now-" prefix from within field (#2176) * fix[backend](tags): removed false positive alerts from releaseToOpen schedule (#2178) * fix[installer](setup): added lock on installer final phase (#2180) * fix[frontend](alerts): properly handle update alerts errors (#2193) * feat(rules/o365): add Inbox Forward Rule with Email Exfiltration detection rule (#2221) * feat(rules/o365): add Audit Log Purge detection rule (#2220) * feat(rules/o365): add Admin Role/Permission Granted detection rule (#2219) * feat(rules/o365): add Admin Role Assignment detection rule (#2218) * refactor(rules/google): update GCP correlation rules (#2194) * feature(rules/google): add rule GCS Sensitive Data Access (#2187) * feature(rules/google): add rule GCS Bucket Deleted (#2186) * Tune bruteforce correlation and drop unreliable PTH rule (#2192) * fix(rules/windows): tighten bruteforce_attack correlation scope * fix(rules/windows): scope multi-failure-then-success rule by source * chore(rules/windows): remove pass_the_hash_detection rule * fix(rules/windows): fix of the redundant field 'origin.host' that appears twice in the deduplicateBy array. * feature(rules/google): add rule Privileged Role Granted - Owner or Editor (#2190) * feature(rules/google): add rule Cloud Logging Sink Modified (#2189) * feature(rules/google): add rule Firewall Open Ingress (#2182) * Update filters: GCP, Sophos XG, Windows (#2175) * feat(filters/gcp): add Cloud Audit Logs (protoPayload) support * fix(filters/sophos-xg): guard renames and actionResult against missing fields * chore(filters/windows): rename log.data.SubStatus field * fix(filters/sophos-xg): correct operator precedence in actionResult guard * feature(rules/google): add rule Audit Logging Configuration Changed (#2181) * Add GCP rule: IAM Policy Changed - Privilege Escalation (#2188) * feature(rules/google): add rule IAM Policy Changed - Privilege Escalation * fix(rule/google): changing 'exists(log.protoPayload.request.policy.auditConfigs)' to 'exists(log.protoPayload.request.policy.bindings) to improve detection logic * feature(rules/google): add rule Firewall Rule Deleted (#2183) * feature(rules/google): add rule GCS Bucket Created (#2185) * fix(rules/google): rebalance CIA impact scores for GCP rules (#2227) * feat[ci](pr-review): severity-based merge gate; exclude rules/filters/definitions from AI review * fix[ci](pr-review): don't gate routine go.mod/go.sum bumps as Tier 3 * fix[backend](alert_responses): reduces schedule time to executeResponse se from 5mins to 15 seconds (#2230) * fix[backend](alert_responses): reduces schedule time to executeResponse from 5mins to 15 seconds * fix[backend](go_deps): updated go dependencies * fix[backend](alert_responses): fixed powershell commands syntax errors (#2228) * fix[backend](alert_responses): fixed powershell commands syntax errors * fix[backend](go_deps): updated go dependencies * fix[backend](incident_response_audit): enabled filters on agents-with command query (#2226) * fix[backend](incident_response_audit): enabled filters on agents-with-command query * fix[backend](go_deps): updated go dependencies --------- Signed-off-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com> Co-authored-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com> * fix[backend](compilance_reports): migrated compilance reports from ol… (#2232) * fix[backend](compilance_reports): migrated compilance reports from old table to new one * fix[backend](compilance_reports): added rollback marker robustness and unconditional sentinel deletion * chore: update golang dependencies * fix[ci]: fix changelog script failing when tag doesn't exist yet and unblock installer on changelog failure * ci: simplify v11 pipeline to trigger on release events instead of push to v11 --------- Signed-off-by: Osmany Montero <osmontero@icloud.com> Signed-off-by: Yorjander Hernandez Vergara <99102374+Kbayero@users.noreply.github.com> Co-authored-by: Jose L Quiñones Rojas <73146718+JocLRojas@users.noreply.github.com> Co-authored-by: Alex Sánchez <alex.sanchez@utmstack.com> Co-authored-by: Osmany Montero <osmontero@icloud.com> Co-authored-by: developutm <development@utmstack.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Three independent filter updates, one commit per filter:
feat(filters/gcp)— Add support for Cloud Audit Logs. Bumps GCP filter to 2.2.0. MapsprotoPayloadfields (user, IP, method, service, resource, status) and derivesactionResultfrom the audit status. Without this, GCP audit events were not being normalized.fix(filters/sophos-xg)— Bumps Sophos XG filter to 3.0.6. Adds existence guards so the pipeline doesn't fail whenstatusCodeis absent. Also derivesactionResultfromlog.subType(Denied / Accepted / Allowed).chore(filters/windows)— Mapslog.data.SubStatusto extend the existing event-data field set.