turbot
diff --git a/‎CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎dashboards/activity_dashboard.pp‎
Lines changed: 45 additions & 10 deletions b/‎dashboards/activity_dashboard.pp‎
Lines changed: 45 additions & 10 deletions
diff --git a/‎detections/access_context_manager.pp‎
Lines changed: 11 additions & 2 deletions b/‎detections/access_context_manager.pp‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎detections/apigee.pp‎
Lines changed: 6 additions & 1 deletion b/‎detections/apigee.pp‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎detections/app_engine.pp‎
Lines changed: 16 additions & 3 deletions b/‎detections/app_engine.pp‎
Lines changed: 16 additions & 3 deletions
diff --git a/‎detections/artifact_registry.pp‎
Lines changed: 11 additions & 2 deletions b/‎detections/artifact_registry.pp‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎detections/cloud_run.pp‎
Lines changed: 6 additions & 1 deletion b/‎detections/cloud_run.pp‎
Lines changed: 6 additions & 1 deletion
@@ -1,3 +1,11 @@
+## v0.3.0 [2025-03-03]
+
+_Enhancements_
+
+- Added `title`, `description`, and `folder = "Project"` tag to `Activity Dashboard` queries for improved organization and clarity. ([#7](https://github.com/turbot/tailpipe-mod-gcp-audit-log-detections/pull/7))
+- Added `folder = "<service>"` tag to `service common tag locals` for better query categorization. ([#7](https://github.com/turbot/tailpipe-mod-gcp-audit-log-detections/pull/7))
+- Standardized all queries to use `service common tags`, ensuring consistency across detection queries. ([#7](https://github.com/turbot/tailpipe-mod-gcp-audit-log-detections/pull/7))
+
 ## v0.3.0 [2025-02-14]
 
 _Enhancements_
 
@@ -68,18 +68,24 @@
 # -----------------------------
 
 query "activity_dashboard_total_logs" {
-  title = "Log Count"
+  title       = "Log Count"
+  description = "Count the total log entries."
 
   sql = <<-EOQ
     select
       count(*) as "Total Logs"
     from
       gcp_audit_log;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_project" {
-  title = "Logs by Project"
+  title       = "Logs by Project"
+  description = "Count the total log entries grouped by project."
 
   sql = <<-EOQ
     select
@@ -95,29 +101,39 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_type" {
-  title = "Logs by Type"
+  title       = "Logs by Type"
+  description = "Count the total log entries grouped by type."
 
   sql = <<-EOQ
     select
-      split_part(log_name, '%2F', 2) as "Type",
+      split_part(replace(log_name, '%2F', '/'),'/', 5) as "Type",
       count(*) as "Logs"
     from
       gcp_audit_log
     where
-      split_part(log_name, '%2F', 2) is not null
+      split_part(replace(log_name, '%2F', '/'),'/', 5) is not null
     group by
-      split_part(log_name, '%2F', 2)
+      split_part(replace(log_name, '%2F', '/'),'/', 5)
     order by
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_service" {
-  title = "Logs by Service"
+  title       = "Top 10 Services"
+  description = "List the top 10 services by frequency."
 
   sql = <<-EOQ
     select
@@ -133,10 +149,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_event" {
-  title = "Top 10 Events"
+  title       = "Top 10 Events"
+  description = "List the 10 most frequently called events."
 
   sql = <<-EOQ
     select
@@ -152,10 +173,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_actor" {
-  title = "Top 10 Actors"
+  title       = "Top 10 Actors"
+  description = "List the 10 most active actors."
 
   sql = <<-EOQ
     select
@@ -171,10 +197,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_source_ip" {
-  title = "Top 10 Source IPs"
+  title       = "Top 10 Source IPs (Excluding GCP Internal)"
+  description = "List the 10 most active source IPs, excluding events from GCP internal."
 
   sql = <<-EOQ
     select
@@ -191,4 +222,8 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
@@ -1,5 +1,6 @@
 locals {
   access_context_manager_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "Access Context Manager"
     service = "GCP/AccessContextManager"
   })
 
@@ -27,7 +28,9 @@
   query           = query.access_context_manager_policy_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.access_context_manager_common_tags
+  tags = merge(local.access_context_manager_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "access_context_manager_access_level_deleted" {
@@ -38,7 +41,9 @@
   query           = query.access_context_manager_access_level_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.access_context_manager_common_tags
+  tags = merge(local.access_context_manager_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 query "access_context_manager_policy_deleted" {
@@ -53,6 +58,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.access_context_manager_common_tags
 }
 
 query "access_context_manager_access_level_deleted" {
@@ -67,4 +74,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.access_context_manager_common_tags
 }
@@ -1,5 +1,6 @@
 locals {
   apigee_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "Apigee"
     service = "GCP/Apigee"
   })
 }
@@ -25,7 +26,9 @@
   query           = query.apigee_security_action_disabled
   display_columns = local.detection_display_columns
 
-  tags = local.apigee_common_tags
+  tags = merge(local.apigee_common_tags, {
+    mitre_attack_ids = "TA0005:T1562.001"
+  })
 }
 
 query "apigee_security_action_disabled" {
@@ -40,4 +43,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.apigee_common_tags
 }
@@ -1,5 +1,6 @@
 locals {
   app_engine_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "App Engine"
     service = "GCP/AppEngine"
   })
 }
@@ -27,7 +28,9 @@
   query           = query.app_engine_firewall_ingress_rule_created
   display_columns = local.detection_display_columns
 
-  tags = local.app_engine_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "app_engine_firewall_ingress_rule_updated" {
@@ -38,7 +41,9 @@
   query           = query.app_engine_firewall_ingress_rule_updated
   display_columns = local.detection_display_columns
 
-  tags = local.app_engine_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 detection "app_engine_firewall_ingress_rule_deleted" {
@@ -49,7 +54,9 @@
   query           = query.app_engine_firewall_ingress_rule_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.app_engine_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.005"
+  })
 }
 
 query "app_engine_firewall_ingress_rule_created" {
@@ -64,6 +71,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.app_engine_common_tags
 }
 
 query "app_engine_firewall_ingress_rule_updated" {
@@ -78,6 +87,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.app_engine_common_tags
 }
 
 query "app_engine_firewall_ingress_rule_deleted" {
@@ -92,4 +103,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.app_engine_common_tags
 }
@@ -1,5 +1,6 @@
 locals {
   artifact_registry_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "Artifact Registry"
     service = "GCP/ArtifactRegistry"
   })
 }
@@ -26,7 +27,9 @@
   query           = query.artifact_registry_repository_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.artifact_registry_common_tags
+  tags = merge(local.artifact_registry_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.003"
+  })
 }
 
 detection "artifact_registry_package_deleted" {
@@ -36,7 +39,9 @@
   severity      = "low"
   query         = query.artifact_registry_package_deleted
 
-  tags = local.artifact_registry_common_tags
+  tags = merge(local.app_engine_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.003"
+  })
 }
 
 query "artifact_registry_package_deleted" {
@@ -51,6 +56,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.artifact_registry_common_tags
 }
 
 query "artifact_registry_repository_deleted" {
@@ -65,4 +72,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.artifact_registry_common_tags
 }
@@ -1,5 +1,6 @@
 locals {
   cloud_run_function_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "Cloud Run Function"
     service = "GCP/CloudRunFunction"
   })
 }
@@ -25,7 +26,9 @@
   query           = query.cloud_run_function_deleted
   display_columns = local.detection_display_columns
 
-  tags = local.cloud_run_function_common_tags
+  tags = merge(local.cloud_run_function_common_tags, {
+    mitre_attack_ids = "TA0005:T1578.004"
+  })
 }
 
 query "cloud_run_function_deleted" {
@@ -40,4 +43,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.cloud_run_function_common_tags
 }