
Update filters: GCP, Sophos XG, Windows #2175

Open
JocLRojas wants to merge 3 commits into release/v11.2.9 from feature/update-filters-gcp-sophos-windows

Conversation

@JocLRojas

Contributor

Three independent filter updates, one commit per filter:

  • feat(filters/gcp) — Add support for Cloud Audit Logs. Bumps GCP filter to 2.2.0. Maps protoPayload fields (user, IP, method, service, resource, status) and derives actionResult from the audit status. Without this, GCP audit events were not being normalized.
  • fix(filters/sophos-xg) — Bumps Sophos XG filter to 3.0.6. Adds existence guards so the pipeline doesn't fail when statusCode is absent. Also derives actionResult from log.subType (Denied / Accepted / Allowed).
  • chore(filters/windows) — Maps log.data.SubStatus to extend the existing event-data field set.
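As an added illustration of the first two bullets (not code from this PR or the UTMStack filters, which are YAML), the following Go sketch flattens the Cloud Audit Log protoPayload fields into the normalized names the description mentions and derives actionResult from the audit status; the same dotted-path lookup doubles as the existence guard the Sophos XG fix describes, so a missing field yields ok=false instead of a pipeline failure. The destination field names other than origin.user and actionResult, and the rule "status.code absent or 0 means success", are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed stand-in for a decoded JSON log document.
type Event map[string]any

// Get walks a dotted path such as "protoPayload.status.code"; ok=false on any
// missing segment is the existence guard that stops absent fields failing the pipeline.
func (e Event) Get(path string) (any, bool) {
	var cur any = map[string]any(e)
	for _, seg := range strings.Split(path, ".") {
		m, ok := cur.(map[string]any)
		if !ok {
			return nil, false
		}
		if cur, ok = m[seg]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// NormalizeGCPAudit flattens the protoPayload fields the PR lists. Destination names
// and the success rule (status.code absent or 0) are this example's assumptions.
func NormalizeGCPAudit(e Event) map[string]string {
	out := map[string]string{"actionResult": "success"}
	for dst, src := range map[string]string{
		"origin.user": "protoPayload.authenticationInfo.principalEmail",
		"origin.ip":   "protoPayload.requestMetadata.callerIp",
		"action":      "protoPayload.methodName",
		"service":     "protoPayload.serviceName",
		"resource":    "protoPayload.resourceName",
	} {
		if v, ok := e.Get(src); ok {
			out[dst] = fmt.Sprint(v)
		}
	}
	if code, ok := e.Get("protoPayload.status.code"); ok && code != float64(0) {
		out["actionResult"] = "failure" // JSON numbers decode as float64
	}
	return out
}
```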

@JocLRojas JocLRojas requested a review from a team June 8, 2026 15:37
@github-actions

github-actions Bot commented Jun 8, 2026


❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output
🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./as400:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./as400/updater:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/stats:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/inputs:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/azure:
     - github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.21.1 → v1.22.0
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.23
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.22
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.1
     - github.com/aws/aws-sdk-go-v2/service/sts: v1.42.1 → v1.43.2
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/geolocation:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/alerts:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/o365:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/soc-ai:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/config:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/events:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2: v1.41.7 → v1.41.12
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.23
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.22
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.1
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/gcp:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/bitdefender:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/feeds:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0

  📁 ./plugins/sophos:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/crowdstrike:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent-manager:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sys: v0.45.0 → v0.46.0

  📁 ./utmstack-collector:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

❌ Please update dependencies before merging.

@github-actions

github-actions Bot commented Jun 8, 2026


⚠️ AI review — Changes requested

One or more prompts found issues the author should fix before merging. Details below.

architecture (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: Updates to log parsing filters for GCP, Sophos, and Windows; no architectural or agent-breaking changes detected.

No findings.

⚠️ bugs (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Typo in documentation comment and potential logic error in Sophos filter condition

  • medium filters/google/gcp.yml:4 — Typo: 'Documentations' should be 'Documentation'.
  • high filters/sophos/sophos_xg_firewall.yml:717 — Operator precedence issue: 'exists("statusCode") && (A || B)' is likely intended, but the current expression 'exists("statusCode") && A || B' will evaluate to true if B is true, regardless of whether 'statusCode' exists.

⚠️ security (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Potential information disclosure via mapping of sensitive PII fields (principalEmail) to global origin.user field.

  • medium filters/google/gcp.yml:264 — Mapping log.protoPayload.authenticationInfo.principalEmail to origin.user may cause PII (email addresses) to be stored in non-PII indexed fields, potentially violating privacy policies or exposing user identities in logs.

@utmstackprapprover utmstackprapprover Bot left a comment


Changes requested — see approver comments above.
