From e5806f61ef71c6351ca2f65157963042f06e2287 Mon Sep 17 00:00:00 2001
From: JocLRojas
Date: Mon, 8 Jun 2026 18:28:43 +0300
Subject: [PATCH 1/3] feat(filters/gcp): add Cloud Audit Logs (protoPayload) support
---
 filters/google/gcp.yml | 107 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 105 insertions(+), 2 deletions(-)
diff --git a/filters/google/gcp.yml b/filters/google/gcp.yml
index b945ae337..b096faedb 100644
--- a/filters/google/gcp.yml
+++ b/filters/google/gcp.yml
@@ -1,7 +1,8 @@
-# GCP filter, version 2.1.2
-#
+# GCP filter, version 2.2.0
+#
 # Documentations
 # 1- https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry
+# 2- https://cloud.google.com/logging/docs/audit (protoPayload / AuditLog)
 
 pipeline:
 - dataTypes:
@@ -251,6 +252,75 @@ pipeline:
 - log.resource.type
 to: log.resourceType
 
+ # .......................................................................#
+ # Renaming protoPayload fields (Cloud Audit Logs — AuditLog message)
+ # .......................................................................#
+ # NOTE: log.protoPayload.@type is NOT renamed here. The engine treats
+ # paths containing '@' as complex and the rename plugin errors with
+ # "cannot delete value from a complex path". The whole log.protoPayload
+ # subtree is dropped in the final delete step, so the field is cleaned
+ # up implicitly. We use log.protoPayloadMethodName (always present in
+ # AuditLog) as the discriminator for protoPayload-derived actionResult.
+ - rename:
+ from:
+ - log.protoPayload.authenticationInfo.principalEmail
+ to: origin.user
+
+ - rename:
+ from:
+ - log.protoPayload.authenticationInfo.principalSubject
+ to: log.protoPayloadPrincipalSubject
+
+ - rename:
+ from:
+ - log.protoPayload.authenticationInfo.oauthInfo.oauthClientId
+ to: log.protoPayloadOauthClientId
+
+ - rename:
+ from:
+ - log.protoPayload.requestMetadata.callerIp
+ to: origin.ip
+
+ - rename:
+ from:
+ - log.protoPayload.requestMetadata.callerSuppliedUserAgent
+ to: log.httpUserAgent
+
+ - rename:
+ from:
+ - log.protoPayload.methodName
+ to: log.protoPayloadMethodName
+
+ - rename:
+ from:
+ - log.protoPayload.serviceName
+ to: log.protoPayloadServiceName
+
+ - rename:
+ from:
+ - log.protoPayload.resourceName
+ to: log.protoPayloadResourceName
+
+ - rename:
+ from:
+ - log.protoPayload.resourceLocation.currentLocations
+ to: log.protoPayloadResourceLocation
+
+ - rename:
+ from:
+ - log.protoPayload.authorizationInfo
+ to: log.protoPayloadAuthorizationInfo
+
+ - rename:
+ from:
+ - log.protoPayload.status.code
+ to: log.protoPayloadStatusCode
+
+ - rename:
+ from:
+ - log.protoPayload.status.message
+ to: log.protoPayloadStatusMessage
+
 # .......................................................................#
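Review bot: The twelve new rename steps in this hunk run unconditionally, while the second patch in this series adds `where: exists(...)` guards to Sophos renames precisely because the source field can be missing; if the engine behaves the same way here, every non-audit entry (which has no protoPayload at all) hits the same problem starting at `log.protoPayload.authenticationInfo.principalEmail`, so each step should carry a guard such as `where: exists("log.protoPayload.authenticationInfo.principalEmail")`. A second concern is the `requestMetadata.callerIp` → `origin.ip` rename: per the AuditLog RequestMetadata documentation, callerIp is redacted to the literal strings `private` or `gce-internal-ip` for service-to-service and internal-VM callers, and the geolocation step later in this file runs on `origin.ip`, so those placeholders should be kept out of it, e.g. `where: '!equals("log.protoPayload.requestMetadata.callerIp", "private") && !equals("log.protoPayload.requestMetadata.callerIp", "gce-internal-ip")'`. Whether the engine errors or silently skips a rename whose source is absent cannot be confirmed from this hunk alone.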
# Renaming operation field
 # .......................................................................#
@@ -303,6 +373,11 @@ pipeline:
 - statusCode
 to: int
 
+ - cast:
+ fields:
+ - log.protoPayloadStatusCode
+ to: int
+
 # Adding severity field based on log.severity
 - add:
 function: "string"
@@ -383,6 +458,34 @@ pipeline:
 value: "denied"
 where: equals("log.jsonPayloadEnforcedEdgeSecurityPolicyOutcome", "DENY")
 
+ # Adding actionResult for Cloud Audit Logs (protoPayload):
+ # In GCP AuditLog, status.code follows google.rpc.Code — 0/absent = OK,
+ # any non-zero code = error. We only apply this when the event is an
+ # AuditLog (log.protoPayloadMethodName is always present in AuditLog;
+ # used as discriminator since log.protoPayload.@type can't be renamed
+ # due to the '@' character) so non-audit logs keep their existing
+ # actionResult derivation.
+ - add:
+ function: "string"
+ params:
+ key: actionResult
+ value: "success"
+ where: 'exists("log.protoPayloadMethodName") && !exists("log.protoPayloadStatusCode")'
+
+ - add:
+ function: "string"
+ params:
+ key: actionResult
+ value: "success"
+ where: 'exists("log.protoPayloadMethodName") && equals("log.protoPayloadStatusCode", 0)'
+
+ - add:
+ function: "string"
+ params:
+ key: actionResult
+ value: "failure"
+ where: 'exists("log.protoPayloadMethodName") && greaterThan("log.protoPayloadStatusCode", 0)'
+
 # Adding geolocation to origin.ip
 - dynamic:
 plugin: com.utmstack.geolocation
From b8efe2b6a7318c0e73dc10a76f064fd9d349bc68 Mon Sep 17 00:00:00 2001
From: JocLRojas
Date: Mon, 8 Jun 2026 18:28:50 +0300
Subject: [PATCH 2/3] fix(filters/sophos-xg): guard renames and actionResult against missing fields
---
 filters/sophos/sophos_xg_firewall.yml | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/filters/sophos/sophos_xg_firewall.yml b/filters/sophos/sophos_xg_firewall.yml
index 1feb4926e..25f5a8ce5 100644
--- a/filters/sophos/sophos_xg_firewall.yml
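Review bot: The three new actionResult rules in the -383 hunk wrap their `where` expressions in single quotes, while every other `where` in the surrounding code (`where: equals("log.jsonPayloadEnforcedEdgeSecurityPolicyOutcome", "DENY")` just above, and the `where` lines added to the Sophos filter in this series) is a plain scalar; none of these expressions starts with a YAML indicator, so the quotes are unnecessary and leave the file with two styles. The first two rules also split one condition in two and could be a single step: `where: exists("log.protoPayloadMethodName") && (!exists("log.protoPayloadStatusCode") || equals("log.protoPayloadStatusCode", 0))`. The `cast` added in the -303 hunk sits earlier in the file, so, assuming steps run in file order, the `equals(..., 0)` and `greaterThan(..., 0)` comparisons see an integer rather than a string, which the comment block above the rules could state in one line.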
+++ b/filters/sophos/sophos_xg_firewall.yml
@@ -1,4 +1,4 @@
-# Sophos_XG filter, version 3.0.5
+# Sophos_XG filter, version 3.0.6
 # Supports SF 20.0 version log types
 # See manual: https://docs.sophos.com/nsg/sophos-firewall/20.0/pdf/sf-syslog-guide-20.0.pdf
 # and documentation https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/TroubleshootingLogs/LogFileDetails/index.html#https-ftp-waf
@@ -318,6 +318,7 @@ pipeline:
 from:
 - log.statuscode
 to: log.statusCode
+ where: exists("log.statuscode")
 
 - rename:
 from:
@@ -682,11 +683,27 @@ pipeline:
 - origin.bytesSent
 to: float
 
+ # Adding actionResult based on log.subtype value
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'denied'
+ where: exists("log.subType") && equals("log.subType", "Denied")
+
+ - add:
+ function: 'string'
+ params:
+ key: actionResult
+ value: 'accepted'
+ where: exists("log.subType") && equals("log.subType", "Accepted") || equals("log.subType", "Allowed")
+
 # Renaming "log.statusCode" to "statusCode" to add it to the event structure
 - rename:
 from:
 - log.statusCode
 to: statusCode
+ where: exists("log.statusCode")
 
 # Adding actionResult
 # denied by default
@@ -695,13 +712,14 @@ pipeline:
 params:
 key: actionResult
 value: 'denied'
+ where: exists("statusCode")
 
 - add:
 function: 'string'
 params:
 key: actionResult
 value: 'accepted'
- where: (greaterOrEqual("statusCode", 200) && lessOrEqual("statusCode", 299)) || (greaterOrEqual("statusCode", 300) && lessOrEqual("statusCode", 399) && greaterThan("origin.bytesReceived", 0))
+ where: exists("statusCode") && (greaterOrEqual("statusCode", 200) && lessOrEqual("statusCode", 299)) || (greaterOrEqual("statusCode", 300) && lessOrEqual("statusCode", 399) && greaterThan("origin.bytesReceived", 0))
 
 # Removing unused fields
 - delete:
From 0e065b2ca4391110ed13bbf68698e45fbf00cd18 Mon Sep 17 00:00:00 2001
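Review bot: In the -682 hunk, the new `where: exists("log.subType") && equals("log.subType", "Accepted") || equals("log.subType", "Allowed")` only guards the `Accepted` branch if the evaluator gives `&&` the usual higher precedence than `||`; the `Allowed` comparison then runs with no `exists` guard at all, which is the situation the commit title says it fixes. The -695 hunk has the same shape, `exists("statusCode") && (...2xx...) || (...3xx...)`, leaving the 3xx branch outside the guard. Parenthesize the alternatives: `where: exists("log.subType") && (equals("log.subType", "Accepted") || equals("log.subType", "Allowed"))` and `where: exists("statusCode") && ((greaterOrEqual("statusCode", 200) && lessOrEqual("statusCode", 299)) || (greaterOrEqual("statusCode", 300) && lessOrEqual("statusCode", 399) && greaterThan("origin.bytesReceived", 0)))`. Note also that the subType-based rules sit before the statusCode-based ones, so an event carrying both fields presumably ends with the statusCode-derived value ("denied" by default); if that is intended, a one-line comment saying so would help, and the comment `# Adding actionResult based on log.subtype value` names the field as `subtype` while the rules read `log.subType`.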
From: JocLRojas
Date: Mon, 8 Jun 2026 18:28:51 +0300
Subject: [PATCH 3/3] chore(filters/windows): rename log.data.SubStatus field
---
 filters/windows/windows-events.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/filters/windows/windows-events.yml b/filters/windows/windows-events.yml
index 0b277730c..a8dcceb73 100644
--- a/filters/windows/windows-events.yml
+++ b/filters/windows/windows-events.yml
@@ -45,6 +45,11 @@ pipeline:
 - log.data.SubjectUserSid
 to: log.eventDataSubjectUserSid
 
+ - rename:
+ from:
+ - log.data.SubStatus
+ to: log.eventDataSubStatus
+
 - rename:
 from:
 - log.data.PrivilegeList
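Review bot: The new `log.data.SubStatus` rename carries no comment, and unlike the neighbouring `SubjectUserSid` and `PrivilegeList` fields its meaning is not obvious from the name; SubStatus is the NTSTATUS sub-reason attached to failed-logon events (4625), the value analysts use to tell a bad password from an unknown or disabled account. A one-line comment above the step, `# SubStatus: NTSTATUS sub-reason of a failed logon (event 4625); keep as string`, would make that explicit. The hunk correctly adds no cast for it, since the value is a hex string.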