Hub query updates (#7)

Co-authored-by: Cody Bruno <cody@turbot.com>
Co-authored-by: Ved misra <47312748+misraved@users.noreply.github.com>

Author: 3 people

dashboards/activity_dashboard.pp

@@ -68,18 +68,24 @@
 # -----------------------------
 
 query "activity_dashboard_total_logs" {
-  title = "Log Count"
+  title       = "Log Count"
+  description = "Count the total log entries."
 
   sql = <<-EOQ
     select
       count(*) as "Total Logs"
     from
       gcp_audit_log;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_project" {
-  title = "Logs by Project"
+  title       = "Logs by Project"
+  description = "Count the total log entries grouped by project."
 
   sql = <<-EOQ
     select
@@ -95,10 +101,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_type" {
-  title = "Logs by Type"
+  title       = "Logs by Type"
+  description = "Count the total log entries grouped by type."
 
   sql = <<-EOQ
     select
@@ -114,10 +125,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_service" {
-  title = "Logs by Service"
+  title       = "Top 10 Services"
+  description = "List the top 10 services by frequency."
 
   sql = <<-EOQ
     select
@@ -133,10 +149,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_event" {
-  title = "Top 10 Events"
+  title       = "Top 10 Events"
+  description = "List the 10 most frequently called events."
 
   sql = <<-EOQ
     select
@@ -152,10 +173,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_actor" {
-  title = "Top 10 Actors"
+  title       = "Top 10 Actors"
+  description = "List the 10 most active actors."
 
   sql = <<-EOQ
     select
@@ -171,10 +197,15 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }
 
 query "activity_dashboard_logs_by_source_ip" {
-  title = "Top 10 Source IPs"
+  title       = "Top 10 Source IPs (Excluding GCP Internal)"
+  description = "List the 10 most active source IPs, excluding events from GCP internal."
 
   sql = <<-EOQ
     select
@@ -191,4 +222,8 @@
       count(*) desc
     limit 10;
   EOQ
+
+  tags = {
+    folder = "Project"
+  }
 }

detections/access_context_manager.pp

@@ -1,5 +1,6 @@
 locals {
   access_context_manager_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "Access Context Manager"
     service = "GCP/AccessContextManager"
   })
 
@@ -57,6 +58,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.access_context_manager_common_tags
 }
 
 query "access_context_manager_access_level_deleted" {
@@ -71,4 +74,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.access_context_manager_common_tags
 }

detections/apigee.pp

@@ -1,5 +1,6 @@
 locals {
   apigee_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "Apigee"
     service = "GCP/Apigee"
   })
 }
@@ -42,4 +43,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.apigee_common_tags
 }

detections/app_engine.pp

@@ -1,5 +1,6 @@
 locals {
   app_engine_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "App Engine"
     service = "GCP/AppEngine"
   })
 }
@@ -70,6 +71,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.app_engine_common_tags
 }
 
 query "app_engine_firewall_ingress_rule_updated" {
@@ -84,6 +87,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.app_engine_common_tags
 }
 
 query "app_engine_firewall_ingress_rule_deleted" {
@@ -98,4 +103,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.app_engine_common_tags
 }

detections/artifact_registry.pp

@@ -1,5 +1,6 @@
 locals {
   artifact_registry_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "Artifact Registry"
     service = "GCP/ArtifactRegistry"
   })
 }
@@ -55,6 +56,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.artifact_registry_common_tags
 }
 
 query "artifact_registry_repository_deleted" {
@@ -69,4 +72,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.artifact_registry_common_tags
 }

detections/cloud_run.pp

@@ -1,5 +1,6 @@
 locals {
   cloud_run_function_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "Cloud Run Function"
     service = "GCP/CloudRunFunction"
   })
 }
@@ -42,4 +43,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.cloud_run_function_common_tags
 }

detections/compute.pp

@@ -1,5 +1,6 @@
 locals {
   compute_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "Compute"
     service = "GCP/Compute"
   })
 
@@ -127,6 +128,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.compute_common_tags
 }
 
 query "compute_vpn_tunnel_deleted" {
@@ -141,6 +144,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.compute_common_tags
 }
 
 query "compute_image_iam_policy_set" {
@@ -155,6 +160,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.compute_common_tags
 }
 
 query "compute_disk_iam_policy_set" {
@@ -169,6 +176,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.compute_common_tags
 }
 
 query "compute_snapshot_iam_policy_set" {
@@ -183,6 +192,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.compute_common_tags
 }
 
 query "compute_instance_with_public_network_interface" {
@@ -219,6 +230,8 @@
       order by
         timestamp desc;
   EOQ
+
+  tags = local.compute_common_tags
 }
 
 query "compute_subnetwork_flow_logs_disabled" {
@@ -234,4 +247,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.compute_common_tags
 }

detections/dlp.pp

@@ -1,5 +1,6 @@
 locals {
   dlp_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "DLP"
     service = "GCP/DLP"
   })
 }
@@ -42,4 +43,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.dlp_common_tags
 }

detections/dns.pp

@@ -1,5 +1,6 @@
 locals {
   dns_common_tags = merge(local.gcp_audit_log_detections_common_tags, {
+    folder  = "DNS"
     service = "GCP/DNS"
   })
 
@@ -86,6 +87,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.dns_common_tags
 }
 
 query "dns_managed_zone_updated" {
@@ -100,6 +103,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.dns_common_tags
 }
 
 query "dns_record_set_updated" {
@@ -114,6 +119,8 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.dns_common_tags
 }
 
 query "dns_record_set_deleted" {
@@ -128,4 +135,6 @@
     order by
       timestamp desc;
   EOQ
+
+  tags = local.dns_common_tags
 }