fix(rule/google): changing 'exists(log.protoPayload.request.policy.auditConfigs)' to 'exists(log.protoPayload.request.policy.bindings) to improve detection logic

developutm · developutm · commit e1672e8206b3 · 2026-06-09T18:41:53.000Z
diff --git a/rules/cloud/google/gcp_iam_policy_changed.yml b/rules/cloud/google/gcp_iam_policy_changed.yml
@@ -27,4 +27,4 @@ description: |
 where: |
   oneof("log.protoPayloadServiceName", ["cloudresourcemanager.googleapis.com", "pubsub.googleapis.com"]) &&
   oneof("log.protoPayloadMethodName", ["SetIamPolicy", "google.iam.v1.IAMPolicy.SetIamPolicy"]) &&
-  exists("log.protoPayload.request.policy.auditConfigs") && contains("log.logName", "activity") && exists("origin.user")
+  exists("log.protoPayload.request.policy.bindings") && contains("log.logName", "activity") && exists("origin.user")
