falcosecurity · poiana · Feb 12, 2026 · Feb 11, 2026
diff --git a/plugins/gcpaudit/README.md b/plugins/gcpaudit/README.md
@@ -87,33 +87,33 @@ For more details about what Cloud logging log queries, see the [GCP official doc
 # Supported Fields
 
 <!-- README-PLUGIN-FIELDS -->
-|             NAME              |   TYPE   | ARG  |                   DESCRIPTION                   |
-|-------------------------------|----------|------|-------------------------------------------------|
-| `gcp.user`                    | `string` | None | GCP principal email who committed the action    |
-| `gcp.callerIP`                | `string` | None | GCP principal caller IP                         |
-| `gcp.userAgent`               | `string` | None | GCP principal caller useragent                  |
-| `gcp.authorizationInfo`       | `string` | None | GCP authorization information affected resource |
-| `gcp.serviceName`             | `string` | None | GCP API service name                            |
-| `gcp.policyDelta`             | `string` | None | GCP service resource access policy              |
-| `gcp.request`                 | `string` | None | GCP API raw request                             |
-| `gcp.methodName`              | `string` | None | GCP API service method executed                 |
-| `gcp.cloudfunctions.function` | `string` | None | GCF name                                        |
-| `gcp.cloudsql.databaseId`     | `string` | None | GCP SQL database ID                             |
-| `gcp.compute.instanceId`      | `string` | None | GCE instance ID                                 |
-| `gcp.compute.networkId`       | `string` | None | GCP network ID                                  |
-| `gcp.compute.subnetwork`      | `string` | None | GCP subnetwork name                             |
-| `gcp.compute.subnetworkId`    | `string` | None | GCP subnetwork ID                               |
-| `gcp.dns.zone`                | `string` | None | GCP DNS zoned                                   |
-| `gcp.iam.serviceAccount`      | `string` | None | GCP service account                             |
-| `gcp.iam.serviceAccountId`    | `string` | None | GCP IAM unique ID                               |
-| `gcp.location`                | `string` | None | GCP region                                      |
-| `gcp.logging.sink`            | `string` | None | GCP logging sink                                |
-| `gcp.projectId`               | `string` | None | GCP project ID                                  |
-| `gcp.resourceName`            | `string` | None | GCP resource name                               |
-| `gcp.resourceType`            | `string` | None | GCP resource type                               |
-| `gcp.resourceLabels`          | `string` | None | GCP resource labels                             |
-| `gcp.storage.bucket`          | `string` | None | GCP bucket name                                 |
-| `gcp.time`                    | `string` | None | Timestamp of the event in RFC3339 format        |
+|             NAME              |   TYPE   | ARG  |               DESCRIPTION                |
+|-------------------------------|----------|------|------------------------------------------|
+| `gcp.user`                    | `string` | None | GCP principal, actor of the action       |
+| `gcp.callerIP`                | `string` | None | Actor's IP                               |
+| `gcp.userAgent`               | `string` | None | Actor's User Agent                       |
+| `gcp.authorizationInfo`       | `string` | None | GCP authorization (JSON)                 |
+| `gcp.serviceName`             | `string` | None | GCP API service name                     |
+| `gcp.policyDelta`             | `string` | None | GCP service resource access policy delta |
+| `gcp.request`                 | `string` | None | GCP API raw request (JSON)               |
+| `gcp.methodName`              | `string` | None | GCP API service method executed          |
+| `gcp.cloudfunctions.function` | `string` | None | GCF name                                 |
+| `gcp.cloudsql.databaseId`     | `string` | None | GCP SQL database ID                      |
+| `gcp.compute.instanceId`      | `string` | None | GCE instance ID                          |
+| `gcp.compute.networkId`       | `string` | None | GCP network ID                           |
+| `gcp.compute.subnetwork`      | `string` | None | GCP subnetwork name                      |
+| `gcp.compute.subnetworkId`    | `string` | None | GCP subnetwork ID                        |
+| `gcp.dns.zone`                | `string` | None | GCP DNS zone                             |
+| `gcp.iam.serviceAccount`      | `string` | None | GCP service account                      |
+| `gcp.iam.serviceAccountId`    | `string` | None | GCP IAM unique ID                        |
+| `gcp.location`                | `string` | None | GCP region                               |
+| `gcp.logging.sink`            | `string` | None | GCP logging sink                         |
+| `gcp.projectId`               | `string` | None | GCP project ID                           |
+| `gcp.resourceName`            | `string` | None | GCP resource name                        |
+| `gcp.resourceType`            | `string` | None | GCP resource type                        |
+| `gcp.resourceLabels`          | `string` | None | GCP resource labels (JSON)               |
+| `gcp.storage.bucket`          | `string` | None | GCP bucket name                          |
+| `gcp.time`                    | `string` | None | Timestamp of the event in RFC3339 format |
 <!-- /README-PLUGIN-FIELDS -->
 
 # Development

diff --git a/plugins/gcpaudit/pkg/gcpaudit/extract.go b/plugins/gcpaudit/pkg/gcpaudit/extract.go
@@ -27,29 +27,29 @@ import (
 
 func (p *Plugin) Fields() []sdk.FieldEntry {
 	return []sdk.FieldEntry{
-		{Type: "string", Name: "gcp.user", Display: "User", Desc: "GCP principal email who committed the action"},
-		{Type: "string", Name: "gcp.callerIP", Display: "Caller IP", Desc: "GCP principal caller IP"},
-		{Type: "string", Name: "gcp.userAgent", Display: "User Agent", Desc: "GCP principal caller useragent"},
-		{Type: "string", Name: "gcp.authorizationInfo", Display: "Authorization Info", Desc: "GCP authorization information affected resource"},
+		{Type: "string", Name: "gcp.user", Display: "User", Desc: "GCP principal, actor of the action"},
+		{Type: "string", Name: "gcp.callerIP", Display: "Caller IP", Desc: "Actor's IP"},
+		{Type: "string", Name: "gcp.userAgent", Display: "User Agent", Desc: "Actor's User Agent"},
+		{Type: "string", Name: "gcp.authorizationInfo", Display: "Authorization Info", Desc: "GCP authorization (JSON)"},
 		{Type: "string", Name: "gcp.serviceName", Display: "Service Name", Desc: "GCP API service name"},
-		{Type: "string", Name: "gcp.policyDelta", Display: "Policy", Desc: "GCP service resource access policy"},
-		{Type: "string", Name: "gcp.request", Display: "Request", Desc: "GCP API raw request"},
+		{Type: "string", Name: "gcp.policyDelta", Display: "Policy", Desc: "GCP service resource access policy delta"},
+		{Type: "string", Name: "gcp.request", Display: "Request", Desc: "GCP API raw request (JSON)"},
 		{Type: "string", Name: "gcp.methodName", Display: "Method", Desc: "GCP API service method executed"},
 		{Type: "string", Name: "gcp.cloudfunctions.function", Display: "Function Name", Desc: "GCF name"},
 		{Type: "string", Name: "gcp.cloudsql.databaseId", Display: "Database ID", Desc: "GCP SQL database ID"},
 		{Type: "string", Name: "gcp.compute.instanceId", Display: "Instance ID", Desc: "GCE instance ID"},
 		{Type: "string", Name: "gcp.compute.networkId", Display: "Network ID", Desc: "GCP network ID"},
 		{Type: "string", Name: "gcp.compute.subnetwork", Display: "Subnetwork Name", Desc: "GCP subnetwork name"},
 		{Type: "string", Name: "gcp.compute.subnetworkId", Display: "Subnetwork ID", Desc: "GCP subnetwork ID"},
-		{Type: "string", Name: "gcp.dns.zone", Display: "DNS Zone", Desc: "GCP DNS zoned"},
+		{Type: "string", Name: "gcp.dns.zone", Display: "DNS Zone", Desc: "GCP DNS zone"},
 		{Type: "string", Name: "gcp.iam.serviceAccount", Display: "Service Account", Desc: "GCP service account"},
 		{Type: "string", Name: "gcp.iam.serviceAccountId", Display: "Service Account ID", Desc: "GCP IAM unique ID"},
 		{Type: "string", Name: "gcp.location", Display: "Location", Desc: "GCP region"},
 		{Type: "string", Name: "gcp.logging.sink", Display: "Sink", Desc: "GCP logging sink"},
 		{Type: "string", Name: "gcp.projectId", Display: "Project ID", Desc: "GCP project ID"},
 		{Type: "string", Name: "gcp.resourceName", Display: "Resource Name", Desc: "GCP resource name"},
 		{Type: "string", Name: "gcp.resourceType", Display: "Resource Type", Desc: "GCP resource type"},
-		{Type: "string", Name: "gcp.resourceLabels", Display: "Resource Labels", Desc: "GCP resource labels"},
+		{Type: "string", Name: "gcp.resourceLabels", Display: "Resource Labels", Desc: "GCP resource labels (JSON)"},
 		{Type: "string", Name: "gcp.storage.bucket", Display: "Bucket Name", Desc: "GCP bucket name"},
 		{Type: "string", Name: "gcp.time", Display: "Timestamp of the event", Desc: "Timestamp of the event in RFC3339 format"},
 	}