GCP Audit Logs - Detect Organization Policy Deletion or Updation

Back


Id	205e1c9f-faee-43f1-b3b8-1952ffbbeea4
Rulename	GCP Audit Logs - Detect Organization Policy Deletion or Updation
Description	Detects when a Google Cloud Platform organization policy is deleted or updated. Organization policies provide centralized control over your organization’s cloud resources and help ensure security and compliance. Deletion or modification of org policies may indicate an attempt to bypass security controls or weaken the security posture of GCP projects. Adversaries may delete or update organization policies to disable security constraints before performing malicious activities.
Severity	High
Tactics	DefenseEvasion
Techniques	T1562.001
Required data connectors	GCPAuditLogsDefinition
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPOrgPolicyDeletion.yaml
Version	1.0.0
Arm template	205e1c9f-faee-43f1-b3b8-1952ffbbeea4.json

KQL

GCPAuditLogs
| where ServiceName == "orgpolicy.googleapis.com"
| where MethodName has_any ("OrgPolicy.DeletePolicy", "OrgPolicy.UpdatePolicy")
| extend 
    RequestMetadataJson = parse_json(RequestMetadata),
    AuthInfoJson = parse_json(AuthenticationInfo),
    AuthzInfoJson = parse_json(AuthorizationInfo)
| extend 
    PolicyName = split(GCPResourceName, "/")[-1],
    CallerIpAddress = tostring(RequestMetadataJson.callerIp),
    UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
    AuthEmail = tostring(AuthInfoJson.principalEmail),
    Permission = tostring(AuthzInfoJson[0].permission),
    PermissionGranted = tostring(AuthzInfoJson[0].granted)
| extend 
    AccountName = tostring(split(PrincipalEmail, "@")[0]), 
    AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
          PrincipalEmail,
          AuthEmail,
          ProjectId,
          ResourceName = GCPResourceName,
          PolicyName,
          CallerIpAddress,
          UserAgent,
          MethodName,
          ServiceName,
          Severity,
          Permission,
          PermissionGranted,
          LogName,
          InsertId,
          AccountName,
          AccountUPNSuffix

YAML

name: GCP Audit Logs - Detect Organization Policy Deletion or Updation
relevantTechniques:
- T1562.001
id: 205e1c9f-faee-43f1-b3b8-1952ffbbeea4
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPOrgPolicyDeletion.yaml
requiredDataConnectors:
- dataTypes:
  - GCPAuditLogs
  connectorId: GCPAuditLogsDefinition
version: 1.0.0
severity: High
triggerThreshold: 0
tags:
- GCP
- IAM Organization Policy
- Compliance
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: PrincipalEmail
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: CallerIpAddress
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: ProjectId
  - identifier: InstanceName
    columnName: ResourceName
  entityType: CloudApplication
kind: Scheduled
alertDetailsOverride:
  alertDisplayNameFormat: GCP Organization Policy {{PolicyName}} Deleted by {{PrincipalEmail}}
  alertDescriptionFormat: |-
    Orgnization policy {{PolicyName}} was deleted. This action may weaken security controls and compliance posture.

    Resource: {{ResourceName}}
    Source IP: {{CallerIpAddress}}

    Investigate whether this deletion was authorized and assess the impact on security controls.    
queryFrequency: 1h
status: Available
query: |
  GCPAuditLogs
  | where ServiceName == "orgpolicy.googleapis.com"
  | where MethodName has_any ("OrgPolicy.DeletePolicy", "OrgPolicy.UpdatePolicy")
  | extend 
      RequestMetadataJson = parse_json(RequestMetadata),
      AuthInfoJson = parse_json(AuthenticationInfo),
      AuthzInfoJson = parse_json(AuthorizationInfo)
  | extend 
      PolicyName = split(GCPResourceName, "/")[-1],
      CallerIpAddress = tostring(RequestMetadataJson.callerIp),
      UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
      AuthEmail = tostring(AuthInfoJson.principalEmail),
      Permission = tostring(AuthzInfoJson[0].permission),
      PermissionGranted = tostring(AuthzInfoJson[0].granted)
  | extend 
      AccountName = tostring(split(PrincipalEmail, "@")[0]), 
      AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
  | project TimeGenerated,
            PrincipalEmail,
            AuthEmail,
            ProjectId,
            ResourceName = GCPResourceName,
            PolicyName,
            CallerIpAddress,
            UserAgent,
            MethodName,
            ServiceName,
            Severity,
            Permission,
            PermissionGranted,
            LogName,
            InsertId,
            AccountName,
            AccountUPNSuffix  
tactics:
- DefenseEvasion
customDetails:
  MethodName: MethodName
  UserAgent: UserAgent
  Permission: Permission
  ProjectId: ProjectId
  ResourceName: ResourceName
  PolicyName: PolicyName
description: |
  'Detects when a Google Cloud Platform organization policy is deleted or updated. 
  Organization policies provide centralized control over your organization's cloud resources and help ensure security and compliance.
  Deletion or modification of org policies may indicate an attempt to bypass security controls or weaken the security posture of GCP projects.
  Adversaries may delete or update organization policies to disable security constraints before performing malicious activities.'  
triggerOperator: gt

ARM