GCP Audit Logs - Detect Organization Policy Deletion or Updation

Back


Id	205e1c9f-faee-43f1-b3b8-1952ffbbeea4
Rulename	GCP Audit Logs - Detect Organization Policy Deletion or Updation
Description	Detects when a Google Cloud Platform organization policy is deleted or updated. Organization policies provide centralized control over your organization’s cloud resources and help ensure security and compliance. Deletion or modification of org policies may indicate an attempt to bypass security controls or weaken the security posture of GCP projects. Adversaries may delete or update organization policies to disable security constraints before performing malicious activities.
Severity	High
Tactics	DefenseEvasion
Techniques	T1562.001
Required data connectors	GCPAuditLogsDefinition
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPOrgPolicyDeletion.yaml
Version	1.0.0
Arm template	205e1c9f-faee-43f1-b3b8-1952ffbbeea4.json

KQL

GCPAuditLogs
| where ServiceName == "orgpolicy.googleapis.com"
| where MethodName has_any ("OrgPolicy.DeletePolicy", "OrgPolicy.UpdatePolicy")
| extend 
    RequestMetadataJson = parse_json(RequestMetadata),
    AuthInfoJson = parse_json(AuthenticationInfo),
    AuthzInfoJson = parse_json(AuthorizationInfo)
| extend 
    PolicyName = split(GCPResourceName, "/")[-1],
    CallerIpAddress = tostring(RequestMetadataJson.callerIp),
    UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
    AuthEmail = tostring(AuthInfoJson.principalEmail),
    Permission = tostring(AuthzInfoJson[0].permission),
    PermissionGranted = tostring(AuthzInfoJson[0].granted)
| extend 
    AccountName = tostring(split(PrincipalEmail, "@")[0]), 
    AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
          PrincipalEmail,
          AuthEmail,
          ProjectId,
          ResourceName = GCPResourceName,
          PolicyName,
          CallerIpAddress,
          UserAgent,
          MethodName,
          ServiceName,
          Severity,
          Permission,
          PermissionGranted,
          LogName,
          InsertId,
          AccountName,
          AccountUPNSuffix

YAML

tags:
- GCP
- IAM Organization Policy
- Compliance
queryFrequency: 1h
kind: Scheduled
version: 1.0.0
relevantTechniques:
- T1562.001
alertDetailsOverride:
  alertDisplayNameFormat: GCP Organization Policy {{PolicyName}} Deleted by {{PrincipalEmail}}
  alertDescriptionFormat: |-
    Orgnization policy {{PolicyName}} was deleted. This action may weaken security controls and compliance posture.

    Resource: {{ResourceName}}
    Source IP: {{CallerIpAddress}}

    Investigate whether this deletion was authorized and assess the impact on security controls.    
triggerOperator: gt
customDetails:
  ProjectId: ProjectId
  Permission: Permission
  UserAgent: UserAgent
  ResourceName: ResourceName
  PolicyName: PolicyName
  MethodName: MethodName
status: Available
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
  dataTypes:
  - GCPAuditLogs
id: 205e1c9f-faee-43f1-b3b8-1952ffbbeea4
name: GCP Audit Logs - Detect Organization Policy Deletion or Updation
query: |
  GCPAuditLogs
  | where ServiceName == "orgpolicy.googleapis.com"
  | where MethodName has_any ("OrgPolicy.DeletePolicy", "OrgPolicy.UpdatePolicy")
  | extend 
      RequestMetadataJson = parse_json(RequestMetadata),
      AuthInfoJson = parse_json(AuthenticationInfo),
      AuthzInfoJson = parse_json(AuthorizationInfo)
  | extend 
      PolicyName = split(GCPResourceName, "/")[-1],
      CallerIpAddress = tostring(RequestMetadataJson.callerIp),
      UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
      AuthEmail = tostring(AuthInfoJson.principalEmail),
      Permission = tostring(AuthzInfoJson[0].permission),
      PermissionGranted = tostring(AuthzInfoJson[0].granted)
  | extend 
      AccountName = tostring(split(PrincipalEmail, "@")[0]), 
      AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
  | project TimeGenerated,
            PrincipalEmail,
            AuthEmail,
            ProjectId,
            ResourceName = GCPResourceName,
            PolicyName,
            CallerIpAddress,
            UserAgent,
            MethodName,
            ServiceName,
            Severity,
            Permission,
            PermissionGranted,
            LogName,
            InsertId,
            AccountName,
            AccountUPNSuffix  
queryPeriod: 1h
triggerThreshold: 0
description: |
  'Detects when a Google Cloud Platform organization policy is deleted or updated. 
  Organization policies provide centralized control over your organization's cloud resources and help ensure security and compliance.
  Deletion or modification of org policies may indicate an attempt to bypass security controls or weaken the security posture of GCP projects.
  Adversaries may delete or update organization policies to disable security constraints before performing malicious activities.'  
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: PrincipalEmail
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: CallerIpAddress
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: ProjectId
  - identifier: InstanceName
    columnName: ResourceName
severity: High
tactics:
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPOrgPolicyDeletion.yaml

ARM