Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP Audit Logs - Detect Organization Policy Deletion or Updation

GCP Audit Logs - Detect Organization Policy Deletion or Updation

Back
Id205e1c9f-faee-43f1-b3b8-1952ffbbeea4
RulenameGCP Audit Logs - Detect Organization Policy Deletion or Updation
DescriptionDetects when a Google Cloud Platform organization policy is deleted or updated.

Organization policies provide centralized control over your organization’s cloud resources and help ensure security and compliance.

Deletion or modification of org policies may indicate an attempt to bypass security controls or weaken the security posture of GCP projects.

Adversaries may delete or update organization policies to disable security constraints before performing malicious activities.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562.001
Required data connectorsGCPAuditLogsDefinition
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPOrgPolicyDeletion.yaml
Version1.0.0
Arm template205e1c9f-faee-43f1-b3b8-1952ffbbeea4.json
Deploy To Azure
GCPAuditLogs
| where ServiceName == "orgpolicy.googleapis.com"
| where MethodName has_any ("OrgPolicy.DeletePolicy", "OrgPolicy.UpdatePolicy")
| extend 
    RequestMetadataJson = parse_json(RequestMetadata),
    AuthInfoJson = parse_json(AuthenticationInfo),
    AuthzInfoJson = parse_json(AuthorizationInfo)
| extend 
    PolicyName = split(GCPResourceName, "/")[-1],
    CallerIpAddress = tostring(RequestMetadataJson.callerIp),
    UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
    AuthEmail = tostring(AuthInfoJson.principalEmail),
    Permission = tostring(AuthzInfoJson[0].permission),
    PermissionGranted = tostring(AuthzInfoJson[0].granted)
| extend 
    AccountName = tostring(split(PrincipalEmail, "@")[0]), 
    AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
          PrincipalEmail,
          AuthEmail,
          ProjectId,
          ResourceName = GCPResourceName,
          PolicyName,
          CallerIpAddress,
          UserAgent,
          MethodName,
          ServiceName,
          Severity,
          Permission,
          PermissionGranted,
          LogName,
          InsertId,
          AccountName,
          AccountUPNSuffix

name: GCP Audit Logs - Detect Organization Policy Deletion or Updation
query: |
  GCPAuditLogs
  | where ServiceName == "orgpolicy.googleapis.com"
  | where MethodName has_any ("OrgPolicy.DeletePolicy", "OrgPolicy.UpdatePolicy")
  | extend 
      RequestMetadataJson = parse_json(RequestMetadata),
      AuthInfoJson = parse_json(AuthenticationInfo),
      AuthzInfoJson = parse_json(AuthorizationInfo)
  | extend 
      PolicyName = split(GCPResourceName, "/")[-1],
      CallerIpAddress = tostring(RequestMetadataJson.callerIp),
      UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
      AuthEmail = tostring(AuthInfoJson.principalEmail),
      Permission = tostring(AuthzInfoJson[0].permission),
      PermissionGranted = tostring(AuthzInfoJson[0].granted)
  | extend 
      AccountName = tostring(split(PrincipalEmail, "@")[0]), 
      AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
  | project TimeGenerated,
            PrincipalEmail,
            AuthEmail,
            ProjectId,
            ResourceName = GCPResourceName,
            PolicyName,
            CallerIpAddress,
            UserAgent,
            MethodName,
            ServiceName,
            Severity,
            Permission,
            PermissionGranted,
            LogName,
            InsertId,
            AccountName,
            AccountUPNSuffix  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: PrincipalEmail
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: CallerIpAddress
    identifier: Address
- entityType: CloudApplication
  fieldMappings:
  - columnName: ProjectId
    identifier: Name
  - columnName: ResourceName
    identifier: InstanceName
queryPeriod: 1h
version: 1.0.0
tactics:
- DefenseEvasion
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPOrgPolicyDeletion.yaml
alertDetailsOverride:
  alertDescriptionFormat: |-
    Orgnization policy {{PolicyName}} was deleted. This action may weaken security controls and compliance posture.

    Resource: {{ResourceName}}
    Source IP: {{CallerIpAddress}}

    Investigate whether this deletion was authorized and assess the impact on security controls.    
  alertDisplayNameFormat: GCP Organization Policy {{PolicyName}} Deleted by {{PrincipalEmail}}
relevantTechniques:
- T1562.001
id: 205e1c9f-faee-43f1-b3b8-1952ffbbeea4
tags:
- GCP
- IAM Organization Policy
- Compliance
severity: High
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
  dataTypes:
  - GCPAuditLogs
status: Available
description: |
  'Detects when a Google Cloud Platform organization policy is deleted or updated. 
  Organization policies provide centralized control over your organization's cloud resources and help ensure security and compliance.
  Deletion or modification of org policies may indicate an attempt to bypass security controls or weaken the security posture of GCP projects.
  Adversaries may delete or update organization policies to disable security constraints before performing malicious activities.'  
customDetails:
  UserAgent: UserAgent
  ProjectId: ProjectId
  ResourceName: ResourceName
  PolicyName: PolicyName
  MethodName: MethodName
  Permission: Permission
queryFrequency: 1h