Microsoft Sentinel Analytic Rules

GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone

Id: 9129a43e-e204-4a9a-969e-d8861ce3437c
Rulename: GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone
Description: Detects when DNSSEC (DNS Security Extensions) is disabled on a Google Cloud DNS managed zone. DNSSEC provides cryptographic authentication of DNS data, preventing DNS spoofing and cache poisoning attacks. Adversaries may disable DNSSEC to enable DNS-based command and control, phishing campaigns, or to redirect traffic to malicious infrastructure without cryptographic validation. This rule monitors DNS zone patch operations where DNSSEC state changes from ON to OFF.
Severity: High
Tactics: DefenseEvasion, CommandAndControl, ResourceDevelopment
Techniques: T1562.001, T1071.004, T1584.002
Required data connectors: GCPAuditLogsDefinition
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPDNSSECDisabledForDNSZone.yaml
Version: 1.0.0
Arm template: 9129a43e-e204-4a9a-969e-d8861ce3437c.json
Query:
GCPAuditLogs
| where ServiceName == "dns.googleapis.com"
| where MethodName in ("dns.managedZones.update", "dns.managedZones.patch")
| where GCPResourceType == "dns_managed_zone" and Severity == "NOTICE"
| extend 
    ResponseJson = parse_json(Response),
    RequestMetadataJson = parse_json(RequestMetadata),
    AuthInfoJson = parse_json(AuthenticationInfo)
| extend ZoneContext = ResponseJson.operation.zoneContext
| where isnotempty(ZoneContext)
| extend 
    OldDnsSecState = tostring(ZoneContext.oldValue.dnssecConfig.state),
    NewDnsSecState = tostring(ZoneContext.newValue.dnssecConfig.state)
| where OldDnsSecState == "ON" and NewDnsSecState == "OFF"
| extend 
    ManagedZoneName = extract(@"managedZones/([^/]+)", 1, GCPResourceName),
    DnsName = tostring(ResponseJson.managedZone.dnsName),
    ZoneId = tostring(ResponseJson.managedZone.id),
    ZoneDescription = tostring(ResponseJson.managedZone.description),
    Visibility = tostring(ResponseJson.managedZone.visibility),
    OperationId = tostring(ResponseJson.operation.id),
    CallerIpAddress = tostring(RequestMetadataJson.callerIp),
    AuthEmail = tostring(AuthInfoJson.principalEmail)
| extend 
    AccountName = tostring(split(PrincipalEmail, "@")[0]), 
    AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
          PrincipalEmail,
          AuthEmail,
          ProjectId,
          ManagedZoneName,
          DnsName,
          ResourceName = GCPResourceName,
          Visibility,
          ZoneId,
          ZoneDescription,
          OperationId,
          CallerIpAddress,
          MethodName,
          ServiceName,
          Severity,
          LogName,
          InsertId,
          AccountName,
          AccountUPNSuffix
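As an added illustration (this is not code from the rule or from the Azure-Sentinel repository), the Python below re-implements the query's filter and projection logic over a few constructed GCPAuditLogs rows, so the ON-to-OFF condition, the managed-zone name extraction and the account split can be checked offline before the rule is deployed. The JSON field paths it reads (operation.zoneContext.oldValue.dnssecConfig.state, managedZone.dnsName, callerIp, principalEmail) are the ones the KQL above references; the sample rows, project, zone, principal and IP address are constructed values.

```python
"""Offline re-implementation of the DNSSEC-disabled detection (constructed example)."""
import json
import re
from typing import Any, Optional

# Same regular expression the KQL extract() uses to pull the zone name from GCPResourceName.
ZONE_NAME_RE = re.compile(r"managedZones/([^/]+)")


def _get(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; return None when any step is missing,
    mirroring how KQL dynamic access yields null instead of raising."""
    for key in path.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def evaluate_row(row: dict) -> Optional[dict]:
    """Apply the rule's where-clauses to one GCPAuditLogs row and return the projected alert, or None."""
    if row.get("ServiceName") != "dns.googleapis.com":
        return None
    if row.get("MethodName") not in ("dns.managedZones.update", "dns.managedZones.patch"):
        return None
    if row.get("GCPResourceType") != "dns_managed_zone" or row.get("Severity") != "NOTICE":
        return None
    response = json.loads(row.get("Response") or "{}")
    request_meta = json.loads(row.get("RequestMetadata") or "{}")
    auth_info = json.loads(row.get("AuthenticationInfo") or "{}")
    zone_ctx = _get(response, "operation.zoneContext")
    if not zone_ctx:  # isnotempty(ZoneContext): missing or empty context is skipped
        return None
    old_state = _get(zone_ctx, "oldValue.dnssecConfig.state")
    new_state = _get(zone_ctx, "newValue.dnssecConfig.state")
    if not (old_state == "ON" and new_state == "OFF"):
        return None
    match = ZONE_NAME_RE.search(row.get("GCPResourceName", ""))
    principal = row.get("PrincipalEmail", "")
    local_part, _, upn_suffix = principal.partition("@")  # split(PrincipalEmail, "@")[0] / [1]
    return {
        "TimeGenerated": row.get("TimeGenerated"),
        "PrincipalEmail": principal,
        "AuthEmail": _get(auth_info, "principalEmail"),
        "ProjectId": row.get("ProjectId"),
        "ManagedZoneName": match.group(1) if match else "",
        "DnsName": _get(response, "managedZone.dnsName"),
        "ResourceName": row.get("GCPResourceName"),
        "Visibility": _get(response, "managedZone.visibility"),
        "ZoneId": _get(response, "managedZone.id"),
        "OperationId": _get(response, "operation.id"),
        "CallerIpAddress": _get(request_meta, "callerIp"),
        "MethodName": row.get("MethodName"),
        "AccountName": local_part,
        "AccountUPNSuffix": upn_suffix,
    }


def detect_dnssec_disabled(rows) -> list:
    """Run the detection over an iterable of rows and return the alerts that would fire."""
    return [alert for alert in (evaluate_row(r) for r in rows) if alert is not None]


def _row(old_state, new_state, **overrides) -> dict:
    """Build one constructed GCPAuditLogs row shaped like the fields the rule reads."""
    operation: dict = {"id": "op-constructed-1"}
    if old_state is not None:
        operation["zoneContext"] = {
            "oldValue": {"dnssecConfig": {"state": old_state}},
            "newValue": {"dnssecConfig": {"state": new_state}},
        }
    response = {
        "operation": operation,
        "managedZone": {"dnsName": "corp.example.", "id": "1234", "description": "constructed", "visibility": "public"},
    }
    row = {
        "TimeGenerated": "2024-01-01T00:00:00Z",
        "ServiceName": "dns.googleapis.com",
        "MethodName": "dns.managedZones.patch",
        "GCPResourceType": "dns_managed_zone",
        "Severity": "NOTICE",
        "GCPResourceName": "projects/demo-project/managedZones/prod-zone",
        "PrincipalEmail": "alice@example.com",
        "ProjectId": "demo-project",
        "Response": json.dumps(response),
        "RequestMetadata": json.dumps({"callerIp": "203.0.113.10"}),
        "AuthenticationInfo": json.dumps({"principalEmail": "alice@example.com"}),
    }
    row.update(overrides)
    return row


# Constructed sample rows: only the first one should produce an alert.
SAMPLE_ROWS = [
    _row("ON", "OFF"),                                        # DNSSEC turned off: alert
    _row("OFF", "ON"),                                        # DNSSEC turned on: ignored
    _row(None, None),                                         # no zoneContext in the response: ignored
    _row("ON", "OFF", MethodName="dns.managedZones.get"),     # not an update/patch: ignored
    _row("ON", "OFF", ServiceName="compute.googleapis.com"),  # different service: ignored
]

if __name__ == "__main__":
    for alert in detect_dnssec_disabled(SAMPLE_ROWS):
        print(json.dumps(alert, indent=2))
```

The row builder keeps the zoneContext shape the query expects; swapping in real exported rows (for example from a Log Analytics CSV export) is a quick way to confirm the parsed field paths match what the GCP connector actually delivers before relying on the rule in production.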
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPDNSSECDisabledForDNSZone.yaml
requiredDataConnectors:
- dataTypes:
  - GCPAuditLogs
  connectorId: GCPAuditLogsDefinition
customDetails:
  ProjectId: ProjectId
  Visibility: Visibility
  ZoneId: ZoneId
  DnsName: DnsName
  ManagedZoneName: ManagedZoneName
  ResourceName: ResourceName
name: GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone
entityMappings:
- fieldMappings:
  - columnName: PrincipalEmail
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: CallerIpAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: ProjectId
    identifier: Name
  - columnName: ResourceName
    identifier: InstanceName
  entityType: CloudApplication
- fieldMappings:
  - columnName: DnsName
    identifier: DomainName
  entityType: DNS
id: 9129a43e-e204-4a9a-969e-d8861ce3437c
tags:
- GCP
- DNS
- DNSSEC
- Cloud Security
description: |
  'Detects when DNSSEC (DNS Security Extensions) is disabled on a Google Cloud DNS managed zone.
  DNSSEC provides cryptographic authentication of DNS data, preventing DNS spoofing and cache poisoning attacks.
  Adversaries may disable DNSSEC to enable DNS-based command and control, phishing campaigns, or
  to redirect traffic to malicious infrastructure without cryptographic validation.
  This rule monitors DNS zone patch operations where DNSSEC state changes from ON to OFF.'  
tactics:
- DefenseEvasion
- CommandAndControl
- ResourceDevelopment
triggerThreshold: 0
kind: Scheduled
query: |
  GCPAuditLogs
  | where ServiceName == "dns.googleapis.com"
  | where MethodName in ("dns.managedZones.update", "dns.managedZones.patch")
  | where GCPResourceType == "dns_managed_zone" and Severity == "NOTICE"
  | extend 
      ResponseJson = parse_json(Response),
      RequestMetadataJson = parse_json(RequestMetadata),
      AuthInfoJson = parse_json(AuthenticationInfo)
  | extend ZoneContext = ResponseJson.operation.zoneContext
  | where isnotempty(ZoneContext)
  | extend 
      OldDnsSecState = tostring(ZoneContext.oldValue.dnssecConfig.state),
      NewDnsSecState = tostring(ZoneContext.newValue.dnssecConfig.state)
  | where OldDnsSecState == "ON" and NewDnsSecState == "OFF"
  | extend 
      ManagedZoneName = extract(@"managedZones/([^/]+)", 1, GCPResourceName),
      DnsName = tostring(ResponseJson.managedZone.dnsName),
      ZoneId = tostring(ResponseJson.managedZone.id),
      ZoneDescription = tostring(ResponseJson.managedZone.description),
      Visibility = tostring(ResponseJson.managedZone.visibility),
      OperationId = tostring(ResponseJson.operation.id),
      CallerIpAddress = tostring(RequestMetadataJson.callerIp),
      AuthEmail = tostring(AuthInfoJson.principalEmail)
  | extend 
      AccountName = tostring(split(PrincipalEmail, "@")[0]), 
      AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
  | project TimeGenerated,
            PrincipalEmail,
            AuthEmail,
            ProjectId,
            ManagedZoneName,
            DnsName,
            ResourceName = GCPResourceName,
            Visibility,
            ZoneId,
            ZoneDescription,
            OperationId,
            CallerIpAddress,
            MethodName,
            ServiceName,
            Severity,
            LogName,
            InsertId,
            AccountName,
            AccountUPNSuffix  
alertDetailsOverride:
  alertDescriptionFormat: |-
    User {{PrincipalEmail}} disabled DNSSEC on DNS managed zone {{ManagedZoneName}} ({{DnsName}}).    
    This action removes cryptographic validation of DNS responses and may indicate an attempt to facilitate DNS-based attacks.
    Investigate immediately to determine if this change was authorized and assess potential security impact.
    Review DNS query logs for suspicious activity and consider re-enabling DNSSEC if unauthorized.    
  alertDisplayNameFormat: DNSSEC Disabled on DNS Zone {{ManagedZoneName}} ({{DnsName}}) by {{PrincipalEmail}}
triggerOperator: gt
status: Available
queryPeriod: 1h
queryFrequency: 1h
version: 1.0.0
severity: High
relevantTechniques:
- T1562.001
- T1071.004
- T1584.002