Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone

GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone

Back
Id9129a43e-e204-4a9a-969e-d8861ce3437c
RulenameGCP Audit Logs - DNSSEC Disabled on Managed DNS Zone
DescriptionDetects when DNSSEC (DNS Security Extensions) is disabled on a Google Cloud DNS managed zone.

DNSSEC provides cryptographic authentication of DNS data, preventing DNS spoofing and cache poisoning attacks.

Adversaries may disable DNSSEC to enable DNS-based command and control, phishing campaigns, or

to redirect traffic to malicious infrastructure without cryptographic validation.

This rule monitors DNS zone patch operations where DNSSEC state changes from ON to OFF.
SeverityHigh
TacticsDefenseEvasion
CommandAndControl
ResourceDevelopment
TechniquesT1562.001
T1071.004
T1584.002
Required data connectorsGCPAuditLogsDefinition
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPDNSSECDisabledForDNSZone.yaml
Version1.0.0
Arm template9129a43e-e204-4a9a-969e-d8861ce3437c.json
Deploy To Azure
GCPAuditLogs
| where ServiceName == "dns.googleapis.com"
| where MethodName in ("dns.managedZones.update", "dns.managedZones.patch")
| where GCPResourceType == "dns_managed_zone" and Severity == "NOTICE"
| extend 
    ResponseJson = parse_json(Response),
    RequestMetadataJson = parse_json(RequestMetadata),
    AuthInfoJson = parse_json(AuthenticationInfo)
| extend ZoneContext = ResponseJson.operation.zoneContext
| where isnotempty(ZoneContext)
| extend 
    OldDnsSecState = tostring(ZoneContext.oldValue.dnssecConfig.state),
    NewDnsSecState = tostring(ZoneContext.newValue.dnssecConfig.state)
| where OldDnsSecState == "ON" and NewDnsSecState == "OFF"
| extend 
    ManagedZoneName = extract(@"managedZones/([^/]+)", 1, GCPResourceName),
    DnsName = tostring(ResponseJson.managedZone.dnsName),
    ZoneId = tostring(ResponseJson.managedZone.id),
    ZoneDescription = tostring(ResponseJson.managedZone.description),
    Visibility = tostring(ResponseJson.managedZone.visibility),
    OperationId = tostring(ResponseJson.operation.id),
    CallerIpAddress = tostring(RequestMetadataJson.callerIp),
    AuthEmail = tostring(AuthInfoJson.principalEmail)
| extend 
    AccountName = tostring(split(PrincipalEmail, "@")[0]), 
    AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
          PrincipalEmail,
          AuthEmail,
          ProjectId,
          ManagedZoneName,
          DnsName,
          ResourceName = GCPResourceName,
          Visibility,
          ZoneId,
          ZoneDescription,
          OperationId,
          CallerIpAddress,
          MethodName,
          ServiceName,
          Severity,
          LogName,
          InsertId,
          AccountName,
          AccountUPNSuffix

triggerOperator: gt
relevantTechniques:
- T1562.001
- T1071.004
- T1584.002
tactics:
- DefenseEvasion
- CommandAndControl
- ResourceDevelopment
triggerThreshold: 0
customDetails:
  Visibility: Visibility
  ResourceName: ResourceName
  ZoneId: ZoneId
  ManagedZoneName: ManagedZoneName
  ProjectId: ProjectId
  DnsName: DnsName
status: Available
tags:
- GCP
- DNS
- DNSSEC
- Cloud Security
id: 9129a43e-e204-4a9a-969e-d8861ce3437c
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
  dataTypes:
  - GCPAuditLogs
name: GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPDNSSECDisabledForDNSZone.yaml
description: |
  'Detects when DNSSEC (DNS Security Extensions) is disabled on a Google Cloud DNS managed zone.
  DNSSEC provides cryptographic authentication of DNS data, preventing DNS spoofing and cache poisoning attacks.
  Adversaries may disable DNSSEC to enable DNS-based command and control, phishing campaigns, or
  to redirect traffic to malicious infrastructure without cryptographic validation.
  This rule monitors DNS zone patch operations where DNSSEC state changes from ON to OFF.'  
version: 1.0.0
kind: Scheduled
query: |
  GCPAuditLogs
  | where ServiceName == "dns.googleapis.com"
  | where MethodName in ("dns.managedZones.update", "dns.managedZones.patch")
  | where GCPResourceType == "dns_managed_zone" and Severity == "NOTICE"
  | extend 
      ResponseJson = parse_json(Response),
      RequestMetadataJson = parse_json(RequestMetadata),
      AuthInfoJson = parse_json(AuthenticationInfo)
  | extend ZoneContext = ResponseJson.operation.zoneContext
  | where isnotempty(ZoneContext)
  | extend 
      OldDnsSecState = tostring(ZoneContext.oldValue.dnssecConfig.state),
      NewDnsSecState = tostring(ZoneContext.newValue.dnssecConfig.state)
  | where OldDnsSecState == "ON" and NewDnsSecState == "OFF"
  | extend 
      ManagedZoneName = extract(@"managedZones/([^/]+)", 1, GCPResourceName),
      DnsName = tostring(ResponseJson.managedZone.dnsName),
      ZoneId = tostring(ResponseJson.managedZone.id),
      ZoneDescription = tostring(ResponseJson.managedZone.description),
      Visibility = tostring(ResponseJson.managedZone.visibility),
      OperationId = tostring(ResponseJson.operation.id),
      CallerIpAddress = tostring(RequestMetadataJson.callerIp),
      AuthEmail = tostring(AuthInfoJson.principalEmail)
  | extend 
      AccountName = tostring(split(PrincipalEmail, "@")[0]), 
      AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
  | project TimeGenerated,
            PrincipalEmail,
            AuthEmail,
            ProjectId,
            ManagedZoneName,
            DnsName,
            ResourceName = GCPResourceName,
            Visibility,
            ZoneId,
            ZoneDescription,
            OperationId,
            CallerIpAddress,
            MethodName,
            ServiceName,
            Severity,
            LogName,
            InsertId,
            AccountName,
            AccountUPNSuffix  
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: PrincipalEmail
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: CallerIpAddress
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: ProjectId
  - identifier: InstanceName
    columnName: ResourceName
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: DnsName
severity: High
queryFrequency: 1h
alertDetailsOverride:
  alertDisplayNameFormat: DNSSEC Disabled on DNS Zone {{ManagedZoneName}} ({{DnsName}}) by {{PrincipalEmail}}
  alertDescriptionFormat: |-
    User {{PrincipalEmail}} disabled DNSSEC on DNS managed zone {{ManagedZoneName}} ({{DnsName}}).    
    This action removes cryptographic validation of DNS responses and may indicate an attempt to facilitate DNS-based attacks.
    Investigate immediately to determine if this change was authorized and assess potential security impact.
    Review DNS query logs for suspicious activity and consider re-enabling DNSSEC if unauthorized.    
queryPeriod: 1h