GCP Audit Logs - Data Access Logging Exemption Added for Principal

Back


Id	b7da45ce-fcc8-43c7-a37c-c08454579d26
Rulename	GCP Audit Logs - Data Access Logging Exemption Added for Principal
Description	Detects when a principal (user or service account) is exempted from GCP data access audit logging. This is a critical security event as it reduces visibility into privileged operations and may indicate an attempt to hide malicious activity. Adversaries may exempt their accounts from audit logging to evade detection while performing reconnaissance, privilege escalation, or data exfiltration. This rule monitors SetIamPolicy operations that add audit log exemptions for ADMIN_READ, DATA_READ, or DATA_WRITE log types.
Severity	High
Tactics	DefenseEvasion PrivilegeEscalation
Techniques	T1562.008 T1078.004
Required data connectors	GCPAuditLogsDefinition
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPDataAccessLoggingExemption.yaml
Version	1.0.0
Arm template	b7da45ce-fcc8-43c7-a37c-c08454579d26.json

KQL

GCPAuditLogs
 | where ServiceName == "cloudresourcemanager.googleapis.com"
 | where MethodName == "SetIamPolicy"
 | where GCPResourceType == "project" and Severity == "NOTICE"
 | where isnotempty(ServiceData)
 | extend ServiceDataJson = parse_json(ServiceData)
 | extend PolicyDelta = ServiceDataJson.policyDelta.auditConfigDeltas
 | where isnotempty(PolicyDelta)
 | mv-expand ConfigDelta = PolicyDelta
 | where ConfigDelta.action == "ADD"
 | extend LogType = tostring(ConfigDelta.logType)
 | where LogType in ("ADMIN_READ", "DATA_READ", "DATA_WRITE")
 | extend 
     ExemptedMember = tostring(ConfigDelta.exemptedMember),
     ServiceAffected = tostring(ConfigDelta.service),
     RequestMetadataJson = parse_json(RequestMetadata),
     AuthInfoJson = parse_json(AuthenticationInfo)
 | where isnotempty(ExemptedMember)
 | extend 
     CallerIpAddress = tostring(RequestMetadataJson.callerIp),
     UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
     AuthEmail = tostring(AuthInfoJson.principalEmail),
     ExemptedAccountName = tostring(split(ExemptedMember, ":")[1])
 | summarize 
     ExemptedLogTypes = make_set(LogType, 10),
     ExemptedServices = make_set(ServiceAffected, 50),
     FirstExemption = min(TimeGenerated),
     LastExemption = max(TimeGenerated)
     by PrincipalEmail, ProjectId, GCPResourceName, ExemptedMember, 
        CallerIpAddress, UserAgent, LogName, ExemptedAccountName, MethodName, ServiceName, AuthEmail
 | extend
     AccountName = tostring(split(PrincipalEmail, "@")[0]), 
     AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
 | project TimeGenerated = LastExemption,
     PrincipalEmail,
     ProjectId,
     ResourceName = GCPResourceName,
     ExemptedMember,
     ExemptedAccountName,
     ExemptedLogTypes,
     ExemptedServices,
     FirstExemption,
     LastExemption,
     CallerIpAddress,
     UserAgent,
     AuthEmail,
     MethodName,
     ServiceName,
     LogName,
     AccountName,
     AccountUPNSuffix

YAML

alertDetailsOverride:
  alertDescriptionFormat: |-
    Principal {{ExemptedAccountName}} added as exception from Data Access logging in project {{ProjectId}} for Service {{ExemptedServices}}.
    This action reduces audit visibility and may indicate an attempt to evade detection. Verify this change was authorized and investigate any suspicious activity performed by the exempted principal.    
  alertDisplayNameFormat: GCP Data Access Logging Exemption Added for {{ExemptedAccountName}} by {{PrincipalEmail}} in Service {{ExemptedServices}}
relevantTechniques:
- T1562.008
- T1078.004
name: GCP Audit Logs - Data Access Logging Exemption Added for Principal
queryFrequency: 1h
version: 1.0.0
triggerThreshold: 0
severity: High
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
  dataTypes:
  - GCPAuditLogs
tactics:
- DefenseEvasion
- PrivilegeEscalation
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPDataAccessLoggingExemption.yaml
query: |
  GCPAuditLogs
   | where ServiceName == "cloudresourcemanager.googleapis.com"
   | where MethodName == "SetIamPolicy"
   | where GCPResourceType == "project" and Severity == "NOTICE"
   | where isnotempty(ServiceData)
   | extend ServiceDataJson = parse_json(ServiceData)
   | extend PolicyDelta = ServiceDataJson.policyDelta.auditConfigDeltas
   | where isnotempty(PolicyDelta)
   | mv-expand ConfigDelta = PolicyDelta
   | where ConfigDelta.action == "ADD"
   | extend LogType = tostring(ConfigDelta.logType)
   | where LogType in ("ADMIN_READ", "DATA_READ", "DATA_WRITE")
   | extend 
       ExemptedMember = tostring(ConfigDelta.exemptedMember),
       ServiceAffected = tostring(ConfigDelta.service),
       RequestMetadataJson = parse_json(RequestMetadata),
       AuthInfoJson = parse_json(AuthenticationInfo)
   | where isnotempty(ExemptedMember)
   | extend 
       CallerIpAddress = tostring(RequestMetadataJson.callerIp),
       UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
       AuthEmail = tostring(AuthInfoJson.principalEmail),
       ExemptedAccountName = tostring(split(ExemptedMember, ":")[1])
   | summarize 
       ExemptedLogTypes = make_set(LogType, 10),
       ExemptedServices = make_set(ServiceAffected, 50),
       FirstExemption = min(TimeGenerated),
       LastExemption = max(TimeGenerated)
       by PrincipalEmail, ProjectId, GCPResourceName, ExemptedMember, 
          CallerIpAddress, UserAgent, LogName, ExemptedAccountName, MethodName, ServiceName, AuthEmail
   | extend
       AccountName = tostring(split(PrincipalEmail, "@")[0]), 
       AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
   | project TimeGenerated = LastExemption,
       PrincipalEmail,
       ProjectId,
       ResourceName = GCPResourceName,
       ExemptedMember,
       ExemptedAccountName,
       ExemptedLogTypes,
       ExemptedServices,
       FirstExemption,
       LastExemption,
       CallerIpAddress,
       UserAgent,
       AuthEmail,
       MethodName,
       ServiceName,
       LogName,
       AccountName,
       AccountUPNSuffix  
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: PrincipalEmail
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: CallerIpAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: ProjectId
    identifier: Name
  - columnName: ResourceName
    identifier: InstanceName
  entityType: CloudApplication
queryPeriod: 1h
triggerOperator: gt
customDetails:
  ExemptedServices: ExemptedServices
  UserAgent: UserAgent
  ExemptedMember: ExemptedMember
  ProjectId: ProjectId
  ExemptedAccountName: ExemptedAccountName
  ExemptedLogTypes: ExemptedLogTypes
id: b7da45ce-fcc8-43c7-a37c-c08454579d26
tags:
- Cloud Security
- Audit Logging
- Defense Evasion
status: Available
description: |
  'Detects when a principal (user or service account) is exempted from GCP data access audit logging.
  This is a critical security event as it reduces visibility into privileged operations and may indicate an attempt to hide malicious activity.
  Adversaries may exempt their accounts from audit logging to evade detection while performing reconnaissance, privilege escalation, or data exfiltration.
  This rule monitors SetIamPolicy operations that add audit log exemptions for ADMIN_READ, DATA_READ, or DATA_WRITE log types.'

ARM