
GCP Audit Logs - Data Access Logging Exemption Added for Principal

Id: b7da45ce-fcc8-43c7-a37c-c08454579d26
Rule name: GCP Audit Logs - Data Access Logging Exemption Added for Principal
Description: Detects when a principal (user or service account) is exempted from GCP data access audit logging.

This is a critical security event as it reduces visibility into privileged operations and may indicate an attempt to hide malicious activity.

Adversaries may exempt their accounts from audit logging to evade detection while performing reconnaissance, privilege escalation, or data exfiltration.

This rule monitors SetIamPolicy operations that add audit log exemptions for ADMIN_READ, DATA_READ, or DATA_WRITE log types.
Severity: High
Tactics: DefenseEvasion
PrivilegeEscalation
Techniques: T1562.008
T1078.004
Required data connectors: GCPAuditLogsDefinition
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPDataAccessLoggingExemption.yaml
Version: 1.0.0
Arm template: b7da45ce-fcc8-43c7-a37c-c08454579d26.json
// Scheduled detection: a project-level SetIamPolicy call whose policy delta
// adds an auditConfig exemption, i.e. removes a principal from Data Access
// audit logging.
GCPAuditLogs
// Only Resource Manager IAM policy writes at project scope are considered, so
// audit-config changes made at folder or organization scope are not covered
// by this filter.
| where ServiceName == "cloudresourcemanager.googleapis.com"
    and MethodName == "SetIamPolicy"
    and GCPResourceType == "project"
    and Severity == "NOTICE"
    and isnotempty(ServiceData)
// policyDelta.auditConfigDeltas lists every change to the audit configuration.
| extend AuditConfigDeltas = parse_json(ServiceData).policyDelta.auditConfigDeltas
| where isnotempty(AuditConfigDeltas)
| mv-expand Delta = AuditConfigDeltas
| extend
    LogType = tostring(Delta.logType),
    ExemptedMember = tostring(Delta.exemptedMember),
    ServiceAffected = tostring(Delta.service)
// Keep only added exemptions for the three Data Access log types.
| where Delta.action == "ADD"
    and LogType in ("ADMIN_READ", "DATA_READ", "DATA_WRITE")
    and isnotempty(ExemptedMember)
| extend
    Request = parse_json(RequestMetadata),
    AuthInfo = parse_json(AuthenticationInfo)
| extend
    CallerIpAddress = tostring(Request.callerIp),
    UserAgent = tostring(Request.callerSuppliedUserAgent),
    AuthEmail = tostring(AuthInfo.principalEmail),
    // exemptedMember is a GCP member string such as "user:<email>"; keep the
    // identity part after the type prefix.
    ExemptedAccountName = tostring(split(ExemptedMember, ":")[1])
// One row per caller / exempted member pair, collecting the affected log types
// and services seen in the query window.
| summarize
    ExemptedLogTypes = make_set(LogType, 10),
    ExemptedServices = make_set(ServiceAffected, 50),
    FirstExemption = min(TimeGenerated),
    LastExemption = max(TimeGenerated)
    by PrincipalEmail, ProjectId, GCPResourceName, ExemptedMember,
       CallerIpAddress, UserAgent, LogName, ExemptedAccountName,
       MethodName, ServiceName, AuthEmail
// Account entity parts for the caller, plus the renamed output columns.
| extend
    AccountName = tostring(split(PrincipalEmail, "@")[0]),
    AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1]),
    TimeGenerated = LastExemption,
    ResourceName = GCPResourceName
| project
    TimeGenerated, PrincipalEmail, ProjectId, ResourceName, ExemptedMember,
    ExemptedAccountName, ExemptedLogTypes, ExemptedServices, FirstExemption,
    LastExemption, CallerIpAddress, UserAgent, AuthEmail, MethodName,
    ServiceName, LogName, AccountName, AccountUPNSuffix
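---
# Microsoft Sentinel scheduled analytic rule.
# Keys follow the order used by the Azure-Sentinel repository templates; YAML
# mappings are unordered, so the order is a readability choice only.
id: b7da45ce-fcc8-43c7-a37c-c08454579d26
name: GCP Audit Logs - Data Access Logging Exemption Added for Principal
# NOTE(review): the single quotes sit inside the block scalar and are therefore
# part of the value; kept as in the upstream rule file.
description: |
  'Detects when a principal (user or service account) is exempted from GCP data access audit logging.
  This is a critical security event as it reduces visibility into privileged operations and may indicate an attempt to hide malicious activity.
  Adversaries may exempt their accounts from audit logging to evade detection while performing reconnaissance, privilege escalation, or data exfiltration.
  This rule monitors SetIamPolicy operations that add audit log exemptions for ADMIN_READ, DATA_READ, or DATA_WRITE log types.'
severity: High
status: Available
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
  dataTypes:
  - GCPAuditLogs
# Frequency equals period, so consecutive runs look at abutting one-hour windows.
queryFrequency: 1h
queryPeriod: 1h
# Alert on any result row.
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
- PrivilegeEscalation
relevantTechniques:
- T1562.008
- T1078.004
tags:
- Cloud Security
- Audit Logging
- Defense Evasion
# Trailing whitespace inside this block scalar is part of the query text and
# has been removed.
query: |
  GCPAuditLogs
   | where ServiceName == "cloudresourcemanager.googleapis.com"
   | where MethodName == "SetIamPolicy"
   | where GCPResourceType == "project" and Severity == "NOTICE"
   | where isnotempty(ServiceData)
   | extend ServiceDataJson = parse_json(ServiceData)
   | extend PolicyDelta = ServiceDataJson.policyDelta.auditConfigDeltas
   | where isnotempty(PolicyDelta)
   | mv-expand ConfigDelta = PolicyDelta
   | where ConfigDelta.action == "ADD"
   | extend LogType = tostring(ConfigDelta.logType)
   | where LogType in ("ADMIN_READ", "DATA_READ", "DATA_WRITE")
   | extend
       ExemptedMember = tostring(ConfigDelta.exemptedMember),
       ServiceAffected = tostring(ConfigDelta.service),
       RequestMetadataJson = parse_json(RequestMetadata),
       AuthInfoJson = parse_json(AuthenticationInfo)
   | where isnotempty(ExemptedMember)
   | extend
       CallerIpAddress = tostring(RequestMetadataJson.callerIp),
       UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
       AuthEmail = tostring(AuthInfoJson.principalEmail),
       ExemptedAccountName = tostring(split(ExemptedMember, ":")[1])
   | summarize
       ExemptedLogTypes = make_set(LogType, 10),
       ExemptedServices = make_set(ServiceAffected, 50),
       FirstExemption = min(TimeGenerated),
       LastExemption = max(TimeGenerated)
       by PrincipalEmail, ProjectId, GCPResourceName, ExemptedMember,
          CallerIpAddress, UserAgent, LogName, ExemptedAccountName, MethodName, ServiceName, AuthEmail
   | extend
       AccountName = tostring(split(PrincipalEmail, "@")[0]),
       AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
   | project TimeGenerated = LastExemption,
       PrincipalEmail,
       ProjectId,
       ResourceName = GCPResourceName,
       ExemptedMember,
       ExemptedAccountName,
       ExemptedLogTypes,
       ExemptedServices,
       FirstExemption,
       LastExemption,
       CallerIpAddress,
       UserAgent,
       AuthEmail,
       MethodName,
       ServiceName,
       LogName,
       AccountName,
       AccountUPNSuffix
# Column names below must match the final `project` of the query.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: PrincipalEmail
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
# CallerIpAddress is taken from RequestMetadata.callerIp in the query.
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: CallerIpAddress
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: ProjectId
  - identifier: InstanceName
    columnName: ResourceName
customDetails:
  ExemptedAccountName: ExemptedAccountName
  ExemptedMember: ExemptedMember
  ExemptedLogTypes: ExemptedLogTypes
  ExemptedServices: ExemptedServices
  ProjectId: ProjectId
  UserAgent: UserAgent
alertDetailsOverride:
  # ExemptedServices and ExemptedLogTypes are make_set() arrays in the query, so
  # they render as JSON lists in the alert title and description.
  alertDisplayNameFormat: GCP Data Access Logging Exemption Added for {{ExemptedAccountName}} by {{PrincipalEmail}} in Service {{ExemptedServices}}
  # Trailing spaces after the last sentence were part of the rendered text and
  # have been removed.
  alertDescriptionFormat: |-
    Principal {{ExemptedAccountName}} added as exception from Data Access logging in project {{ProjectId}} for Service {{ExemptedServices}}.
    This action reduces audit visibility and may indicate an attempt to evade detection. Verify this change was authorized and investigate any suspicious activity performed by the exempted principal.
version: 1.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPDataAccessLoggingExemption.yaml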