Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP Audit Logs - Data Access Logging Exemption Added for Principal

GCP Audit Logs - Data Access Logging Exemption Added for Principal

Back
Idb7da45ce-fcc8-43c7-a37c-c08454579d26
RulenameGCP Audit Logs - Data Access Logging Exemption Added for Principal
DescriptionDetects when a principal (user or service account) is exempted from GCP data access audit logging.

This is a critical security event as it reduces visibility into privileged operations and may indicate an attempt to hide malicious activity.

Adversaries may exempt their accounts from audit logging to evade detection while performing reconnaissance, privilege escalation, or data exfiltration.

This rule monitors SetIamPolicy operations that add audit log exemptions for ADMIN_READ, DATA_READ, or DATA_WRITE log types.
SeverityHigh
TacticsDefenseEvasion
PrivilegeEscalation
TechniquesT1562.008
T1078.004
Required data connectorsGCPAuditLogsDefinition
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPDataAccessLoggingExemption.yaml
Version1.0.0
Arm templateb7da45ce-fcc8-43c7-a37c-c08454579d26.json
Deploy To Azure
GCPAuditLogs
 | where ServiceName == "cloudresourcemanager.googleapis.com"
 | where MethodName == "SetIamPolicy"
 | where GCPResourceType == "project" and Severity == "NOTICE"
 | where isnotempty(ServiceData)
 | extend ServiceDataJson = parse_json(ServiceData)
 | extend PolicyDelta = ServiceDataJson.policyDelta.auditConfigDeltas
 | where isnotempty(PolicyDelta)
 | mv-expand ConfigDelta = PolicyDelta
 | where ConfigDelta.action == "ADD"
 | extend LogType = tostring(ConfigDelta.logType)
 | where LogType in ("ADMIN_READ", "DATA_READ", "DATA_WRITE")
 | extend 
     ExemptedMember = tostring(ConfigDelta.exemptedMember),
     ServiceAffected = tostring(ConfigDelta.service),
     RequestMetadataJson = parse_json(RequestMetadata),
     AuthInfoJson = parse_json(AuthenticationInfo)
 | where isnotempty(ExemptedMember)
 | extend 
     CallerIpAddress = tostring(RequestMetadataJson.callerIp),
     UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
     AuthEmail = tostring(AuthInfoJson.principalEmail),
     ExemptedAccountName = tostring(split(ExemptedMember, ":")[1])
 | summarize 
     ExemptedLogTypes = make_set(LogType, 10),
     ExemptedServices = make_set(ServiceAffected, 50),
     FirstExemption = min(TimeGenerated),
     LastExemption = max(TimeGenerated)
     by PrincipalEmail, ProjectId, GCPResourceName, ExemptedMember, 
        CallerIpAddress, UserAgent, LogName, ExemptedAccountName, MethodName, ServiceName, AuthEmail
 | extend
     AccountName = tostring(split(PrincipalEmail, "@")[0]), 
     AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
 | project TimeGenerated = LastExemption,
     PrincipalEmail,
     ProjectId,
     ResourceName = GCPResourceName,
     ExemptedMember,
     ExemptedAccountName,
     ExemptedLogTypes,
     ExemptedServices,
     FirstExemption,
     LastExemption,
     CallerIpAddress,
     UserAgent,
     AuthEmail,
     MethodName,
     ServiceName,
     LogName,
     AccountName,
     AccountUPNSuffix

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPDataAccessLoggingExemption.yaml
queryPeriod: 1h
description: |
  'Detects when a principal (user or service account) is exempted from GCP data access audit logging.
  This is a critical security event as it reduces visibility into privileged operations and may indicate an attempt to hide malicious activity.
  Adversaries may exempt their accounts from audit logging to evade detection while performing reconnaissance, privilege escalation, or data exfiltration.
  This rule monitors SetIamPolicy operations that add audit log exemptions for ADMIN_READ, DATA_READ, or DATA_WRITE log types.'  
tags:
- Cloud Security
- Audit Logging
- Defense Evasion
triggerThreshold: 0
name: GCP Audit Logs - Data Access Logging Exemption Added for Principal
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: PrincipalEmail
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: CallerIpAddress
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: ProjectId
  - identifier: InstanceName
    columnName: ResourceName
kind: Scheduled
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
  dataTypes:
  - GCPAuditLogs
customDetails:
  ExemptedMember: ExemptedMember
  ExemptedServices: ExemptedServices
  ProjectId: ProjectId
  ExemptedLogTypes: ExemptedLogTypes
  UserAgent: UserAgent
  ExemptedAccountName: ExemptedAccountName
queryFrequency: 1h
tactics:
- DefenseEvasion
- PrivilegeEscalation
id: b7da45ce-fcc8-43c7-a37c-c08454579d26
status: Available
version: 1.0.0
query: |
  GCPAuditLogs
   | where ServiceName == "cloudresourcemanager.googleapis.com"
   | where MethodName == "SetIamPolicy"
   | where GCPResourceType == "project" and Severity == "NOTICE"
   | where isnotempty(ServiceData)
   | extend ServiceDataJson = parse_json(ServiceData)
   | extend PolicyDelta = ServiceDataJson.policyDelta.auditConfigDeltas
   | where isnotempty(PolicyDelta)
   | mv-expand ConfigDelta = PolicyDelta
   | where ConfigDelta.action == "ADD"
   | extend LogType = tostring(ConfigDelta.logType)
   | where LogType in ("ADMIN_READ", "DATA_READ", "DATA_WRITE")
   | extend 
       ExemptedMember = tostring(ConfigDelta.exemptedMember),
       ServiceAffected = tostring(ConfigDelta.service),
       RequestMetadataJson = parse_json(RequestMetadata),
       AuthInfoJson = parse_json(AuthenticationInfo)
   | where isnotempty(ExemptedMember)
   | extend 
       CallerIpAddress = tostring(RequestMetadataJson.callerIp),
       UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
       AuthEmail = tostring(AuthInfoJson.principalEmail),
       ExemptedAccountName = tostring(split(ExemptedMember, ":")[1])
   | summarize 
       ExemptedLogTypes = make_set(LogType, 10),
       ExemptedServices = make_set(ServiceAffected, 50),
       FirstExemption = min(TimeGenerated),
       LastExemption = max(TimeGenerated)
       by PrincipalEmail, ProjectId, GCPResourceName, ExemptedMember, 
          CallerIpAddress, UserAgent, LogName, ExemptedAccountName, MethodName, ServiceName, AuthEmail
   | extend
       AccountName = tostring(split(PrincipalEmail, "@")[0]), 
       AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
   | project TimeGenerated = LastExemption,
       PrincipalEmail,
       ProjectId,
       ResourceName = GCPResourceName,
       ExemptedMember,
       ExemptedAccountName,
       ExemptedLogTypes,
       ExemptedServices,
       FirstExemption,
       LastExemption,
       CallerIpAddress,
       UserAgent,
       AuthEmail,
       MethodName,
       ServiceName,
       LogName,
       AccountName,
       AccountUPNSuffix  
alertDetailsOverride:
  alertDescriptionFormat: |-
    Principal {{ExemptedAccountName}} added as exception from Data Access logging in project {{ProjectId}} for Service {{ExemptedServices}}.
    This action reduces audit visibility and may indicate an attempt to evade detection. Verify this change was authorized and investigate any suspicious activity performed by the exempted principal.    
  alertDisplayNameFormat: GCP Data Access Logging Exemption Added for {{ExemptedAccountName}} by {{PrincipalEmail}} in Service {{ExemptedServices}}
severity: High
relevantTechniques:
- T1562.008
- T1078.004