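// Scheduled detection: active Google Cloud SCC findings that report logging
// disabled on a Cloud Storage bucket, a VPC firewall rule or a DNS-enabled network.
// Output columns feed the rule's alert templates, customDetails and entity mapping,
// so their names are part of the interface and are kept unchanged.
GoogleCloudSCC
// Only open findings (SCC finding state ACTIVE).
| where tostring(Findings.state) == "ACTIVE"
| extend FindingCategory = tostring(Findings.category)
| where FindingCategory in ("BUCKET_LOGGING_DISABLED", "FIREWALL_RULE_LOGGING_DISABLED", "DNS_LOGGING_DISABLED")
| extend FindingsJson = parse_json(Findings)
// ProjectName is the first "projects/<x>" path segment of the full resource name; for
// some resource kinds that segment is the project number, not the project id -- confirm against data.
// ResourceType is the service host between the leading "//" and the next "/".
// The unused sourceProperties extend from the earlier revision was dropped; it was never projected.
| extend Resource = tostring(FindingsJson.resourceName),
ExternalUri = tostring(FindingsJson.externalUri),
Description = tostring(FindingsJson.description),
Severity = tostring(FindingsJson.severity),
ProjectName = extract(@"projects/([^/]+)", 1, tostring(FindingsJson.resourceName)),
ResourceType = extract(@"//([a-z0-9_.-]+)/", 1, tostring(FindingsJson.resourceName))
// Display-friendly resource id: the path element after the per-kind prefix,
// falling back to the full resource name. Order matters only if a name matched
// more than one prefix; case() takes the first true branch.
| extend ResourceName = case(
Resource contains "firewalls/", extract(@"firewalls/([^/]+)", 1, Resource),
Resource contains "storage.googleapis.com/", extract(@'storage.googleapis.com/([^/\"]+)', 1, Resource),
Resource contains "networks/", extract(@"networks/([^/]+)", 1, Resource),
Resource
)
| project TimeGenerated, ProjectName, ResourceType, ResourceName, Resource, FindingCategory, Severity, ExternalUri, Description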
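# Microsoft Sentinel scheduled analytic rule (Google Cloud Platform SCC solution).
# Indentation restored to the standard two-space layout; key order kept as exported.
alertDetailsOverride:
  # {{Column}} placeholders must name columns projected by the query below.
  alertDescriptionFormat: 'Resource {{ResourceName}} in project {{ProjectName}} (type: {{ResourceType}}) has logging disabled.'
  alertDisplayNameFormat: 'GCP resources with logging disabled: {{ProjectName}} ({{ResourceType}})'
description: |
  Detects Google Cloud resources where logging is disabled for services like (Cloud Storage buckets, Firewall rules, Cloud DNS networks) based on Google Cloud Security Command Center findings.
kind: Scheduled
tactics:
  - DefenseEvasion
requiredDataConnectors:
  - connectorId: GoogleSCCDefinition
    dataTypes:
      - GoogleCloudSCC
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Security Command Center/Analytic Rules/GCPLoggingDisabled.yaml
# Rule severity is fixed; the finding's own SCC severity is surfaced as the
# custom detail "Severity" rather than driving the alert severity.
severity: Medium
name: GCP Security Command Center - Detect Resources with Logging Disabled
# Keys are the custom-detail labels shown on the alert; values are query output columns.
customDetails:
  ProjectName: ProjectName
  ExternalUri: ExternalUri
  Severity: Severity
  Description: Description
  ResourceType: ResourceType
  FindingCategory: FindingCategory
# Fires on any result (results > 0).
triggerThreshold: 0
queryPeriod: 1h
query: |
  GoogleCloudSCC
  // Only open findings (SCC finding state ACTIVE).
  | where tostring(Findings.state) == "ACTIVE"
  | extend FindingCategory = tostring(Findings.category)
  | where FindingCategory in ("BUCKET_LOGGING_DISABLED", "FIREWALL_RULE_LOGGING_DISABLED", "DNS_LOGGING_DISABLED")
  | extend FindingsJson = parse_json(Findings)
  // ProjectName is the first "projects/<x>" path segment of the full resource name; for
  // some resource kinds that segment is the project number, not the project id -- confirm against data.
  // ResourceType is the service host between the leading "//" and the next "/".
  // The unused sourceProperties extend was dropped; it was never projected.
  | extend Resource = tostring(FindingsJson.resourceName),
  ExternalUri = tostring(FindingsJson.externalUri),
  Description = tostring(FindingsJson.description),
  Severity = tostring(FindingsJson.severity),
  ProjectName = extract(@"projects/([^/]+)", 1, tostring(FindingsJson.resourceName)),
  ResourceType = extract(@"//([a-z0-9_.-]+)/", 1, tostring(FindingsJson.resourceName))
  // Display-friendly resource id: the path element after the per-kind prefix,
  // falling back to the full resource name. case() takes the first true branch.
  | extend ResourceName = case(
  Resource contains "firewalls/", extract(@"firewalls/([^/]+)", 1, Resource),
  Resource contains "storage.googleapis.com/", extract(@'storage.googleapis.com/([^/\"]+)', 1, Resource),
  Resource contains "networks/", extract(@"networks/([^/]+)", 1, Resource),
  Resource
  )
  | project TimeGenerated, ProjectName, ResourceType, ResourceName, Resource, FindingCategory, Severity, ExternalUri, Description
# Mapped at technique level; the precise sub-technique is T1562.008
# (Impair Defenses: Disable or Modify Cloud Logs) if the rule schema in use accepts it.
relevantTechniques:
  - T1562
id: d1fe8d30-4852-463a-b6ee-3b459788b75d
queryFrequency: 1h
status: Available
version: 1.0.0
triggerOperator: gt
# One alert per projected row. SCC findings stay ACTIVE until remediated, so if the
# connector re-ingests open findings each window the same resource can alert every
# queryFrequency until fixed -- confirm the ingestion cadence; a summarize arg_max()
# per Resource/FindingCategory over the period would collapse repeats if needed.
eventGroupingSettings:
  aggregationKind: AlertPerResult
tags:
  - Logging
  - GCP
# Only the short ResourceName is mapped; the full resource name stays available
# in the Resource column of the alert's result set.
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - columnName: ResourceName
        identifier: Name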