Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP Audit Logs - Detect Bulk VM Snapshot Deletion

GCP Audit Logs - Detect Bulk VM Snapshot Deletion

Back
Iddfdffdc7-929f-4c7e-8f48-30e5ffddb067
RulenameGCP Audit Logs - Detect Bulk VM Snapshot Deletion
DescriptionDetects bulk deletion of Google Cloud VM snapshots within a short time period, which may indicate data destruction or defense evasion activities.

VM snapshots are critical for backup and disaster recovery. Bulk deletion of snapshots can prevent recovery from incidents and may indicate

malicious activity such as ransomware, data destruction, or an attempt to cover tracks after a security breach.

Adversaries may delete snapshots to maximize damage, prevent forensic investigation, or hinder recovery efforts.

This rule triggers when multiple snapshots are deleted by the same user within a 1-minute window.
SeverityHigh
TacticsImpact
DefenseEvasion
TechniquesT1485
T1490
T1562.001
Required data connectorsGCPAuditLogsDefinition
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPBulkVMSnapshotDeletion.yaml
Version1.0.0
Arm templatedfdffdc7-929f-4c7e-8f48-30e5ffddb067.json
Deploy To Azure
// Update these thresholds if noisy in your environment
let SnapshotDeletionThreshold = 10;
let TimeWindow = 1m;
GCPAuditLogs
| where ServiceName == "compute.googleapis.com"
| where MethodName has "compute.snapshots.delete"
| where GCPResourceType == "gce_snapshot" and Severity == "NOTICE"
| extend 
    AuthzInfoJson = parse_json(AuthorizationInfo),
    RequestMetadataJson = parse_json(RequestMetadata),
    ResponseJson = parse_json(Response)
| extend PermissionType = tostring(AuthzInfoJson[0].permissionType)
| where PermissionType == "ADMIN_WRITE"
| extend 
    CallerIpAddress = tostring(RequestMetadataJson.callerIp),
    UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
    SnapshotName = extract(@"snapshots/([^/]+)", 1, GCPResourceName),
    OperationType = tostring(ResponseJson.operationType),
    OperationId = tostring(ResponseJson.id)
| summarize 
    SnapshotCount = count(),
    SnapshotList = make_set(SnapshotName, 100),
    FirstDeletion = min(TimeGenerated),
    LastDeletion = max(TimeGenerated),
    OperationIds = make_set(OperationId, 100),
    CallerIPs = make_set(CallerIpAddress, 10)
    by PrincipalEmail, ProjectId, UserAgent
| where SnapshotCount >= SnapshotDeletionThreshold
| extend DeletionTimeSpan = LastDeletion - FirstDeletion
| where DeletionTimeSpan <= TimeWindow
| extend 
    AccountName = tostring(split(PrincipalEmail, "@")[0]), 
    AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project 
    TimeGenerated = FirstDeletion,
    PrincipalEmail,
    ProjectId,
    SnapshotCount,
    SnapshotList,
    FirstDeletion,
    LastDeletion,
    DeletionTimeSpan,
    CallerIPs,
    UserAgent,
    OperationIds,
    AccountName,
    AccountUPNSuffix

name: GCP Audit Logs - Detect Bulk VM Snapshot Deletion
relevantTechniques:
- T1485
- T1490
- T1562.001
id: dfdffdc7-929f-4c7e-8f48-30e5ffddb067
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPBulkVMSnapshotDeletion.yaml
requiredDataConnectors:
- dataTypes:
  - GCPAuditLogs
  connectorId: GCPAuditLogsDefinition
version: 1.0.0
severity: High
triggerThreshold: 0
tags:
- GCP
- Compute
- Data Destruction
- Cloud Security
queryPeriod: 15m
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: PrincipalEmail
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Name
    columnName: ProjectId
  entityType: CloudApplication
kind: Scheduled
alertDetailsOverride:
  alertDisplayNameFormat: 'Bulk VM Snapshot Deletion: {{SnapshotCount}} snapshots deleted by {{PrincipalEmail}} in {{ProjectId}}'
  alertDescriptionFormat: |-
    User {{PrincipalEmail}} deleted {{SnapshotCount}} VM snapshots in project {{ProjectId}} within a short time period. 
    This may indicate ransomware, data destruction, or defense evasion activity. Verify authorization, check remaining snapshots, review IP addresses, and investigate for compromise.    
queryFrequency: 15m
status: Available
query: |
  // Update these thresholds if noisy in your environment
  let SnapshotDeletionThreshold = 10;
  let TimeWindow = 1m;
  GCPAuditLogs
  | where ServiceName == "compute.googleapis.com"
  | where MethodName has "compute.snapshots.delete"
  | where GCPResourceType == "gce_snapshot" and Severity == "NOTICE"
  | extend 
      AuthzInfoJson = parse_json(AuthorizationInfo),
      RequestMetadataJson = parse_json(RequestMetadata),
      ResponseJson = parse_json(Response)
  | extend PermissionType = tostring(AuthzInfoJson[0].permissionType)
  | where PermissionType == "ADMIN_WRITE"
  | extend 
      CallerIpAddress = tostring(RequestMetadataJson.callerIp),
      UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),
      SnapshotName = extract(@"snapshots/([^/]+)", 1, GCPResourceName),
      OperationType = tostring(ResponseJson.operationType),
      OperationId = tostring(ResponseJson.id)
  | summarize 
      SnapshotCount = count(),
      SnapshotList = make_set(SnapshotName, 100),
      FirstDeletion = min(TimeGenerated),
      LastDeletion = max(TimeGenerated),
      OperationIds = make_set(OperationId, 100),
      CallerIPs = make_set(CallerIpAddress, 10)
      by PrincipalEmail, ProjectId, UserAgent
  | where SnapshotCount >= SnapshotDeletionThreshold
  | extend DeletionTimeSpan = LastDeletion - FirstDeletion
  | where DeletionTimeSpan <= TimeWindow
  | extend 
      AccountName = tostring(split(PrincipalEmail, "@")[0]), 
      AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
  | project 
      TimeGenerated = FirstDeletion,
      PrincipalEmail,
      ProjectId,
      SnapshotCount,
      SnapshotList,
      FirstDeletion,
      LastDeletion,
      DeletionTimeSpan,
      CallerIPs,
      UserAgent,
      OperationIds,
      AccountName,
      AccountUPNSuffix  
tactics:
- Impact
- DefenseEvasion
customDetails:
  CallerIPs: CallerIPs
  DeletionTimeSpan: DeletionTimeSpan
  LastDeletion: LastDeletion
  UserAgent: UserAgent
  FirstDeletion: FirstDeletion
  ProjectId: ProjectId
  SnapshotCount: SnapshotCount
  SnapshotList: SnapshotList
description: |
  'Detects bulk deletion of Google Cloud VM snapshots within a short time period, which may indicate data destruction or defense evasion activities.
  VM snapshots are critical for backup and disaster recovery. Bulk deletion of snapshots can prevent recovery from incidents and may indicate
  malicious activity such as ransomware, data destruction, or an attempt to cover tracks after a security breach.
  Adversaries may delete snapshots to maximize damage, prevent forensic investigation, or hinder recovery efforts.
  This rule triggers when multiple snapshots are deleted by the same user within a 1-minute window.'  
triggerOperator: gt