
Commit c56e7dc

committed
Remove unused ResourceName mapping in GCP VM snapshot rule
1 parent fce9085 commit c56e7dc

3 files changed

+2
-9
lines changed


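--- a/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPBulkVMSnapshotDeletion.yaml
+++ b/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPBulkVMSnapshotDeletion.yaml
@@ -66,7 +66,6 @@ query: |
 TimeGenerated = FirstDeletion,
 PrincipalEmail,
 ProjectId,
-ResourceName = GCPResourceName,
 SnapshotCount,
 SnapshotList,
 FirstDeletion,
@@ -76,7 +75,7 @@ query: |
 UserAgent,
 OperationIds,
 AccountName,
-AccountUPNSuffix,
+AccountUPNSuffix
 entityMappings:
 - entityType: Account
 fieldMappings:
@@ -90,8 +89,6 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: ProjectId
-- identifier: InstanceName
-columnName: ResourceName
 customDetails:
 ProjectId: ProjectId
 SnapshotCount: SnapshotCount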
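Review bot: Neither of the visible hunks in this file, nor the two in mainTemplate.json, bumps the rule's version, which the repository's packaging convention normally requires when the query or entity mappings change; the `version:` field sits outside these hunks, so confirm it was raised (and mirrored into the package) in the same change. Dropping the `InstanceName` mapping leaves the CloudApplication entity carrying only `ProjectId`, which is consistent, because the removed column was never in scope after `summarize`. If analysts should still see which snapshots were deleted, `SnapshotList` belongs in `customDetails` — that block is cut off at the end of the last hunk, so it may already be there.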
-12 Bytes
Binary file not shown.

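--- a/Solutions/Google Cloud Platform Audit Logs/Package/mainTemplate.json
+++ b/Solutions/Google Cloud Platform Audit Logs/Package/mainTemplate.json
@@ -618,7 +618,7 @@
 "description": "Detects bulk deletion of Google Cloud VM snapshots within a short time period, which may indicate data destruction or defense evasion activities.\nVM snapshots are critical for backup and disaster recovery. Bulk deletion of snapshots can prevent recovery from incidents and may indicate\nmalicious activity such as ransomware, data destruction, or an attempt to cover tracks after a security breach.\nAdversaries may delete snapshots to maximize damage, prevent forensic investigation, or hinder recovery efforts.\nThis rule triggers when multiple snapshots are deleted by the same user within a 1-minute window.",
 "displayName": "GCP Audit Logs - Detect Bulk VM Snapshot Deletion",
 "enabled": false,
-"query": "// Update these thresholds if noisy in your environment\nlet SnapshotDeletionThreshold = 10;\nlet TimeWindow = 1m;\nGCPAuditLogs\n| where ServiceName == \"compute.googleapis.com\"\n| where MethodName has \"compute.snapshots.delete\"\n| where GCPResourceType == \"gce_snapshot\" and Severity == \"NOTICE\"\n| extend \n AuthzInfoJson = parse_json(AuthorizationInfo),\n RequestMetadataJson = parse_json(RequestMetadata),\n ResponseJson = parse_json(Response)\n| extend PermissionType = tostring(AuthzInfoJson[0].permissionType)\n| where PermissionType == \"ADMIN_WRITE\"\n| extend \n CallerIpAddress = tostring(RequestMetadataJson.callerIp),\n UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),\n SnapshotName = extract(@\"snapshots/([^/]+)\", 1, GCPResourceName),\n OperationType = tostring(ResponseJson.operationType),\n OperationId = tostring(ResponseJson.id)\n| summarize \n SnapshotCount = count(),\n SnapshotList = make_set(SnapshotName, 100),\n FirstDeletion = min(TimeGenerated),\n LastDeletion = max(TimeGenerated),\n OperationIds = make_set(OperationId, 100),\n CallerIPs = make_set(CallerIpAddress, 10)\n by PrincipalEmail, ProjectId, UserAgent\n| where SnapshotCount >= SnapshotDeletionThreshold\n| extend DeletionTimeSpan = LastDeletion - FirstDeletion\n| where DeletionTimeSpan <= TimeWindow\n| extend \n AccountName = tostring(split(PrincipalEmail, \"@\")[0]), \n AccountUPNSuffix = tostring(split(PrincipalEmail, \"@\")[1])\n| project \n TimeGenerated = FirstDeletion,\n PrincipalEmail,\n ProjectId,\n ResourceName = GCPResourceName,\n SnapshotCount,\n SnapshotList,\n FirstDeletion,\n LastDeletion,\n DeletionTimeSpan,\n CallerIPs,\n UserAgent,\n OperationIds,\n AccountName,\n AccountUPNSuffix,\n",
+"query": "// Update these thresholds if noisy in your environment\nlet SnapshotDeletionThreshold = 10;\nlet TimeWindow = 1m;\nGCPAuditLogs\n| where ServiceName == \"compute.googleapis.com\"\n| where MethodName has \"compute.snapshots.delete\"\n| where GCPResourceType == \"gce_snapshot\" and Severity == \"NOTICE\"\n| extend \n AuthzInfoJson = parse_json(AuthorizationInfo),\n RequestMetadataJson = parse_json(RequestMetadata),\n ResponseJson = parse_json(Response)\n| extend PermissionType = tostring(AuthzInfoJson[0].permissionType)\n| where PermissionType == \"ADMIN_WRITE\"\n| extend \n CallerIpAddress = tostring(RequestMetadataJson.callerIp),\n UserAgent = tostring(RequestMetadataJson.callerSuppliedUserAgent),\n SnapshotName = extract(@\"snapshots/([^/]+)\", 1, GCPResourceName),\n OperationType = tostring(ResponseJson.operationType),\n OperationId = tostring(ResponseJson.id)\n| summarize \n SnapshotCount = count(),\n SnapshotList = make_set(SnapshotName, 100),\n FirstDeletion = min(TimeGenerated),\n LastDeletion = max(TimeGenerated),\n OperationIds = make_set(OperationId, 100),\n CallerIPs = make_set(CallerIpAddress, 10)\n by PrincipalEmail, ProjectId, UserAgent\n| where SnapshotCount >= SnapshotDeletionThreshold\n| extend DeletionTimeSpan = LastDeletion - FirstDeletion\n| where DeletionTimeSpan <= TimeWindow\n| extend \n AccountName = tostring(split(PrincipalEmail, \"@\")[0]), \n AccountUPNSuffix = tostring(split(PrincipalEmail, \"@\")[1])\n| project \n TimeGenerated = FirstDeletion,\n PrincipalEmail,\n ProjectId,\n SnapshotCount,\n SnapshotList,\n FirstDeletion,\n LastDeletion,\n DeletionTimeSpan,\n CallerIPs,\n UserAgent,\n OperationIds,\n AccountName,\n AccountUPNSuffix\n",
 "queryFrequency": "PT15M",
 "queryPeriod": "PT15M",
 "severity": "High",
@@ -670,10 +670,6 @@
 {
 "identifier": "Name",
 "columnName": "ProjectId"
-},
-{
-"identifier": "InstanceName",
-"columnName": "ResourceName"
 }
 ],
 "entityType": "CloudApplication"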
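Review bot: The rewritten `query` string on the new side still aggregates over the whole 15-minute query period and only afterwards requires `DeletionTimeSpan <= TimeWindow`, so a principal whose deletions spread beyond one minute produces no alert even when ten of them fell inside a single minute, while the description promises detection of a 1-minute burst. Grouping by time bucket, `by PrincipalEmail, ProjectId, UserAgent, bin(TimeGenerated, TimeWindow)`, matches the stated behaviour and makes the later span check redundant, at the cost of bursts that straddle a bin boundary. The same query text lives in the YAML source and the two must stay byte-identical, so apply any change there first and regenerate the package. Separately, `OperationType` is extracted but never projected or aggregated, so that `extend` line is dead work that could be dropped.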
