Added GCPDNSSECDisabled.yaml again

Author: rahul0216

Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPBulkVMSnapshotDeletion.yaml

@@ -65,17 +65,18 @@ query: |
   | project 
       TimeGenerated = FirstDeletion,
       PrincipalEmail,
-      AccountName,
-      AccountUPNSuffix,
       ProjectId,
+      ResourceName = GCPResourceName,
       SnapshotCount,
       SnapshotList,
       FirstDeletion,
       LastDeletion,
       DeletionTimeSpan,
       CallerIPs,
       UserAgent,
-      OperationIds
+      OperationIds,
+      AccountName,
+      AccountUPNSuffix,
 entityMappings:
   - entityType: Account
     fieldMappings:

Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPDNSSECDisabled.yaml

@@ -0,0 +1,116 @@
+id: 9129a43e-e204-4a9a-969e-d8861ce3437c
+name: GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone
+description: |
+  'Detects when DNSSEC (DNS Security Extensions) is disabled on a Google Cloud DNS managed zone.
+  DNSSEC provides cryptographic authentication of DNS data, preventing DNS spoofing and cache poisoning attacks.
+  Adversaries may disable DNSSEC to enable DNS-based command and control, phishing campaigns, or
+  to redirect traffic to malicious infrastructure without cryptographic validation.
+  This rule monitors DNS zone patch operations where DNSSEC state changes from ON to OFF.'
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: GCPAuditLogsDefinition
+    dataTypes:
+      - GCPAuditLogs
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+  - CommandAndControl
+  - ResourceDevelopment
+relevantTechniques:
+  - T1562.001
+  - T1071.004
+  - T1584.002
+tags:
+  - GCP
+  - DNS
+  - DNSSEC
+  - Cloud Security
+query: |
+  GCPAuditLogs
+  | where ServiceName == "dns.googleapis.com"
+  | where MethodName in ("dns.managedZones.update", "dns.managedZones.patch")
+  | where GCPResourceType == "dns_managed_zone" and Severity == "NOTICE"
+  | extend 
+      ResponseJson = parse_json(Response),
+      RequestMetadataJson = parse_json(RequestMetadata),
+      AuthInfoJson = parse_json(AuthenticationInfo)
+  | extend ZoneContext = ResponseJson.operation.zoneContext
+  | where isnotempty(ZoneContext)
+  | extend 
+      OldDnsSecState = tostring(ZoneContext.oldValue.dnssecConfig.state),
+      NewDnsSecState = tostring(ZoneContext.newValue.dnssecConfig.state)
+  | where OldDnsSecState == "ON" and NewDnsSecState == "OFF"
+  | extend 
+      ManagedZoneName = extract(@"managedZones/([^/]+)", 1, GCPResourceName),
+      DnsName = tostring(ResponseJson.managedZone.dnsName),
+      ZoneId = tostring(ResponseJson.managedZone.id),
+      ZoneDescription = tostring(ResponseJson.managedZone.description),
+      Visibility = tostring(ResponseJson.managedZone.visibility),
+      OperationId = tostring(ResponseJson.operation.id),
+      CallerIpAddress = tostring(RequestMetadataJson.callerIp),
+      AuthEmail = tostring(AuthInfoJson.principalEmail)
+  | extend 
+      AccountName = tostring(split(PrincipalEmail, "@")[0]), 
+      AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
+  | project TimeGenerated,
+            PrincipalEmail,
+            AuthEmail,
+            ProjectId,
+            ManagedZoneName,
+            DnsName,
+            ResourceName = GCPResourceName,
+            Visibility,
+            ZoneId,
+            ZoneDescription,
+            OperationId,
+            CallerIpAddress,
+            MethodName,
+            ServiceName,
+            Severity,
+            LogName,
+            InsertId,
+            AccountName,
+            AccountUPNSuffix
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: PrincipalEmail
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: CallerIpAddress
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: ProjectId
+      - identifier: InstanceName
+        columnName: ResourceName
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: DnsName
+customDetails:
+  ProjectId: ProjectId
+  ManagedZoneName: ManagedZoneName
+  DnsName: DnsName
+  ResourceName: ResourceName
+  Visibility: Visibility
+  ZoneId: ZoneId
+alertDetailsOverride:
+  alertDisplayNameFormat: "DNSSEC Disabled on DNS Zone {{ManagedZoneName}} ({{DnsName}}) by {{PrincipalEmail}}"
+  alertDescriptionFormat: |-
+    User {{PrincipalEmail}} disabled DNSSEC on DNS managed zone {{ManagedZoneName}} ({{DnsName}}).    
+    This action removes cryptographic validation of DNS responses and may indicate an attempt to facilitate DNS-based attacks.
+    Investigate immediately to determine if this change was authorized and assess potential security impact.
+    Review DNS query logs for suspicious activity and consider re-enabling DNSSEC if unauthorized.
+version: 1.0.0
+kind: Scheduled

Solutions/Google Cloud Platform Audit Logs/Data/Solution_GCPAuditLogs.json

@@ -12,7 +12,8 @@
     "Analytic Rules/GCPOpenFirewallRuleCreated.yaml",
     "Analytic Rules/GCPOrgPolicyDeletion.yaml",
     "Analytic Rules/GCPStorageBucketMadePublic.yaml",
-    "Analytic Rules/GCPVpcFlowLogsDisabled.yaml"
+    "Analytic Rules/GCPVpcFlowLogsDisabled.yaml",
+    "Analytic Rules/GCPDNSSECDisabled.yaml"
   ],
   "Hunting Queries": [
     "Hunting Queries/GCPDataAccessLoggingDisabled.yaml",

Solutions/Google Cloud Platform Audit Logs/Package/3.0.2.zip

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/logo/Google-Cloud-Branding.png\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Google Cloud Platform (GCP) audit logs, ingested from Microsoft Sentinel's connector, enables you to capture and track all activity that occurs in your GCP environment. These audit logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.\n\n**Data Connectors:** 1, **Analytic Rules:** 6, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/logo/Google-Cloud-Branding.png\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Google Cloud Platform (GCP) audit logs, ingested from Microsoft Sentinel's connector, enables you to capture and track all activity that occurs in your GCP environment. These audit logs provide valuable insights for monitoring user activity, troubleshooting issues, and ensuring compliance with security regulations. They serve as a record of events that practitioners can utilize to monitor access and identify potential threats across GCP resources.\n\n**Data Connectors:** 1, **Analytic Rules:** 7, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -184,6 +184,20 @@
                 }
               }
             ]
+          },
+          {
+            "name": "analytic7",
+            "type": "Microsoft.Common.Section",
+            "label": "GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone",
+            "elements": [
+              {
+                "name": "analytic7-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Detects when DNSSEC (DNS Security Extensions) is disabled on a Google Cloud DNS managed zone.\nDNSSEC provides cryptographic authentication of DNS data, preventing DNS spoofing and cache poisoning attacks.\nAdversaries may disable DNSSEC to enable DNS-based command and control, phishing campaigns, or\nto redirect traffic to malicious infrastructure without cryptographic validation.\nThis rule monitors DNS zone patch operations where DNSSEC state changes from ON to OFF."
+                }
+              }
+            ]
           }
         ]
       },