gcp_dns_modification.yaral tuning issue

Hi all, I'm working on tuning the YARA-L rule gcp_cloudaudit/gcp_dns_modification.yaral from the GitHub repo. When I look at detection vs. rules languages, the UDM field target.user.email_addresses isn't present in our procedural filtering. The UDM field that looks the most like it and has an email address is target.user.userid.

  1. I want to know if target.user.email_addresses is still a valid field; if not, by which one it has been replaced.
  2. Other question: our goal would be to exclude all DNS operations made by container-engine-robot.iam.gserviceaccount.com, which is the GKE SA managed by GCP. We are under the impression that the SA is managed by Google, and it would be a tiny risk that a threat actor could take over this account.

Thanks for your help, 


Did you already try running an equivalent search for examples in Raw Search?

When I can't use grouped fields, and even then, I often have to hunt for the best field name by searching in Raw and seeing which fields get parsed in UDM and which one is best for my purpose.


Hi Chris, thanks for answering my message, and thank you for providing me with a solution of looking through the raw logs. Right now, our goal is to reduce the noise because there are some DNS changes made by a SA. Also, in the YARA-L, the rule uses the UDM field target.user.email_addresses to exclude service accounts. However, this field is not found parsed.


My two main concerns: is this field, target.user.email_addresses, still valid? I could probably use principal.user.email_addresses to make the exclusion. Last thing, do we parse the log correctly? I looked at the prebuilt parser, and it looks like gibberish to me. The field still has rules to be parsed, but it does not face the condition.

Best regards,

PH
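An added example, not code from the thread or from the Chronicle rules repo: a local Python check of the exclusion idea from the first post, written for the field uncertainty raised in the last reply. The events, the candidate UDM paths and the service-account domain are constructed assumptions; the logic keeps any event whose actor cannot be resolved at all, so a parser gap never silently suppresses the rule, and it matches the SA domain exactly rather than by substring.

```python
from typing import Any

# Candidate UDM paths for the acting identity (assumption: the three paths named in the thread).
IDENTITY_PATHS = (
    ("target", "user", "email_addresses"),
    ("target", "user", "userid"),
    ("principal", "user", "email_addresses"),
)

# Domain of the Google-managed GKE service account named in the thread.
GKE_ROBOT_DOMAIN = "container-engine-robot.iam.gserviceaccount.com"


def _get_path(event: dict, path: tuple[str, ...]) -> Any:
    cur: Any = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def actor_identities(event: dict) -> list[str]:
    """Collect every identity string found at the candidate paths (scalar or repeated)."""
    found: list[str] = []
    for path in IDENTITY_PATHS:
        value = _get_path(event, path)
        if isinstance(value, str):
            found.append(value)
        elif isinstance(value, list):
            found.extend(v for v in value if isinstance(v, str))
    return found


def is_gke_robot(identity: str) -> bool:
    """True only for an address whose domain is exactly the GKE robot SA domain."""
    _local, sep, domain = identity.rpartition("@")
    return bool(sep) and domain.lower() == GKE_ROBOT_DOMAIN


def should_alert(event: dict) -> bool:
    """Suppress only when every resolvable identity is the GKE robot SA; unknown actors still alert."""
    ids = actor_identities(event)
    return not ids or not all(is_gke_robot(i) for i in ids)


# Constructed UDM-shaped events, not real logs: robot SA, a human, a lookalike domain, and a parser gap.
SAMPLE_EVENTS = [
    {"principal": {"user": {"email_addresses": ["service-123@" + GKE_ROBOT_DOMAIN]}}},
    {"target": {"user": {"userid": "alice@example.com"}}},
    {"target": {"user": {"userid": "svc@" + GKE_ROBOT_DOMAIN + ".lookalike.example"}}},
    {"metadata": {"event_type": "RESOURCE_WRITTEN"}},
]


def tune(events: list[dict]) -> list[dict]:
    """Apply the exclusion and return the events that would still raise a detection."""
    return [e for e in events if should_alert(e)]
```

Run `tune(SAMPLE_EVENTS)` to see that only the genuine robot-SA event is dropped; the lookalike domain and the event with no parsed identity both survive.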