This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

gcp_dns_modification.yaral tuning issue

Posted on 10-25-2023 07:27 AM
phaubertin
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi all, I'm working on tuning that yaral rules gcp_cloudaudit/gcp_dns_modification.yaral   from the github repo. When I look at detection vs rules languages, the udm fields target.user.email_addresses isn't present in our procedural filtering.  the udm fields that lookalike the most has an email address, is  target.user.userid .

  1. I want to know if target.user.email_addresses is still a valid field? if not, by which it's replaced.
  2. Other question, our goal whould be to exclude all DNS operation made by  container-engine-robot.iam.gserviceaccount.com that is GKE managed SA by GCP. We are under the impression that SA is managed by google, and It would be tiny risk that Threat actor could take over this account. 

Thanks for your help, 

0 2 367
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
Chris_B
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Did you already try running an equivalent search for examples in Raw Search?

When I can't use grouped fields, and even then, I often have to hunt for the best fieldname by search in Raw and seeing what fields get parsed in UDM and which one is best for my purpose.

Chris_B_0-1698254260587.png

Chris_B_1-1698254327153.png

Chris_B_3-1698254897397.png

 

Chris_B_2-1698254859075.png

 

0 Likes

Posted on --/--/---- --:-- AM
phaubertin
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi Chris, thank for answering my message. thank you for providing me a solution of looking through raw log.  Right now, our goal is to reduce the noise because there a some DNS change by SA. Also, in the yaral, the rule use the udm field target.user.email_addresses  to exclude Service account. however, this fields is not found parse. 

 

phaubertin_0-1698258571499.png

phaubertin_1-1698258673698.png

 My 2 main concern, if this field, target.user.email_addresses, is still valid? I could probably  the principal.user.email_addresses to make the exclusion. Last thing, do we parse the log correctly. I look at prebuilt parser, and It look gibberish to me. Field still has rules  to be parse, but it not face condition.  

Best regards,

PH 

0 Likes
Top Solution Authors
View all