Unexpected GCP API calls indicating DNS logging configuration disabled
Description
AlphaSOC detected that DNS logging was disabled on a GCP Cloud DNS policy via
dns.policies.patch with enableLogging set to false. Adversaries may
disable DNS logging to hide malicious network communications, including command
and control traffic, data exfiltration via DNS tunneling, or connections to
malicious domains.
Impact
Disabling DNS logging removes visibility into DNS queries within the environment. Security teams lose the ability to detect malicious domain lookups, DNS tunneling, or communication with command and control infrastructure. This can significantly hamper incident detection and forensic investigations.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property (action, ASN, user agent or region) |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the dns.policies.patch action and identify the
principal that disabled DNS logging, together with the source IP/ASN, user agent and region of the call. Verify whether this was an authorized change (for example, one made by an infrastructure-as-code pipeline or a known administrator).
If unauthorized, immediately re-enable DNS logging on the affected policy. Investigate the compromised identity for additional defense evasion activity, and confirm that other logging configurations (other Cloud DNS policies, audit log sinks) remain intact. Because DNS queries made while logging was disabled were not recorded, rely on other telemetry to check for malicious activity in that window.
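The triage described above, as an added example that is not part of the AlphaSOC detection or the GCP tooling: it parses Cloud Audit Log entries (newline-delimited JSON as exported from Cloud Logging), keeps only dns.policies.patch calls that explicitly set enableLogging to false, and reports the principal, policy and caller metadata. The sample entries are constructed, the nesting of the patch body under protoPayload.request is an assumption (both request.enableLogging and request.policy.enableLogging are handled), and EXPECTED_POLICY_EDITORS is a hypothetical allowlist of principals expected to change DNS policies.

```python
"""Triage helper for the "DNS logging disabled" finding.

Added example: flags dns.policies.patch audit log entries that set
enableLogging=false and extracts what an analyst needs to decide whether
the change was authorized.
"""
import json
from typing import Any

# Constructed sample entries, not real audit logs. Top-level field names follow
# the Cloud Audit Log schema; the nesting of the patch body under
# protoPayload.request is an assumption, so both shapes are handled below.
SAMPLE_AUDIT_LOG = r"""
{"timestamp":"2024-05-01T10:02:11Z","protoPayload":{"serviceName":"dns.googleapis.com","methodName":"dns.policies.patch","authenticationInfo":{"principalEmail":"svc-ci@example-project.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.10","callerSuppliedUserAgent":"Terraform/1.7"},"resourceName":"projects/example-project/policies/corp-resolver","request":{"policy":{"enableLogging":false}}}}
{"timestamp":"2024-05-01T10:05:40Z","protoPayload":{"serviceName":"dns.googleapis.com","methodName":"dns.policies.patch","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.7","callerSuppliedUserAgent":"google-cloud-sdk gcloud/470.0.0"},"resourceName":"projects/example-project/policies/corp-resolver","request":{"policy":{"enableLogging":true}}}}
{"timestamp":"2024-05-01T10:09:03Z","protoPayload":{"serviceName":"dns.googleapis.com","methodName":"dns.policies.patch","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.7","callerSuppliedUserAgent":"google-cloud-sdk gcloud/470.0.0"},"resourceName":"projects/example-project/policies/corp-resolver","request":{"policy":{"description":"updated"}}}}
{"timestamp":"2024-05-01T23:41:55Z","protoPayload":{"serviceName":"dns.googleapis.com","methodName":"dns.policies.patch","authenticationInfo":{"principalEmail":"mallory@example.com"},"requestMetadata":{"callerIp":"192.0.2.44","callerSuppliedUserAgent":"python-requests/2.31"},"resourceName":"projects/example-project/policies/lab-resolver","request":{"enableLogging":false}}}
"""

# Hypothetical allowlist of principals expected to change DNS policies
# (e.g. the IaC pipeline's service account). Anything else is treated as
# unauthorized until an analyst confirms otherwise.
EXPECTED_POLICY_EDITORS = {"svc-ci@example-project.iam.gserviceaccount.com"}


def parse_entries(text: str) -> list[dict[str, Any]]:
    """Parse newline-delimited JSON audit log entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _patch_enable_logging(request: dict[str, Any]) -> Any:
    """Return the enableLogging value from a dns.policies.patch body, or None."""
    if "enableLogging" in request:
        return request["enableLogging"]
    return request.get("policy", {}).get("enableLogging")


def find_logging_disabled(entries: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return triage records for patches that explicitly set enableLogging=false."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "dns.googleapis.com":
            continue
        if payload.get("methodName") != "dns.policies.patch":
            continue
        # Only an explicit false is a finding; re-enabling logging or patching
        # unrelated policy fields is not.
        if _patch_enable_logging(payload.get("request", {})) is not False:
            continue
        meta = payload.get("requestMetadata", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        findings.append({
            "timestamp": entry.get("timestamp"),
            "principal": principal,
            "policy": payload.get("resourceName"),
            "caller_ip": meta.get("callerIp"),
            "user_agent": meta.get("callerSuppliedUserAgent"),
            "authorized": principal in EXPECTED_POLICY_EDITORS,
        })
    return findings


def triage(text: str) -> list[dict[str, Any]]:
    """Raw NDJSON audit log in, findings out."""
    return find_logging_disabled(parse_entries(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        status = "expected" if f["authorized"] else "INVESTIGATE"
        print(f"{f['timestamp']} {status:11} {f['principal']} disabled logging on "
              f"{f['policy']} from {f['caller_ip']} ({f['user_agent']})")
```

Run against the sample, the first entry (IaC service account, Terraform user agent) is reported as expected, the fourth (unknown principal, generic HTTP client, late at night) is the one to investigate, and the re-enable and description-only patches produce no finding. The allowlist is only a first filter: a compromised pipeline credential would still pass it, so the caller IP, user agent and timing should be compared against what that principal normally looks like.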