Cloud DNS GCP-dns.googleapis.com

5 operations, identified by methodName in the audit log.

methodName	Description
any	Catch-all entry for dns.googleapis.com. Source-only rules that attribute to the service without a specific method attribute here. Not a distinct audit log operation.
Dns-ManagedZones-Create	Creates a new managed zone.
Dns-ManagedZones-Delete	Deletes a previously created managed zone.
Dns-ManagedZones-Patch	Applies a partial update to an existing managed zone.
Dns-ManagedZones-Update	Updates an existing managed zone.

any: dns.googleapis.com (any method)

Service: GCP-dns.googleapis.com

Description

Catch-all entry for dns.googleapis.com. Source-only rules that attribute to the service without a specific method attribute here. Not a distinct audit log operation.

Fields #

Name	Description
`protoPayload.serviceName`	The GCP service endpoint that processed the request (e.g. compute.googleapis.com).
`protoPayload.methodName`	The specific API operation that was audited (versioned form, e.g. v1.compute.instances.insert).
`protoPayload.resourceName`	Scheme-less URI of the resource targeted by the operation.
`protoPayload.authenticationInfo.principalEmail`	Email address of the principal that performed the operation.
`protoPayload.requestMetadata.callerIp`	IP address of the caller.
`protoPayload.requestMetadata.callerSuppliedUserAgent`	User agent reported by the caller.
`protoPayload.authorizationInfo`	List of authorization checks performed (resource, permission, granted).
`protoPayload.request`	API request object (service-specific structure).
`protoPayload.response`	API response object (service-specific structure).
`logName`	Log stream identifier; suffix encodes the audit log type (activity, data_access, system_event, policy).

Dns-ManagedZones-Create: Create managed zone

Service: GCP-dns.googleapis.com

Description

Creates a new managed zone.

Fields #

Name	Description
`protoPayload.serviceName`	The GCP service endpoint that processed the request (e.g. compute.googleapis.com).
`protoPayload.methodName`	The specific API operation that was audited (versioned form, e.g. v1.compute.instances.insert).
`protoPayload.resourceName`	Scheme-less URI of the resource targeted by the operation.
`protoPayload.authenticationInfo.principalEmail`	Email address of the principal that performed the operation.
`protoPayload.requestMetadata.callerIp`	IP address of the caller.
`protoPayload.requestMetadata.callerSuppliedUserAgent`	User agent reported by the caller.
`protoPayload.authorizationInfo`	List of authorization checks performed (resource, permission, granted).
`protoPayload.request`	API request object (service-specific structure).
`protoPayload.response`	API response object (service-specific structure).
`logName`	Log stream identifier; suffix encodes the audit log type (activity, data_access, system_event, policy).

Dns-ManagedZones-Delete: Delete managed zone

Service: GCP-dns.googleapis.com

Description

Deletes a previously created managed zone.

Fields #

Name	Description
`protoPayload.serviceName`	The GCP service endpoint that processed the request (e.g. compute.googleapis.com).
`protoPayload.methodName`	The specific API operation that was audited (versioned form, e.g. v1.compute.instances.insert).
`protoPayload.resourceName`	Scheme-less URI of the resource targeted by the operation.
`protoPayload.authenticationInfo.principalEmail`	Email address of the principal that performed the operation.
`protoPayload.requestMetadata.callerIp`	IP address of the caller.
`protoPayload.requestMetadata.callerSuppliedUserAgent`	User agent reported by the caller.
`protoPayload.authorizationInfo`	List of authorization checks performed (resource, permission, granted).
`protoPayload.request`	API request object (service-specific structure).
`protoPayload.response`	API response object (service-specific structure).
`logName`	Log stream identifier; suffix encodes the audit log type (activity, data_access, system_event, policy).

Detection Rules #

View all rules referencing this event →

Sigma #

Google Cloud DNS Zone Modified or Deleted source medium: Identifies when a DNS Zone is modified or deleted in Google Cloud.↳ also matches Dns-ManagedZones-Patch: Patch managed zone, Dns-ManagedZones-Update: Update managed zone

Dns-ManagedZones-Patch: Patch managed zone

Service: GCP-dns.googleapis.com

Description

Applies a partial update to an existing managed zone.

Fields #

Name	Description
`protoPayload.serviceName`	The GCP service endpoint that processed the request (e.g. compute.googleapis.com).
`protoPayload.methodName`	The specific API operation that was audited (versioned form, e.g. v1.compute.instances.insert).
`protoPayload.resourceName`	Scheme-less URI of the resource targeted by the operation.
`protoPayload.authenticationInfo.principalEmail`	Email address of the principal that performed the operation.
`protoPayload.requestMetadata.callerIp`	IP address of the caller.
`protoPayload.requestMetadata.callerSuppliedUserAgent`	User agent reported by the caller.
`protoPayload.authorizationInfo`	List of authorization checks performed (resource, permission, granted).
`protoPayload.request`	API request object (service-specific structure).
`protoPayload.response`	API response object (service-specific structure).
`logName`	Log stream identifier; suffix encodes the audit log type (activity, data_access, system_event, policy).

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Severity`	eq	`NOTICE`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Google Cloud DNS Zone Modified or Deleted source medium: Identifies when a DNS Zone is modified or deleted in Google Cloud.↳ also matches Dns-ManagedZones-Delete: Delete managed zone, Dns-ManagedZones-Update: Update managed zone

Kusto #

GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone source high: Detects when DNSSEC (DNS Security Extensions) is disabled on a Google Cloud DNS managed zone. DNSSEC provides cryptographic authentication of DNS data, preventing DNS spoofing and cache poisoning attacks. Adversaries may disable DNSSEC to enable DNS-based command and control, phishing campaigns, or to redirect traffic to malicious infrastructure without cryptographic validation. This rule monitors DNS zone patch operations where DNSSEC state changes from ON to OFF.↳ also matches Dns-ManagedZones-Update: Update managed zone

Dns-ManagedZones-Update: Update managed zone

Service: GCP-dns.googleapis.com

Description

Updates an existing managed zone.

Fields #

Name	Description
`protoPayload.serviceName`	The GCP service endpoint that processed the request (e.g. compute.googleapis.com).
`protoPayload.methodName`	The specific API operation that was audited (versioned form, e.g. v1.compute.instances.insert).
`protoPayload.resourceName`	Scheme-less URI of the resource targeted by the operation.
`protoPayload.authenticationInfo.principalEmail`	Email address of the principal that performed the operation.
`protoPayload.requestMetadata.callerIp`	IP address of the caller.
`protoPayload.requestMetadata.callerSuppliedUserAgent`	User agent reported by the caller.
`protoPayload.authorizationInfo`	List of authorization checks performed (resource, permission, granted).
`protoPayload.request`	API request object (service-specific structure).
`protoPayload.response`	API response object (service-specific structure).
`logName`	Log stream identifier; suffix encodes the audit log type (activity, data_access, system_event, policy).

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Severity`	eq	`NOTICE`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Google Cloud DNS Zone Modified or Deleted source medium: Identifies when a DNS Zone is modified or deleted in Google Cloud.↳ also matches Dns-ManagedZones-Delete: Delete managed zone, Dns-ManagedZones-Patch: Patch managed zone

Kusto #

GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone source high: Detects when DNSSEC (DNS Security Extensions) is disabled on a Google Cloud DNS managed zone. DNSSEC provides cryptographic authentication of DNS data, preventing DNS spoofing and cache poisoning attacks. Adversaries may disable DNSSEC to enable DNS-based command and control, phishing campaigns, or to redirect traffic to malicious infrastructure without cryptographic validation. This rule monitors DNS zone patch operations where DNSSEC state changes from ON to OFF.↳ also matches Dns-ManagedZones-Patch: Patch managed zone

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Cloud DNS GCP-dns.googleapis.com

any: dns.googleapis.com (any method)

Description

Fields #

Dns-ManagedZones-Create: Create managed zone

Description

Fields #

Dns-ManagedZones-Delete: Delete managed zone

Description

Fields #

Detection Rules #

Sigma #

Dns-ManagedZones-Patch: Patch managed zone

Description

Fields #

Common Indicators #

Detection Rules #

Sigma #

Kusto #

Dns-ManagedZones-Update: Update managed zone

Description

Fields #

Common Indicators #

Detection Rules #

Sigma #

Kusto #

Keyboard shortcuts

Search operators