GCP Audit Logs - VPC Flow Logs Disabled
| Id | 8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a |
| Rulename | GCP Audit Logs - VPC Flow Logs Disabled |
| Description | Detects when Google Cloud Platform VPC Flow Logs configurations are disabled or deleted. VPC Flow Logs capture information about IP traffic going to and from network interfaces in VPC networks, providing critical visibility for security monitoring and forensic analysis. Disabling VPC Flow Logs reduces network visibility and may indicate an attempt to evade detection before performing malicious activities. Adversaries may disable flow logs to hide lateral movement, data exfiltration, or command and control traffic. |
| Severity | High |
| Tactics | DefenseEvasion |
| Techniques | T1562.001 |
| Required data connectors | GCPAuditLogsDefinition |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPVpcFlowLogsDisabled.yaml |
| Version | 1.0.0 |
| Arm template | 8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a.json |
GCPAuditLogs
| where ServiceName == "networkmanagement.googleapis.com"
| where MethodName has_any ("VpcFlowLogsService.UpdateVpcFlowLogsConfig", "VpcFlowLogsService.DeleteVpcFlowLogsConfig")
| extend
RequestJson = parse_json(Request),
RequestMetadataJson = parse_json(RequestMetadata),
AuthInfoJson = parse_json(AuthenticationInfo),
AuthzInfoJson = parse_json(AuthorizationInfo)
| extend
FlowLogsConfigName = split(GCPResourceName, "/")[-1],
ConfigState = tostring(RequestJson.vpc_flow_logs_config.state),
CallerIpAddress = tostring(RequestMetadataJson.callerIp),
AuthEmail = tostring(AuthInfoJson.principalEmail),
Permission = tostring(AuthzInfoJson[0].permission),
PermissionType = tostring(AuthzInfoJson[0].permissionType),
PermissionGranted = tostring(AuthzInfoJson[0].granted)
| where PermissionType == "ADMIN_WRITE"
| where MethodName has "DeleteVpcFlowLogsConfig" or ConfigState == "DISABLED"
| extend
Action = case(
MethodName has "DeleteVpcFlowLogsConfig", "Deleted",
ConfigState == "DISABLED", "Disabled",
"Modified"),
AccountName = tostring(split(PrincipalEmail, "@")[0]),
AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
PrincipalEmail,
AuthEmail,
ProjectId,
ResourceName = GCPResourceName,
FlowLogsConfigName,
Action,
CallerIpAddress,
MethodName,
ServiceName,
Severity,
Permission,
PermissionGranted,
LogName,
InsertId,
AccountName,
AccountUPNSuffix
alertDetailsOverride:
alertDescriptionFormat: |-
GCP VPC Flow Logs configuration {{FlowLogsConfigName}} {{Action}} in project {{ProjectId}}.
This action reduces network traffic visibility and may indicate an attempt to evade detection.
Investigate immediately to determine if this action was authorized and assess the security implications.
Review recent network activity before the logs were disabled for signs of malicious behavior.
alertDisplayNameFormat: GCP VPC Flow Logs {{FlowLogsConfigName}} {{Action}} by {{PrincipalEmail}}
relevantTechniques:
- T1562.001
name: GCP Audit Logs - VPC Flow Logs Disabled
queryFrequency: 1h
version: 1.0.0
triggerThreshold: 0
severity: High
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
dataTypes:
- GCPAuditLogs
tactics:
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPVpcFlowLogsDisabled.yaml
query: |
GCPAuditLogs
| where ServiceName == "networkmanagement.googleapis.com"
| where MethodName has_any ("VpcFlowLogsService.UpdateVpcFlowLogsConfig", "VpcFlowLogsService.DeleteVpcFlowLogsConfig")
| extend
RequestJson = parse_json(Request),
RequestMetadataJson = parse_json(RequestMetadata),
AuthInfoJson = parse_json(AuthenticationInfo),
AuthzInfoJson = parse_json(AuthorizationInfo)
| extend
FlowLogsConfigName = split(GCPResourceName, "/")[-1],
ConfigState = tostring(RequestJson.vpc_flow_logs_config.state),
CallerIpAddress = tostring(RequestMetadataJson.callerIp),
AuthEmail = tostring(AuthInfoJson.principalEmail),
Permission = tostring(AuthzInfoJson[0].permission),
PermissionType = tostring(AuthzInfoJson[0].permissionType),
PermissionGranted = tostring(AuthzInfoJson[0].granted)
| where PermissionType == "ADMIN_WRITE"
| where MethodName has "DeleteVpcFlowLogsConfig" or ConfigState == "DISABLED"
| extend
Action = case(
MethodName has "DeleteVpcFlowLogsConfig", "Deleted",
ConfigState == "DISABLED", "Disabled",
"Modified"),
AccountName = tostring(split(PrincipalEmail, "@")[0]),
AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
PrincipalEmail,
AuthEmail,
ProjectId,
ResourceName = GCPResourceName,
FlowLogsConfigName,
Action,
CallerIpAddress,
MethodName,
ServiceName,
Severity,
Permission,
PermissionGranted,
LogName,
InsertId,
AccountName,
AccountUPNSuffix
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: PrincipalEmail
identifier: FullName
- columnName: AccountName
identifier: Name
- columnName: AccountUPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: CallerIpAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: ProjectId
identifier: Name
- columnName: ResourceName
identifier: InstanceName
entityType: CloudApplication
queryPeriod: 1h
triggerOperator: gt
customDetails:
Permission: Permission
FlowLogsConfigName: FlowLogsConfigName
Action: Action
ResourceName: ResourceName
ProjectId: ProjectId
id: 8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a
tags:
- GCP
- VPC Flow Logs
- Network Security
status: Available
description: |
'Detects when Google Cloud Platform VPC Flow Logs configurations are disabled or deleted.
VPC Flow Logs capture information about IP traffic going to and from network interfaces in VPC networks, providing critical visibility for security monitoring and forensic analysis.
Disabling VPC Flow Logs reduces network visibility and may indicate an attempt to evade detection before performing malicious activities.
Adversaries may disable flow logs to hide lateral movement, data exfiltration, or command and control traffic.'