Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP Audit Logs - VPC Flow Logs Disabled

GCP Audit Logs - VPC Flow Logs Disabled

Back
Id8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a
RulenameGCP Audit Logs - VPC Flow Logs Disabled
DescriptionDetects when Google Cloud Platform VPC Flow Logs configurations are disabled or deleted.

VPC Flow Logs capture information about IP traffic going to and from network interfaces in VPC networks, providing critical visibility for security monitoring and forensic analysis.

Disabling VPC Flow Logs reduces network visibility and may indicate an attempt to evade detection before performing malicious activities.

Adversaries may disable flow logs to hide lateral movement, data exfiltration, or command and control traffic.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562.001
Required data connectorsGCPAuditLogsDefinition
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPVpcFlowLogsDisabled.yaml
Version1.0.0
Arm template8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a.json
Deploy To Azure
GCPAuditLogs
| where ServiceName == "networkmanagement.googleapis.com"
| where MethodName has_any ("VpcFlowLogsService.UpdateVpcFlowLogsConfig", "VpcFlowLogsService.DeleteVpcFlowLogsConfig")
| extend 
    RequestJson = parse_json(Request),
    RequestMetadataJson = parse_json(RequestMetadata),
    AuthInfoJson = parse_json(AuthenticationInfo),
    AuthzInfoJson = parse_json(AuthorizationInfo)
| extend 
    FlowLogsConfigName = split(GCPResourceName, "/")[-1],
    ConfigState = tostring(RequestJson.vpc_flow_logs_config.state),
    CallerIpAddress = tostring(RequestMetadataJson.callerIp),
    AuthEmail = tostring(AuthInfoJson.principalEmail),
    Permission = tostring(AuthzInfoJson[0].permission),
    PermissionType = tostring(AuthzInfoJson[0].permissionType),
    PermissionGranted = tostring(AuthzInfoJson[0].granted)
| where PermissionType == "ADMIN_WRITE"
| where MethodName has "DeleteVpcFlowLogsConfig" or ConfigState == "DISABLED"
| extend 
    Action = case(
        MethodName has "DeleteVpcFlowLogsConfig", "Deleted",
        ConfigState == "DISABLED", "Disabled",
        "Modified"),
    AccountName = tostring(split(PrincipalEmail, "@")[0]), 
    AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
          PrincipalEmail,
          AuthEmail,
          ProjectId,
          ResourceName = GCPResourceName,
          FlowLogsConfigName,
          Action,
          CallerIpAddress,
          MethodName,
          ServiceName,
          Severity,
          Permission,
          PermissionGranted,
          LogName,
          InsertId,
          AccountName,
          AccountUPNSuffix

name: GCP Audit Logs - VPC Flow Logs Disabled
kind: Scheduled
tags:
- GCP
- VPC Flow Logs
- Network Security
tactics:
- DefenseEvasion
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: GCP VPC Flow Logs {{FlowLogsConfigName}} {{Action}} by {{PrincipalEmail}}
  alertDescriptionFormat: |-
    GCP VPC Flow Logs configuration {{FlowLogsConfigName}} {{Action}} in project {{ProjectId}}.
    This action reduces network traffic visibility and may indicate an attempt to evade detection.    
    Investigate immediately to determine if this action was authorized and assess the security implications.
    Review recent network activity before the logs were disabled for signs of malicious behavior.    
queryFrequency: 1h
id: 8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
  dataTypes:
  - GCPAuditLogs
relevantTechniques:
- T1562.001
description: |
  'Detects when Google Cloud Platform VPC Flow Logs configurations are disabled or deleted.
  VPC Flow Logs capture information about IP traffic going to and from network interfaces in VPC networks, providing critical visibility for security monitoring and forensic analysis.
  Disabling VPC Flow Logs reduces network visibility and may indicate an attempt to evade detection before performing malicious activities.
  Adversaries may disable flow logs to hide lateral movement, data exfiltration, or command and control traffic.'  
customDetails:
  FlowLogsConfigName: FlowLogsConfigName
  Permission: Permission
  ResourceName: ResourceName
  ProjectId: ProjectId
  Action: Action
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: PrincipalEmail
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: CallerIpAddress
    identifier: Address
- entityType: CloudApplication
  fieldMappings:
  - columnName: ProjectId
    identifier: Name
  - columnName: ResourceName
    identifier: InstanceName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPVpcFlowLogsDisabled.yaml
queryPeriod: 1h
severity: High
query: |
  GCPAuditLogs
  | where ServiceName == "networkmanagement.googleapis.com"
  | where MethodName has_any ("VpcFlowLogsService.UpdateVpcFlowLogsConfig", "VpcFlowLogsService.DeleteVpcFlowLogsConfig")
  | extend 
      RequestJson = parse_json(Request),
      RequestMetadataJson = parse_json(RequestMetadata),
      AuthInfoJson = parse_json(AuthenticationInfo),
      AuthzInfoJson = parse_json(AuthorizationInfo)
  | extend 
      FlowLogsConfigName = split(GCPResourceName, "/")[-1],
      ConfigState = tostring(RequestJson.vpc_flow_logs_config.state),
      CallerIpAddress = tostring(RequestMetadataJson.callerIp),
      AuthEmail = tostring(AuthInfoJson.principalEmail),
      Permission = tostring(AuthzInfoJson[0].permission),
      PermissionType = tostring(AuthzInfoJson[0].permissionType),
      PermissionGranted = tostring(AuthzInfoJson[0].granted)
  | where PermissionType == "ADMIN_WRITE"
  | where MethodName has "DeleteVpcFlowLogsConfig" or ConfigState == "DISABLED"
  | extend 
      Action = case(
          MethodName has "DeleteVpcFlowLogsConfig", "Deleted",
          ConfigState == "DISABLED", "Disabled",
          "Modified"),
      AccountName = tostring(split(PrincipalEmail, "@")[0]), 
      AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
  | project TimeGenerated,
            PrincipalEmail,
            AuthEmail,
            ProjectId,
            ResourceName = GCPResourceName,
            FlowLogsConfigName,
            Action,
            CallerIpAddress,
            MethodName,
            ServiceName,
            Severity,
            Permission,
            PermissionGranted,
            LogName,
            InsertId,
            AccountName,
            AccountUPNSuffix