GCP Audit Logs - VPC Flow Logs Disabled
| Id | 8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a |
| Rulename | GCP Audit Logs - VPC Flow Logs Disabled |
| Description | Detects when Google Cloud Platform VPC Flow Logs configurations are disabled or deleted. VPC Flow Logs capture information about IP traffic going to and from network interfaces in VPC networks, providing critical visibility for security monitoring and forensic analysis. Disabling VPC Flow Logs reduces network visibility and may indicate an attempt to evade detection before performing malicious activities. Adversaries may disable flow logs to hide lateral movement, data exfiltration, or command and control traffic. |
| Severity | High |
| Tactics | DefenseEvasion |
| Techniques | T1562.001 |
| Required data connectors | GCPAuditLogsDefinition |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPVpcFlowLogsDisabled.yaml |
| Version | 1.0.0 |
| Arm template | 8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a.json |
GCPAuditLogs
| where ServiceName == "networkmanagement.googleapis.com"
| where MethodName has_any ("VpcFlowLogsService.UpdateVpcFlowLogsConfig", "VpcFlowLogsService.DeleteVpcFlowLogsConfig")
| extend
RequestJson = parse_json(Request),
RequestMetadataJson = parse_json(RequestMetadata),
AuthInfoJson = parse_json(AuthenticationInfo),
AuthzInfoJson = parse_json(AuthorizationInfo)
| extend
FlowLogsConfigName = split(GCPResourceName, "/")[-1],
ConfigState = tostring(RequestJson.vpc_flow_logs_config.state),
CallerIpAddress = tostring(RequestMetadataJson.callerIp),
AuthEmail = tostring(AuthInfoJson.principalEmail),
Permission = tostring(AuthzInfoJson[0].permission),
PermissionType = tostring(AuthzInfoJson[0].permissionType),
PermissionGranted = tostring(AuthzInfoJson[0].granted)
| where PermissionType == "ADMIN_WRITE"
| where MethodName has "DeleteVpcFlowLogsConfig" or ConfigState == "DISABLED"
| extend
Action = case(
MethodName has "DeleteVpcFlowLogsConfig", "Deleted",
ConfigState == "DISABLED", "Disabled",
"Modified"),
AccountName = tostring(split(PrincipalEmail, "@")[0]),
AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
PrincipalEmail,
AuthEmail,
ProjectId,
ResourceName = GCPResourceName,
FlowLogsConfigName,
Action,
CallerIpAddress,
MethodName,
ServiceName,
Severity,
Permission,
PermissionGranted,
LogName,
InsertId,
AccountName,
AccountUPNSuffix
name: GCP Audit Logs - VPC Flow Logs Disabled
relevantTechniques:
- T1562.001
id: 8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPVpcFlowLogsDisabled.yaml
requiredDataConnectors:
- dataTypes:
- GCPAuditLogs
connectorId: GCPAuditLogsDefinition
version: 1.0.0
severity: High
triggerThreshold: 0
tags:
- GCP
- VPC Flow Logs
- Network Security
queryPeriod: 1h
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: PrincipalEmail
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
entityType: Account
- fieldMappings:
- identifier: Address
columnName: CallerIpAddress
entityType: IP
- fieldMappings:
- identifier: Name
columnName: ProjectId
- identifier: InstanceName
columnName: ResourceName
entityType: CloudApplication
kind: Scheduled
alertDetailsOverride:
alertDisplayNameFormat: GCP VPC Flow Logs {{FlowLogsConfigName}} {{Action}} by {{PrincipalEmail}}
alertDescriptionFormat: |-
GCP VPC Flow Logs configuration {{FlowLogsConfigName}} {{Action}} in project {{ProjectId}}.
This action reduces network traffic visibility and may indicate an attempt to evade detection.
Investigate immediately to determine if this action was authorized and assess the security implications.
Review recent network activity before the logs were disabled for signs of malicious behavior.
queryFrequency: 1h
status: Available
query: |
GCPAuditLogs
| where ServiceName == "networkmanagement.googleapis.com"
| where MethodName has_any ("VpcFlowLogsService.UpdateVpcFlowLogsConfig", "VpcFlowLogsService.DeleteVpcFlowLogsConfig")
| extend
RequestJson = parse_json(Request),
RequestMetadataJson = parse_json(RequestMetadata),
AuthInfoJson = parse_json(AuthenticationInfo),
AuthzInfoJson = parse_json(AuthorizationInfo)
| extend
FlowLogsConfigName = split(GCPResourceName, "/")[-1],
ConfigState = tostring(RequestJson.vpc_flow_logs_config.state),
CallerIpAddress = tostring(RequestMetadataJson.callerIp),
AuthEmail = tostring(AuthInfoJson.principalEmail),
Permission = tostring(AuthzInfoJson[0].permission),
PermissionType = tostring(AuthzInfoJson[0].permissionType),
PermissionGranted = tostring(AuthzInfoJson[0].granted)
| where PermissionType == "ADMIN_WRITE"
| where MethodName has "DeleteVpcFlowLogsConfig" or ConfigState == "DISABLED"
| extend
Action = case(
MethodName has "DeleteVpcFlowLogsConfig", "Deleted",
ConfigState == "DISABLED", "Disabled",
"Modified"),
AccountName = tostring(split(PrincipalEmail, "@")[0]),
AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
PrincipalEmail,
AuthEmail,
ProjectId,
ResourceName = GCPResourceName,
FlowLogsConfigName,
Action,
CallerIpAddress,
MethodName,
ServiceName,
Severity,
Permission,
PermissionGranted,
LogName,
InsertId,
AccountName,
AccountUPNSuffix
tactics:
- DefenseEvasion
customDetails:
Action: Action
FlowLogsConfigName: FlowLogsConfigName
Permission: Permission
ProjectId: ProjectId
ResourceName: ResourceName
description: |
'Detects when Google Cloud Platform VPC Flow Logs configurations are disabled or deleted.
VPC Flow Logs capture information about IP traffic going to and from network interfaces in VPC networks, providing critical visibility for security monitoring and forensic analysis.
Disabling VPC Flow Logs reduces network visibility and may indicate an attempt to evade detection before performing malicious activities.
Adversaries may disable flow logs to hide lateral movement, data exfiltration, or command and control traffic.'
triggerOperator: gt