GCP Audit Logs - VPC Flow Logs Disabled
| Id | 8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a |
| Rulename | GCP Audit Logs - VPC Flow Logs Disabled |
| Description | Detects when Google Cloud Platform VPC Flow Logs configurations are disabled or deleted. VPC Flow Logs capture information about IP traffic going to and from network interfaces in VPC networks, providing critical visibility for security monitoring and forensic analysis. Disabling VPC Flow Logs reduces network visibility and may indicate an attempt to evade detection before performing malicious activities. Adversaries may disable flow logs to hide lateral movement, data exfiltration, or command and control traffic. |
| Severity | High |
| Tactics | DefenseEvasion |
| Techniques | T1562.001 |
| Required data connectors | GCPAuditLogsDefinition |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPVpcFlowLogsDisabled.yaml |
| Version | 1.0.0 |
| Arm template | 8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a.json |
GCPAuditLogs
| where ServiceName == "networkmanagement.googleapis.com"
| where MethodName has_any ("VpcFlowLogsService.UpdateVpcFlowLogsConfig", "VpcFlowLogsService.DeleteVpcFlowLogsConfig")
| extend
RequestJson = parse_json(Request),
RequestMetadataJson = parse_json(RequestMetadata),
AuthInfoJson = parse_json(AuthenticationInfo),
AuthzInfoJson = parse_json(AuthorizationInfo)
| extend
FlowLogsConfigName = split(GCPResourceName, "/")[-1],
ConfigState = tostring(RequestJson.vpc_flow_logs_config.state),
CallerIpAddress = tostring(RequestMetadataJson.callerIp),
AuthEmail = tostring(AuthInfoJson.principalEmail),
Permission = tostring(AuthzInfoJson[0].permission),
PermissionType = tostring(AuthzInfoJson[0].permissionType),
PermissionGranted = tostring(AuthzInfoJson[0].granted)
| where PermissionType == "ADMIN_WRITE"
| where MethodName has "DeleteVpcFlowLogsConfig" or ConfigState == "DISABLED"
| extend
Action = case(
MethodName has "DeleteVpcFlowLogsConfig", "Deleted",
ConfigState == "DISABLED", "Disabled",
"Modified"),
AccountName = tostring(split(PrincipalEmail, "@")[0]),
AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
PrincipalEmail,
AuthEmail,
ProjectId,
ResourceName = GCPResourceName,
FlowLogsConfigName,
Action,
CallerIpAddress,
MethodName,
ServiceName,
Severity,
Permission,
PermissionGranted,
LogName,
InsertId,
AccountName,
AccountUPNSuffix
severity: High
queryPeriod: 1h
name: GCP Audit Logs - VPC Flow Logs Disabled
tags:
- GCP
- VPC Flow Logs
- Network Security
entityMappings:
- fieldMappings:
- columnName: PrincipalEmail
identifier: FullName
- columnName: AccountName
identifier: Name
- columnName: AccountUPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: CallerIpAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: ProjectId
identifier: Name
- columnName: ResourceName
identifier: InstanceName
entityType: CloudApplication
alertDetailsOverride:
alertDescriptionFormat: |-
GCP VPC Flow Logs configuration {{FlowLogsConfigName}} {{Action}} in project {{ProjectId}}.
This action reduces network traffic visibility and may indicate an attempt to evade detection.
Investigate immediately to determine if this action was authorized and assess the security implications.
Review recent network activity before the logs were disabled for signs of malicious behavior.
alertDisplayNameFormat: GCP VPC Flow Logs {{FlowLogsConfigName}} {{Action}} by {{PrincipalEmail}}
version: 1.0.0
relevantTechniques:
- T1562.001
status: Available
id: 8f3e9c2d-5b4a-4d6e-9a7c-2f8b5e1d3c9a
queryFrequency: 1h
triggerThreshold: 0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google Cloud Platform Audit Logs/Analytic Rules/GCPVpcFlowLogsDisabled.yaml
query: |
GCPAuditLogs
| where ServiceName == "networkmanagement.googleapis.com"
| where MethodName has_any ("VpcFlowLogsService.UpdateVpcFlowLogsConfig", "VpcFlowLogsService.DeleteVpcFlowLogsConfig")
| extend
RequestJson = parse_json(Request),
RequestMetadataJson = parse_json(RequestMetadata),
AuthInfoJson = parse_json(AuthenticationInfo),
AuthzInfoJson = parse_json(AuthorizationInfo)
| extend
FlowLogsConfigName = split(GCPResourceName, "/")[-1],
ConfigState = tostring(RequestJson.vpc_flow_logs_config.state),
CallerIpAddress = tostring(RequestMetadataJson.callerIp),
AuthEmail = tostring(AuthInfoJson.principalEmail),
Permission = tostring(AuthzInfoJson[0].permission),
PermissionType = tostring(AuthzInfoJson[0].permissionType),
PermissionGranted = tostring(AuthzInfoJson[0].granted)
| where PermissionType == "ADMIN_WRITE"
| where MethodName has "DeleteVpcFlowLogsConfig" or ConfigState == "DISABLED"
| extend
Action = case(
MethodName has "DeleteVpcFlowLogsConfig", "Deleted",
ConfigState == "DISABLED", "Disabled",
"Modified"),
AccountName = tostring(split(PrincipalEmail, "@")[0]),
AccountUPNSuffix = tostring(split(PrincipalEmail, "@")[1])
| project TimeGenerated,
PrincipalEmail,
AuthEmail,
ProjectId,
ResourceName = GCPResourceName,
FlowLogsConfigName,
Action,
CallerIpAddress,
MethodName,
ServiceName,
Severity,
Permission,
PermissionGranted,
LogName,
InsertId,
AccountName,
AccountUPNSuffix
customDetails:
ProjectId: ProjectId
FlowLogsConfigName: FlowLogsConfigName
Permission: Permission
ResourceName: ResourceName
Action: Action
description: |
'Detects when Google Cloud Platform VPC Flow Logs configurations are disabled or deleted.
VPC Flow Logs capture information about IP traffic going to and from network interfaces in VPC networks, providing critical visibility for security monitoring and forensic analysis.
Disabling VPC Flow Logs reduces network visibility and may indicate an attempt to evade detection before performing malicious activities.
Adversaries may disable flow logs to hide lateral movement, data exfiltration, or command and control traffic.'
requiredDataConnectors:
- connectorId: GCPAuditLogsDefinition
dataTypes:
- GCPAuditLogs
tactics:
- DefenseEvasion
kind: Scheduled