Skip to content

Latest commit

 

History

History
132 lines (110 loc) · 3.81 KB

3.02.md

File metadata and controls

132 lines (110 loc) · 3.81 KB
Raw

3.02 - Disabling VPC Flows logging

Disabling VPC Flows logging.

Category: Cloud Provisioning Activity
Use Cases: Detect
Data Sources: Audit Logs - Admin Activity

Queries or Rules

BigQuery Log Analytics Google SecOps
SQL SQL Contribute rule

Event Generation

Update the configuration of a subnet and disable VPC Flow logging.

Test Prerequisites

  1. Install gcloud
  2. Create a custom VPC Subnet

Test Input

Name Description Type Default Value
subnet test subnet to modify VPC Flow logging String test-subnet

Test Commands

gcloud compute networks subnets update #{subnet} --no-enable-flow-log

Sample Event

google.v1.compute.subnetworks.patch-disableFlowLogs

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "[email protected]"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "callerSuppliedUserAgent": "<redacted>",
      "requestAttributes": {
        "time": "2022-09-20T13:41:37.743273Z",
        "reason": "1234567891234567891",
        "auth": {
        }
      },
      "destinationAttributes": {
      }
    },
    "serviceName": "compute.googleapis.com",
    "methodName": "v1.compute.subnetworks.patch",
    "authorizationInfo": [
      {
        "permission": "compute.subnetworks.update",
        "granted": true,
        "resourceAttributes": {
          "service": "compute",
          "name": "projects/1234/regions/us-central1/subnetworks/subnet-1",
          "type": "compute.subnetworks"
        }
      }
    ],
    "resourceName": "projects/1234/regions/us-central1/subnetworks/subnet-1",
    "request": {
      "enableFlowLogs": false,
      "@type": "type.googleapis.com/compute.subnetworks.patch",
      "fingerprint": "1234567891234567891"
    },
    "response": {
      "name": "operation-1234567891234567891",
      "id": "1234567891234567891",
      "startTime": "2022-09-20T06:41:37.700-07:00",
      "region": "https://www.googleapis.com/compute/v1/projects/1234/regions/us-central1",
      "insertTime": "2022-09-20T06:41:37.699-07:00",
      "operationType": "compute.subnetworks.patch",
      "user": "[email protected]",
      "targetLink": "https://www.googleapis.com/compute/v1/projects/1234/regions/us-central1/subnetworks/subnet-1",
      "status": "DONE",
      "selfLink": "https://www.googleapis.com/compute/v1/projects/1234/regions/us-central1/operations/operation-1234567891234567891",
      "@type": "type.googleapis.com/operation",
      "selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/1234/regions/us-central1/operations/1234567891234567891",
      "progress": "100",
      "endTime": "2022-09-20T06:41:37.700-07:00",
      "targetId": "1234567891234567891"
    },
    "resourceLocation": {
      "currentLocations": [
        "us-central1"
      ]
    }
  },
  "insertId": "1234567891234567891",
  "resource": {
    "type": "gce_subnetwork",
    "labels": {
      "subnetwork_name": "subnet-1",
      "project_id": "1234",
      "subnetwork_id": "1234567891234567891",
      "location": "us-central1"
    }
  },
  "timestamp": "2022-09-20T13:41:37.380381Z",
  "severity": "NOTICE",
  "logName": "projects/1234/logs/cloudaudit.googleapis.com%2Factivity",
  "operation": {
    "id": "operation-1234567891234567891",
    "producer": "compute.googleapis.com",
    "first": true,
    "last": true
  },
  "receiveTimestamp": "2022-09-20T13:41:38.678988188Z"
}