Quick Start Security for GCP Cloud VPN
Coralogix Extension For GCP Cloud VPN Includes:
Alerts - 7
Stay on top of GCP Cloud VPN key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Cloud Router Was Deleted
This alert gets triggered when a cloud router is deleted by a user. Cloud Router enables you to dynamically exchange routes between your Virtual Private Cloud (VPC) and a peer network by using Border Gateway Protocol (BGP).
Impact
Routers establish the routes for network traffic from a virtual machine (VM) instance to various destinations. Modifying or deleting the router will disrupt the flow of connection traffic between multiple interconnected devices such as VMs, instances, VPCs, LANs, etc. Consequently, this will render network connections unreachable, cause service downtime, halt connections, and lead to other interruptions related to network connectivity.
Mitigation
Examine the logs and assess the utilization of the router and associated services. If it relates to a critical/production service, promptly reach out to the user for justification. If there is business approval, you may close the case. Otherwise, contact the engineering team to configure the new router according to existing requirements and verify the affected service to ensure normal network operation. Additionally, consider downgrading or revoking user access as appropriate.
MITRE Tactic: TA0040
MITRE Technique: T1489
VLAN Attachment Was Deleted
This alert gets triggered when a VLAN attachment is deleted. VLAN attachments (also known as interconnectAttachments) determine which Virtual Private Cloud (VPC) networks can reach your on-premises network through a Dedicated Interconnect connection.
Impact
The function of a virtual LAN is to facilitate communication between LANs and their associated devices. Removing VLAN attachments will disrupt connections between internal devices and linked LANs. This action could result in network downtime, unreachability, service interruptions, and disruptions to business operations.
Mitigation
Review the logs and inspect the type of VLAN attachment and associated services. If it pertains to a critical or production service, promptly reach out to the user for justification. If there is business approval, you may proceed to close the case. Otherwise, contact the engineering team to configure the new VLAN according to the existing requirements and verify the impacted service to ensure smooth network operation. Additionally, consider downgrading or revoking the user's access as necessary.
MITRE Tactic: TA0040
MITRE Technique: T1489
VPN Gateway Was Deleted
This alert gets triggered when a VPN gateway is deleted. VPN gateways provide secure connectivity between multiple sites, such as on-premises data centers, Google Cloud Virtual Private Cloud (VPC) networks, and Google Cloud VMware Engine private clouds.
Impact
The VPN gateway is crucial for networking, traffic flows, integrations, and secure encrypted paths. Any misconfiguration or deletion can disrupt the connection path and halt the service. The dedicated network VPC flow may be interrupted, failing to reach its destination as required. This can lead to major operational outages, unreachable connections, service downtime, exposure to unauthorized users, and security breaches.
Mitigation
Analyze the logs to determine the type of VPN gateway and connected services. If it is a critical or production service, immediately contact the user for justification. If there is business approval, you can close the case. Otherwise, contact the engineering team to reconfigure the VPC according to existing requirements and validate the impacted service to ensure the network operates as expected. Additionally, consider downgrading or removing the user's access as a corrective measure.
MITRE Tactic: TA0040
MITRE Technique: T1489
External VPN Gateway Was Deleted
This alert gets triggered when an external VPN gateway is deleted. Peer gateways enable local forwarding of packets without the need to cross the VPC peer link. Configuring the peer gateway feature must be done on both primary and secondary VPN peers and is non-disruptive to the operations of the device or to the VPC traffic.
Impact
A peer VPN gateway is crucial for VPC networking, traffic flows, and secure encrypted paths. Any misconfiguration or deletion can disrupt the connection path and halt services. The dedicated network VPC flow may be interrupted, failing to reach the intended destination. This can lead to major operational outages, unreachable connections, service downtime, exposure to unauthorized users, security breaches, and other issues.
Mitigation
Analyze the logs to identify the type of VPN gateway and connected services. If it is a critical or production service, immediately contact the user for justification. If there is business approval, close the case. Otherwise, contact the engineering team to reconfigure the VPC according to existing requirements and validate the impacted service to ensure the network operates as expected. Additionally, consider downgrading or removing the user's access as a corrective measure.
MITRE Tactic: TA0040
MITRE Technique: T1489
User Permissions Granted to Hub
This alert gets triggered when a new user is granted admin/owner permissions on a network hub. Network Connectivity Center is a network connectivity product that employs a hub-and-spoke architecture for the management of hybrid connectivity.
Note: To suppress alerts for known accounts or domains, whitelist the genuine domain accounts in "protoPayload.authenticationInfo.principalEmail" and the expected permissions in the "role" field as required.
Impact
An unauthorized user or service account with high privileges can significantly impact your cloud environment. Users with admin or owner permissions can edit, move, and delete critical events, leading to service interruptions, privilege escalations, unauthorized access, modification of critical services and configurations, the creation of backdoors, exposure of Tor IPs to the public internet, and other critical activities.
Mitigation
Identify the user who added the account and determine the respective domain. Contact the IT team to check if there were any new hires or procurements for the alerted domain/user. If there were, request the approval ticket for access and close the case accordingly. If not, have the user account removed. Then, analyze the logs from the past few hours to ensure no critical or unusual activities were performed by the unknown user.
MITRE Tactic: TA0004
MITRE Technique: T1098
Network Hub Was Deleted
This alert gets triggered when a user deletes a network hub. Network Connectivity Center is a network connectivity product that employs a hub-and-spoke architecture for the management of hybrid connectivity.
Note: Add your production labels/tagging schema and a count threshold to the query to receive only the critical alerts.
Impact
The hub-and-spoke model is a network design where a central device, or hub, connects to multiple other devices, or spokes. Each spoke acts as a channel for centralized traffic flow. If critical spokes are deleted, it can disrupt network traffic and its intended pathways. This can impact network logging, connection flow, operational uptime, and accessibility, and potentially cause major network outages with significant business implications.
Mitigation
Analyze the event logs to identify the service and its type. If it is a critical or production service, contact the user for justification and take appropriate action based on their response. If the service was deleted by mistake, contact the engineering team to recreate the service with the same configurations. Validate the impacted service to ensure the network operates as expected.
MITRE Tactic: TA0040
MITRE Technique: T1489
Network Spoke Was Deleted
This alert gets triggered when a user deletes a network spoke. Network Connectivity Center is a network connectivity product that employs a hub-and-spoke architecture for the management of hybrid connectivity.
Note: Add a count threshold to receive an alert only for bulk deletions.
Impact
The hub-and-spoke model is a network design where a central device, or hub, connects to multiple other devices, or spokes. The spokes serve as channels for centralized traffic flow. If critical spokes are removed, this can disrupt network traffic and its designated pathways. Consequently, this may affect network logging, connection flow, operational uptime, and accessibility, and could potentially lead to major network outages with significant business repercussions.
Mitigation
Analyze the event logs to identify the service and its type. If it is a critical or production service, contact the user for justification and take appropriate action based on their response. If the service was mistakenly deleted, reach out to the engineering team to recreate the service with the same configurations. Validate the impacted service to ensure the network operates as expected.
MITRE Tactic: TA0040
MITRE Technique: T1489
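As an added example (not part of the Coralogix extension or its queries), the following Python shows how the seven alerts above can be expressed over Cloud Audit Log entries: deletion events map to the six deletion alerts, the hub permission alert honours a principalEmail domain whitelist and a role filter as the tuning note describes, and spoke deletions are counted against a bulk threshold as the spoke alert's note suggests. The methodName values, the role names and the serviceData.policyDelta layout are assumptions to verify against your own project's logs, and the sample entries are constructed.

```python
from collections import Counter

# Assumed Cloud Audit Log methodName values (not taken from the page); verify
# them against protoPayload.methodName in your own logs before relying on them.
DELETE_METHODS = {
    "v1.compute.routers.delete": "Cloud Router Was Deleted",
    "v1.compute.interconnectAttachments.delete": "VLAN Attachment Was Deleted",
    "v1.compute.vpnGateways.delete": "VPN Gateway Was Deleted",
    "v1.compute.externalVpnGateways.delete": "External VPN Gateway Was Deleted",
    "google.cloud.networkconnectivity.v1.HubService.DeleteHub": "Network Hub Was Deleted",
    "google.cloud.networkconnectivity.v1.HubService.DeleteSpoke": "Network Spoke Was Deleted",
}
HUB_IAM_METHOD = "google.cloud.networkconnectivity.v1.HubService.SetIamPolicy"  # assumed
PRIVILEGED_ROLES = {"roles/owner", "roles/networkconnectivity.hubAdmin"}        # assumed
TRUSTED_DOMAINS = {"corp.example"}  # constructed whitelist of principalEmail domains
SPOKE_BULK_THRESHOLD = 2            # count threshold from the spoke alert's note

def classify(entry, trusted_domains=TRUSTED_DOMAINS):
    """Return the alert name one audit-log entry should raise, or None."""
    pp = entry.get("protoPayload", {})
    method = pp.get("methodName", "")
    if method in DELETE_METHODS:
        return DELETE_METHODS[method]
    if method != HUB_IAM_METHOD:
        return None
    actor = pp.get("authenticationInfo", {}).get("principalEmail", "")
    if actor.rsplit("@", 1)[-1].lower() in trusted_domains:
        return None  # whitelisted domain, as the hub alert's tuning note allows
    # Assumed layout of the IAM change record: serviceData.policyDelta.bindingDeltas[]
    deltas = pp.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    if any(d.get("action") == "ADD" and d.get("role") in PRIVILEGED_ROLES for d in deltas):
        return "User Permissions Granted to Hub"
    return None

def bulk_spoke_deletions(entries, threshold=SPOKE_BULK_THRESHOLD):
    # Principals that deleted at least `threshold` spokes within the batch
    counts = Counter(e["protoPayload"]["authenticationInfo"]["principalEmail"]
                     for e in entries if classify(e) == "Network Spoke Was Deleted")
    return {p: n for p, n in counts.items() if n >= threshold}

def _entry(method, actor, **extra):  # builder for constructed sample entries
    return {"protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": actor}, **extra}}

SAMPLE_LOGS = [  # constructed sample data, not real audit logs
    _entry("v1.compute.vpnGateways.delete", "eve@unknown.example"),
    _entry(HUB_IAM_METHOD, "eve@unknown.example", serviceData={"policyDelta": {"bindingDeltas": [
        {"action": "ADD", "role": "roles/owner", "member": "user:eve@unknown.example"}]}}),
    _entry("google.cloud.networkconnectivity.v1.HubService.DeleteSpoke", "bob@corp.example"),
    _entry("google.cloud.networkconnectivity.v1.HubService.DeleteSpoke", "bob@corp.example"),
]
```

Feed `classify` each entry as it arrives and run `bulk_spoke_deletions` over a time window to get the threshold behaviour the notes describe.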
Integration
Learn more about Coralogix's out-of-the-box integration with GCP Cloud VPN in our documentation.