
Quick Start Security for GCP Compute Engine


Coralogix Extension For GCP Compute Engine Includes:

Alerts - 15

Stay on top of GCP Compute Engine key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A New User Added to a VM Instance With Owner Permissions Full Access

This alert is triggered when a new user is added to an existing VM instance as an owner with full access.

Impact: Verifying that a user added to a VM instance is authorized is crucial. An unauthorized user on a VM can lead to data exfiltration, configuration changes, and a significant impact on business operations.

Mitigation: Reach out to the individual who added the user, request an approval ticket for that user, and proceed based on the approval provided.

MITRE Tactic: TA0004, MITRE Technique: T1098

A VM Migration Service was Enabled

This alert is triggered when a VM migration service is enabled. Migrate to VMs uses Google Cloud projects to control the migration process (the host project) and as the target environment (the target projects). A host project is required; you can optionally add one or more target projects as destinations for the migrated VMs.

Impact: Ideally, migrations let the operations team use the environment as both host and target. However, the activation must be monitored closely, because migrations incur significant costs that scale with storage size: overall cloud migration expenses can range from $5,000 for smaller workloads to $500,000 and beyond for more extensive ones. Also check the destination the migration is scheduled for and confirm that access is assigned to authorized users only.

Mitigation: Contact the user or owner and ask what business approval was obtained for enabling this service. Gather information on the use case (creating a new application, deployment, API integration, etc.) and take the next course of action accordingly.

MITRE Tactic: TA0042, MITRE Technique: T1585

A New API Key was Created

This alert is triggered when a new API key is created for further integrations and use.

Impact: Misuse of the API key can result in unauthorized access to your internal data, logs, and administrative activities. The extent of that access depends on the type of API key that was generated.

Mitigation: Get in touch with the user, request business justification, and ensure the key is handled with care: do not share it with unauthorized individuals, and rotate keys when necessary.

MITRE Tactic: TA0042, MITRE Technique: T1585

An API Key was Deleted

This alert is triggered when an API key is deleted.

Impact: This can disrupt operations, affect production services, and break integrations. Ideally, a key should only be deleted when its purpose has been fulfilled or when it has been compromised.

Mitigation: Reach out to the user to determine whether the deletion was part of testing or whether a legitimate key was removed by accident. If a production key was deleted in error, create a new key promptly and carefully replace it in the production code.

MITRE Tactic: TA0040, MITRE Technique: T1485

New OAuth Application was Configured

This alert is triggered when a user configures a new OAuth application. This can be any type of application: Android, web app, iOS, etc.

Impact: An unauthorized OAuth application may be granted access through assigned users in your network via SAML or OAuth login, and it may not have undergone the security checks required by your corporate policy. This could result in a data breach and potential misuse.

Mitigation: Verify that the IT and security teams have carried out the application procurement and deployment in line with the corporate vendor management policy. Only after this confirmation, proceed with the OAuth configuration and assign the appropriate individuals to the application.

MITRE Tactic: TA0042, MITRE Technique: T1585

An Existing OAuth Application was Deleted

This alert is triggered when an existing OAuth application is deleted.

Impact: Deleting a production OAuth application that is currently in use can have significant business impact, including service downtime, operational disruption, financial loss, and restricted customer access.

Mitigation: Promptly reach out to the user and establish whether the deletion was part of testing or a legitimate action. Ask for the reason the application was deleted and proceed accordingly: if the deletion was genuinely approved, close the case; otherwise create a new application with the same configuration and update the impacted services.

MITRE Tactic: TA0040, MITRE Technique: T1485

External Public IP was Configured

This alert is triggered when an external IP is configured on a VM instance.

Impact: An external public IP address expands the attack surface of the resource and increases its exposure to internet-based attacks. It may also lead to compliance violations if the resource holds sensitive data that is meant to remain unreachable from the internet.

Mitigation: Follow security best practices to limit the exposure that an external public IP address introduces: restrict access to the resource with firewall rules, monitor consistently for suspicious activity, and apply security patches and updates promptly. Also consider whether the external public IP address is necessary at all, and explore alternative access methods such as VPNs or private networks where applicable.

MITRE Tactic: TA0001, MITRE Technique: T1190

Connection through Serial Ports was Enabled

This alert is triggered when the "Enable connecting to serial ports" setting is enabled on an instance.

Impact: The serial port, commonly known as the interactive serial console, operates like a terminal window: it runs entirely in text mode, with no graphical interface or mouse support. Enabling this feature on an instance allows clients to connect to the instance remotely from any IP address.

Mitigation: Check whether a project-wide SSH key was used to access the VM instance, verify that no unauthorized changes were made, and disable the serial port connection if there is no business use for it. If the setting is active, disable it by editing the instance and turning it off under Basic Information > Remote Access.

MITRE Tactic: TA0001, MITRE Technique: T1133

Block Project-Wide SSH Keys Feature was Disabled

This alert is triggered when the "Block Project-Wide SSH Keys" security feature is disabled on an instance.

Impact: When "Block Project-Wide SSH Keys" is enabled, Google Compute Engine (GCE) ignores project-wide (shared) public SSH keys for the instance. With the feature disabled, the instance uses project-wide (shared) public SSH keys instead of relying on instance-level SSH keys alone. Many SSH keys are long dormant and forgotten and, just like orphaned accounts, they can provide a backdoor into critical servers. Once one server and SSH key are compromised, an attacker could move laterally and find more hidden keys.

Mitigation: If this feature is turned off, it can be turned on while the instance is running from the "Security and Access" section. Ensure that it is enabled. Note: instances created by Google Kubernetes Engine (GKE) use different settings and are exempt from this procedure; GKE-created instances are prefixed with "gke-" and labeled "goog-gke-node".

MITRE Tactic: TA0001, MITRE Technique: T1133

A New User Added to a VM Instance

This alert is triggered when a new user is added to an existing VM instance. The permission can be anything: editor, reader, a service-specific role, etc.

Impact: It is crucial to verify the user added to a VM instance and confirm that their access is authorized. Adding an unauthorized user to a VM can lead to data exfiltration, configuration changes, and significant business impact.

Mitigation: Reach out to the owner who added the user, request an approval ticket for that user, and proceed with the appropriate actions based on the approval provided.

MITRE Tactic: TA0004, MITRE Technique: T1098

Multiple VM Instances Deleted

This alert is triggered when multiple VM instances are deleted within a specific time interval. Note: the default condition for this alert is more than 10 VM deletions in 15 minutes. Fine-tune the condition to your requirements.

Impact: Monitoring VM deletions in production accounts is crucial. Deletion activity of this kind should normally not occur in production or critical accounts; if it does, it can have a significant impact on business operations, leading to data loss, service downtime, and other critical consequences.

Mitigation: Verify that the VM deletion protection setting is enabled for critical and production accounts. If a deletion event occurs in a critical account, promptly contact the user to obtain business approval and proceed with the necessary actions.

MITRE Tactic: TA0040, MITRE Technique: T1489

VM Instance was Launched with IP Forwarding Set to Enabled

This alert is triggered when IP forwarding is enabled on a VM instance.

Impact: IP forwarding allows the virtual machine (VM) attached to the network interface to accept network traffic that is not addressed to any of the IP addresses in the interface's IP configurations, and to send network traffic with a source IP address different from any address assigned to the interface.

Mitigation: Regularly review all NICs with IP forwarding enabled for security and compliance purposes. IP forwarding should only be used by virtual machines that need to forward traffic, commonly referred to as network virtual appliances. Promptly contact the user, examine the IP forwarding routes, and assess the business use case. Ensure that the VM is properly logged and monitored so that unusual activity can be detected.

MITRE Tactic: TA0042, MITRE Technique: T1585

Multiple VMs Suspended OR Stopped

This alert is triggered when multiple VM instances are suspended or stopped within a specific time interval. Note: the default condition for this alert is more than 10 VMs in 15 minutes. Fine-tune the condition to your requirements.

Impact: Suspended instances preserve the guest OS memory, device, and application state, and Google charges for the storage needed to save instance memory. An instance can only be suspended for up to 60 days; after 60 days it is automatically moved to the TERMINATED state. Check that unnecessary VMs are not left running, as this can have high cost implications depending on the configuration set by the user. Conversely, if a critical instance was suspended or stopped by an unauthorized user or by mistake, this may impact business operations and integrations and cause service downtime.

Mitigation: Check with the user whether the VM is still needed; if not, have it deleted so the cost is saved, and close the case. If a critical instance was suspended or stopped by mistake, resume or start it immediately.

MITRE Tactic: TA0040, MITRE Technique: T1529

Multiple VM Instances Launched

This alert is triggered when multiple VM instances are launched within a specific time interval. Note: the default threshold for this alert is more than 15 instances in 15 minutes. Fine-tune this condition to your requirements.

Impact: Monitoring new VM launches is crucial, as they carry significant cost, operational implications, and potential impact on services. A single misconfiguration could expose the instance to external attackers or lead to data leakage. Bulk creation can indicate unauthorized access and unusual resource consumption.

Mitigation: Examine the configuration settings and reach out to the user if security best practices have not been followed, ensuring the necessary corrections are made. It is advisable to create a checklist and whitelist the approved configuration in the alert system, so that alerts are only triggered for launches that deviate from the established norms.

MITRE Tactic: TA0008, MITRE Technique: T1021
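The three threshold alerts above (multiple deletions, multiple suspend/stop events, multiple launches) share one detection shape: count matching Cloud Audit Log events in a sliding 15-minute window and fire when the count exceeds the stated threshold. The following is an added example of that logic, not Coralogix's own rule implementation; it assumes audit entries carry protoPayload.methodName values such as v1.compute.instances.delete and a principalEmail, and the sample entries are constructed.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Thresholds as stated on the page: more than 10 deletions or more than 10
# suspend/stop events in 15 minutes, more than 15 launches in 15 minutes.
WINDOW = timedelta(minutes=15)
RULES = {
    "Multiple VM Instances Deleted": ({"v1.compute.instances.delete"}, 10),
    "Multiple VMs Suspended OR Stopped": (
        {"v1.compute.instances.stop", "v1.compute.instances.suspend"}, 10),
    "Multiple VM Instances Launched": ({"v1.compute.instances.insert"}, 15),
}

def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate(entries):
    """Sliding-window count of audit events per rule. Returns one
    (rule, principal, count, timestamp) tuple each time a rule's count
    first exceeds its threshold within the 15-minute window."""
    windows = {name: deque() for name in RULES}
    alerts = []
    for entry in sorted(entries, key=lambda e: e["timestamp"]):
        ts = parse_ts(entry["timestamp"])
        method = entry["protoPayload"]["methodName"]
        for name, (methods, threshold) in RULES.items():
            if method not in methods:
                continue
            window = windows[name]
            window.append(ts)
            while ts - window[0] > WINDOW:  # drop events older than 15 min
                window.popleft()
            if len(window) == threshold + 1:  # fire once per burst
                who = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
                alerts.append((name, who, len(window), ts))
    return alerts

def make_entry(method, ts, principal="constructed-user@example.com"):
    """Constructed minimal Cloud Audit Log entry; real entries carry many more fields."""
    return {"timestamp": ts.isoformat().replace("+00:00", "Z"),
            "protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal}}}

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
# Constructed burst: 12 deletions 30 s apart (fires once), then 3 stops (does not fire).
SAMPLE = [make_entry("v1.compute.instances.delete", T0 + timedelta(seconds=30 * i)) for i in range(12)]
SAMPLE += [make_entry("v1.compute.instances.stop", T0 + timedelta(minutes=20 + i)) for i in range(3)]
```

Running evaluate(SAMPLE) yields a single alert for the deletion rule at the 11th deletion; the same 12 deletions spread 20 minutes apart produce none, which is the tuning knob the page tells you to adjust.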

Delete Protection was Disabled for VM Instance

This alert is triggered when deletion protection is disabled for a VM instance.

Impact: Deletion protection ensures that the VM instance cannot be deleted unintentionally, a valuable safeguard for instances with mission-critical or production use cases. Unintentional deletion may affect running services, cause data loss, break integrations, etc.

Mitigation: Verify whether disabling deletion protection was authorized; if not, re-enable it and conduct a thorough investigation. Once deactivated, the setting can be reactivated in the Basic Information section under deletion protection.

MITRE Tactic: TA0040, MITRE Technique: T1529
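Five of the alerts above (external public IP, serial port access, block project-wide SSH keys, IP forwarding, deletion protection) are checks on the instance's own configuration rather than on event counts. The following is an added example, not Coralogix's or Google's code, of evaluating those conditions against a Compute Engine instance resource; it assumes the field names canIpForward, deletionProtection, labels, metadata.items and networkInterfaces[].accessConfigs[].natIP as returned by the Compute API, and the sample instance is constructed.

```python
def _truthy(value):
    # GCE metadata values are strings; "1" and "TRUE" (any case) mean enabled.
    return str(value).strip().lower() in ("1", "true")

def risky_settings(instance):
    """Return the names of the page's configuration alerts whose risky
    condition the given instance resource currently satisfies."""
    findings = []
    meta = {item["key"]: item["value"]
            for item in instance.get("metadata", {}).get("items", [])}
    labels = instance.get("labels", {})
    # External Public IP: any access config carrying a NAT IP exposes the VM.
    if any(ac.get("natIP") for nic in instance.get("networkInterfaces", [])
           for ac in nic.get("accessConfigs", [])):
        findings.append("External Public IP was Configured")
    # Serial console: metadata key serial-port-enable set to 1/TRUE.
    if _truthy(meta.get("serial-port-enable", "0")):
        findings.append("Connection through Serial Ports was Enabled")
    # Project-wide SSH keys are accepted unless block-project-ssh-keys is TRUE;
    # GKE nodes (name prefix gke- or label goog-gke-node) are exempt, as the page notes.
    is_gke = instance.get("name", "").startswith("gke-") or "goog-gke-node" in labels
    if not is_gke and not _truthy(meta.get("block-project-ssh-keys", "false")):
        findings.append("Block Project-Wide SSH Keys Feature was Disabled")
    if instance.get("canIpForward", False):
        findings.append("VM Instance was Launched with IP Forwarding Set to Enabled")
    if not instance.get("deletionProtection", False):
        findings.append("Delete Protection was Disabled for VM Instance")
    return findings

# Constructed sample instance resource (not a real API response); every check fires.
SAMPLE_INSTANCE = {
    "name": "web-frontend-1",
    "canIpForward": True,
    "deletionProtection": False,
    "labels": {"env": "prod"},
    "metadata": {"items": [{"key": "serial-port-enable", "value": "TRUE"},
                           {"key": "block-project-ssh-keys", "value": "FALSE"}]},
    "networkInterfaces": [{"network": "global/networks/default",
                           "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}],
}
```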

Integration

Learn more about Coralogix's out-of-the-box integration with GCP Compute Engine in our documentation.
