
Quick Start Security for GCP VPC


Coralogix Extension For GCP VPC Includes:

Alerts - 8

Stay on top of GCP VPC key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Unusual Launches of VPC Networks

This alert is triggered when an unusual number of VPC networks are launched in a short period. VPC provides networking functionality to Compute Engine virtual machine (VM) instances, Google Kubernetes Engine (GKE) clusters, and serverless workloads.

Note: This alert sets a threshold of more than 10 VPCs within 15 minutes. Adjust it to suit your requirements.

Impact

The Virtual Private Cloud (VPC) offers networking capabilities for your cloud-based resources and services, which are globally accessible, scalable, and adaptable. Hence, it's crucial to monitor resource and service consumption within your cloud infrastructure. Such monitoring helps differentiate between legitimate launches driven by high business demand and potential misconfigurations that create VPCs without genuine business use. Failure to address this effectively can impact service resource allocation and result in significant billing increases.

Mitigation

Monitor the type of VPC launched and check for relevant tags, if available. Contact the user to request justification. If it appears to be part of testing or quality assurance, you may close the alert. Otherwise, investigate the root cause and take appropriate action. If necessary, delete or disable the unusual VPCs, but only with approval from the engineering team.

MITRE Tactic: TA0042
MITRE Technique: T1584

Network Was Configured By an Unknown Corp. Account

This alert is triggered when a VPC network is configured by an unusual corporate user account.

Note: Review the whitelisted corporate domain and update it to match your registered corporate domains.

Impact

The Virtual Private Cloud (VPC) offers networking capabilities for your cloud-based resources and services, providing global, scalable, and flexible solutions. Therefore, it's crucial to monitor resource and service utilization within your cloud infrastructure. While such activity could stem from legitimate sources such as freelancers, testers, or external vendors engaged in business activities, any deviation suggests a potential compromise of your GCP account. Unauthorized VPC launches by external users could result in abnormal traffic redirection, disruption of internal VMs, attachment to production instances, and other concerning actions.

Mitigation

Analyze the type of VPC launched and any associated tags. Verify whether any user or vendor has recently been onboarded for testing purposes. Reach out to the engineering team to review onboarding logs and grant permissions for the user. If the activity aligns with expectations for the designated user or domain, add it to the whitelist so that future events from similar domains are disregarded. Otherwise, consider blocking the account and thoroughly investigate the logs for any additional user activity. Validate and address all actions taken by the user, ensuring the network is sanitized to eliminate any traces.

MITRE Tactic: TA0004
MITRE Technique: T1098
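The two alerts above (an unusual launch rate and a VPC configured from an unfamiliar corporate domain) as an added Python example. This is not Coralogix's rule definition: it evaluates Cloud Audit Log entries directly, assumes the protoPayload field names named in the comments, and the log entries it runs on are constructed for the example.

```python
"""
Added example, not Coralogix's own alert logic: the "Unusual Launches of VPC
Networks" and "Network Was Configured By an Unknown Corp. Account" checks,
run over Cloud Audit Log entries.

Assumptions:
- Admin Activity entries carry protoPayload.methodName
  ("v1.compute.networks.insert" for a network creation),
  protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName,
  and an RFC 3339 "timestamp".
- SAMPLE_ENTRIES below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone

NETWORK_INSERT = "v1.compute.networks.insert"  # assumed method name for a VPC launch


def parse_ts(ts: str) -> datetime:
    # RFC 3339 with a trailing Z; fromisoformat accepts the +00:00 spelling.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def network_inserts(entries):
    """Yield (timestamp, principal, resource) for every VPC network creation."""
    for e in entries:
        p = e.get("protoPayload", {})
        if p.get("methodName") != NETWORK_INSERT:
            continue
        yield (parse_ts(e["timestamp"]),
               p.get("authenticationInfo", {}).get("principalEmail", ""),
               p.get("resourceName", ""))


def unusual_launches(entries, threshold=10, window=timedelta(minutes=15)):
    """True when more than `threshold` networks were created inside any sliding
    window of length `window` (the page's default: over 10 within 15 minutes)."""
    times = sorted(t for t, _, _ in network_inserts(entries))
    start = 0
    for end, t in enumerate(times):
        # Drop events from the left until the window spans at most `window`.
        while t - times[start] > window:
            start += 1
        if end - start + 1 > threshold:
            return True
    return False


def unknown_corp_accounts(entries, allowed_domains):
    """Return (principal, resource) pairs for network creations whose account
    domain is not in the whitelisted corporate domains."""
    allowed = {d.lower() for d in allowed_domains}
    flagged = []
    for _, principal, resource in network_inserts(entries):
        domain = principal.rsplit("@", 1)[-1].lower() if "@" in principal else ""
        if domain not in allowed:
            flagged.append((principal, resource))
    return flagged


def make_entry(ts, principal, resource, method=NETWORK_INSERT):
    # Constructed audit-log entry in the shape assumed above.
    return {"timestamp": ts,
            "protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "resourceName": resource}}


_BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
# Constructed sample: 11 networks in 10 minutes by one employee, one network by an
# account outside the corporate domain, and one unrelated deletion.
SAMPLE_ENTRIES = [
    make_entry((_BASE + timedelta(minutes=i)).isoformat().replace("+00:00", "Z"),
               "alice@example.com", f"projects/demo-project/global/networks/vpc-{i}")
    for i in range(11)
] + [
    make_entry("2024-01-01T12:30:00Z", "contractor@external-example.net",
               "projects/demo-project/global/networks/vpc-vendor"),
    make_entry("2024-01-01T12:31:00Z", "bob@example.com",
               "projects/demo-project/global/networks/vpc-old",
               method="v1.compute.networks.delete"),
]

if __name__ == "__main__":
    print("unusual launches:", unusual_launches(SAMPLE_ENTRIES))
    print("unknown accounts:", unknown_corp_accounts(SAMPLE_ENTRIES, ["example.com"]))
```

The sliding window matters: a fixed 15-minute bucket boundary can split a burst across two buckets and miss it, whereas the two-pointer scan above counts every 15-minute span. Tune `threshold` and the domain whitelist to your environment, as the notes on both alerts recommend.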

Subnet Flow Logs Disabled

This alert is triggered when subnet flow logs are disabled or turned off. The flow log captures traffic for all network interfaces in the subnet. After you create a flow log, it can take several minutes to begin collecting and publishing data to the chosen destinations.

Impact

VPC Flow Logs capture a subset of network flows transmitted to and from VM instances, including those used as Google Kubernetes Engine nodes. These logs serve various purposes, such as network monitoring, forensic analysis, real-time security assessments, and cost optimization. Typically, such an action is not carried out without valid business justification or without malicious intent. Disabling these logs halts monitoring, alerts for unusual traffic, and forensic analysis in the event of suspicious activity by internal or external users.

Mitigation

Disabling any form of logging is a critical action and raises concerns from a security standpoint. This becomes particularly worrisome when the logs pertain to network traffic, as it opens a gateway for potential attackers to carry out malicious activities. Identify the user responsible for deactivating the event logs for the specific subnet and reach out to them or the engineering team to request a business justification. If the action was part of testing, keep the alert open until the logs are re-enabled and begin flowing to the monitoring console. In cases of intentional or unusual behavior, re-enable the logs and confirm that they are streaming to the security console for monitoring. As a proactive measure, analyze audit logs from the console to assess how long the service has been deactivated.

MITRE Tactic: TA0005
MITRE Technique: T1562

Network Peering Removed

This alert is triggered when a network peering is deleted by a user. Network Peering enables internal IP address connectivity across two Virtual Private Cloud (VPC) networks, regardless of whether they belong to the same project or the same organization.

Impact

A VPC peering connection establishes a network link between two VPCs, allowing traffic to be routed between them using private IPv4 or IPv6 addresses. Removing the peering will sever the connection between the two VPCs and disrupt network routing among multiple services. This could result in broken network traffic, communication failures, and traffic redirection issues, potentially leading to service shutdowns, website/application downtime, and interruptions to backend services.

Mitigation

Review the event logs to examine the type of network peering, the assigned tags, and the user involved. Reach out to the user for additional details and confirmation. If the activity seems genuine and has no impact, you may close the event. Otherwise, escalate to the engineering team to reconfigure an equivalent peering connection and ensure connectivity with the affected VPCs and instances, restoring the expected flow of traffic.

MITRE Tactic: TA0040
MITRE Technique: T1489

Production VPC Network Deleted

This alert is triggered when a VPC network is deleted by a user. A VPC is a virtual version of a physical network, implemented inside Google's production network using Andromeda. A VPC network provides connectivity for your Compute Engine virtual machine (VM) instances.

Note: Adjust the test/dev labels in the query so that the results cover only your production VPCs.

Impact

The Virtual Private Cloud (VPC) offers networking capabilities to Compute Engine virtual machine (VM) instances, Google Kubernetes Engine (GKE) clusters, and serverless workloads. It provides global, scalable, and flexible networking for your cloud-based resources and services. Deleting a critical production VPC could disconnect all associated instances, VMs, and services, disrupting traffic and data flow among these components and compromising smooth and secure connections.

Mitigation

Review the event logs to determine the type of VPC and its associated labels. Gather all pertinent details and reach out to the user for confirmation. If the activity appears to be genuinely approved, close the case; otherwise, escalate to the engineering team to configure a new VPC with a comparable setup and connect it to the affected service. Finally, verify that data and traffic flow are functioning as intended.

MITRE Tactic: TA0040
MITRE Technique: T1489

Route Map Deleted

This alert is triggered when a route is deleted by a user. A route consists of a single destination prefix in CIDR format and a single next hop. When an instance in a VPC network sends a packet, Google Cloud delivers the packet to the route's next hop if the packet's destination address is within the route's destination range.

Impact

A Virtual Private Cloud (VPC) includes an implicit router, and route tables are used to manage the direction of network traffic. Every subnet within your VPC must be linked to a route table, which dictates the routing for the subnet. Deleting a route could halt the flow of traffic to the intended destination, as alternative paths/IPs are no longer available. This could significantly affect your services, websites, and overall network traffic, with major repercussions for network operations.

Mitigation

Examine the logs to identify the type of route that was deleted, and consider adding dev/test labels to the query if necessary. Next, verify the connected service and the VPC-to-router connection, and reach out to the user for additional details and confirmation. If the action appears to be genuinely approved, you may close the event. Otherwise, contact the engineering team to configure a new route according to requirements and ensure connectivity to the affected service, confirming that the service and network flow are functioning as expected.

MITRE Tactic: TA0040
MITRE Technique: T1489

Network Subnet Deleted

This alert is triggered when a running network subnet is deleted by a user. Each VPC network consists of one or more IP address ranges called subnets. Subnets are regional resources and have IP address ranges associated with them. In Google Cloud, the terms subnet and subnetwork are synonymous.

Impact

Users or auto-mode networks typically create regular subnets for use with VM instances, improving network efficiency. Subnets shorten the path network traffic has to travel, avoiding unnecessary router detours on the way to its destination. Removing production subnets could disrupt service configurations and routes assigned to dedicated VPCs, potentially causing service downtime, longer traversal paths, unnecessary network hops, and increased latency.

Mitigation

After whitelisting this event for production, ensure that such permissions are assigned exclusively to the engineering team admins. Next, examine the logs and verify the VPC associated with the deleted subnet. If it appears critical, reach out to the user or the engineering team for further details and confirmation. Proceed with the appropriate action, such as closing the case or reconfiguring the subnets and connecting them to the dedicated VPC and services.

MITRE Tactic: TA0040
MITRE Technique: T1489

Production Reserved Internal/External IP Released/Deleted

This alert is triggered when a reserved internal/external static IP is released by a user. A reserved IP is an IP address that you have reserved and can assign to an instance or a load balancer at any time.

Note: Adjust the test, sandbox, and dev labels in the query to achieve more precise results.

Impact

Reserved IP addresses are leased from the DHCP server, ensuring that a particular client consistently receives the same IP address. Releasing or deleting a reserved IP could result in the permanent loss of that IP address if it's needed in the future. In such cases, you may need to select a different IP for whitelisting or for establishing a static connection, and then implement the necessary changes. This can affect technical operations, network monitoring, and security, as the trusted IP will no longer be associated with your instance or service.

Mitigation

First, limit critical permissions to the admin and engineering teams only. Next, examine the logs to determine the type of IP and its associated labels. If it was part of testing, you may close the matter; otherwise, seek justification, particularly for production IPs with tags. If the situation seems unusual or affects critical services, ensure that the new/same IP is configured again to mitigate any impact.

MITRE Tactic: TA0040
MITRE Technique: T1489
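The "Subnet Flow Logs Disabled" alert and the five deletion alerts above (peering, VPC network, route, subnet, reserved IP) share one shape: match a deletion or logging-change method in the audit log, drop events on test/dev/sandbox resources, and map the hit to the MITRE tactic and technique the page lists. The following is an added Python example of that query logic, not Coralogix's own query. It assumes the Compute Engine API method names and request fields given in the comments (the page names none of them), treats the "test/dev labels" as tokens in the resource name, and runs on constructed log entries.

```python
"""
Added example, not Coralogix's own query: the "Subnet Flow Logs Disabled" alert
and the production-deletion alerts, evaluated over Cloud Audit Log entries.

Assumptions:
- Method names follow the Compute Engine API: v1.compute.networks.delete,
  v1.compute.subnetworks.delete, v1.compute.routes.delete,
  v1.compute.addresses.delete, v1.compute.networks.removePeering and
  v1.compute.subnetworks.patch. The page does not list any of these.
- A flow-log disable appears as a subnetworks.patch whose request carries
  logConfig.enable = false (or the older enableFlowLogs = false).
- "Test/dev labels" are approximated by tokens in the resource name
  (test, dev, sandbox, qa); adapt NON_PROD_TOKENS to your naming convention.
- SAMPLE_ENTRIES are constructed for this example.
"""
import re

# Deletion method -> (alert title, MITRE tactic, MITRE technique) as listed on the page.
DELETE_ALERTS = {
    "v1.compute.networks.removePeering": ("Network Peering Removed", "TA0040", "T1489"),
    "v1.compute.networks.delete": ("Production VPC Network Deleted", "TA0040", "T1489"),
    "v1.compute.routes.delete": ("Route Map Deleted", "TA0040", "T1489"),
    "v1.compute.subnetworks.delete": ("Network Subnet Deleted", "TA0040", "T1489"),
    "v1.compute.addresses.delete": (
        "Production Reserved Internal/External IP Released/Deleted", "TA0040", "T1489"),
}
FLOW_LOG_ALERT = ("Subnet Flow Logs Disabled", "TA0005", "T1562")
SUBNET_PATCH = "v1.compute.subnetworks.patch"  # assumed method for a subnet update

NON_PROD_TOKENS = {"test", "dev", "sandbox", "qa"}  # assumed naming convention


def is_non_production(resource_name: str) -> bool:
    """True when the last path segment of the resource name contains a non-prod token
    ("vpc-test" matches, "devops-core" does not)."""
    leaf = resource_name.rsplit("/", 1)[-1].lower()
    return any(part in NON_PROD_TOKENS for part in re.split(r"[-_.]+", leaf))


def flow_logs_disabled(request: dict) -> bool:
    """True when a subnetwork patch request switches flow logs off (assumed fields)."""
    log_config = request.get("logConfig") or {}
    return log_config.get("enable") is False or request.get("enableFlowLogs") is False


def _alert(spec, entry, principal, resource):
    title, tactic, technique = spec
    return {"alert": title, "principal": principal, "resource": resource,
            "mitre_tactic": tactic, "mitre_technique": technique,
            "timestamp": entry.get("timestamp")}


def vpc_alerts(entries, allowed_principals=()):
    """Return one alert per matching entry. Deletions on non-production resources or by
    whitelisted admins are skipped; a flow-log disable is reported for every subnet,
    since the page keeps that alert open even for testing."""
    allowed = set(allowed_principals)
    alerts = []
    for e in entries:
        p = e.get("protoPayload", {})
        method = p.get("methodName")
        resource = p.get("resourceName", "")
        principal = p.get("authenticationInfo", {}).get("principalEmail", "")
        if method == SUBNET_PATCH and flow_logs_disabled(p.get("request") or {}):
            alerts.append(_alert(FLOW_LOG_ALERT, e, principal, resource))
        elif method in DELETE_ALERTS:
            if is_non_production(resource) or principal in allowed:
                continue
            alerts.append(_alert(DELETE_ALERTS[method], e, principal, resource))
    return alerts


def make_entry(ts, principal, resource, method, request=None):
    # Constructed audit-log entry in the shape assumed above.
    payload = {"methodName": method, "resourceName": resource,
               "authenticationInfo": {"principalEmail": principal}}
    if request is not None:
        payload["request"] = request
    return {"timestamp": ts, "protoPayload": payload}


_P = "projects/demo-project"
SAMPLE_ENTRIES = [
    make_entry("2024-01-01T09:00:00Z", "alice@example.com", f"{_P}/global/networks/prod-core",
               "v1.compute.networks.delete"),
    make_entry("2024-01-01T09:01:00Z", "bob@example.com", f"{_P}/global/networks/vpc-test",
               "v1.compute.networks.delete"),
    make_entry("2024-01-01T09:02:00Z", "carol@example.com",
               f"{_P}/regions/us-central1/subnetworks/dev-subnet", "v1.compute.subnetworks.delete"),
    make_entry("2024-01-01T09:03:00Z", "alice@example.com", f"{_P}/global/routes/to-onprem",
               "v1.compute.routes.delete"),
    make_entry("2024-01-01T09:04:00Z", "admin@example.com",
               f"{_P}/regions/us-central1/addresses/lb-ip", "v1.compute.addresses.delete"),
    make_entry("2024-01-01T09:05:00Z", "bob@example.com",
               f"{_P}/regions/us-central1/subnetworks/prod-subnet", SUBNET_PATCH,
               request={"logConfig": {"enable": False}}),
    make_entry("2024-01-01T09:06:00Z", "alice@example.com", f"{_P}/global/networks/vpc-new",
               "v1.compute.networks.insert"),
]

if __name__ == "__main__":
    for a in vpc_alerts(SAMPLE_ENTRIES, allowed_principals=["admin@example.com"]):
        print(f"{a['timestamp']} {a['alert']} ({a['mitre_tactic']}/{a['mitre_technique']}): "
              f"{a['principal']} -> {a['resource']}")
```

The whitelist of admin principals implements the page's advice to confine these permissions to the engineering team, and the name-token filter is the counterpart of the "adjust the test/dev labels in the query" notes; both are where false positives are tuned, so keep them reviewed so a production resource never slips into the non-production set.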

Integration

Learn more about Coralogix's out-of-the-box integration with GCP VPC in our documentation.
