Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes. It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.
Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.
Risk Level: Low
Cloud Entity: GCP AlertPolicy
CloudGuard Rule ID: D9.GCP.LOG.24
Covered by Spectral: No
Category: Management Tools
GSL LOGIC
AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type=gce_network AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering")']
REMEDIATION
From Portal
Create the prescribed Log Metric:
- Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC".
- Click the down arrow symbol on Filter Bar at the rightmost corner and select Convert to Advanced Filter.
- Clear any text and add:
resource.type=gce_network
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeerin")
- Click Submit Filter. Display logs appear based on the filter text entered by the user.
- In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.
- Click Create Metric.
Create the prescribed alert policy:
- Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
- Click the 3-dot icon in the rightmost column for the new metric and select 'Create alert from Metric'. A new page appears.
- Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the user's project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
```bash Terminal
4. Configure the desired notification channels in the section Notifications.
5. Name the policy and click Save.
**From TF**
1. Create log based metric with expected filter
2. Create an alerting policy with type 'metric' based on the previous created log based metric.
Resources;
google_logging_metric
google_monitoring_alert_policy
See below example;
resource "google_logging_metric" "my_log_metrics" {
project = "My-project-id"
name = "my-(custom)/metric"
filter = "resource.type=gce_network AND protoPayload.methodName="beta.compute.networks.insert" OR protoPayload.methodName="beta.compute.networks.patch" OR protoPayload.methodName="v1.compute.networks.delete" OR protoPayload.methodName="v1.compute.networks.removePeering" OR protoPayload.methodName="v1.compute.networks.addPeering"
description = "..."
metric_descriptor {
metric_kind = "DELTA"
value_type = "INT64"
}
}
And
resource "google_monitoring_alert_policy" "alert_policy" {
project = "My-project-id"
display_name = "My Alert Policy"
combiner = "OR"
conditions {
display_name = "test condition"
condition_threshold {
filter = "metric.type="logging.googleapis.com/user/my-(custom)/metric" AND resource.type="cloud_composer_environment""
duration = "0s"
comparison = "COMPARISON_GT"
}
}
}
**From Command Line**
1. Create the prescribed log metric. Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create
use the command:
gcloud beta logging metrics create METRIC_NAME --description="DESCRIPTION" --log-filter="LOG_FILTER"
2. You can find the notification channel ID using:
gcloud alpha monitoring channels list --filter='displayName="channel_name"' --format='value(name)'
3. Create the prescribed alert policy.Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create
- Create a json file with required properties and values for the policy(try creating a policy from console and then download it's json to have a reference) and use the command:
gcloud alpha monitoring policies create --policy-from-file="policyfile.json"
**References**
1. https://cloud.google.com/logging/docs/logs-based-metrics/
2.https://cloud.google.com/monitoring/custom-metrics/
3. https://cloud.google.com/monitoring/alerts/
4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging
5. https://cloud.google.com/vpc/docs/overview
6. https://workbench.cisecurity.org/sections/507170/recommendations/827560
## GCP AlertPolicy
Alerting policy describes the circumstances under which you want to be alerted and how you want to be notified. This page provides an overview of alerting policies
## Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Controls V 8
- GCP CIS Foundations v. 1.0.0
- GCP CIS Foundations v. 1.1.0
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
Updated over 1 year ago