Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes

It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes. It is possible to have more than one VPC within a project. In addition, it is also possible to create a peer connection between two VPCs enabling network traffic to route between VPCs.
Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.

Risk Level: Low
Cloud Entity: GCP AlertPolicy
CloudGuard Rule ID: D9.GCP.LOG.24
Covered by Spectral: No
Category: Management Tools

GSL LOGIC

AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type=gce_network AND (protoPayload.methodName:"compute.networks.insert" OR protoPayload.methodName:"compute.networks.patch" OR protoPayload.methodName:"compute.networks.delete" OR protoPayload.methodName:"compute.networks.removePeering" OR protoPayload.methodName:"compute.networks.addPeering")']

REMEDIATION

From Portal
Create the prescribed Log Metric:

  1. Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC".
  2. Click the down arrow symbol on Filter Bar at the rightmost corner and select Convert to Advanced Filter.
  3. Clear any text and add:
resource.type=gce_network
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeerin")
  1. Click Submit Filter. Display logs appear based on the filter text entered by the user.
  2. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.
  3. Click Create Metric.

Create the prescribed alert policy:

  1. Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
  2. Click the 3-dot icon in the rightmost column for the new metric and select 'Create alert from Metric'. A new page appears.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the user's project:
Set `Aggregator` to `Count`

Set `Configuration`:

- Condition: above

- Threshold: 0

- For: most recent value

```bash Terminal
4. Configure the desired notification channels in the section Notifications.
5. Name the policy and click Save.


**From TF**
1. Create log based metric with expected filter
2. Create an alerting policy with type 'metric' based on the previous created log based metric.

Resources;
google_logging_metric
google_monitoring_alert_policy

See below example;

resource "google_logging_metric" "my_log_metrics" {
project = "My-project-id"
name = "my-(custom)/metric"
filter = "resource.type=gce_network AND protoPayload.methodName="beta.compute.networks.insert" OR protoPayload.methodName="beta.compute.networks.patch" OR protoPayload.methodName="v1.compute.networks.delete" OR protoPayload.methodName="v1.compute.networks.removePeering" OR protoPayload.methodName="v1.compute.networks.addPeering"
description = "..."
metric_descriptor {
metric_kind = "DELTA"
value_type = "INT64"
}
}

And

resource "google_monitoring_alert_policy" "alert_policy" {
project = "My-project-id"
display_name = "My Alert Policy"
combiner = "OR"
conditions {
display_name = "test condition"
condition_threshold {
filter = "metric.type="logging.googleapis.com/user/my-(custom)/metric" AND resource.type="cloud_composer_environment""
duration = "0s"
comparison = "COMPARISON_GT"
}
}
}


**From Command Line**
1. Create the prescribed log metric. Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create
use the command:

gcloud beta logging metrics create METRIC_NAME --description="DESCRIPTION" --log-filter="LOG_FILTER"

2. You can find the notification channel ID using:

gcloud alpha monitoring channels list --filter='displayName="channel_name"' --format='value(name)'

3. Create the prescribed alert policy.Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create
- Create a json file with required properties and values for the policy(try creating a policy from console and then download it's json to have a reference) and use the command:

gcloud alpha monitoring policies create --policy-from-file="policyfile.json"


**References**
1. https://cloud.google.com/logging/docs/logs-based-metrics/
2.https://cloud.google.com/monitoring/custom-metrics/
3. https://cloud.google.com/monitoring/alerts/
4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging
5. https://cloud.google.com/vpc/docs/overview
6. https://workbench.cisecurity.org/sections/507170/recommendations/827560


## GCP AlertPolicy
Alerting policy describes the circumstances under which you want to be alerted and how you want to be notified. This page provides an overview of alerting policies

## Compliance Frameworks
 - CloudGuard GCP All Rules Ruleset
 - GCP CIS Controls V 8
 - GCP CIS Foundations v. 1.0.0
 - GCP CIS Foundations v. 1.1.0
 - GCP CIS Foundations v. 1.2.0
 - GCP CIS Foundations v. 1.3.0
 - GCP CIS Foundations v. 2.0
 - GCP CloudGuard Best Practices
 - GCP MITRE ATT&CK Framework v12.1
 - GCP NIST 800-53 Rev 5