GCP Virtual Private Cloud Network Deletion

calendar May 22, 2024 · Domain: Cloud Data Source: GCP Data Source: Google Cloud Platform Use Case: Configuration Audit Tactic: Defense Evasion  ·
Share on: linkedin copy

Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/22"
 3integration = ["gcp"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a
11virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall,
12as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business
13operations.
14"""
15false_positives = [
16    """
17    Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was
18    expected. Exceptions can be added to this rule to filter expected behavior.
19    """,
20]
21index = ["filebeat-*", "logs-gcp*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "GCP Virtual Private Cloud Network Deletion"
25note = """## Setup
26
27The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = ["https://cloud.google.com/vpc/docs/vpc"]
29risk_score = 47
30rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
31severity = "medium"
32tags = [
33    "Domain: Cloud",
34    "Data Source: GCP",
35    "Data Source: Google Cloud Platform",
36    "Use Case: Configuration Audit",
37    "Tactic: Defense Evasion",
38]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1562"
51name = "Impair Defenses"
52reference = "https://attack.mitre.org/techniques/T1562/"
53[[rule.threat.technique.subtechnique]]
54id = "T1562.007"
55name = "Disable or Modify Cloud Firewall"
56reference = "https://attack.mitre.org/techniques/T1562/007/"
57
58
59
60[rule.threat.tactic]
61id = "TA0005"
62name = "Defense Evasion"
63reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

  • VPC networks  |  Google Cloud

    VPC networks A Virtual Private Cloud (VPC) network is a virtual version of a physical network that is implemented inside of Google's production network by using Andromeda. A VPC network does the fo...


    Read More

Related rules

to-top