GCP Virtual Private Cloud Network Deletion
Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.
Elastic rule
[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a
virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall,
as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business
operations.
"""
false_positives = [
    """
    Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Virtual Private Cloud Network Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Virtual Private Cloud Network Deletion

Google Cloud Platform's Virtual Private Cloud (VPC) networks are essential for managing isolated network environments within a project, encompassing subnets, routes, and firewalls. Adversaries may target VPC deletions to disrupt operations and evade defenses. The detection rule monitors audit logs for successful VPC deletions, flagging potential malicious activity by correlating specific event actions and outcomes.

### Possible investigation steps

- Review the audit logs for the specific event.action value "v*.compute.networks.delete" to identify the exact time and user account associated with the VPC network deletion.
- Check the event.outcome field to confirm the success of the deletion and correlate it with any other suspicious activities around the same timeframe.
- Investigate the user account or service account that performed the deletion to determine if it was authorized and if there are any signs of compromise or misuse.
- Examine the project and network configurations to assess the impact of the VPC deletion on the organization's operations and identify any critical resources that were affected.
- Look for any recent changes in IAM roles or permissions that might have allowed unauthorized users to delete the VPC network.
- Cross-reference the deletion event with other security alerts or incidents to identify potential patterns or coordinated attacks.

### False positive analysis

- Routine maintenance activities may involve the deletion of VPC networks as part of infrastructure updates or reconfigurations. To manage this, create exceptions for known maintenance windows or specific user accounts responsible for these tasks.
- Automated scripts or tools used for environment cleanup might trigger false positives if they delete VPC networks as part of their operation. Identify these scripts and exclude their actions from triggering alerts by using specific service accounts or tags associated with these tools.
- Development and testing environments often undergo frequent changes, including VPC deletions. Consider excluding these environments from alerts by filtering based on project IDs or environment tags to reduce noise.
- Organizational policy changes might lead to the intentional deletion of VPC networks. Ensure that such policy-driven actions are documented and that the responsible teams are excluded from triggering alerts by using role-based access controls or specific user identifiers.

### Response and remediation

- Immediately isolate the affected project by restricting network access to prevent further unauthorized deletions or modifications.
- Review the audit logs to identify the source of the deletion request, including the user account and IP address, and verify if it was authorized.
- Recreate the deleted VPC network using the latest backup or configuration snapshot to restore network operations and minimize downtime.
- Implement additional access controls, such as multi-factor authentication and least privilege principles, to prevent unauthorized access to VPC management.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
- Escalate the incident to Google Cloud Platform support if necessary, especially if there are indications of a broader compromise or if assistance is needed in recovery.
- Enhance monitoring and alerting for VPC-related activities to detect and respond to similar threats more effectively in the future.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/vpc"]
risk_score = 47
rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Configuration Audit",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
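The following is an added example, not part of the Elastic rule above: it replays the rule's KQL logic (dataset, wildcard action and outcome) over constructed ECS-style GCP audit events and then applies the kind of exception list the false-positive section describes (a known cleanup service account and a non-production project). The field names user.email and cloud.project.id, the sample principals and project IDs are assumptions for illustration.

```python
import fnmatch

# Constructed sample events, shaped like the ECS fields the Elastic GCP integration
# populates from Cloud Audit Logs. All values are illustrative, not real.
SAMPLE_EVENTS = [
    {"event.dataset": "gcp.audit", "event.action": "v1.compute.networks.delete",
     "event.outcome": "success", "user.email": "alice@example.com",
     "cloud.project.id": "prod-app-123"},
    {"event.dataset": "gcp.audit", "event.action": "beta.compute.networks.delete",
     "event.outcome": "success", "user.email": "alice@example.com",
     "cloud.project.id": "prod-app-123"},
    {"event.dataset": "gcp.audit", "event.action": "v1.compute.networks.delete",
     "event.outcome": "failure", "user.email": "bob@example.com",
     "cloud.project.id": "prod-app-123"},
    {"event.dataset": "gcp.audit", "event.action": "v1.compute.networks.insert",
     "event.outcome": "success", "user.email": "bob@example.com",
     "cloud.project.id": "prod-app-123"},
    {"event.dataset": "gcp.audit", "event.action": "v1.compute.networks.delete",
     "event.outcome": "success",
     "user.email": "cleanup-bot@prod-app-123.iam.gserviceaccount.com",
     "cloud.project.id": "dev-sandbox-456"},
]


def matches_rule(event):
    """Mirror of the rule query: event.dataset:gcp.audit and
    event.action:v*.compute.networks.delete and event.outcome:success.
    The KQL wildcard v* is applied with a glob, so beta.* actions do not match."""
    return (
        event.get("event.dataset") == "gcp.audit"
        and fnmatch.fnmatchcase(event.get("event.action", ""),
                                "v*.compute.networks.delete")
        and event.get("event.outcome") == "success"
    )


# Hypothetical exception list of the kind the false-positive section suggests:
# a known environment-cleanup service account and a non-production project ID.
EXCLUDED_PRINCIPALS = {"cleanup-bot@prod-app-123.iam.gserviceaccount.com"}
EXCLUDED_PROJECTS = {"dev-sandbox-456"}


def is_expected(event):
    """True when the deletion is covered by a documented exception."""
    return (event.get("user.email") in EXCLUDED_PRINCIPALS
            or event.get("cloud.project.id") in EXCLUDED_PROJECTS)


def alerts(events):
    """Events that match the rule and are not excused by an exception."""
    return [e for e in events if matches_rule(e) and not is_expected(e)]
```

Run against SAMPLE_EVENTS only the first event (a successful v1 deletion in a production project by a human principal) survives both filters.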
Related rules
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion
- GCP Firewall Rule Modification
- GCP Virtual Private Cloud Route Creation
- GCP Virtual Private Cloud Route Deletion