GCP Virtual Private Cloud Route Creation
Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/22"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes
11define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These
12destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the
13flow of network traffic in their target's cloud environment.
14"""
15false_positives = [
16 """
17 Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was
18 expected. Exceptions can be added to this rule to filter expected behavior.
19 """,
20]
21index = ["filebeat-*", "logs-gcp*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "GCP Virtual Private Cloud Route Creation"
25note = """## Setup
26
27The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
29risk_score = 21
30rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
31severity = "low"
32tags = [
33 "Domain: Cloud",
34 "Data Source: GCP",
35 "Data Source: Google Cloud Platform",
36 "Use Case: Configuration Audit",
37 "Tactic: Defense Evasion",
38]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1562"
51name = "Impair Defenses"
52reference = "https://attack.mitre.org/techniques/T1562/"
53[[rule.threat.technique.subtechnique]]
54id = "T1562.007"
55name = "Disable or Modify Cloud Firewall"
56reference = "https://attack.mitre.org/techniques/T1562/007/"
57
58
59
60[rule.threat.tactic]
61id = "TA0005"
62name = "Defense Evasion"
63reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion
- GCP Firewall Rule Modification
- GCP Virtual Private Cloud Network Deletion
- GCP Virtual Private Cloud Route Deletion