GCP Virtual Private Cloud Route Creation
Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.
Elastic rule
```toml
[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes
define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These
destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the
flow of network traffic in their target's cloud environment.
"""
false_positives = [
    """
    Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Virtual Private Cloud Route Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Virtual Private Cloud Route Creation

In Google Cloud Platform, VPC routes dictate the network paths for traffic from VM instances to various destinations, both within and outside the VPC. Adversaries may exploit this by creating routes to reroute or intercept traffic, potentially disrupting or spying on network communications. The detection rule identifies such activities by monitoring specific audit events related to route creation, aiding in the early detection of unauthorized network modifications.

### Possible investigation steps

- Review the audit logs for the specific event.dataset:gcp.audit and event.action values (v*.compute.routes.insert or "beta.compute.routes.insert") to identify the exact time and user account associated with the route creation.
- Examine the details of the newly created route, including the destination IP range and next hop, to determine if it aligns with expected network configurations or if it appears suspicious.
- Check the IAM permissions and roles of the user account that created the route to assess if they had the necessary privileges and if those privileges are appropriate for their role.
- Investigate any recent changes in the environment that might explain the route creation, such as new deployments or changes in network architecture.
- Correlate the route creation event with other security events or alerts in the same timeframe to identify potential patterns or coordinated activities that could indicate malicious intent.
- Consult with the network or cloud infrastructure team to verify if the route creation was part of an authorized change or if it was unexpected.

### False positive analysis

- Routine network configuration changes by authorized personnel can trigger alerts. To manage this, maintain a list of known IP addresses and users who frequently make legitimate changes and exclude their activities from triggering alerts.
- Automated deployment tools that create or modify routes as part of their normal operation may cause false positives. Identify these tools and their associated service accounts, then configure exceptions for these accounts in the monitoring system.
- Scheduled maintenance activities often involve creating or updating routes. Document these activities and set temporary exceptions during the maintenance window to prevent unnecessary alerts.
- Integration with third-party services might require route creation. Verify these integrations and whitelist the associated actions to avoid false positives.
- Development and testing environments may have frequent route changes. Consider applying different monitoring thresholds or rules for these environments to reduce noise.

### Response and remediation

- Immediately isolate the affected VM instances by removing or disabling the suspicious route to prevent further unauthorized traffic redirection.
- Conduct a thorough review of recent route creation activities in the GCP environment to identify any other unauthorized or suspicious routes.
- Revoke any unauthorized access or permissions that may have allowed the adversary to create the route, focusing on IAM roles and service accounts with route creation privileges.
- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
- Implement network monitoring and logging to detect any future unauthorized route creation attempts, ensuring that alerts are configured for similar activities.
- Review and update the GCP VPC network security policies to enforce stricter controls on route creation and modification, limiting these actions to trusted administrators only.
- If applicable, report the incident to Google Cloud support for further assistance and to understand if there are any additional security measures or advisories.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
risk_score = 21
rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Configuration Audit",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
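To make concrete what the rule's KQL query matches and how the service-account exception from the false-positive guidance narrows it, here is an added Python emulation of the query run over constructed GCP audit events. It is not part of the Elastic rule; the sample events, the `actor` field and the exception list are assumptions for illustration.

```python
"""Emulate this rule's KQL query over constructed ECS-style GCP audit events.

Added example, not Elastic's code. The events are constructed, and 'actor' is
an assumed field standing in for whatever principal field your pipeline
carries; the rule's own query does not reference it.
"""
from fnmatch import fnmatchcase

# Taken from the rule query:
# event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or "beta.compute.routes.insert")
ACTION_PATTERNS = ("v*.compute.routes.insert", "beta.compute.routes.insert")

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event": {"dataset": "gcp.audit", "action": "v1.compute.routes.insert"}, "actor": "alice@example.com"},
    {"event": {"dataset": "gcp.audit", "action": "beta.compute.routes.insert"}, "actor": "bob@example.com"},
    {"event": {"dataset": "gcp.audit", "action": "v1.compute.routes.delete"}, "actor": "alice@example.com"},
    {"event": {"dataset": "gcp.firewall", "action": "v1.compute.routes.insert"}, "actor": "alice@example.com"},
    {"event": {"dataset": "gcp.audit", "action": "v1.compute.routes.insert"},
     "actor": "deployer@placeholder-project.iam.gserviceaccount.com"},
]


def matches_rule(event: dict) -> bool:
    """True when an event satisfies the rule's query.

    KQL's unquoted wildcard (v*) matches any run of characters, so fnmatch
    mirrors it; the quoted beta value must match exactly.
    """
    ev = event.get("event", {})
    if ev.get("dataset") != "gcp.audit":
        return False
    action = ev.get("action", "")
    return any(fnmatchcase(action, pattern) for pattern in ACTION_PATTERNS)


def alerts(events, excluded_actors=frozenset()):
    """Apply the rule, then drop hits from known deployment principals.

    This models the 'configure exceptions for these accounts' step from the
    false-positive analysis; the exception list is an assumption.
    """
    return [e for e in events if matches_rule(e) and e.get("actor") not in excluded_actors]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS, {"deployer@placeholder-project.iam.gserviceaccount.com"}):
        print(hit["event"]["action"], hit["actor"])
```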
Related rules
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion
- GCP Firewall Rule Modification
- GCP Virtual Private Cloud Network Deletion
- GCP Virtual Private Cloud Route Deletion