GCP Virtual Private Cloud Route Deletion

Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/22"
 3integration = ["gcp"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes
11define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These
12destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the
13flow of network traffic in their target's cloud environment.
14"""
15false_positives = [
16    """
17    Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was
18    expected. Exceptions can be added to this rule to filter expected behavior.
19    """,
20]
21index = ["filebeat-*", "logs-gcp*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "GCP Virtual Private Cloud Route Deletion"
25note = """## Setup
26
27The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
29risk_score = 47
30rule_id = "a17bcc91-297b-459b-b5ce-bc7460d8f82a"
31severity = "medium"
32tags = [
33    "Domain: Cloud",
34    "Data Source: GCP",
35    "Data Source: Google Cloud Platform",
36    "Use Case: Configuration Audit",
37    "Tactic: Defense Evasion",
38]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1562"
51name = "Impair Defenses"
52reference = "https://attack.mitre.org/techniques/T1562/"
53[[rule.threat.technique.subtechnique]]
54id = "T1562.007"
55name = "Disable or Modify Cloud Firewall"
56reference = "https://attack.mitre.org/techniques/T1562/007/"
57
58
59
60[rule.threat.tactic]
61id = "TA0005"
62name = "Defense Evasion"
63reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top