lacework-global-252
Ensure That the Log Metric Filter and Alerts Exist for Virtual Private Cloud (VPC) Network Changes (Automated)
Profile Applicability
• Level 1
Description
Establish a metric filter and alarm for Virtual Private Cloud (VPC) network changes.
Rationale
A project may contain more than one VPC network, and two VPC networks can be connected by a peering so that traffic routes between them. Inserting, patching or deleting a network, or adding or removing a peering, changes which workloads can reach each other. Monitoring these changes helps ensure VPC traffic flow is not disrupted and gives early notice of network changes nobody intended to make.
Impact
Enabling of logging may result in your project being charged for the additional logs usage.
Audit
From Console:
Ensure the prescribed log metric is present:
- Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics.
- In the User-defined Metrics section, ensure at least one metric <Log_Metric_Name> is present with filter text:
resource.type=gce_network
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeering")
The ":" operator is a substring match, so "compute.networks.insert" also matches the versioned method names (v1.compute.networks.insert, beta.compute.networks.insert) that appear in the audit log.
Ensure the prescribed alerting policy is present:
- Go to Alerting by visiting https://console.cloud.google.com/monitoring/alerting.
- Under the Policies section, ensure that at least one alert policy exists for the log metric above. Clicking on the policy should show that it is configured with a condition. For example, Violates when: Any logging.googleapis.com/user/<Log Metric Name> stream is above a threshold of 0 for greater than 0 seconds means that the alert will trigger for any VPC network change. Verify that the chosen alerting thresholds make sense for the user's organization.
- Ensure that appropriate notification channels have been set up.
From Command Line:
Ensure the log metric is present:
- List the log metrics:
gcloud beta logging metrics list --format json
- Ensure that the output contains at least one metric whose filter is equivalent to:
resource.type=gce_network
AND (protoPayload.methodName="beta.compute.networks.insert"
OR protoPayload.methodName="beta.compute.networks.patch"
OR protoPayload.methodName="v1.compute.networks.delete"
OR protoPayload.methodName="v1.compute.networks.removePeering"
OR protoPayload.methodName="v1.compute.networks.addPeering")
The parentheses matter: in the Logging query language AND binds more tightly than OR, so without them only the first methodName clause is scoped to resource.type=gce_network. Note also that an exact match ("=") on a versioned name only matches calls made through that API version; the substring form used in the Console section (protoPayload.methodName:"compute.networks.insert" and so on) matches both v1 and beta and is equally acceptable here.
- Note the value of the property metricDescriptor.type for the identified metric, in the format logging.googleapis.com/user/<Log Metric Name>.
Ensure the prescribed alerting policy is present:
- List the alerting policies:
gcloud alpha monitoring policies list --format json
- Ensure that the output contains at least one alert policy where:
conditions.conditionThreshold.filter is set to metric.type=\"logging.googleapis.com/user/<Log Metric Name>\"
AND enabled is set to true
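The two command-line audit steps above can be checked mechanically. The script below is an added example for this page (not Lacework's checker and not Google's code): it reads the JSON that `gcloud beta logging metrics list --format json` and `gcloud alpha monitoring policies list --format json` produce, verifies that some metric's filter is scoped to gce_network and covers all five methods inside one parenthesised group, and verifies that an enabled policy with notification channels is bound to that metric's type. The SAMPLE_* data is constructed to look like that output; the project, metric and channel names in it are placeholders.

```python
"""Offline audit of the gcloud output this page's Audit section asks you to inspect.

Added example (not Lacework's or Google's code). With no arguments it runs against
constructed sample data; with two file arguments it reads real gcloud JSON output.
"""
import json
import re
import sys

# The five VPC network mutations the benchmark's metric must match.
REQUIRED_METHODS = {"insert", "patch", "delete", "addPeering", "removePeering"}

# Accepts the substring form  protoPayload.methodName:"compute.networks.insert"
# and the versioned exact form protoPayload.methodName="beta.compute.networks.insert".
_METHOD_RE = re.compile(
    r'protoPayload\.methodName\s*[:=]\s*"?(?:v1\.|beta\.)?compute\.networks\.(\w+)"?')
_RESOURCE_RE = re.compile(r'resource\.type\s*=\s*"?gce_network"?')


def metric_filter_findings(log_filter):
    """Problems with one logs-based metric filter; an empty list means compliant."""
    findings = []
    flt = " ".join(log_filter.split())  # normalise line breaks and spacing
    if not _RESOURCE_RE.search(flt):
        findings.append("filter is not scoped to resource.type=gce_network")
    positions = {m.group(1): m.start() for m in _METHOD_RE.finditer(flt)}
    missing = REQUIRED_METHODS - set(positions)
    if missing:
        findings.append("filter does not match: " + ", ".join(sorted(missing)))
    # AND binds tighter than OR in the Logging query language, so the OR'd
    # methodName clauses must sit inside one parenthesised group; otherwise every
    # clause after the first OR is no longer limited to gce_network.
    lpar, rpar = flt.find("("), flt.rfind(")")
    if positions and not all(lpar < pos < rpar for pos in positions.values()):
        findings.append("methodName clauses are not grouped in parentheses after AND")
    return findings


def audit_metrics(metrics_json):
    """metricDescriptor.type -> findings, for every metric mentioning compute.networks."""
    results = {}
    for metric in json.loads(metrics_json):
        flt = metric.get("filter", "")
        if "compute.networks" in flt:
            results[metric["metricDescriptor"]["type"]] = metric_filter_findings(flt)
    return results


def audit_policies(policies_json, metric_type):
    """Problems with the alert policies bound to metric_type; empty means compliant."""
    want = 'metric.type="%s"' % metric_type
    bound = [p for p in json.loads(policies_json)
             if any(want in c.get("conditionThreshold", {}).get("filter", "")
                    for c in p.get("conditions", []))]
    if not bound:
        return ["no alert policy has a condition on " + want]
    findings = []
    for pol in bound:
        label = pol.get("displayName", pol.get("name", "?"))
        if not pol.get("enabled", False):
            findings.append(label + ": policy is disabled")
        if not pol.get("notificationChannels"):
            findings.append(label + ": no notification channels configured")
    return findings


def run(metrics_json, policies_json):
    """All findings keyed by metric type; a metric with an empty list passes."""
    metrics = audit_metrics(metrics_json)
    if not metrics:
        return {"(none)": ["no logs-based metric matches compute.networks changes"]}
    return {t: f + audit_policies(policies_json, t) for t, f in metrics.items()}


def compliant(metrics_json, policies_json):
    """True when at least one metric/policy pair satisfies the Audit steps."""
    return any(not f for f in run(metrics_json, policies_json).values())


# Constructed sample output: one compliant metric, one metric with the ungrouped
# and partial filter, and one enabled policy bound to the compliant metric.
SAMPLE_METRICS = json.dumps([
    {"name": "vpc-network-changes",
     "filter": 'resource.type=gce_network AND (protoPayload.methodName:"compute.networks.insert" '
               'OR protoPayload.methodName:"compute.networks.patch" '
               'OR protoPayload.methodName:"compute.networks.delete" '
               'OR protoPayload.methodName:"compute.networks.removePeering" '
               'OR protoPayload.methodName:"compute.networks.addPeering")',
     "metricDescriptor": {"type": "logging.googleapis.com/user/vpc-network-changes", "unit": "1"}},
    {"name": "vpc-ungrouped",
     "filter": 'resource.type=gce_network AND protoPayload.methodName="beta.compute.networks.insert" '
               'OR protoPayload.methodName="v1.compute.networks.delete"',
     "metricDescriptor": {"type": "logging.googleapis.com/user/vpc-ungrouped", "unit": "1"}},
])
SAMPLE_POLICIES = json.dumps([
    {"displayName": "VPC network changes", "enabled": True,
     "notificationChannels": ["projects/example-project/notificationChannels/1"],
     "conditions": [{"conditionThreshold": {
         "filter": 'metric.type="logging.googleapis.com/user/vpc-network-changes" AND resource.type="gce_network"',
         "comparison": "COMPARISON_GT", "thresholdValue": 0, "duration": "0s"}}]},
])

if __name__ == "__main__":
    # python3 audit_vpc_alerts.py metrics.json policies.json   (files saved from gcloud)
    if len(sys.argv) == 3:
        metrics_json, policies_json = (open(p).read() for p in sys.argv[1:3])
    else:
        metrics_json, policies_json = SAMPLE_METRICS, SAMPLE_POLICIES
    for metric_type, findings in run(metrics_json, policies_json).items():
        print(metric_type, "->", findings or "OK")
    print("COMPLIANT" if compliant(metrics_json, policies_json) else "NON-COMPLIANT")
```

The parentheses check is deliberately strict: a filter that lists all five methods without grouping them still gets a finding, because it silently matches those methods on every resource type rather than only on gce_network.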
Remediation
From Console:
Create the prescribed log metric:
- Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC".
- Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
- Clear any text and add:
resource.type=gce_network
AND (protoPayload.methodName:"compute.networks.insert"
OR protoPayload.methodName:"compute.networks.patch"
OR protoPayload.methodName:"compute.networks.delete"
OR protoPayload.methodName:"compute.networks.removePeering"
OR protoPayload.methodName:"compute.networks.addPeering")
- Click Submit Filter. The log entries matching the filter text are displayed.
- In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.
- Click Create Metric.
Create the prescribed alert policy:
- Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
- Click the 3-dot icon in the rightmost column for the new metric and select Create alert from Metric. A new page appears.
- Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of 0 for the most recent value triggers a notification for every VPC network change in the project:
Set 'Aggregator' to 'Count'
Set 'Configuration':
- Condition: above
- Threshold: 0
- For: most recent value
- Configure the desired notification channels in the section Notifications.
- Name the policy and click Save.
From Command Line:
Create the prescribed Log Metric:
- Use the command: gcloud beta logging metrics create <Log_Metric_Name> --description="<description>" --log-filter='<filter text above>'
- Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create
Create the prescribed alert policy:
- Use the command: gcloud alpha monitoring policies create, for example with --policy-from-file pointing at an AlertPolicy JSON whose condition filter is metric.type="logging.googleapis.com/user/<Log_Metric_Name>" and whose notificationChannels list is populated
- Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create
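The page names the two gcloud commands but not the policy document the second one consumes. The script below is an added example (not Lacework's or Google's code) that builds the metric-creation command and the AlertPolicy JSON for --policy-from-file, mirroring the console settings above (condition above, threshold 0, most recent value), and runs them only when --apply is given. The metric name vpc-network-changes, the project ID, the channel names and the --apply flag are placeholders chosen here; the 60s ALIGN_SUM aggregation is an assumption about what the console's "Count" aggregator amounts to for this counter metric.

```python
"""Build, and optionally apply, the VPC network change metric and alert policy.

Added example for this page (not Lacework's or Google's code). Placeholders:
METRIC_NAME, the project ID and the notification channel names on the command line.
"""
import json
import subprocess
import sys
import tempfile

METRIC_NAME = "vpc-network-changes"  # placeholder; any name satisfies the check

# The filter the page prescribes, with the OR'd clauses grouped after AND.
LOG_FILTER = (
    'resource.type=gce_network AND ('
    'protoPayload.methodName:"compute.networks.insert" OR '
    'protoPayload.methodName:"compute.networks.patch" OR '
    'protoPayload.methodName:"compute.networks.delete" OR '
    'protoPayload.methodName:"compute.networks.removePeering" OR '
    'protoPayload.methodName:"compute.networks.addPeering")'
)


def metric_create_cmd(project, name=METRIC_NAME):
    """argv for the counter metric (Units 1 and Type Counter are the defaults)."""
    return ["gcloud", "beta", "logging", "metrics", "create", name,
            "--project", project,
            "--description", "CIS: VPC network changes",
            "--log-filter", LOG_FILTER]


def alert_policy(name, channels):
    """AlertPolicy body for 'gcloud alpha monitoring policies create --policy-from-file'."""
    metric_type = "logging.googleapis.com/user/" + name
    return {
        "displayName": "VPC network change",
        "combiner": "OR",
        "enabled": True,
        "notificationChannels": channels,
        "conditions": [{
            "displayName": "any VPC network change log entry",
            "conditionThreshold": {
                # This is the filter the Audit section looks for in the policy.
                "filter": 'metric.type="%s" AND resource.type="gce_network"' % metric_type,
                "comparison": "COMPARISON_GT",   # Condition: above
                "thresholdValue": 0,             # Threshold: 0
                "duration": "0s",                # For: most recent value
                "trigger": {"count": 1},
                # Assumption: summing the counter per 60s window is what the console's
                # 'Count' aggregator amounts to, so any matching entry exceeds 0.
                "aggregations": [{"alignmentPeriod": "60s", "perSeriesAligner": "ALIGN_SUM"}],
            },
        }],
    }


def policy_create_cmd(project, policy_path):
    """argv for creating the alert policy from a JSON file."""
    return ["gcloud", "alpha", "monitoring", "policies", "create",
            "--project", project, "--policy-from-file", policy_path]


def plan(project, channels):
    """Both commands in order, with the policy JSON written to a temp file; runs nothing."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(alert_policy(METRIC_NAME, channels), fh, indent=2)
    return [metric_create_cmd(project), policy_create_cmd(project, fh.name)]


if __name__ == "__main__":
    # usage: python3 remediate_vpc_alerts.py PROJECT_ID CHANNEL_NAME... [--apply]
    # Channel resource names come from: gcloud beta monitoring channels list
    apply = "--apply" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--apply"]
    if not args:
        sys.exit("need PROJECT_ID and at least one notification channel name")
    for cmd in plan(args[0], args[1:]):
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
```

Without --apply the script only prints the two commands and leaves the generated policy file on disk for review, so the filter and thresholds can be checked against the Audit section before anything is created in the project.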
References
https://cloud.google.com/logging/docs/logs-based-metrics/
https://cloud.google.com/monitoring/custom-metrics/
https://cloud.google.com/monitoring/alerts/
https://cloud.google.com/logging/docs/reference/tools/gcloud-logging
https://cloud.google.com/vpc/docs/overview