Logging metric filter and alert for network changes should be configured¶

Description¶

Network traffic flow can be impacted when a network is created, modified, or deleted, or when a network peering connection is created or deleted. Such changes can also indicate suspicious activity. Monitoring changes to VPCs can help detect anomalous actions and ensure traffic flow is not impacted.

Remediation Steps¶

Google Cloud Console¶

This is a two-part process. First, you create the log metric. Next, you create an alert policy.

Step 1: To create the log metric:

Navigate to Logs-based Metrics and click CREATE METRIC.
Ensure Metric Type is set to Counter.
Under Details, enter a name and description, and set Units to 1.
Under Filter selection, clear any text in the Build filter box and enter the following:

resource.type="gce_network"
AND (protoPayload.methodName:compute.networks.insert
OR protoPayload.methodName:compute.networks.patch
OR protoPayload.methodName:compute.networks.delete
OR protoPayload.methodName:compute.networks.removePeering
OR protoPayload.methodName:compute.networks.addPeering)

Click Create Metric.

Step 2: To create the alert policy:

Navigate to Logs-based Metrics and identify the newly created metric under the section User-defined Metrics.
Click the 3-dot icon in the rightmost column for the new metric and select Create alert from metric.
In the left sidebar, keep the defaults for the Alert Conditions sections, and under Alert Details, select Notifications and name.
Configure the desired notification channels in the section Configure notifications.
Name the alert and click Create Policy.

gcloud CLI¶

To create the log metric:
- gcloud beta logging metrics create

For flags, see Google Cloud’s CLI reference.

To create the alert policy:
- gcloud alpha monitoring policies create