Logging metric filter and alert for network changes should be configured
Network traffic flow can be impacted when a network is created, modified, or deleted, or when a network peering connection is created or deleted. Such changes can also indicate suspicious activity. Monitoring changes to VPCs can help detect anomalous actions and ensure traffic flow is not impacted.
Google Cloud Console
This is a two-part process. First, you create the log metric. Next, you create an alert policy.
Step 1: To create the log metric:
Navigate to Logs-based Metrics and click CREATE METRIC.
Ensure Metric Type is set to Counter.
Under Details, enter a name and description, and set Units to 1.
Under Filter selection, clear any text in the Build filter box and enter the following:
resource.type="gce_network" AND (protoPayload.methodName:compute.networks.insert OR protoPayload.methodName:compute.networks.patch OR protoPayload.methodName:compute.networks.delete OR protoPayload.methodName:compute.networks.removePeering OR protoPayload.methodName:compute.networks.addPeering)
Click Create Metric.
Step 2: To create the alert policy:
Navigate to Logs-based Metrics and identify the newly created metric under the section User-defined Metrics.
Click the 3-dot icon in the rightmost column for the new metric and select Create alert from Metric.
In the Find resource type and metric section, remove the selected resource type and select Global as the resource type instead.
Set Aggregator to Count and set the desired time period.
Under Configuration, choose the alerting threshold and configuration that makes sense for your organization. For example, a threshold of zero (0) for the most recent value ensures that a notification is triggered for every network change in the project:
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
Configure the desired notification channels in the section Notifications.
Name the policy and click Save.
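The following is an added example, not part of the original recommendation: it keeps the Step 1 filter as a single reusable string, re-implements its matching semantics over constructed sample audit-log entries (so you can see that the `:` "has" operator matches regardless of the `v1.` or `beta.` API version prefix in `methodName`, while the `gce_subnetwork` and read-only entries are ignored), and emits the equivalent `gcloud logging metrics create` command. The metric name and the sample entries are assumptions.

```python
import shlex

# Filter from Step 1 as one string, usable in the console or with gcloud.
NETWORK_CHANGE_FILTER = (
    'resource.type="gce_network" AND ('
    "protoPayload.methodName:compute.networks.insert OR "
    "protoPayload.methodName:compute.networks.patch OR "
    "protoPayload.methodName:compute.networks.delete OR "
    "protoPayload.methodName:compute.networks.removePeering OR "
    "protoPayload.methodName:compute.networks.addPeering)"
)

WATCHED_METHODS = (
    "compute.networks.insert", "compute.networks.patch", "compute.networks.delete",
    "compute.networks.removePeering", "compute.networks.addPeering",
)

def matches_network_change_filter(entry: dict) -> bool:
    """Apply the filter's semantics to one audit-log entry.

    '=' on resource.type is an exact match. ':' on methodName is the Logging
    query language 'has' operator (case-insensitive substring), so the API
    version prefix in the real methodName ("v1.", "beta.") does not matter.
    """
    if entry.get("resource", {}).get("type") != "gce_network":
        return False
    method = entry.get("protoPayload", {}).get("methodName", "").lower()
    return any(m.lower() in method for m in WATCHED_METHODS)

def count_network_changes(entries) -> int:
    """Counter semantics of the metric: one increment per matching entry."""
    return sum(1 for e in entries if matches_network_change_filter(e))

def gcloud_create_metric_command(metric_name: str = "network_changes") -> str:
    """Step 1 as a gcloud command; the metric name is an assumed value."""
    return (
        f"gcloud logging metrics create {metric_name} "
        f"--description={shlex.quote('Counts VPC network and peering changes')} "
        f"--log-filter={shlex.quote(NETWORK_CHANGE_FILTER)}"
    )

# Constructed sample entries (not real audit logs); only the first two count.
SAMPLE_ENTRIES = [
    {"resource": {"type": "gce_network"}, "protoPayload": {"methodName": "v1.compute.networks.insert"}},
    {"resource": {"type": "gce_network"}, "protoPayload": {"methodName": "beta.compute.networks.addPeering"}},
    {"resource": {"type": "gce_subnetwork"}, "protoPayload": {"methodName": "v1.compute.subnetworks.insert"}},
    {"resource": {"type": "gce_network"}, "protoPayload": {"methodName": "v1.compute.networks.listPeeringRoutes"}},
]
```

Running `count_network_changes(SAMPLE_ENTRIES)` returns 2, which is what the Counter metric would report for these four entries.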