
Summary
This detection rule identifies a patch operation that explicitly disables VPC Flow Logs on a subnet in Google Cloud Platform (GCP). VPC Flow Logs record sampled network flows to and from the VM instances in a subnet and are a primary source of network visibility for monitoring, incident investigation and compliance in GCP. The rule watches GCP audit logs for subnet configuration updates and matches events in which the patch request sets 'enableFlowLogs' to false. Such an event indicates either a misconfiguration or a policy violation, and in both cases a loss of network visibility; flow logs may also be disabled deliberately to hide subsequent activity. The rule has medium severity and is intended for organizations running infrastructure on GCP that require subnet flow logs to remain enabled.
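As an added illustration (not the rule's own query or code), the check below reproduces the described logic in Python over a few constructed Cloud Audit Log entries. The protoPayload field names follow the GCP audit log schema; the method name values, project, subnet and principal names in the samples are assumptions.

```python
import json
from typing import Iterable, List, Dict

# Constructed sample Admin Activity audit log entries, one JSON document per
# line, reduced to the fields this check reads. Project, subnet and principal
# names are made up; the methodName values are an assumption about the API.
SAMPLE_AUDIT_LOGS = [
    # Patch that explicitly turns flow logs off: this is the finding.
    json.dumps({
        "timestamp": "2023-03-13T10:15:00Z",
        "protoPayload": {
            "methodName": "v1.compute.subnetworks.patch",
            "resourceName": "projects/example-project/regions/us-central1/subnetworks/app-subnet",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "request": {"enableFlowLogs": False, "fingerprint": "abc123"},
        },
    }),
    # Patch that turns flow logs on: not a finding.
    json.dumps({
        "timestamp": "2023-03-13T10:20:00Z",
        "protoPayload": {
            "methodName": "v1.compute.subnetworks.patch",
            "resourceName": "projects/example-project/regions/us-central1/subnetworks/db-subnet",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "request": {"enableFlowLogs": True},
        },
    }),
    # Patch that only changes the description: enableFlowLogs is absent, so the
    # current setting is left as it was and this is not a finding.
    json.dumps({
        "timestamp": "2023-03-13T10:25:00Z",
        "protoPayload": {
            "methodName": "v1.compute.subnetworks.patch",
            "resourceName": "projects/example-project/regions/us-central1/subnetworks/app-subnet",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "request": {"description": "renamed"},
        },
    }),
    # Subnet created with flow logs off: an insert, not a patch, so the rule as
    # described does not fire on it.
    json.dumps({
        "timestamp": "2023-03-13T10:30:00Z",
        "protoPayload": {
            "methodName": "v1.compute.subnetworks.insert",
            "resourceName": "projects/example-project/regions/us-central1/subnetworks/new-subnet",
            "authenticationInfo": {"principalEmail": "carol@example.com"},
            "request": {"name": "new-subnet", "enableFlowLogs": False},
        },
    }),
    # Malformed line, as a log pipeline can produce; it is skipped.
    "this is not json",
]

# Assumed method name suffix for subnet patch calls; the API version prefix
# (v1, beta, ...) is deliberately not matched.
SUBNET_PATCH_METHOD_SUFFIX = ".compute.subnetworks.patch"


def is_flow_logs_disabled_event(entry: Dict) -> bool:
    """True when the entry is a subnet patch whose request sets enableFlowLogs to false."""
    payload = entry.get("protoPayload") or {}
    method = payload.get("methodName", "")
    if not method.endswith(SUBNET_PATCH_METHOD_SUFFIX):
        return False
    request = payload.get("request") or {}
    # Only an explicit false counts; a missing key leaves the subnet unchanged.
    return request.get("enableFlowLogs") is False


def find_flow_log_disables(log_lines: Iterable[str]) -> List[Dict]:
    """Parse JSON log lines and return one record per matching event."""
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON document; ignore rather than fail the whole batch
        if not isinstance(entry, dict) or not is_flow_logs_disabled_event(entry):
            continue
        payload = entry["protoPayload"]
        hits.append({
            "timestamp": entry.get("timestamp"),
            "subnet": payload.get("resourceName"),
            "principal": (payload.get("authenticationInfo") or {}).get("principalEmail"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_flow_log_disables(SAMPLE_AUDIT_LOGS):
        print(f"{hit['timestamp']} flow logs disabled on {hit['subnet']} by {hit['principal']}")
```

Two consequences of the rule's scope are visible in the samples: a patch that omits 'enableFlowLogs' is not a finding because it does not change the setting, and a subnet created with flow logs off is an insert rather than a patch, so it is not caught by this rule and needs a separate check. When triaging a hit, the current state of the subnet can be confirmed with `gcloud compute networks subnets describe SUBNET --region REGION --format="value(enableFlowLogs)"`.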
Categories
- Cloud
- GCP
- Infrastructure
Data Sources
- Cloud Service
- Application Log
Created: 2023-03-13