More Info:

Ensures that logging and log alerts exist for VPC network changes.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, NIST, CISGCP, CBP, HIPAA, ISO27001, HITRUST, GDPR, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Network Change Log Alerts Should Be Enabled” in GCP using GCP console, you can follow these steps:
  1. Open the GCP console and navigate to the Cloud Logging page.
  2. Click on “Logs-based Metrics” in the left-hand menu.
  3. Click on the “Create Metric” button.
  4. In the “Create a Metric” dialog box, select “Counter” as the metric type.
  5. Enter a name for the metric, such as “Network Change Log Alerts Enabled”.
  6. In the “Filter” field, enter the following filter to capture network changes: 
    resource.type="gce_network" AND protoPayload.methodName="v1.compute.networks.patch"
  7. Click “Create”.
  8. Navigate to the “Alerting” page in the left-hand menu.
  9. Click on “Create Policy” to create a new alerting policy.
  10. In the “Create a Policy” dialog box, enter a name and description for the policy.
  11. In the “Conditions” section, click on the “Add Condition” button and select “Metric Threshold”.
  12. Select the metric you created earlier, “Network Change Log Alerts Enabled”, from the drop-down menu.
  13. Set the threshold to “1” and select a duration for the threshold to be met, such as “5 minutes”.
  14. In the “Notifications” section, add the email addresses of the individuals who should receive the alerts.
  15. Click “Save” to create the alerting policy.
After completing these steps, the GCP console will send an alert to the specified email addresses when a network change occurs in the GCP environment.

To remediate the misconfiguration “Network Change Log Alerts Should Be Enabled” for GCP using GCP CLI, follow the below steps:
  1. Open the Cloud Shell from the GCP console.
  2. Run the following command to enable the Network Change Log Alerts: 
gcloud logging sinks create [SINK_NAME] storage.googleapis.com/[BUCKET_NAME] --log-filter='resource.type="gce_network" AND protoPayload.methodName="v1.compute.networks.patch" OR protoPayload.methodName="v1.compute.networks.updatePeering" OR protoPayload.methodName="v1.compute.networks.addPeering" OR protoPayload.methodName="v1.compute.networks.removePeering" OR protoPayload.methodName="v1.compute.networks.insert" OR protoPayload.methodName="v1.compute.networks.delete" OR protoPayload.methodName="v1.compute.networks.patch" OR protoPayload.methodName="v1.compute.networks.update" OR protoPayload.methodName="v1.compute.networks.addFlowLogs" OR protoPayload.methodName="v1.compute.networks.removeFlowLogs" OR protoPayload.methodName="v1.compute.networks.updateFlowLogsConfig" OR protoPayload.methodName="v1.compute.networks.deleteFlowLogsConfig" OR protoPayload.methodName="v1.compute.networks.addPeering" OR protoPayload.methodName="v1.compute.networks.removePeering" OR protoPayload.methodName="v1.compute.networks.updatePeering" OR protoPayload.methodName="v1.compute.networks.addSubnetwork" OR protoPayload.methodName="v1.compute.networks.deleteSubnetwork" OR protoPayload.methodName="v1.compute.networks.updateSubnetwork" OR protoPayload.methodName="v1.compute.networks.addPeering" OR protoPayload.methodName="v1.compute.networks.removePeering" OR protoPayload.methodName="v1.compute.networks.updatePeering" OR protoPayload.methodName="v1.compute.globalAddresses.insert" OR protoPayload.methodName="v1.compute.globalAddresses.delete" OR protoPayload.methodName="v1.compute.globalAddresses.update" OR protoPayload.methodName="v1.compute.globalForwardingRules.insert" OR protoPayload.methodName="v1.compute.globalForwardingRules.delete" OR protoPayload.methodName="v1.compute.globalForwardingRules.update" OR protoPayload.methodName="v1.compute.globalNetworkEndpointGroups.attachNetworkEndpoints" OR protoPayload.methodName="v1.compute.globalNetworkEndpointGroups.detachNetworkEndpoints" OR protoPayload.methodName="v1.compute.globalNetworkEndpointGroups.insert" OR protoPayload.methodName="v1.compute.globalNetworkEndpointGroups.delete" OR protoPayload.methodName="v1.compute.globalNetworkEndpointGroups.update" OR protoPayload.methodName="v1.compute.globalNetworkEndpointGroups.updateNetworkEndpoint" OR protoPayload.methodName="v1.compute.globalOperations.delete" OR protoPayload.methodName="v1.compute.globalOperations.cancel" OR protoPayload.methodName="v1.compute.healthChecks.insert" OR protoPayload.methodName="v1.compute.healthChecks.delete" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update" OR protoPayload.methodName="v1.compute.healthChecks.patch" OR protoPayload.methodName="v1.compute.healthChecks.update
To remediate the misconfiguration “Network Change Log Alerts Should Be Enabled” in GCP using Python, follow the below steps:
  1. Import the required libraries:
from google.cloud import logging_v2
from google.cloud.logging_v2 import enums
from google.cloud.logging_v2.handlers import CloudLoggingHandler
  1. Set up the GCP project ID and the Cloud Logging client:
project_id = "<PROJECT_ID>"
client = logging_v2.LoggingServiceV2Client()
parent = client.project_path(project_id)
  1. Create a sink to export the logs to Cloud Pub/Sub:
sink_name = "pubsub-sink"
filter_ = "logName:\"logs/cloudaudit.googleapis.com\" AND protoPayload.methodName:\"v1.compute.instances.insert\""
destination = "pubsub.googleapis.com/projects/<PROJECT_ID>/topics/<TOPIC_NAME>"
sink = {
    "name": sink_name,
    "filter": filter_,
    "destination": destination,
    "output_version_format": enums.LogSink.VersionFormat.V2,
}
client.create_sink(parent, sink)
  1. Create a metric to track the number of log entries:
metric_name = "network_change_log_alerts"
metric_type = "logging.googleapis.com/user/{}".format(metric_name)
metric = {
    "name": metric_type,
    "metric_kind": enums.MetricDescriptor.MetricKind.DELTA,
    "value_type": enums.MetricDescriptor.ValueType.INT64,
    "unit": "1",
    "description": "Number of network change log alerts",
}
client.create_metric_descriptor(parent, metric)
  1. Create an alerting policy to trigger an email notification when the metric exceeds a certain threshold:
policy_name = "network_change_log_alerts_policy"
condition_name = "network_change_log_alerts_condition"
condition = {
    "name": condition_name,
    "display_name": "Network Change Log Alerts Condition",
    "condition_threshold": {
        "aggregations": [
            {
                "alignment_period": {"seconds": 300},
                "per_series_aligner": enums.Aggregation.Aligner.ALIGN_COUNT_TRUE,
                "cross_series_reducer": enums.Aggregation.Reducer.REDUCE_SUM,
                "group_by_fields": ["resource.type"],
            }
        ],
        "comparison": enums.ComparisonType.COMPARISON_GT,
        "threshold_value": 0,
        "duration": {"seconds": 0},
        "trigger": {"count": 1},
    },
}
notification_channel_name = "network_change_log_alerts_channel"
notification_channel = {
    "name": notification_channel_name,
    "type_": "email",
    "labels": {"email_address": "<EMAIL_ADDRESS>"},
}
policy = {
    "name": policy_name,
    "display_name": "Network Change Log Alerts Policy",
    "conditions": [condition],
    "combiner": enums.AlertPolicy.ConditionCombinerType.AND,
    "notification_channels": [notification_channel_name],
}
client.create_alert_policy(parent, policy)
  1. Verify that the alerting policy is created successfully:
policy = client.get_alert_policy(client.alert_policy_path(project_id, policy_name))
print(policy)
After following these steps, the misconfiguration “Network Change Log Alerts Should Be Enabled” should be remediated for GCP using Python.

Additional Reading: