# GCP flow logs disabled

## Description
AlphaSOC detected that VPC flow logs were disabled on a GCP subnetwork through
the v1.compute.subnetworks.patch action with enableFlowLogs set to false.
VPC flow logs capture network traffic metadata including source/destination IPs,
ports, protocols, and packet counts. While disabling flow logs is often
legitimate for cost optimization in non-production environments, attackers may
disable logging to reduce visibility before conducting malicious activities.
## Impact
Disabling VPC flow logs reduces network visibility used for threat detection and investigation. Without flow logs, security teams cannot monitor network-level anomalies, detect unusual connection patterns, or reconstruct network activity during incident response. This limits the ability to identify data exfiltration, lateral movement, or unauthorized connections within the affected subnetwork.
## Severity

| Severity | Condition |
|---|---|
| Low | GCP flow logs disabled |
## Investigation and Remediation
Review GCP audit logs for the v1.compute.subnetworks.patch event to identify
the affected subnetwork, VPC, and region. Verify the principal (user or service
account) that performed the modification and check the source IP address to
confirm authorized activity.
If unauthorized, re-enable flow logging using the GCP Console or
`gcloud compute networks subnets update` with the `--enable-flow-logs` flag. Review
other log sources (Cloud Audit Logs, firewall logs) for the period when logging
was disabled to identify potential malicious activity. Rotate credentials for
compromised principals and review IAM policies for least privilege access.
Implement Organization Policy constraints to enforce flow logging on critical
subnets and configure Cloud Monitoring alerts for configuration changes.
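The triage steps above (find the `v1.compute.subnetworks.patch` event that set `enableFlowLogs` to false, extract the subnetwork, region, principal and caller IP, then re-enable flow logs) can be scripted against exported Cloud Audit Log entries. The example below is added here and is not AlphaSOC's code; the log entries are constructed, their field layout is assumed to match the shape Compute Engine Admin Activity logs use (`protoPayload.methodName`, `.request`, `.authenticationInfo.principalEmail`, `.requestMetadata.callerIp`, `.resourceName`), and the `gcloud logging read` filter string is an assumption about the Logging query language rather than something taken from the page.

```python
import json
import re

# Filter you could pass to `gcloud logging read` to pull candidate events
# (assumed Logging query syntax; narrow further by resource.labels if needed).
AUDIT_LOG_FILTER = 'protoPayload.methodName="v1.compute.subnetworks.patch"'

# Constructed sample Admin Activity log entries; every value is invented.
SAMPLE_ENTRIES = [
    # 1) flow logs switched off on a subnet: the event this detection fires on
    json.dumps({
        "timestamp": "2024-05-01T10:15:00Z",
        "protoPayload": {
            "methodName": "v1.compute.subnetworks.patch",
            "resourceName": "projects/example-prod/regions/us-central1/subnetworks/app-subnet",
            "authenticationInfo": {"principalEmail": "ops-admin@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
            "request": {"enableFlowLogs": False, "fingerprint": "abc="},
        },
    }),
    # 2) same API call but turning flow logs back on: not a finding
    json.dumps({
        "timestamp": "2024-05-01T11:00:00Z",
        "protoPayload": {
            "methodName": "v1.compute.subnetworks.patch",
            "resourceName": "projects/example-prod/regions/us-central1/subnetworks/app-subnet",
            "authenticationInfo": {"principalEmail": "ops-admin@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.10"},
            "request": {"enableFlowLogs": True, "fingerprint": "def="},
        },
    }),
    # 3) patch that only changes the description: enableFlowLogs absent, not a finding
    json.dumps({
        "timestamp": "2024-05-01T12:00:00Z",
        "protoPayload": {
            "methodName": "v1.compute.subnetworks.patch",
            "resourceName": "projects/example-dev/regions/europe-west1/subnetworks/dev-subnet",
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
            "request": {"description": "renamed", "fingerprint": "ghi="},
        },
    }),
    # 4) unrelated subnetwork operation: wrong method, not a finding
    json.dumps({
        "timestamp": "2024-05-01T13:00:00Z",
        "protoPayload": {
            "methodName": "v1.compute.subnetworks.insert",
            "resourceName": "projects/example-dev/regions/europe-west1/subnetworks/new-subnet",
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
            "request": {"enableFlowLogs": False},
        },
    }),
]

PATCH_METHOD = "v1.compute.subnetworks.patch"
RESOURCE_RE = re.compile(
    r"projects/(?P<project>[^/]+)/regions/(?P<region>[^/]+)/subnetworks/(?P<subnet>[^/]+)"
)


def find_flow_log_disables(entries):
    """Return triage records for every patch event that set enableFlowLogs=false."""
    findings = []
    for raw in entries:
        entry = json.loads(raw)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != PATCH_METHOD:
            continue
        # Only a patch whose request body explicitly carries false disables logging;
        # a missing key means the patch did not touch the flow-log setting.
        if payload.get("request", {}).get("enableFlowLogs") is not False:
            continue
        match = RESOURCE_RE.search(payload.get("resourceName", ""))
        if not match:
            continue
        findings.append({
            "timestamp": entry.get("timestamp"),
            "project": match["project"],
            "region": match["region"],
            "subnet": match["subnet"],
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp", "unknown"),
        })
    return findings


def remediation_command(finding):
    """Build the gcloud command that re-enables flow logs on the affected subnet."""
    return (
        "gcloud compute networks subnets update {subnet} "
        "--region={region} --project={project} --enable-flow-logs"
    ).format(**finding)


if __name__ == "__main__":
    for f in find_flow_log_disables(SAMPLE_ENTRIES):
        print(f"{f['timestamp']} {f['principal']} from {f['caller_ip']} disabled flow logs "
              f"on {f['project']}/{f['region']}/{f['subnet']}")
        print("  remediate with:", remediation_command(f))
```

The principal and caller IP in each finding are the two fields to confirm against change tickets or known admin ranges before running the remediation command; the remaining entries in the sample show the three cases the filter must not flag (re-enable, unrelated patch, different method).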
## Known False Positives
- Cost optimization in development or testing environments
- Network troubleshooting requiring temporary log suspension
- Benign subnet modifications during infrastructure changes