
GCP flow logs disabled

ID: gcp_flow_logs_disabled
Data type: Google Cloud Platform
Severity: Low
MITRE ATT&CK: TA0005:T1562.008 (Defense Evasion: Impair Defenses, Disable or Modify Cloud Logs)

Description

AlphaSOC detected that VPC Flow Logs were disabled on a GCP subnetwork: a v1.compute.subnetworks.patch call whose request body set enableFlowLogs to false. VPC Flow Logs are configured per subnet and record sampled metadata for each connection to or from instances in that subnet, including source and destination IPs, ports, protocol, and byte and packet counts. Disabling them is often legitimate, typically to save cost in non-production environments, but an attacker with permission to modify subnets may disable logging to reduce visibility before or during malicious activity.

Impact

Disabling VPC Flow Logs removes the network-level telemetry used for threat detection and investigation on the affected subnetwork. Without them, security teams cannot baseline traffic, detect unusual connection patterns, or reconstruct which hosts talked to which endpoints during incident response, which limits the ability to identify data exfiltration, lateral movement, or unauthorized connections from that subnet. Cloud Audit Logs and Firewall Rules Logging continue to record, but neither gives the per-connection view that flow logs provide, and nothing is collected retroactively once logging is re-enabled.

Severity

Severity    Condition
Low         GCP flow logs disabled

Investigation and Remediation

Review Cloud Audit Logs (Admin Activity) for the v1.compute.subnetworks.patch event. The protoPayload.resourceName gives the project, region and subnetwork; the patch request does not name the parent VPC, so look it up with gcloud compute networks subnets describe SUBNET --region=REGION. Verify the principal (protoPayload.authenticationInfo.principalEmail) and the caller IP and user agent (protoPayload.requestMetadata) to confirm the change was authorized, and check whether the same principal touched other subnets or logging configuration around the same time.

If unauthorized, re-enable flow logging from the GCP Console or with gcloud compute networks subnets update SUBNET --region=REGION --enable-flow-logs, then confirm with a describe call that enableFlowLogs is true. Traffic from the period when logging was disabled cannot be recovered, so review the log sources that remained active (Cloud Audit Logs, Firewall Rules Logging, and any host- or load-balancer-level logs) for that window to identify potential malicious activity. Rotate credentials for any compromised principal and review IAM bindings so that compute.subnetworks.update is limited to the identities that need it. To prevent recurrence, enforce flow logging on critical subnets with an organization policy constraint (a custom constraint on compute.googleapis.com/Subnetwork, or the managed compute.requireVpcFlowLogs constraint where available) and create a log-based alert in Cloud Monitoring on the audit event so the change is noticed immediately.
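The investigation steps above, as an added Python example (not AlphaSOC's detection code): it parses Cloud Audit Log entries exported as JSON lines, keeps only v1.compute.subnetworks.patch calls whose request sets enableFlowLogs to false, pulls out the project, region, subnetwork, principal and caller IP an investigator needs, and applies a simple triage rule that reflects the known false positives listed on this page (non-production projects changed by a known change-management identity). The audit entries are constructed samples, the field names follow the standard AuditLog protoPayload layout, and the allow-lists passed to triage() are assumptions. HUNT_FILTER is the equivalent Logs Explorer query for hunting the same events.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Logs Explorer query for the same event (standard Compute Engine audit log field names).
HUNT_FILTER = (
    'resource.type="gce_subnetwork" '
    'AND protoPayload.methodName="v1.compute.subnetworks.patch" '
    'AND protoPayload.request.enableFlowLogs=false'
)

# Audit-log resourceName of a subnetwork: projects/P/regions/R/subnetworks/S
SUBNET_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/regions/(?P<region>[^/]+)/subnetworks/(?P<subnet>[^/]+)$"
)

@dataclass
class Finding:
    timestamp: str
    project: str
    region: str
    subnetwork: str
    principal: str
    caller_ip: Optional[str]

def detect(entry: dict) -> Optional[Finding]:
    """Return a Finding if this audit entry disabled flow logs on a subnetwork."""
    payload = entry.get("protoPayload", {})
    if (payload.get("serviceName") != "compute.googleapis.com"
            or payload.get("methodName") != "v1.compute.subnetworks.patch"):
        return None
    # A patch changes only the fields it carries: enableFlowLogs must be present and
    # explicitly false. A patch that omits it, or sets it true, must not fire.
    if payload.get("request", {}).get("enableFlowLogs") is not False:
        return None
    m = SUBNET_RE.match(payload.get("resourceName", ""))
    if not m:
        return None
    return Finding(
        timestamp=entry.get("timestamp", ""),
        project=m["project"],
        region=m["region"],
        subnetwork=m["subnet"],
        principal=payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        caller_ip=payload.get("requestMetadata", {}).get("callerIp"),
    )

def scan(lines: Iterable[str]) -> List[Finding]:
    """Run detect() over a JSON-lines audit log export, skipping malformed lines."""
    findings: List[Finding] = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        found = detect(entry)
        if found is not None:
            findings.append(found)
    return findings

def triage(f: Finding, nonprod_projects: set, change_principals: set) -> str:
    """Assumed rule: 'expected' only for a non-production project changed by a known
    change-management identity; production, or an unrecognised actor, is 'investigate'."""
    if f.project in nonprod_projects and f.principal in change_principals:
        return "expected"
    return "investigate"

def _entry(ts, resource_name, principal, request, ip="203.0.113.7"):
    """Constructed (not real) audit entry, trimmed to the fields detect() reads."""
    return json.dumps({
        "timestamp": ts,
        "protoPayload": {
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.subnetworks.patch",
            "resourceName": resource_name,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "request": request,
        },
    })

# Constructed sample export: one true positive, one enable, one unrelated patch, one bad line.
SAMPLE_LOG_LINES = [
    _entry("2024-05-02T10:14:03Z", "projects/prod-project/regions/us-central1/subnetworks/prod-subnet",
           "alice@example.com", {"enableFlowLogs": False, "fingerprint": "a1b2c3"}),
    _entry("2024-05-02T10:20:00Z", "projects/dev-project/regions/europe-west1/subnetworks/dev-subnet",
           "tf-ci@dev-project.iam.gserviceaccount.com", {"enableFlowLogs": True}),
    _entry("2024-05-02T10:25:00Z", "projects/prod-project/regions/us-central1/subnetworks/prod-subnet",
           "alice@example.com", {"privateIpGoogleAccess": True}),
    "not a json audit entry",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        verdict = triage(f, {"dev-project"}, {"tf-ci@dev-project.iam.gserviceaccount.com"})
        print(f"{f.timestamp} {f.project}/{f.region}/{f.subnetwork} by {f.principal} "
              f"from {f.caller_ip}: {verdict}")
```

Only the first sample entry produces a finding: the second turns logging on and the third patches an unrelated field, so checking that enableFlowLogs is present and explicitly false is what keeps the rule from firing on every subnet patch. The triage rule is deliberately conservative: a change in a production project is escalated even when it comes from a known automation identity, since that identity may itself be compromised.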

Known False Positives

  • Cost optimization in development or testing environments (confirm the project is genuinely non-production)
  • Network troubleshooting requiring temporary log suspension (expect a matching re-enable event shortly afterwards)
  • Benign subnet modifications during infrastructure changes (expect a change record, or an IaC pipeline identity as the principal)

Further Reading