Unexpected GCP API calls indicating GKE metrics configuration change
Description
AlphaSOC detected that metrics collection was disabled on a GKE cluster via
google.container.v1beta1.ClusterManager.UpdateCluster by setting an empty
monitoring component configuration. GKE metrics provide visibility into cluster
health, resource usage, and potential anomalies.
Adversaries may disable metrics to evade performance-based security monitoring that could detect cryptomining, resource abuse, or anomalous container behavior.
Impact
Disabling GKE metrics removes visibility into cluster resource usage and performance patterns. Security teams lose the ability to detect cryptomining through CPU anomalies, resource exhaustion attacks, or unusual container behavior. Operational teams lose monitoring capabilities for cluster health.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for UpdateCluster calls whose request carries
desiredMonitoringConfig.componentConfig changes. Identify the principal that
disabled metrics and verify whether the change was authorized.
If unauthorized, immediately re-enable GKE metrics collection. Investigate the compromised identity for additional defense evasion activities. Review cluster workloads for signs of unauthorized resource usage such as cryptomining.
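The following Python is an added example, not AlphaSOC's detection code, that ties together the audit-log review described in this section and the severity table above: it flags UpdateCluster entries whose desired monitoring component configuration enables nothing, counts how many of the four graded properties (action, ASN, user agent, region) fall outside a baseline, and maps that count to Informational, Low or Medium. The baseline sets, the IP-to-ASN table and the sample log lines are all constructed; the nesting `request.update.desiredMonitoringConfig.componentConfig.enableComponents` is assumed from the GKE API shape, and grading more than three unexpected properties as Medium is an assumption since the table stops at three.

```python
"""Constructed example: triage GKE audit-log entries that disable metrics."""
import json

UPDATE_METHOD = "google.container.v1beta1.ClusterManager.UpdateCluster"
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}

# Constructed baseline of what this cluster's administrators normally look like.
# A real baseline is learned from historical audit logs, not hard-coded.
BASELINE = {
    "action": {"google.container.v1beta1.ClusterManager.GetCluster"},
    "asn": {"AS64496"},                                   # constructed
    "user_agent": {"google-cloud-sdk gcloud/450.0.0"},    # constructed
    "region": {"us-central1"},
}

# Constructed IP -> ASN enrichment (audit logs carry the caller IP, not the ASN).
ASN_LOOKUP = {"198.51.100.7": "AS64496", "203.0.113.10": "AS64511"}


def disables_metrics(entry):
    """True when an UpdateCluster call sets a monitoring component config
    that enables no components, i.e. switches GKE metrics off."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != UPDATE_METHOD:
        return False
    component_cfg = (payload.get("request", {})
                     .get("update", {})
                     .get("desiredMonitoringConfig", {})
                     .get("componentConfig"))
    if component_cfg is None:
        return False  # this update did not touch the monitoring config
    return not component_cfg.get("enableComponents")


def unexpected_properties(entry, baseline=BASELINE, asn_lookup=ASN_LOOKUP):
    """Names of the graded properties (action, asn, user_agent, region)
    whose observed value is outside the baseline."""
    payload = entry.get("protoPayload", {})
    meta = payload.get("requestMetadata", {})
    observed = {
        "action": payload.get("methodName"),
        "asn": asn_lookup.get(meta.get("callerIp"), "unknown"),
        "user_agent": meta.get("callerSuppliedUserAgent"),
        "region": entry.get("resource", {}).get("labels", {}).get("location"),
    }
    return [name for name, value in observed.items() if value not in baseline[name]]


def severity_for(count):
    """Map the number of simultaneously unexpected properties to the table.
    Assumption: more than three unexpected properties is still graded Medium."""
    if count == 0:
        return None
    return SEVERITY_BY_COUNT[min(count, 3)]


def triage(log_lines):
    """Parse JSON audit-log lines; return one finding per metrics-disabling call."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        if not disables_metrics(entry):
            continue
        props = unexpected_properties(entry)
        findings.append({
            "principal": entry["protoPayload"]["authenticationInfo"]["principalEmail"],
            "unexpected": props,
            "severity": severity_for(len(props)),
        })
    return findings


def _entry(method, principal, ip, agent, location, enable_components=None):
    """Build a constructed log line shaped like a Cloud Audit Log entry."""
    request = {}
    if enable_components is not None:
        request = {"update": {"desiredMonitoringConfig":
                   {"componentConfig": {"enableComponents": enable_components}}}}
    return json.dumps({
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": agent},
            "request": request,
        },
        "resource": {"labels": {"location": location}},
    })


# Constructed sample log: a read, a benign update, and two metrics-disabling updates.
SAMPLE_LOG = [
    _entry("google.container.v1beta1.ClusterManager.GetCluster", "admin@example.com",
           "198.51.100.7", "google-cloud-sdk gcloud/450.0.0", "us-central1"),
    _entry(UPDATE_METHOD, "admin@example.com", "198.51.100.7",
           "google-cloud-sdk gcloud/450.0.0", "us-central1", ["SYSTEM_COMPONENTS"]),
    _entry(UPDATE_METHOD, "admin@example.com", "198.51.100.7",
           "google-cloud-sdk gcloud/450.0.0", "us-central1", []),
    _entry(UPDATE_METHOD, "contractor@example.com", "203.0.113.10",
           "curl/8.4.0", "us-central1", []),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The third sample line is graded Informational because only the action is unusual for that administrator; the fourth reaches Medium because the action, ASN and user agent are all outside the baseline at once. An update that merely changes which components are enabled (the second line) is not a finding, which keeps routine monitoring reconfiguration out of the alert stream.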