GCP monitoring alert policy impaired
Description
AlphaSOC detected deletion or explicit disabling of a GCP Cloud Monitoring alert
policy via google.monitoring.v3.AlertPolicyService.DeleteAlertPolicy or
UpdateAlertPolicy with enabled set to false. Adversaries may delete or
disable monitoring alerts to avoid detection during malicious activities such as
resource hijacking, cryptomining, or data exfiltration.
Impact
Disabling or deleting monitoring alerts reduces visibility into security events and operational issues. Attackers can operate undetected while security teams lose awareness of suspicious activities. Critical incidents may go unnoticed until significant damage has occurred.
Severity
| Severity | Condition |
|---|---|
| Low | Alert policy deleted or disabled |
Investigation and Remediation
Review GCP audit logs for DeleteAlertPolicy actions and for UpdateAlertPolicy
actions whose request sets enabled to false (UpdateAlertPolicy also records
routine edits). Identify which alert policies were affected and the principal
responsible. Determine whether the changes were authorized as part of
maintenance.
If unauthorized, restore the affected alert policies immediately. Investigate the compromised identity for additional defense evasion activities. Review any events that may have been missed during the period when alerts were impaired. Implement IAM policies to restrict alert policy modifications.
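As an added example (not part of AlphaSOC's detection or of this page), the audit-log review step above written as triage logic in Python and run over constructed Cloud Audit Log entries. It assumes the standard AuditLog layout (protoPayload.serviceName, methodName, authenticationInfo.principalEmail, resourceName, and request.alertPolicy.enabled as a plain JSON bool); confirm that shape against a real log export before relying on it.

```python
import json

# Method names cited in the alert description.
DELETE_METHOD = "google.monitoring.v3.AlertPolicyService.DeleteAlertPolicy"
UPDATE_METHOD = "google.monitoring.v3.AlertPolicyService.UpdateAlertPolicy"

def is_policy_impaired(entry: dict) -> bool:
    """True if a parsed audit entry deletes a policy or sets enabled to false."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "monitoring.googleapis.com":
        return False
    method = payload.get("methodName")
    if method == DELETE_METHOD:
        return True
    if method == UPDATE_METHOD:
        # Assumed layout: request.alertPolicy.enabled as a plain JSON bool.
        policy = payload.get("request", {}).get("alertPolicy", {})
        return policy.get("enabled") is False
    return False

def impaired_policies(log_lines):
    """Yield (principal, method, resource) per impairing NDJSON entry."""
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the review
        if is_policy_impaired(entry):
            p = entry["protoPayload"]
            yield (p.get("authenticationInfo", {}).get("principalEmail", "?"),
                   p["methodName"], p.get("resourceName", "?"))

def _entry(method, principal, resource, request=None):
    """Build one constructed audit log line (sample data, not a real export)."""
    payload = {"serviceName": "monitoring.googleapis.com", "methodName": method,
               "authenticationInfo": {"principalEmail": principal},
               "resourceName": resource}
    if request is not None:
        payload["request"] = request
    return json.dumps({"protoPayload": payload})

# Constructed sample: a deletion, a disabling update, and a benign rename.
SAMPLE_LOG = [
    _entry(DELETE_METHOD, "suspect@example.com", "projects/demo/alertPolicies/111"),
    _entry(UPDATE_METHOD, "suspect@example.com", "projects/demo/alertPolicies/222",
           {"updateMask": "enabled", "alertPolicy": {"enabled": False}}),
    _entry(UPDATE_METHOD, "sre@example.com", "projects/demo/alertPolicies/333",
           {"updateMask": "displayName", "alertPolicy": {"displayName": "CPU"}}),
]
```

Only the first two sample entries are reported; the rename is an UpdateAlertPolicy call that leaves the policy enabled, which is the benign case the review should filter out.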