
Suspicious GCP API calls indicating monitoring alert policy modification

ID: gcp_monitoring_policy_modified_suspicious
Data type: Google Cloud Platform
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1562.001

Description

AlphaSOC detected modification of a GCP Cloud Monitoring alert policy via google.monitoring.v3.AlertPolicyService.UpdateAlertPolicy. While alert policy modifications are common in normal operations, adversaries may modify alert conditions to prevent detection of their activities. Changes may include raising thresholds, modifying filters, or altering notification channels.

Impact

Unauthorized alert policy modifications can reduce the effectiveness of security monitoring. Attackers may modify conditions to avoid triggering alerts during malicious activities. Changes to notification channels could redirect alerts away from security teams.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review GCP audit logs for the UpdateAlertPolicy action. Examine what changes were made to alert conditions, thresholds, or notification channels. Verify whether the modifications align with authorized change management processes.

If unauthorized, restore the alert policy to its previous configuration. Investigate the compromised identity for additional defense evasion activities. Review alerts that may have been suppressed due to modified conditions. Implement alerts on alert policy configuration changes.
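As an added example (not AlphaSOC's detection code), the following Python script applies the investigation steps above and the severity ladder from the Severity table to Cloud Audit Log entries exported as JSON: it selects UpdateAlertPolicy calls, compares the caller's action, ASN, user agent and region against a per-principal baseline, and maps the number of unexpected properties to the documented severity. The baseline, the IP-to-ASN/region enrichment table and the sample log entries are constructed; the `request.updateMask` field name is an assumption about how the changed policy fields appear in the exported entry.

```python
"""Triage exported GCP Cloud Audit Log entries for UpdateAlertPolicy calls.

Added example, not AlphaSOC code. Assumes audit log entries exported as JSON
(for example via a log sink), a hypothetical per-principal baseline and a
hypothetical caller IP -> (ASN, region) enrichment table; all constructed.
"""
import json
from typing import Optional

TARGET_METHOD = "google.monitoring.v3.AlertPolicyService.UpdateAlertPolicy"

# Constructed enrichment table; a real pipeline would use a GeoIP/ASN database.
IP_ENRICHMENT = {
    "203.0.113.10": ("AS64500", "europe-west1"),
    "198.51.100.7": ("AS64511", "asia-east1"),
}

# Constructed baseline of normal behaviour per principal. "actions" lists the
# monitoring methods the principal is expected to call at all.
BASELINE = {
    "sre@example.com": {
        "actions": {TARGET_METHOD},
        "asns": {"AS64500"},
        "user_agents": {"google-cloud-sdk"},
        "regions": {"europe-west1"},
    },
    "deployer@example.iam.gserviceaccount.com": {
        "actions": set(),  # never expected to modify alert policies
        "asns": {"AS64500"},
        "user_agents": {"Terraform"},
        "regions": {"europe-west1"},
    },
}

# Severity ladder from the page: one, two, three (or more) unexpected properties.
SEVERITY_BY_COUNT = {1: "Informational", 2: "Low", 3: "Medium"}


def extract_properties(entry: dict) -> dict:
    """Pull the fields the detection reasons about out of one audit log entry."""
    payload = entry.get("protoPayload", {})
    meta = payload.get("requestMetadata", {})
    ip = meta.get("callerIp", "")
    asn, region = IP_ENRICHMENT.get(ip, ("unknown", "unknown"))
    return {
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", ""),
        "action": payload.get("methodName", ""),
        "asn": asn,
        "user_agent": meta.get("callerSuppliedUserAgent", ""),
        "region": region,
        "ip": ip,
        "resource": payload.get("resourceName", ""),
        # Field name assumed: the update mask names which policy fields changed,
        # which is what an analyst reviews first (conditions, thresholds, channels).
        "changed_fields": payload.get("request", {}).get("updateMask", ""),
    }


def unexpected_properties(props: dict) -> list:
    """Return which of action / ASN / user agent / region deviate from baseline."""
    base = BASELINE.get(props["principal"])
    if base is None:
        return ["action", "asn", "user_agent", "region"]  # unknown principal
    unexpected = []
    if props["action"] not in base["actions"]:
        unexpected.append("action")
    if props["asn"] not in base["asns"]:
        unexpected.append("asn")
    if not any(ua in props["user_agent"] for ua in base["user_agents"]):
        unexpected.append("user_agent")
    if props["region"] not in base["regions"]:
        unexpected.append("region")
    return unexpected


def score(entry: dict) -> Optional[dict]:
    """Return an alert record for an UpdateAlertPolicy call, or None if routine."""
    props = extract_properties(entry)
    if props["action"] != TARGET_METHOD:
        return None
    unexpected = unexpected_properties(props)
    if not unexpected:
        return None  # fully baselined change: normal operations
    severity = SEVERITY_BY_COUNT[min(len(unexpected), 3)]
    return {"severity": severity, "unexpected": unexpected, **props}


def triage(entries: list) -> list:
    return [r for r in (score(e) for e in entries) if r is not None]


# Constructed sample export: three UpdateAlertPolicy calls and one read.
SAMPLE_LOG = """[
 {"protoPayload": {"methodName": "google.monitoring.v3.AlertPolicyService.UpdateAlertPolicy",
   "authenticationInfo": {"principalEmail": "sre@example.com"},
   "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/470.0.0"},
   "resourceName": "projects/example-project/alertPolicies/111", "request": {"updateMask": "conditions"}}},
 {"protoPayload": {"methodName": "google.monitoring.v3.AlertPolicyService.UpdateAlertPolicy",
   "authenticationInfo": {"principalEmail": "sre@example.com"},
   "requestMetadata": {"callerIp": "198.51.100.7", "callerSuppliedUserAgent": "python-requests/2.31.0"},
   "resourceName": "projects/example-project/alertPolicies/111", "request": {"updateMask": "notificationChannels,enabled"}}},
 {"protoPayload": {"methodName": "google.monitoring.v3.AlertPolicyService.UpdateAlertPolicy",
   "authenticationInfo": {"principalEmail": "deployer@example.iam.gserviceaccount.com"},
   "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "Terraform/1.7.0"},
   "resourceName": "projects/example-project/alertPolicies/222", "request": {"updateMask": "conditions"}}},
 {"protoPayload": {"methodName": "google.monitoring.v3.AlertPolicyService.GetAlertPolicy",
   "authenticationInfo": {"principalEmail": "sre@example.com"},
   "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/470.0.0"},
   "resourceName": "projects/example-project/alertPolicies/111"}}
]"""
SAMPLE_ENTRIES = json.loads(SAMPLE_LOG)

if __name__ == "__main__":
    for alert in triage(SAMPLE_ENTRIES):
        print(alert["severity"], alert["principal"], alert["resource"],
              "unexpected=" + ",".join(alert["unexpected"]),
              "changed=" + alert["changed_fields"])
```

On the sample data the first entry is fully baselined and produces nothing, the second (same SRE account but from an unfamiliar ASN, region and client) reaches Medium, and the third is only Informational because the deployer service account's sole deviation is that it is not expected to modify alert policies at all. The `changed_fields` value is what the analyst reviews first: a mask touching notification channels or the enabled flag is the kind of change that can redirect or suppress alerts.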