From 75ee07c6e1686864351a124ed5aeebe166bb30c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= Date: Fri, 13 Feb 2026 16:37:07 +0100 Subject: [PATCH] chore(gcp): enhance metadata for `logging` service (#9648) Co-authored-by: HugoPBrito Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com> --- prowler/CHANGELOG.md | 1 + ...onfiguration_changes_enabled.metadata.json | 25 ++++++++++------- ...t_permission_changes_enabled.metadata.json | 26 ++++++++++------- ...onfiguration_changes_enabled.metadata.json | 2 +- ..._custom_role_changes_enabled.metadata.json | 25 ++++++++++------- ...ct_ownership_changes_enabled.metadata.json | 26 ++++++++++------- ...onfiguration_changes_enabled.metadata.json | 25 ++++++++++------- ...irewall_rule_changes_enabled.metadata.json | 25 ++++++++++------- ..._vpc_network_changes_enabled.metadata.json | 25 ++++++++++------- ...etwork_route_changes_enabled.metadata.json | 25 ++++++++++------- .../logging_sink_created.metadata.json | 28 +++++++++++-------- 11 files changed, 141 insertions(+), 92 deletions(-) diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 1da18fb9cb..f447b016ac 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -35,6 +35,7 @@ All notable changes to the **Prowler SDK** are documented in this file. - Update GCP GKE service metadata to new format [(#9645)](https://github.com/prowler-cloud/prowler/pull/9645) - Update GCP IAM service metadata to new format [(#9646)](https://github.com/prowler-cloud/prowler/pull/9646) - Update GCP KMS service metadata to new format [(#9647)](https://github.com/prowler-cloud/prowler/pull/9647) +- Update GCP Logging service metadata to new format [(#9648)](https://github.com/prowler-cloud/prowler/pull/9648) ### 🔐 Security 
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled.metadata.json b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled.metadata.json
index 1d87991ba3..a8da3973fd 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled.metadata.json
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled.metadata.json
@@ -1,30 +1,35 @@ { "Provider": "gcp", "CheckID": "logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled", - "CheckTitle": "Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes.", + "CheckTitle": "Log metric filter for audit configuration changes has an associated alert policy", "CheckType": [], "ServiceName": "logging", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "MetricFilter", - "ResourceGroup": "monitoring", - "Description": "Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes.", - "Risk": "Admin Activity audit logs and Data Access audit logs produced by the Google Cloud Audit Logs service can be extremely useful for security analysis, resource change tracking, and compliance auditing.", + "ResourceType": "logging.googleapis.com/LogMetric", + "Description": "**Cloud Logging** log-based metrics capture **audit configuration changes** (e.g., `SetIamPolicy` with `auditConfigDeltas`), and an associated **Cloud Monitoring alert policy** notifies when such log entries occur.", + "Risk": "Unmonitored **Audit Config** changes can reduce or disable **Admin Activity/Data Access** logging, creating blind spots. Adversaries could suppress evidence, evade detection, and alter permissions unnoticed, degrading **confidentiality**, **integrity**, and the **availability** of forensic telemetry.", "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudLogging/enable-audit-configuration-changes-monitoring.html", + "https://cloud.google.com/monitoring/alerts" + ], "Remediation": { "Code": { "CLI": "", "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudLogging/enable-audit-configuration-changes-monitoring.html", - "Terraform": "" + "Other": "1. In Cloud Console, go to Logging > Logs-based metrics and click Create metric\n2. 
Set Metric type to Counter, Name to , and Filter to:\n protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*\n3. Save the metric\n4. Go to Monitoring > Alerting > Create policy > Add condition\n5. Select Metric as the condition type, then choose metric: logging.googleapis.com/user/\n6. Set condition to is above 0 for 1 minute and click Done\n7. Name the policy and click Create (notification channels are optional for this check)", + "Terraform": "```hcl\nresource \"google_logging_metric\" \"metric\" {\n name = \"\"\n # Critical: this filter captures audit config changes via SetIamPolicy\n filter = \"protoPayload.methodName=\\\"SetIamPolicy\\\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*\"\n}\n\nresource \"google_monitoring_alert_policy\" \"alert\" {\n display_name = \"\"\n combiner = \"OR\"\n\n conditions {\n display_name = \"\"\n condition_threshold {\n # Critical: associates the alert with the log-based metric created above\n filter = \"metric.type=\\\"logging.googleapis.com/user/\\\"\"\n comparison = \"COMPARISON_GT\"\n threshold_value = 0\n duration = \"60s\"\n }\n }\n}\n```" }, "Recommendation": { - "Text": "By using Google Cloud alerting policies to detect audit configuration changes, you make sure that the recommended state of audit configuration is well maintained so that all the activities performed within your GCP project are available for security analysis and auditing at any point in time.", - "Url": "https://cloud.google.com/monitoring/alerts" + "Text": "Create a log-based metric for **audit configuration changes** and pair it with a **log-based alert policy** that notifies responders.\n- Enforce **least privilege** on logging/IAM changes\n- Apply **change control** and **separation of duties**\n- Route alerts to durable channels and include response runbooks for **defense in depth**", + "Url": 
"https://hub.prowler.com/check/logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled"
 }
 },
- "Categories": [],
+ "Categories": [
+ "logging"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.metadata.json b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.metadata.json
index e2188d51f6..552f0fc538 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.metadata.json
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled.metadata.json
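Review bot: The console steps in the new `Other` value end with `notification channels are optional for this check`, which contradicts the `Recommendation` text in the same hunk that promises an alert policy that `notifies responders`; a policy with no notification channel satisfies the check but pages nobody. Suggest rewording step 7 to `Name the policy, attach at least one notification channel so responders are actually notified, and click Create` (the check itself does not require a channel, which can be said in that order). The same wording appears in the project-ownership hunk (`notification channels optional`) and the firewall hunk (`notification channels are optional`). Separately, the placeholders after `Name to`, after `logging.googleapis.com/user/` and inside `google_logging_metric..name` read as empty on this page; if that is not simply angle-bracket placeholders stripped by rendering, they need restoring in every hunk of this commit.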
@@ -1,30 +1,36 @@ { "Provider": "gcp", "CheckID": "logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled", - "CheckTitle": "Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes.", + "CheckTitle": "Log metric filter for Cloud Storage IAM permission changes has an associated alert policy", "CheckType": [], "ServiceName": "logging", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "MetricFilter", - "ResourceGroup": "monitoring", - "Description": "Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes.", - "Risk": "Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.", + "ResourceType": "logging.googleapis.com/LogMetric", + "Description": "**Cloud Logging** defines a log-based metric for **Cloud Storage IAM changes** using filter `resource.type=\"gcs_bucket\" AND protoPayload.methodName=\"storage.setIamPermissions\"`, and a **Cloud Monitoring alert policy** that references that metric.", + "Risk": "Lack of alerting on bucket IAM changes degrades **confidentiality and integrity**. Adversaries or misconfigurations can:\n- grant broad/public access\n- persist access by adding roles\n- read, alter, or delete data\nDelays in detection enable **data exfiltration**, tampering, and disruptive actions.", "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudLogging/enable-bucket-permission-changes-monitoring.html", + "https://cloud.google.com/monitoring/alerts" + ], "Remediation": { "Code": { "CLI": "", "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudLogging/enable-bucket-permission-changes-monitoring.html", - "Terraform": "" + "Other": "1. 
In Google Cloud console, go to Logging > Logs-based metrics\n2. Click Create metric\n3. Name: \n4. In Filter, paste: resource.type=\"gcs_bucket\" AND protoPayload.methodName=\"storage.setIamPermissions\"\n5. Click Create\n6. In the metrics list, click the three dots for the new metric and select Create alert from metric\n7. Keep condition as Count > 0 for Most recent value and click Save", + "Terraform": "```hcl\n# Create a logs-based metric for GCS IAM permission changes\nresource \"google_logging_metric\" \"\" {\n name = \"\"\n filter = \"resource.type=\\\"gcs_bucket\\\" AND protoPayload.methodName=\\\"storage.setIamPermissions\\\"\" # CRITICAL: matches required filter for detection\n}\n\n# Alert policy referencing the above metric\nresource \"google_monitoring_alert_policy\" \"\" {\n display_name = \"\"\n combiner = \"OR\"\n conditions {\n display_name = \"\"\n condition_threshold {\n filter = \"metric.type=\\\"logging.googleapis.com/user/${google_logging_metric..name}\\\"\" # CRITICAL: ties alert to the metric so check passes\n comparison = \"COMPARISON_GT\"\n threshold_value = 0\n duration = \"0s\"\n }\n }\n}\n```" }, "Recommendation": { - "Text": "It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.", - "Url": "https://cloud.google.com/monitoring/alerts" + "Text": "Establish a **log-based metric** for bucket IAM permission changes with filter `resource.type=\"gcs_bucket\" AND protoPayload.methodName=\"storage.setIamPermissions\"` and link a **log-based alert policy** with clear notifications. Enforce **least privilege** and **separation of duties**, and routinely review alerts and audit logs to prevent and contain unauthorized access.", + "Url": "https://hub.prowler.com/check/logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled" } }, - "Categories": [], + "Categories": [ + "logging", + "identity-access" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" 
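Review bot: The Terraform comments in the new `Terraform` value, `# CRITICAL: matches required filter for detection` and `# CRITICAL: ties alert to the metric so check passes`, explain the lines in terms of making the Prowler check pass rather than what they do for the operator; the firewall hunk later in the diff uses the same framing (`satisfying the check`). Suggest `# Log-based metric counting Cloud Storage IAM permission changes` on the metric and `# Bind the alert policy to the metric above so every permission change raises an alert` on the condition filter, so the snippet reads as a remediation rather than scanner appeasement. A short comment on `duration = "0s"` noting that it fires on the first matching log entry, which is the intent for an audit-change alert, would also keep a reader from "fixing" it to a longer window.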
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_compute_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_compute_configuration_changes_enabled.metadata.json b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_compute_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_compute_configuration_changes_enabled.metadata.json
index 9cdbbc51e8..d2eb0c8ef3 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_compute_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_compute_configuration_changes_enabled.metadata.json
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_compute_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_compute_configuration_changes_enabled.metadata.json
@@ -13,7 +13,7 @@
 "Risk": "Without monitoring for Compute Engine configuration changes, **unauthorized modifications** to compute resources may go undetected. Attackers can establish **persistence** through instance modifications, escalate privileges via IAM policy changes, disable security controls, or pivot to other resources. This compromises **confidentiality**, **integrity**, and **availability** of workloads and may enable **data exfiltration** or **lateral movement**.",
 "RelatedUrl": "",
 "AdditionalURLs": [
- "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/gcp-compute-engine-configuration-changes.html",
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/ComputeEngine/gcp-compute-engine-configuration-changes.html",
 "https://cloud.google.com/logging/docs/audit",
 "https://cloud.google.com/monitoring/alerts"
 ],
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled.metadata.json b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled.metadata.json
index e6237e21de..e86597895a 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled.metadata.json
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled.metadata.json
@@ -1,30 +1,35 @@ { "Provider": "gcp", "CheckID": "logging_log_metric_filter_and_alert_for_custom_role_changes_enabled", - "CheckTitle": "Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes.", + "CheckTitle": "Log metric filter for IAM custom role changes has an associated alert policy", "CheckType": [], "ServiceName": "logging", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "MetricFilter", - "ResourceGroup": "monitoring", - "Description": "Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes.", - "Risk": "Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources.", + "ResourceType": "logging.googleapis.com/LogMetric", + "Description": "Cloud projects are assessed for log-based metrics that filter `resource.type=\"iam_role\"` and the methods `CreateRole`, `DeleteRole`, `UpdateRole`, and for an associated Cloud Monitoring **alert policy** that references those metrics.", + "Risk": "Without alerts on custom role changes, privilege modifications can go unnoticed, enabling **privilege escalation**, unauthorized data access (confidentiality), permission tampering (integrity), and accidental revocations that disrupt services (availability). Insider misuse or compromised admins can silently reshape access across projects.", "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudLogging/enable-custom-role-changes-monitoring.html", + "https://cloud.google.com/monitoring/alerts" + ], "Remediation": { "Code": { "CLI": "", "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudLogging/enable-custom-role-changes-monitoring.html", - "Terraform": "" + "Other": "1. In Google Cloud Console, go to Logging > Logs-based metrics\n2. Click Create metric (Counter), set Name to \n3. 
In Filter, paste exactly: resource.type=\"iam_role\" AND (protoPayload.methodName=\"google.iam.admin.v1.CreateRole\" OR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\" OR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\") and Save\n4. Go to Monitoring > Alerting > Create policy\n5. Add Condition > Metric\n6. For Metric, search and select logging.googleapis.com/user/\n7. Set threshold > 0 and duration 0 min (or 0s), then Save the policy", + "Terraform": "```hcl\nresource \"google_logging_metric\" \"\" {\n name = \"\"\n # Critical: log-based metric for IAM custom role create/update/delete\n filter = \"resource.type=\\\"iam_role\\\" AND (protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\" OR protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\")\"\n}\n\nresource \"google_monitoring_alert_policy\" \"\" {\n display_name = \"\"\n conditions {\n condition_threshold {\n # Critical: alert policy targets the user log-based metric by name\n filter = \"metric.type=\\\"logging.googleapis.com/user/\\\"\"\n comparison = \"COMPARISON_GT\"\n threshold_value = 0\n duration = \"0s\"\n }\n }\n}\n```" }, "Recommendation": { - "Text": "It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.", - "Url": "https://cloud.google.com/monitoring/alerts" + "Text": "Define log-based metrics capturing `resource.type=\"iam_role\"` events for `CreateRole`, `DeleteRole`, and `UpdateRole`, and attach **alert policies** to notify responders.\n\nEnforce **least privilege**, **separation of duties**, and **change control** for role management, and retain **audit logs** for investigation.", + "Url": "https://hub.prowler.com/check/logging_log_metric_filter_and_alert_for_custom_role_changes_enabled" } }, - "Categories": [], + "Categories": [ + "logging" + ], "DependsOn": [], "RelatedTo": [], 
"Notes": ""
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.metadata.json b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.metadata.json
index c537ee2302..eaa437aa3c 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.metadata.json
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled.metadata.json
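Review bot: The `google_monitoring_alert_policy` resource in the new `Terraform` value has no `combiner` argument and its `conditions` block has no `display_name`; as far as I recall the Google provider marks both as required, so this snippet would fail at plan time, whereas the audit-configuration and bucket-permission snippets in this same commit set them. Suggest adding `combiner = "OR"` after `display_name` and `display_name = "<condition-display-name>"` (placeholder) as the first line inside `conditions`, matching those hunks. The VPC-network hunk at the end of this chunk appears to be missing the same two arguments; its end lies outside what I can see.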
@@ -1,30 +1,36 @@ { "Provider": "gcp", "CheckID": "logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled", - "CheckTitle": "Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes.", + "CheckTitle": "Log metric filter for project ownership assignments/changes has an associated alert policy", "CheckType": [], "ServiceName": "logging", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "MetricFilter", - "ResourceGroup": "monitoring", - "Description": "Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes.", - "Risk": "Project ownership has the highest level of privileges on a GCP project. These privileges include viewer permissions on all GCP services inside the project, permission to modify the state of all GCP services within the project, set up billing and manage roles and permissions for the project and all the resources inside the project.", + "ResourceType": "logging.googleapis.com/LogMetric", + "Description": "Cloud Logging contains a **log-based metric** targeting project ownership changes in Cloud Resource Manager events, and Cloud Monitoring has an **alerting policy** tied to that metric. It detects metrics matching `roles/owner` additions/removals or ownership invites, and whether an alert references that metric.", + "Risk": "Lack of alerts on ownership changes enables **privilege escalation** and **project takeover**. 
Attackers can add/remove `roles/owner`, causing unauthorized data access (confidentiality), unauthorized config/billing changes (integrity), and resource deletion or lockout (availability) without timely detection.", "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudLogging/enable-ownership-assignments-monitoring.html", + "https://cloud.google.com/monitoring/alerts" + ], "Remediation": { "Code": { "CLI": "", "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudLogging/enable-ownership-assignments-monitoring.html", - "Terraform": "" + "Other": "1. In the Google Cloud console, go to Logging > Logs-based metrics and click Create metric\n2. Set Name to \n3. In Filter, paste:\n (protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"REMOVE\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\")\n4. Click Create\n5. Go to Monitoring > Alerting > Create policy > Add condition\n6. Choose Metric, then select metric type logging.googleapis.com/user/\n7. Set condition to Greater than 0 with a duration of 0 minutes, then click Add\n8. Click Create policy (notification channels optional)\n9. 
Verify the alert condition filter contains ", + "Terraform": "```hcl\nresource \"google_logging_metric\" \"\" {\n name = \"\"\n # CRITICAL: Detects project ownership assignments/changes\n filter = <<-EOT\n(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"REMOVE\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action=\"ADD\" AND protoPayload.serviceData.policyDelta.bindingDeltas.role=\"roles/owner\")\nEOT\n}\n\nresource \"google_monitoring_alert_policy\" \"\" {\n display_name = \"\"\n combiner = \"OR\"\n\n conditions {\n condition_threshold {\n # CRITICAL: References the log-based metric so an alert is associated with it\n filter = \"metric.type=\\\"logging.googleapis.com/user/${google_logging_metric..name}\\\"\"\n comparison = \"COMPARISON_GT\"\n threshold_value = 0\n duration = \"0s\"\n }\n }\n}\n```" }, "Recommendation": { - "Text": "Using Google Cloud alerting policies to detect ownership assignments/changes will help you maintain the right access permissions for each IAM member created within your project, follow the security principle of least privilege, and prevent any accidental or intentional changes that may lead to unauthorized actions.", - "Url": "https://cloud.google.com/monitoring/alerts" + "Text": "Create a log-based metric for ownership assignment/removal events and link it to an alerting policy that notifies a monitored channel. 
Minimize use of `roles/owner` per **least privilege**, require approvals and separation of duties, and apply **defense in depth** with centralized monitoring of IAM changes across projects.",
+ "Url": "https://hub.prowler.com/check/logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled"
 }
 },
- "Categories": [],
+ "Categories": [
+ "logging",
+ "identity-access"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled.metadata.json b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled.metadata.json
index 98a4eaa3c7..261dc25eb0 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled.metadata.json
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled.metadata.json
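Review bot: The filter pasted in `Other` step 3 and repeated in the Terraform heredoc mixes `AND` and `OR` without grouping the whole expression: `(serviceName=...) AND (ProjectOwnership OR projectOwnerInvitee) OR (... REMOVE ... roles/owner) OR (... ADD ... roles/owner)`. If `AND` binds tighter than `OR` in the Logging query language, as I understand the documentation to say (confirm), the `cloudresourcemanager.googleapis.com` constraint qualifies only the first branch, and the two `roles/owner` binding clauses match such changes regardless of service. This looks like the filter as published in the CIS benchmark, so I would not silently change it, but a one-line comment in the heredoc such as `# Note: the serviceName constraint scopes only the first OR branch; the roles/owner clauses are intentionally unscoped` would keep the next maintainer from "fixing" it.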
@@ -1,30 +1,35 @@ { "Provider": "gcp", "CheckID": "logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled", - "CheckTitle": "Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes.", + "CheckTitle": "Log metric filter for Cloud SQL instance configuration changes has an associated alert policy", "CheckType": [], "ServiceName": "logging", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "MetricFilter", - "ResourceGroup": "monitoring", - "Description": "Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes.", - "Risk": "Monitoring changes to SQL instance configuration changes may reduce the time needed to detect and correct misconfigurations done on the SQL server.", + "ResourceType": "logging.googleapis.com/LogMetric", + "Description": "**Cloud Logging** has a log-based metric matching Cloud SQL instance updates (`protoPayload.methodName=\"cloudsql.instances.update\"`) and a **Cloud Monitoring** alert policy references that metric to notify on configuration changes.", + "Risk": "Without this visibility, **unauthorized or accidental Cloud SQL configuration changes** can persist undetected. Attackers or insiders might open public access, relax TLS, alter authorized networks, or disable backups, degrading **confidentiality**, **integrity**, and **availability** and delaying containment.", "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudLogging/enable-network-route-changes-monitoring.html", + "https://cloud.google.com/monitoring/alerts" + ], "Remediation": { "Code": { "CLI": "", "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudLogging/enable-network-route-changes-monitoring.html", - "Terraform": "" + "Other": "1. In Google Cloud console, go to Logging > Logs-based metrics and click Create metric\n2. 
Set Name to and Filter to: protoPayload.methodName=\"cloudsql.instances.update\" then click Create\n3. Go to Monitoring > Alerting > Create policy\n4. Click Add condition > Metric\n5. For Metric, select logging.googleapis.com/user/\n6. Set threshold to Greater than 0 over 0 minutes and click Add\n7. Click Save policy", + "Terraform": "```hcl\nresource \"google_logging_metric\" \"sql_config_changes\" {\n name = \"\"\n # Critical: captures Cloud SQL instance configuration updates\n filter = \"protoPayload.methodName=\\\"cloudsql.instances.update\\\"\"\n}\n\nresource \"google_monitoring_alert_policy\" \"sql_config_change_alert\" {\n display_name = \"\"\n combiner = \"OR\"\n\n conditions {\n condition_threshold {\n # Critical: reference the logs-based metric so the alert is associated\n filter = \"metric.type=\\\"logging.googleapis.com/user/${google_logging_metric.sql_config_changes.name}\\\"\"\n comparison = \"COMPARISON_GT\"\n threshold_value = 0\n duration = \"0s\"\n }\n }\n}\n```" }, "Recommendation": { - "Text": "It is recommended that a metric filter and alarm be established for SQL instance configuration changes.", - "Url": "https://cloud.google.com/monitoring/alerts" + "Text": "Implement a **log-based metric** for Cloud SQL update events and attach a **Monitoring alert policy** that routes timely notifications. Apply **least privilege** for admin actions, enforce **change management** and **separation of duties**, and integrate alerts with on-call workflows to speed triage and prevent misconfigurations.", + "Url": "https://hub.prowler.com/check/logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled" } }, - "Categories": [], + "Categories": [ + "logging" + ], "DependsOn": [], "RelatedTo": [], "Notes": "" 
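Review bot: The first `AdditionalURLs` entry for this Cloud SQL check points at `.../CloudLogging/enable-network-route-changes-monitoring.html`, the network-route page; the removed `Other` line had the same wrong target and the commit carries it into the new field instead of correcting it. Replace it with the knowledge-base page for Cloud SQL configuration-change monitoring (`https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudLogging/<cloud-sql-configuration-changes-page>.html`, slug to be confirmed) or drop it, so the metadata does not send users to an unrelated control.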
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled.metadata.json b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled.metadata.json
index 9214f1dfb9..e97042a2d3 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled.metadata.json
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled.metadata.json
@@ -1,30 +1,35 @@ { "Provider": "gcp", "CheckID": "logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled", - "CheckTitle": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes.", + "CheckTitle": "Log metric filter for VPC network firewall rule changes has an associated alert policy", "CheckType": [], "ServiceName": "logging", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "medium", - "ResourceType": "MetricFilter", - "ResourceGroup": "monitoring", - "Description": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes.", - "Risk": "Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.", + "ResourceType": "logging.googleapis.com/LogMetric", + "Description": "Cloud Logging has a log-based metric for **VPC firewall rule** changes, matching `resource.type=\"gce_firewall_rule\"` and `protoPayload.methodName` of `compute.firewalls.insert`, `compute.firewalls.patch`, or `compute.firewalls.delete`, and Cloud Monitoring includes an alerting policy that references this metric.", + "Risk": "Without alerts on firewall rule changes, unauthorized or accidental modifications can go unnoticed, exposing services or blocking critical traffic.\n\nConfidentiality suffers (opened ports), integrity is reduced (tampered controls), and availability can be impacted (outages), enabling lateral movement and data exfiltration.", "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudLogging/enable-firewall-rule-changes-monitoring.html", + "https://cloud.google.com/monitoring/alerts" + ], "Remediation": { "Code": { "CLI": "", "NativeIaC": "", - "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudLogging/enable-firewall-rule-changes-monitoring.html", - "Terraform": "" + "Other": "1. 
In Google Cloud Console, go to Logging > Logs-based metrics\n2. Click Create metric, set Name to \n3. In Filter, paste: resource.type=\"gce_firewall_rule\" AND (protoPayload.methodName:\"compute.firewalls.patch\" OR protoPayload.methodName:\"compute.firewalls.insert\" OR protoPayload.methodName:\"compute.firewalls.delete\")\n4. Save the metric\n5. Go to Monitoring > Alerting > Create policy\n6. Add Condition > Metric threshold\n7. For Metric, select User-defined and choose logging.googleapis.com/user/\n8. Set condition to > 0 with duration 0 minutes (or the minimum allowed)\n9. Create the policy (notification channels are optional)", + "Terraform": "```hcl\nresource \"google_logging_metric\" \"\" {\n name = \"\"\n # CRITICAL: this filter captures VPC firewall rule changes\n filter = \"resource.type=\\\"gce_firewall_rule\\\" AND (protoPayload.methodName:\\\"compute.firewalls.patch\\\" OR protoPayload.methodName:\\\"compute.firewalls.insert\\\" OR protoPayload.methodName:\\\"compute.firewalls.delete\\\")\"\n}\n\nresource \"google_monitoring_alert_policy\" \"\" {\n display_name = \"\"\n combiner = \"OR\"\n\n conditions {\n display_name = \"\"\n condition_threshold {\n # CRITICAL: reference the user log metric so the alert policy is associated\n # This makes the policy filter contain the metric name, satisfying the check\n filter = \"metric.type=\\\"logging.googleapis.com/user/${google_logging_metric..name}\\\"\"\n comparison = \"COMPARISON_GT\"\n threshold_value = 0\n duration = \"0s\"\n }\n }\n}\n```" }, "Recommendation": { - "Text": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.", - "Url": "https://cloud.google.com/monitoring/alerts" + "Text": "Establish a log-based metric for `gce_firewall_rule` insert/patch/delete events and tie it to an alerting policy that notifies responders.\n\nEnforce **least privilege** and change control on firewall updates, apply **separation of duties**, and 
monitor all projects for rapid, auditable detection of network control changes.",
+ "Url": "https://hub.prowler.com/check/logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled"
 }
 },
- "Categories": [],
+ "Categories": [
+ "logging"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled.metadata.json b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled.metadata.json
index 70c76b966f..4c89bdcb7e 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled.metadata.json
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled.metadata.json
@@ -1,30 +1,35 @@
 {
 "Provider": "gcp",
 "CheckID": "logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled",
- "CheckTitle": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes.",
+ "CheckTitle": "Log metric filter for VPC network changes has an associated alert policy",
 "CheckType": [],
 "ServiceName": "logging",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "MetricFilter",
- "ResourceGroup": "monitoring",
- "Description": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes.",
- "Risk": "Monitoring changes to a VPC will help ensure VPC traffic flow is not getting impacted.",
+ "ResourceType": "logging.googleapis.com/LogMetric",
+ "Description": "Cloud projects are evaluated for a **log-based metric** with a linked **Cloud Monitoring alert** that targets **VPC network changes** on `gce_network` audit events: `compute.networks.insert`, `patch`, `delete`, `addPeering`, `removePeering`.\n\nIt checks that these changes are captured and generate notifications.",
+ "Risk": "Missing alerts on VPC changes lets **unauthorized or accidental modifications** go unnoticed, risking:\n- Data exposure via unintended peering or new networks\n- Segmentation bypass through routing/subnet edits\n- Outages from deletions or misconfigurations\n\nThis affects confidentiality, integrity, and availability.",
 "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudLogging/enable-vpc-network-changes-monitoring.html",
+ "https://cloud.google.com/monitoring/alerts"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
 "NativeIaC": "",
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudLogging/enable-vpc-network-changes-monitoring.html",
- "Terraform": ""
+ "Other": "1. In the Google Cloud Console, go to Logging > Logs-based metrics > + Create metric\n2. Name: \n3. 
In Filter, paste exactly:\n resource.type=\"gce_network\" AND (protoPayload.methodName:\"compute.networks.insert\" OR protoPayload.methodName:\"compute.networks.patch\" OR protoPayload.methodName:\"compute.networks.delete\" OR protoPayload.methodName:\"compute.networks.removePeering\" OR protoPayload.methodName:\"compute.networks.addPeering\")\n4. Click Create metric\n5. Go to Monitoring > Alerting > + Create policy > Add condition\n6. Select the metric logging.googleapis.com/user/\n7. Condition: Greater than, Threshold: 0, For: 0 minutes; click Add\n8. Name the policy and click Create policy",
+ "Terraform": "```hcl\n# Create a logs-based metric for VPC network changes\nresource \"google_logging_metric\" \"\" {\n name = \"\"\n # CRITICAL: Filter capturing VPC network create/modify/delete/peering changes\n filter = \"resource.type=\\\"gce_network\\\" AND (protoPayload.methodName:\\\"compute.networks.insert\\\" OR protoPayload.methodName:\\\"compute.networks.patch\\\" OR protoPayload.methodName:\\\"compute.networks.delete\\\" OR protoPayload.methodName:\\\"compute.networks.removePeering\\\" OR protoPayload.methodName:\\\"compute.networks.addPeering\\\")\"\n}\n\n# Alert policy associated with the logs-based metric\nresource \"google_monitoring_alert_policy\" \"\" {\n display_name = \"\"\n\n conditions {\n condition_threshold {\n # CRITICAL: Reference the logs-based metric so the policy is associated with it\n filter = \"metric.type=\\\"logging.googleapis.com/user/\\\"\"\n comparison = \"COMPARISON_GT\"\n threshold_value = 0\n duration = \"0s\"\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network changes.",
- "Url": "https://cloud.google.com/monitoring/alerts"
+ "Text": "Implement a **log-based metric** for VPC change audit events and attach an **alerting policy** that notifies accountable teams.\n\nApply **least privilege** for network admins, enforce **change 
approval**, and adopt **defense in depth** to prevent and quickly detect unintended network changes.",
+ "Url": "https://hub.prowler.com/check/logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled"
 }
 },
- "Categories": [],
+ "Categories": [
+ "logging"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""
diff --git a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled.metadata.json b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled.metadata.json
index 2fa5010aed..8e0dad31f9 100644
--- a/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled.metadata.json
+++ b/prowler/providers/gcp/services/logging/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled.metadata.json
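Review bot: The `google_monitoring_alert_policy` block in the new `Terraform` value omits `combiner` and the `display_name` inside `conditions`, both of which the google provider documents as required, so the snippet as written is unlikely to pass `terraform validate`; the same omission is in the VPC network route changes hunk below, whereas the firewall-rule snippet above sets `combiner = "OR"` and a condition `display_name`. The condition `filter` also hard-codes the metric name as a string instead of referencing the metric resource as the firewall snippet does with `google_logging_metric.<NAME>.name`, so Terraform sees no dependency between the two resources and may create the policy before the metric exists. I would add `combiner = "OR"` to the policy, `display_name = "<CONDITION_NAME>"` to the condition, and reference the metric resource in the filter. The metric and policy names appear empty on this page, which looks like angle-bracket placeholders stripped during rendering rather than a defect in the patch, but worth confirming against the stored file.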
@@ -1,30 +1,35 @@
 {
 "Provider": "gcp",
 "CheckID": "logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled",
- "CheckTitle": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes.",
+ "CheckTitle": "Log metric filter for VPC network route changes has an associated alert policy",
 "CheckType": [],
 "ServiceName": "logging",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "MetricFilter",
- "ResourceGroup": "monitoring",
- "Description": "Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes.",
- "Risk": "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path.",
+ "ResourceType": "logging.googleapis.com/LogMetric",
+ "Description": "**Cloud Logging** includes a **log-based metric** for **VPC route modifications** and a linked **Cloud Monitoring alert**.\n\nIt targets `gce_route` entries for `compute.routes.insert` and `compute.routes.delete` so route creations or deletions generate alertable signals.",
+ "Risk": "Without visibility into **route changes**, attackers or mistakes can:\n- Reroute traffic to bypass inspection **data exfiltration** (confidentiality)\n- Alter paths enabling **lateral movement** (integrity)\n- Blackhole networks causing **outages** (availability)",
 "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudLogging/enable-network-route-changes-monitoring.html",
+ "https://cloud.google.com/monitoring/alerts"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "",
 "NativeIaC": "",
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudLogging/enable-network-route-changes-monitoring.html",
- "Terraform": ""
+ "Other": "1. In Google Cloud Console, go to Logging > Logs-based metrics and click Create metric\n2. Set Name to \n3. 
In Filter, paste: resource.type=\"gce_route\" AND (protoPayload.methodName:\"compute.routes.delete\" OR protoPayload.methodName:\"compute.routes.insert\")\n4. Click Create metric\n5. Go to Monitoring > Alerting > Create policy\n6. Add Condition: Metric threshold; Select metric logging.googleapis.com/user/; Set condition to > 0 for 0 minutes\n7. Click Create policy (skip notification channels if not needed)\n",
+ "Terraform": "```hcl\nresource \"google_logging_metric\" \"\" {\n name = \"\"\n filter = \"resource.type=\\\"gce_route\\\" AND (protoPayload.methodName:\\\"compute.routes.delete\\\" OR protoPayload.methodName:\\\"compute.routes.insert\\\")\" # Critical: matches VPC route insert/delete events\n}\n\nresource \"google_monitoring_alert_policy\" \"\" {\n display_name = \"\"\n\n conditions {\n condition_threshold {\n filter = \"metric.type=\\\"logging.googleapis.com/user/\\\"\" # Critical: alert evaluates the log-based metric by name\n comparison = \"COMPARISON_GT\"\n threshold_value = 0\n duration = \"0s\"\n }\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) network route changes.",
- "Url": "https://cloud.google.com/monitoring/alerts"
+ "Text": "Create a **log-based metric** for `compute.routes.insert` and `compute.routes.delete`, and attach a **log-based alert** with reliable notifications.\n\nApply **least privilege** to route management, require **change approval**, and use **defense in depth** (egress filtering, private routing, durable audit logs).",
+ "Url": "https://hub.prowler.com/check/logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled"
 }
 },
- "Categories": [],
+ "Categories": [
+ "logging"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""
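Review bot: The new `Other` value ends with a stray `\n` after `(skip notification channels if not needed)`, which none of the sibling metadata files in this patch do and which renders as an empty trailing step; the value should end `if not needed)"`. The first `Risk` bullet, `Reroute traffic to bypass inspection **data exfiltration** (confidentiality)`, is missing a connective and does not parse as a sentence; `Reroute traffic to bypass inspection, enabling **data exfiltration** (confidentiality)` reads correctly and matches the shape of the two bullets after it. The `Description` also opens by asserting that Cloud Logging "includes" the metric, which describes the desired state rather than what the check evaluates; the other files in this patch phrase it as an evaluation, e.g. `Cloud projects are evaluated for a **log-based metric** ...`.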
diff --git a/prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.metadata.json b/prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.metadata.json
index beac1b934a..be7ce98c8f 100644
--- a/prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.metadata.json
+++ b/prowler/providers/gcp/services/logging/logging_sink_created/logging_sink_created.metadata.json
@@ -1,30 +1,36 @@
 {
 "Provider": "gcp",
 "CheckID": "logging_sink_created",
- "CheckTitle": "Ensure there is at least one sink used to export copies of all the log entries.",
+ "CheckTitle": "Project has at least one logging sink exporting copies of all log entries",
 "CheckType": [],
 "ServiceName": "logging",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "Sink",
- "ResourceGroup": "monitoring",
- "Description": "Ensure there is at least one sink used to export copies of all the log entries.",
- "Risk": "If sinks are not created, logs would be deleted after the configured retention period, and would not be backed up.",
+ "ResourceType": "logging.googleapis.com/LogSink",
+ "Description": "**Cloud Logging** project contains at least one **sink** that exports a copy of **all log entries** to a destination for centralized retention or processing",
+ "Risk": "Without exporting all logs, audit evidence can expire or be altered in-project, reducing the **availability** and **integrity** of telemetry. This hinders threat detection and forensics, prevents cross-project correlation, and can let attacker actions evade scrutiny after log rotation or deletion.",
 "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudLogging/export-all-log-entries.html",
+ "https://cloud.google.com/logging/docs/export"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "gcloud logging sinks create ",
+ "CLI": "gcloud logging sinks create logging.googleapis.com/projects/",
 "NativeIaC": "",
- "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/CloudLogging/export-all-log-entries.html",
- "Terraform": ""
+ "Other": "1. In Google Cloud Console, go to Logging > Log Router\n2. Click Create sink\n3. Set Sink name to \n4. For Sink destination, select Google Cloud project and choose \n5. Leave the inclusion filter empty (exports all logs)\n6. 
Click Create",
+ "Terraform": "```hcl\n# Create a project-level logging sink exporting all logs\nresource \"google_logging_project_sink\" \"sink\" {\n name = \"\" # critical: creates the sink required by the check\n destination = \"logging.googleapis.com/projects/\" # critical: required destination\n # No filter set -> exports all log entries (fixes the finding)\n}\n```"
 },
 "Recommendation": {
- "Text": "It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).",
- "Url": "https://cloud.google.com/logging/docs/export"
+ "Text": "Create a **centralized export sink** that routes all logs to a secured, durable, preferably **immutable** destination with extended retention. Apply **least privilege** to sink identities, separate duties by isolating destinations, use **defense in depth** (encryption, access controls), and monitor sink health for continuity.",
+ "Url": "https://hub.prowler.com/check/logging_sink_created"
 }
 },
- "Categories": [],
+ "Categories": [
+ "logging",
+ "forensics-ready"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""
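Review bot: Neither the new `Other` steps nor the `Terraform` snippet grants the sink's writer identity write access on the destination project, so following them produces a sink that satisfies this check but routes nothing — Cloud Logging only delivers entries once that service account holds `roles/logging.logWriter` on the destination. I would add a step after step 6, `7. Grant the sink's writer identity (shown on the sink details page) roles/logging.logWriter on the destination project`, and in the HCL set `unique_writer_identity = true` and bind `google_logging_project_sink.sink.writer_identity` to that role on the destination, which is also what the `Recommendation` text's "least privilege to sink identities" presupposes. The `CLI` value as rendered, `gcloud logging sinks create logging.googleapis.com/projects/`, has a single positional argument, so the destination would be parsed as the sink name; presumably angle-bracket placeholders were stripped in rendering, but the stored value should read `gcloud logging sinks create <SINK_NAME> logging.googleapis.com/projects/<DESTINATION_PROJECT_ID>`. The new `Description` is the only one in this patch without a terminating period.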