Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →

Plugins Docs Home

turbot/tailpipe-mod-gcp-audit-log-detections

access_context_manager_access_level_deleted access_context_manager_policy_deleted activity_dashboard_logs_by_actor activity_dashboard_logs_by_event activity_dashboard_logs_by_project activity_dashboard_logs_by_service activity_dashboard_logs_by_source_ip activity_dashboard_logs_by_type activity_dashboard_total_logs apigee_security_action_disabled app_engine_firewall_ingress_rule_created app_engine_firewall_ingress_rule_deleted app_engine_firewall_ingress_rule_updated artifact_registry_package_deleted artifact_registry_repository_deleted cloud_run_function_deleted compute_disk_iam_policy_set compute_firewall_rule_deleted compute_image_iam_policy_set compute_instance_with_public_network_interface compute_snapshot_iam_policy_set compute_subnetwork_flow_logs_disabled compute_vpn_tunnel_deleted dlp_reidentify_content dns_managed_zone_deleted dns_managed_zone_updated dns_record_set_deleted dns_record_set_updated iam_organization_policy_updated iam_owner_role_policy_set iam_service_account_access_token_generated iam_service_account_created iam_service_account_deleted iam_service_account_disabled iam_service_account_key_created iam_service_account_key_deleted iam_service_account_token_creator_role_assigned logging_bucket_deleted logging_sink_deleted monitoring_alert_policy_deleted monitoring_metric_descriptor_deleted resource_manager_iam_policy_set security_command_center_notification_config_deleted sql_ssl_certificate_deleted sql_user_deleted storage_bucket_iam_permission_granted_public_access storage_bucket_iam_permission_set

Query: compute_instance_with_public_network_interface

Usage

powerpipe query gcp_audit_log_detections.query.compute_instance_with_public_network_interface

Tags

category = Detection

folder = Compute

service = GCP/Compute

SQL

with network_if as (
  select
      *,
    unnest(from_json(request -> 'networkInterfaces', '["json"]')) as netif
  from
    gcp_audit_log
  where
    (
    method_name ilike '%.compute.instances.insert'
    or method_name ilike '%.compute.instances.update'
    )
  ),
  access_cfg as (
    select
      *,
      unnest(from_json(netif -> 'accessConfigs', '["json"]')) as ac
    from network_if
  )
  select
    tp_timestamp as timestamp,
method_name as operation,
resource_name as resource,
authentication_info.principal_email as actor,
tp_source_ip as source_ip,
tp_index as project,
tp_id as source_id,
-- Create new aliases to preserve original row data
operation as operation_src,
resource as resource_src,
*
exclude operation, resource

    ac
  from
    access_cfg
  where
    (
      (ac ->> 'name') ilike '%nat%'
      or (ac ->> 'name') ilike '%external%'
    )
    and severity != 'Error'

  order by
    timestamp desc;

Detections

The query is being used by the following detections:

Compute Instance with Public Network Interface