A security engineer needs to investigate a potential data exfiltration incident in a Google Cloud environment. The engineer has access to Cloud Logging and wants to identify any unusual outbound network traffic from Compute Engine instances. Which log sink filter should the engineer create to capture VPC flow logs for traffic destined to an external IP address not in the internal network ranges?
- A: Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.connection.dest_ip="0.0.0.0/0"'
  Why wrong: Source IP filter is irrelevant; also the filter syntax is incorrect.
- B: Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.reporter="src" AND jsonPayload.connection.dest_ip="0.0.0.0/0"'
  Why wrong: Filtering on reporter=src and dest_ip=0.0.0.0/0 is not valid; also it captures only traffic reported by the source.
- C: Create a sink with filter: 'resource.type="gce_subnetwork" AND jsonPayload.connection.dest_ip!="10.0.0.0/8" AND jsonPayload.connection.dest_ip!="172.16.0.0/12" AND jsonPayload.connection.dest_ip!="192.168.0.0/16"'
  Why correct: This filter captures VPC flow logs where the destination IP is not in the private ranges, thus external traffic.
- D: Create a sink with filter: 'compute.googleapis.com/vpc_flows'
  Why wrong: This filter captures all VPC flow logs, which is too broad and not focused on external traffic.