List all IP addresses, including the time window each address was seen in the VPC Flow logs, a nested list of all other IP addresses it connected to, and the total volume of inbound/outbound traffic. Default lookback window is 60 days.
For IP addresses associated with internal entities (e.g. VM or GKE node), return corresponding metadata as well. For example, if an IP address belongs to a VM instance, return VM name and VPC name if available.
Category: Network Activity
Use Cases: Audit, Respond
Data Sources: VPC Flow Logs
BigQuery | Log Analytics | Google SecOps |
---|---|---|
SQL | SQL | Contribute rule |
No event generation steps provided. Contribute emulation test to this use case.
{
"insertId": "d1i39zftx389b",
"jsonPayload": {
"reporter": "SRC",
"end_time": "2023-04-28T19:25:48.419716230Z",
"connection": {
"src_ip": "10.10.0.2",
"dest_port": 50604,
"dest_ip": "203.0.113.255",
"src_port": 80,
"protocol": 6
},
"packets_sent": "32",
"src_vpc": {
"vpc_name": "vpc-1",
"subnetwork_name": "subnet-1",
"project_id": "1234"
},
"bytes_sent": "5342",
"start_time": "2023-04-28T19:25:48.419716230Z",
"src_instance": {
"zone": "us-central1-f",
"project_id": "1234",
"vm_name": "my-vm-7p94",
"region": "us-central1"
},
"dest_location": {
"continent": "America",
"country": "usa",
"asn": 15169
}
},
"resource": {
"type": "gce_subnetwork",
"labels": {
"location": "us-central1-f",
"subnetwork_name": "subnet-1",
"subnetwork_id": "1234567891234567891",
"project_id": "1234"
}
},
"timestamp": "2023-04-28T19:25:51.990209956Z",
"logName": "projects/1234/logs/compute.googleapis.com%2Fvpc_flows",
"receiveTimestamp": "2023-04-28T19:25:51.990209956Z"
}