6.15 - List all IP addresses with any associated entities

April 24, 2024

List all IP addresses, including the time window each address was seen in the VPC Flow logs, a nested list of all other IP addresses it connected to, and the total volume of inbound/outbound traffic. Default lookback window is 60 days.

For IP addresses associated with internal entities (e.g. a VM or GKE node), return the corresponding metadata as well. For example, if an IP address belongs to a VM instance, return the VM name and VPC name when available.
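The rollup the use case describes, as an added example in Python rather than the CSA project's own BigQuery or Log Analytics SQL: walk VPC Flow Logs records shaped like the sample event below, apply the 60-day lookback, and build one entry per IP address with its first/last seen times, the set of peer addresses, inbound/outbound byte totals, and VM/VPC metadata when the record carries `src_instance`/`src_vpc` or `dest_instance`/`dest_vpc`. The records, the `flow()` helper, the pinned `NOW` and the duplicate-report handling (one report per 5-tuple and start_time, since a VM-to-VM flow is reported by both endpoints) are this example's own constructed data and assumptions, not part of the original page.

```python
"""Per-IP rollup over VPC Flow Logs records (added example, not the CSA query).
All records below are constructed to match the shape of the sample event."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOOKBACK_DAYS = 60  # default lookback window from the use case description


def parse_ts(s: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp with up to nanosecond precision, e.g.
    2023-04-28T19:25:48.419716230Z (strptime's %f accepts at most 6 digits)."""
    base, _, frac = s.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{base}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def new_entry():
    return {"first_seen": None, "last_seen": None, "peers": set(),
            "bytes_in": 0, "bytes_out": 0, "entity": None}


def summarize_ips(records, now, lookback_days=LOOKBACK_DAYS):
    """Return {ip: {first_seen, last_seen, peers, bytes_in, bytes_out, entity}}.

    Direction comes from connection.src_ip/dest_ip: bytes_sent is outbound for
    src_ip and inbound for dest_ip. A flow between two VMs is reported by both
    endpoints (reporter SRC and DEST); as an approximation chosen for this
    example, only the first report per 5-tuple and start_time is counted.
    """
    cutoff = now - timedelta(days=lookback_days)
    seen = set()
    ips = defaultdict(new_entry)
    for rec in records:
        p = rec["jsonPayload"]
        c = p["connection"]
        start, end = parse_ts(p["start_time"]), parse_ts(p["end_time"])
        if end < cutoff:
            continue  # outside the lookback window
        key = (c["src_ip"], c["src_port"], c["dest_ip"], c["dest_port"], c["protocol"], p["start_time"])
        if key in seen:
            continue  # second report of the same flow
        seen.add(key)
        nbytes = int(p["bytes_sent"])  # bytes_sent is a string in the payload
        sides = (
            (c["src_ip"], c["dest_ip"], "bytes_out", "src_instance", "src_vpc"),
            (c["dest_ip"], c["src_ip"], "bytes_in", "dest_instance", "dest_vpc"),
        )
        for ip, peer, direction, inst_key, vpc_key in sides:
            e = ips[ip]
            e["first_seen"] = start if e["first_seen"] is None else min(e["first_seen"], start)
            e["last_seen"] = end if e["last_seen"] is None else max(e["last_seen"], end)
            e["peers"].add(peer)
            e[direction] += nbytes
            # Entity metadata is only present for endpoints that are resources in the VPC.
            if e["entity"] is None and (inst_key in p or vpc_key in p):
                e["entity"] = {"vm_name": p.get(inst_key, {}).get("vm_name"),
                               "vpc_name": p.get(vpc_key, {}).get("vpc_name")}
    return dict(ips)


def flow(src, sport, dst, dport, start, end, nbytes, reporter="SRC", **extra):
    """Build a minimal record in the shape of the sample event (constructed data)."""
    payload = {"reporter": reporter, "start_time": start, "end_time": end, "bytes_sent": str(nbytes),
               "connection": {"src_ip": src, "src_port": sport, "dest_ip": dst,
                              "dest_port": dport, "protocol": 6}}
    payload.update(extra)
    return {"jsonPayload": payload}


VM1 = {"src_instance": {"vm_name": "my-vm-7p94"}, "src_vpc": {"vpc_name": "vpc-1"}}
SAMPLE_RECORDS = [
    # the page's sample event: VM 10.10.0.2 serving port 80 to an external address
    flow("10.10.0.2", 80, "203.0.113.255", 50604,
         "2023-04-28T19:25:48.419716230Z", "2023-04-28T19:25:48.419716230Z", 5342, **VM1),
    # VM-to-VM flow reported by the source VM ...
    flow("10.10.0.3", 43210, "10.10.0.2", 443, "2023-04-28T18:00:00Z", "2023-04-28T18:00:05Z", 1200,
         src_instance={"vm_name": "my-vm-a"}, src_vpc={"vpc_name": "vpc-1"},
         dest_instance={"vm_name": "my-vm-7p94"}, dest_vpc={"vpc_name": "vpc-1"}),
    # ... and again by the destination VM (same 5-tuple and start_time)
    flow("10.10.0.3", 43210, "10.10.0.2", 443, "2023-04-28T18:00:00Z", "2023-04-28T18:00:05Z", 1200,
         reporter="DEST", src_instance={"vm_name": "my-vm-a"}, src_vpc={"vpc_name": "vpc-1"},
         dest_instance={"vm_name": "my-vm-7p94"}, dest_vpc={"vpc_name": "vpc-1"}),
    # older than the lookback window: must be excluded
    flow("10.10.0.2", 51000, "198.51.100.7", 22, "2023-01-01T00:00:00Z", "2023-01-01T00:00:10Z", 999, **VM1),
]
NOW = datetime(2023, 4, 29, tzinfo=timezone.utc)  # pinned so the constructed data sits inside the window

if __name__ == "__main__":
    for ip, e in sorted(summarize_ips(SAMPLE_RECORDS, NOW).items()):
        print(ip, e["first_seen"].isoformat(), e["last_seen"].isoformat(),
              sorted(e["peers"]), e["bytes_in"], e["bytes_out"], e["entity"])
```

Two details matter when translating this back to a query over the log sink: `bytes_sent` is stored as a string and must be cast before summing, and the window should be applied against the flow's `end_time` (or the record `timestamp`) rather than `start_time`, otherwise long-lived flows that began before the cutoff but were still active inside it are dropped.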

Category: Network Activity
Use Cases: Audit, Respond
Data Sources: VPC Flow Logs

Queries or Rules

BigQuery: SQL
Log Analytics: SQL
Google SecOps: no rule provided (contribute rule)

Event Generation

No event generation steps provided.

Sample Event

google.compute.googleapis.com.vpc_flows

{
  "insertId": "d1i39zftx389b",
  "jsonPayload": {
    "reporter": "SRC",
    "end_time": "2023-04-28T19:25:48.419716230Z",
    "connection": {
      "src_ip": "10.10.0.2",
      "dest_port": 50604,
      "dest_ip": "203.0.113.255",
      "src_port": 80,
      "protocol": 6
    },
    "packets_sent": "32",
    "src_vpc": {
      "vpc_name": "vpc-1",
      "subnetwork_name": "subnet-1",
      "project_id": "1234"
    },
    "bytes_sent": "5342",
    "start_time": "2023-04-28T19:25:48.419716230Z",
    "src_instance": {
      "zone": "us-central1-f",
      "project_id": "1234",
      "vm_name": "my-vm-7p94",
      "region": "us-central1"
    },
    "dest_location": {
      "continent": "America",
      "country": "usa",
      "asn": 15169
    }
  },
  "resource": {
    "type": "gce_subnetwork",
    "labels": {
      "location": "us-central1-f",
      "subnetwork_name": "subnet-1",
      "subnetwork_id": "1234567891234567891",
      "project_id": "1234"
    }
  },
  "timestamp": "2023-04-28T19:25:51.990209956Z",
  "logName": "projects/1234/logs/compute.googleapis.com%2Fvpc_flows",
  "receiveTimestamp": "2023-04-28T19:25:51.990209956Z"
}