Google Cloud VPC Flow Logs

Cloud & SaaS | Network Traffic | Google Cloud | Cloud Control Plane | SIEM / Log Aggregator

Location

Cloud Logging entries for compute.googleapis.com/vpc_flows or exported sinks

Description

Network-flow telemetry for Google Cloud VPC resources, including source and destination addresses, ports, bytes, packets, and decision metadata for accepted traffic samples and aggregates.

Forensic Value

VPC Flow Logs help confirm lateral movement, external communication, and exfiltration volume in Google Cloud when packet capture is unavailable. They are especially useful for mapping suspicious workload-to-workload and workload-to-internet communication patterns across projects and subnets.

Tools Required

Google Cloud Console, gcloud CLI, Logs Explorer, SIEM

Collection Commands

gcloud CLI

gcloud logging read 'logName:"compute.googleapis.com%2Fvpc_flows" AND timestamp>="2026-03-01T00:00:00Z"' --format=json > gcp_vpc_flow_logs.json

gcloud CLI

gcloud compute networks subnets describe <subnet-name> --region <region> --format=json > subnet_flow_log_config.json

Collection Constraints

  • VPC Flow Logs are metadata, not packet payloads, and their fidelity depends on subnet configuration and logging settings.
  • Historic flow visibility depends on how long Cloud Logging or export sinks retained the data.
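To get from the gcp_vpc_flow_logs.json export to the communication-pattern and exfiltration-volume view described under Forensic Value, the following added example (not part of the original page) aggregates bytes per source, destination, port and protocol. It assumes the jsonPayload fields connection, reporter and bytes_sent of the VPC Flow Logs record, treats RFC 1918 ranges as "internal", and runs on a constructed sample.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample: three entries shaped like `gcloud logging read --format=json`
# output. Addresses, sizes and timestamps are made up for illustration.
SAMPLE = json.loads("""
[
 {"timestamp": "2026-03-02T10:00:05Z", "jsonPayload": {"reporter": "SRC", "bytes_sent": "52428800",
   "connection": {"src_ip": "10.128.0.5", "dest_ip": "203.0.113.50", "src_port": 50112, "dest_port": 443, "protocol": 6}}},
 {"timestamp": "2026-03-02T10:01:00Z", "jsonPayload": {"reporter": "SRC", "bytes_sent": "4096",
   "connection": {"src_ip": "10.128.0.5", "dest_ip": "10.128.0.9", "src_port": 50200, "dest_port": 22, "protocol": 6}}},
 {"timestamp": "2026-03-02T10:01:00Z", "jsonPayload": {"reporter": "DEST", "bytes_sent": "4096",
   "connection": {"src_ip": "10.128.0.5", "dest_ip": "10.128.0.9", "src_port": 50200, "dest_port": 22, "protocol": 6}}}
]
""")

# Assumption: "internal" means RFC 1918 space; extend with your own VPC ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def summarize(entries):
    """Return {(src, dest, dest_port, proto): (bytes, direction)} from flow-log entries."""
    per_reporter = defaultdict(lambda: defaultdict(int))
    for entry in entries:
        payload = entry.get("jsonPayload", {})
        conn = payload.get("connection")
        if not conn:
            continue  # not a flow record
        key = (conn["src_ip"], conn["dest_ip"], conn.get("dest_port"), conn.get("protocol"))
        # bytes_sent is an int64 serialized as a string (source-to-destination bytes)
        per_reporter[key][payload.get("reporter")] += int(payload.get("bytes_sent", 0))
    summary = {}
    for key, by_reporter in per_reporter.items():
        # Both ends (SRC and DEST) may report an intra-VPC flow: take max, do not sum.
        direction = "internal" if is_internal(key[0]) and is_internal(key[1]) else "external"
        summary[key] = (max(by_reporter.values()), direction)
    return summary

def top_external(summary, n=10):
    rows = [(k, b) for k, (b, d) in summary.items() if d == "external"]
    return sorted(rows, key=lambda r: r[1], reverse=True)[:n]

if __name__ == "__main__":
    for key, total in top_external(summarize(SAMPLE)):
        print(key, total)
```

For a real export, load gcp_vpc_flow_logs.json with json.load in place of SAMPLE. Because flow logs are sampled, treat the byte totals as estimates rather than exact transfer sizes.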

MITRE ATT&CK Techniques

T1041, T1021, T1071
