Stay organized with collections
Save and categorize content based on your preferences.
This document describes a threat finding type in Security Command Center. Threat findings are generated by
threat detectors when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
This finding isn't available for project-level activations.
Audit logs are examined to detect changes to VPC Service Controls perimeters
that would lead to a reduction in the protection offered by that perimeter. The
following are some examples:
A project is removed from a perimeter
An access level policy
is added to an existing perimeter
Open the Defense Evasion: Modify VPC Service Control finding, as directed
in Reviewing findings. The panel for the finding
details opens, displaying the Summary tab.
On the Summary tab, review the information in the following sections:
What was detected, especially the following field:
Principal email: the account that performed the modification.
Affected resource, especially the following field:
Resource full name: the name of the VPC Service Controls perimeter
that was modified.
Related links:
Cloud Logging URI: link to Logging entries.
MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
Related findings: links to any related findings.
Click the JSON tab.
In the JSON, note the following fields.
sourceProperties
properties
name: the name of the VPC Service Controls perimeter that was modified
policyLink: the link to the access policy that controls the perimeter
delta: the changes, either REMOVE or ADD, to a perimeter that
reduced its protection
restricted_resources: the projects that follow the restrictions of
this perimeter. Protection is reduced if you remove a project
restricted_services: the services that are forbidden from running
by the restrictions of this perimeter. Protection is reduced if you
remove a restricted service
allowed_services: the services that are allowed to run under this
perimeter's restrictions. Protection is reduced if you add an
allowed service
access_levels: the access levels
that are configured to allow access to resources under the perimeter.
Protection is reduced if you add more access levels
Step 2: Check logs
On the Summary tab of the finding details panel, click the
Cloud Logging URI link to open the Logs Explorer.
Find admin activity logs related to VPC Service Controls changes by using
the following filters:
Review related findings by clicking the link on the Related findings
on the Related findings row in the Summary tab of the
finding details.
To develop a response plan, combine your investigation results with MITRE
research.
Step 4: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations.
Carefully evaluate the information you gather in your investigation to determine the best way to
resolve findings.
Contact the owner of the VPC Service Controls policy and perimeter.
Consider reverting the changes for the perimeter until the investigation is
completed.
Consider revoking Access Context Manager roles
on the principal that modified the perimeter until the investigation is
completed.
Investigate how the reduced protections have been used. For example, if
"BigQuery Data Transfer Service API" is enabled, or added as allowed service,
check who started using that service and what they are transferring.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-10 UTC."],[],[],null,["| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)\n\nThis document describes a threat finding type in Security Command Center. Threat findings are generated by\n[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect\na potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).\n\nOverview\n\nThis finding isn't available for project-level activations.\n\nAudit logs are examined to detect changes to VPC Service Controls perimeters\nthat would lead to a reduction in the protection offered by that perimeter. The\nfollowing are some examples:\n\n- A project is removed from a perimeter\n- An [access level](/vpc-service-controls/docs/use-access-levels) policy is added to an existing perimeter\n- One or more services are added to the list of [accessible services](/vpc-service-controls/docs/vpc-accessible-services)\n\nHow to respond\n\nTo respond to this finding, do the following:\n\nStep 1: Review finding details\n\n1. Open the `Defense Evasion: Modify VPC Service Control` finding, as directed in [Reviewing findings](/security-command-center/docs/how-to-investigate-threats#reviewing_findings). The panel for the finding details opens, displaying the **Summary** tab.\n2. On the **Summary** tab, review the information in the following sections:\n\n - **What was detected** , especially the following field:\n - **Principal email**: the account that performed the modification.\n - **Affected resource** , especially the following field:\n - **Resource full name**: the name of the VPC Service Controls perimeter that was modified.\n - **Related links** :\n - **Cloud Logging URI**: link to Logging entries.\n - **MITRE ATT\\&CK method**: link to the MITRE ATT\\&CK documentation.\n - **Related findings**: links to any related findings.\n3. Click the **JSON** tab.\n\n4. In the JSON, note the following fields.\n\n - `sourceProperties`\n - `properties`\n - `name`: the name of the VPC Service Controls perimeter that was modified\n - `policyLink`: the link to the access policy that controls the perimeter\n - `delta`: the changes, either `REMOVE` or `ADD`, to a perimeter that reduced its protection\n - `restricted_resources`: the projects that follow the restrictions of this perimeter. Protection is reduced if you remove a project\n - `restricted_services`: the services that are forbidden from running by the restrictions of this perimeter. Protection is reduced if you remove a restricted service\n - `allowed_services`: the services that are allowed to run under this perimeter's restrictions. Protection is reduced if you add an allowed service\n - `access_levels`: the [access levels](/vpc-service-controls/docs/use-access-levels) that are configured to allow access to resources under the perimeter. Protection is reduced if you add more access levels\n\nStep 2: Check logs\n\n1. On the **Summary tab** of the finding details panel, click the **Cloud Logging URI** link to open the **Logs Explorer**.\n2. Find admin activity logs related to VPC Service Controls changes by using the following filters:\n - `protoPayload.methodName:\"AccessContextManager.UpdateServicePerimeter\"`\n - `protoPayload.methodName:\"AccessContextManager.ReplaceServicePerimeters\"`\n\nStep 3: Research attack and response methods\n\n1. Review the MITRE ATT\\&CK framework entry for this finding type: [Defense Evasion: Modify Authentication Process](https://attack.mitre.org/techniques/T1556/).\n2. Review related findings by clicking the link on the **Related findings** on the **Related findings** row in the **Summary** tab of the finding details.\n3. To develop a response plan, combine your investigation results with MITRE research.\n\nStep 4: Implement your response\n\n\nThe following response plan might be appropriate for this finding, but might also impact operations.\nCarefully evaluate the information you gather in your investigation to determine the best way to\nresolve findings.\n\n- Contact the owner of the VPC Service Controls policy and perimeter.\n- Consider reverting the changes for the perimeter until the investigation is completed.\n- Consider revoking [Access Context Manager roles](/vpc-service-controls/docs/access-control) on the principal that modified the perimeter until the investigation is completed.\n- Investigate how the reduced protections have been used. For example, if \"BigQuery Data Transfer Service API\" is enabled, or added as allowed service, check who started using that service and what they are transferring.\n\nWhat's next\n\n- Learn [how to work with threat\n findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).\n- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).\n- Learn how to [review a\n finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.\n- Learn about the [services that\n generate threat findings](/security-command-center/docs/concepts-security-sources#threats)."]]
