GCP Firewall Rule Creation
Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.
Elastic rule
[metadata]
creation_date = "2020/09/21"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine.
These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or
specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls
and allow more permissive ingress or egress traffic flows for their benefit.
"""
false_positives = [
    """
    Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected.
    Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Firewall Rule Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Firewall Rule Creation

In GCP, firewall rules manage network traffic to and from VPCs and App Engine applications, crucial for maintaining security. Adversaries may exploit this by creating rules that permit unauthorized access, bypassing security measures. The detection rule monitors audit logs for specific actions indicating new rule creation, flagging potential defense evasion attempts to ensure timely investigation and response.

### Possible investigation steps

- Review the audit logs for the specific event.dataset:gcp.audit entries to identify the source of the firewall rule creation, focusing on event.action values matching *.compute.firewalls.insert (VPC firewall rules) or google.appengine.*.Firewall.Create*Rule (App Engine ingress rules).
- Identify the user or service account responsible for the action by examining the actor information in the audit logs, such as the principalEmail field (protoPayload.authenticationInfo.principalEmail in the raw log).
- Determine the network or application affected by the new firewall rule by analyzing the target resources, such as the VPC or App Engine application, to understand the potential impact.
- Assess the rule's configuration details, including its direction and priority, the source or destination IP ranges, the target tags or service accounts, and the allowed or denied protocols and ports, to evaluate whether it introduces any security risks or deviates from established security policies. Ingress rules that allow 0.0.0.0/0 on management ports such as 22 or 3389 deserve immediate attention.
- Check for any recent changes in permissions or roles assigned to the user or service account involved, which might indicate privilege escalation or misuse.
- Correlate the firewall rule creation event with other security events or alerts in the same timeframe to identify any suspicious patterns or activities that might suggest a coordinated attack.
- Consult with relevant stakeholders or teams to verify that the firewall rule creation was authorized and aligns with current operational requirements or projects.

### False positive analysis

- Routine administrative actions by authorized personnel can trigger alerts when they create or update firewall rules for legitimate purposes. To manage this, establish a list of known IP addresses or user accounts that frequently perform these actions and create exceptions for them in the detection rule.
- Automated processes or scripts that regularly update firewall configurations as part of normal operations may also cause false positives. Identify these processes and adjust the rule to exclude their specific actions or service accounts.
- Changes made during scheduled maintenance windows might be flagged as suspicious. Implement time-based exceptions to ignore rule creation events during these predefined periods.
- Integration with third-party security tools or services that modify firewall rules for enhanced protection can be mistaken for unauthorized activity. Verify these integrations and allowlist their actions to prevent unnecessary alerts.
- Development and testing environments often require frequent firewall rule changes, which can lead to false positives. Differentiate these environments from production by tagging them appropriately and excluding their events from the detection rule.

### Response and remediation

- Immediately review the newly created firewall rule to determine its source and intent. Verify that the rule aligns with organizational security policies and intended network configurations.
- Temporarily disable or delete the suspicious firewall rule to prevent unauthorized access while further investigation is conducted. Disabling a VPC rule preserves its definition for later analysis.
- Conduct a thorough audit of recent firewall rule changes in the affected GCP project to identify any other unauthorized modifications.
- Isolate affected systems or applications that may have been exposed due to the unauthorized firewall rule to prevent further exploitation.
- Notify the security operations team and relevant stakeholders about the incident for awareness and further action.
- Implement additional monitoring on the affected VPC or App Engine environment to detect any further unauthorized changes or suspicious activities.
- Review and update access controls and permissions for creating and modifying firewall rules to ensure only authorized personnel have the necessary privileges.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://cloud.google.com/vpc/docs/firewalls",
    "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls",
]
risk_score = 21
rule_id = "30562697-9859-4ae0-a8c5-dab45d664170"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Configuration Audit",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
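As an added example (not Elastic's code and not part of the rule above), the following Python applies the rule's query to a handful of constructed, ECS-shaped audit documents and then runs the triage points from the investigation guide over each hit: who created the rule, what it opens up, and whether the principal is expected automation. event.dataset, event.action and user.email follow the GCP integration's ECS mapping; the firewall request body under gcp.audit.request, the field names inside it (taken from the Compute Engine Firewall resource and the App Engine CreateIngressRule request), the sample identities and the EXPECTED_PRINCIPALS exception list are assumptions made for this example.

```python
"""Added example: apply the rule's KQL to constructed GCP audit documents
and triage each hit. Not Elastic's code. Assumed: the firewall request body
is kept under gcp.audit.request, and user.email carries principalEmail."""
import fnmatch
import ipaddress

RULE_DATASET = "gcp.audit"
RULE_ACTIONS = ["*.compute.firewalls.insert", "google.appengine.*.Firewall.Create*Rule"]
# Hypothetical exception list for the false-positive handling the guide
# describes: automation identities whose firewall changes are expected.
EXPECTED_PRINCIPALS = {"terraform-ci@example-project.iam.gserviceaccount.com"}
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}

# Constructed sample documents, not real logs.
SAMPLE_EVENTS = [
    {"event": {"dataset": "gcp.audit", "action": "v1.compute.firewalls.insert"},
     "user": {"email": "mallory@example.com"},
     "gcp": {"audit": {"request": {
         "name": "allow-ssh-anywhere", "direction": "INGRESS",
         "sourceRanges": ["0.0.0.0/0"],
         "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}}}},
    {"event": {"dataset": "gcp.audit",
               "action": "google.appengine.v1.Firewall.CreateIngressRule"},
     "user": {"email": "mallory@example.com"},
     "gcp": {"audit": {"request": {
         "rule": {"priority": 100, "action": "ALLOW", "sourceRange": "*"}}}}},
    {"event": {"dataset": "gcp.audit", "action": "beta.compute.firewalls.insert"},
     "user": {"email": "terraform-ci@example-project.iam.gserviceaccount.com"},
     "gcp": {"audit": {"request": {
         "name": "allow-internal-https", "direction": "INGRESS",
         "sourceRanges": ["10.0.0.0/8"],
         "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]}}}},
    {"event": {"dataset": "gcp.audit", "action": "v1.compute.firewalls.delete"},
     "user": {"email": "mallory@example.com"}},
    {"event": {"dataset": "gcp.firewall", "action": "v1.compute.firewalls.insert"}},
]


def matches_rule(event):
    """event.dataset:gcp.audit and event.action:(<wildcards>), as the KQL does.
    fnmatch treats '*' like KQL's wildcard and '.' literally."""
    ev = event.get("event", {})
    if ev.get("dataset") != RULE_DATASET:
        return False
    return any(fnmatch.fnmatchcase(ev.get("action", ""), p) for p in RULE_ACTIONS)


def _world_open(ranges):
    """True if any range covers the whole address space ('*' is App Engine's
    shorthand for any source; 0.0.0.0/0 and ::/0 are the CIDR forms)."""
    return any(r == "*" or ipaddress.ip_network(r, strict=False).prefixlen == 0
               for r in ranges if r)


def _ports(spec):
    """Expand a GCP port spec ('22' or '8000-9000') to a set of ints."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def triage(event):
    """Return (principal, findings) following the guide's investigation steps:
    who created the rule, what it exposes, and whether that was expected."""
    principal = event.get("user", {}).get("email", "<unknown>")
    req = event.get("gcp", {}).get("audit", {}).get("request", {})
    findings = []
    if "rule" in req:  # App Engine CreateIngressRule body: {parent, rule}
        rule = req["rule"]
        if rule.get("action") == "ALLOW" and _world_open([rule.get("sourceRange", "")]):
            findings.append("App Engine ALLOW rule for any source")
    else:  # Compute Engine Firewall resource
        direction = req.get("direction", "INGRESS")  # GCP default is INGRESS
        key = "sourceRanges" if direction == "INGRESS" else "destinationRanges"
        ranges = req.get(key, [])
        if _world_open(ranges):
            findings.append(f"{direction} rule open to all addresses: {ranges}")
        for allow in req.get("allowed", []):
            proto = allow.get("IPProtocol", "").lower()
            specs = allow.get("ports", [])
            if proto == "all" or (proto in ("tcp", "udp") and not specs):
                findings.append(f"allows every {proto} port")
            exposed = set().union(*(_ports(s) for s in specs)) & MANAGEMENT_PORTS
            if exposed:
                findings.append(f"exposes management port(s) {sorted(exposed)}/{proto}")
    if principal in EXPECTED_PRINCIPALS:
        findings.append("principal is on the expected-automation list")
    return principal, findings


def run(events):
    """Alerts for every document the rule matches, with triage findings."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            principal, findings = triage(ev)
            alerts.append({"action": ev["event"]["action"],
                           "principal": principal, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"{alert['action']} by {alert['principal']}")
        for finding in alert["findings"]:
            print("  -", finding)
```

Run directly, it reports the three documents the query matches with their findings; the firewalls.delete and non-gcp.audit documents are ignored, as the query intends. Only the world-open SSH rule and the App Engine any-source ALLOW warrant escalation; the Terraform change is the kind of expected activity the false-positive section says to carve out with an exception. For containment on a real project, `gcloud compute firewall-rules update RULE_NAME --disabled` keeps a VPC rule's definition available to the investigation, while App Engine ingress rules are removed with `gcloud app firewall-rules delete PRIORITY`.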
Related rules
- GCP Firewall Rule Deletion
- GCP Firewall Rule Modification
- GCP Virtual Private Cloud Network Deletion
- GCP Virtual Private Cloud Route Creation
- GCP Virtual Private Cloud Route Deletion