GCP Firewall Rule Deletion

Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/09/21"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine.
These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or
specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls.
"""
false_positives = [
    """
    Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected.
    Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Firewall Rule Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Firewall Rule Deletion

In GCP, firewall rules are crucial for controlling network traffic to and from VM instances and applications, ensuring robust security. Adversaries may delete these rules to bypass security measures, facilitating unauthorized access or data exfiltration. The detection rule monitors audit logs for deletion actions, flagging potential defense evasion attempts by identifying specific deletion events in VPC or App Engine environments.

### Possible investigation steps

- Review the audit logs for the specific event.dataset:gcp.audit to confirm the deletion action and gather details such as the timestamp, user identity, and source IP address associated with the event.
- Investigate the event.action field to determine whether the deletion occurred in the VPC or App Engine environment, and identify the specific firewall rule that was deleted.
- Check the user or service account activity around the time of the deletion to identify any suspicious behavior or unauthorized access attempts.
- Assess the impact of the deleted firewall rule by reviewing the network traffic patterns and security posture before and after the deletion.
- Collaborate with the network security team to determine if the deletion was part of a legitimate change management process or if it indicates a potential security incident.

### False positive analysis

- Routine maintenance or updates by authorized personnel may trigger firewall rule deletions. To manage this, create exceptions for known maintenance windows or specific user accounts responsible for these tasks.
- Automated scripts or tools used for infrastructure management might delete and recreate firewall rules as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using service accounts or tags associated with these tools.
- Changes in application deployment processes, especially in environments like App Engine, can lead to legitimate firewall rule deletions. Review deployment logs and processes to identify patterns and exclude these from alerts.
- Organizational policy changes that involve restructuring network security may result in bulk deletions of firewall rules. Coordinate with network security teams to understand planned changes and temporarily adjust detection rules during these periods.
- Test environments often have dynamic configurations where firewall rules are frequently added and removed. Exclude specific projects or environments designated for testing from the detection rule to reduce noise.

### Response and remediation

- Immediately isolate affected VM instances or applications by applying restrictive firewall rules to prevent further unauthorized access or data exfiltration.
- Review audit logs to identify the source of the deletion action, including user accounts and IP addresses involved, and verify if the action was authorized.
- Recreate the deleted firewall rules based on the last known good configuration to restore security controls and prevent unauthorized access.
- Conduct a security review of the affected environment to identify any additional unauthorized changes or indicators of compromise.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data were impacted.
- Implement enhanced monitoring and alerting for firewall rule changes to detect and respond to similar threats more quickly in the future.
- Review and update access controls and permissions for users and service accounts to ensure that only authorized personnel can modify firewall rules.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://cloud.google.com/vpc/docs/firewalls",
    "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls",
]
risk_score = 47
rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Configuration Audit",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
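As an added example (not part of the Elastic rule or of this page), the query's matching logic replayed in Python over constructed GCP audit events, pulling out the fields the investigation steps ask for (timestamp, principal, source IP, VPC vs. App Engine, rule name) and applying the kind of service-account exception the false-positive section describes. The keys user.email, source.ip and gcp.audit.resource_name are assumed ECS-style field names; only event.dataset and event.action come from the rule itself.

```python
"""Replay the rule's KQL matching logic over constructed GCP audit events."""
import fnmatch

# Wildcard patterns copied from the rule query; KQL '*' behaves like fnmatch '*'.
ACTION_PATTERNS = ("*.compute.firewalls.delete", "google.appengine.*.Firewall.Delete*Rule")

# Constructed sample events (flattened ECS-style keys, not real log data).
SAMPLE_EVENTS = [
    {"@timestamp": "2025-01-15T10:02:11Z", "event.dataset": "gcp.audit",
     "event.action": "v1.compute.firewalls.delete", "user.email": "alice@example.com",
     "source.ip": "203.0.113.10", "gcp.audit.resource_name": "projects/demo/global/firewalls/allow-ssh"},
    {"@timestamp": "2025-01-15T10:05:40Z", "event.dataset": "gcp.audit",
     "event.action": "google.appengine.v1.Firewall.DeleteIngressRule",
     "user.email": "deploy-bot@demo.iam.gserviceaccount.com", "source.ip": "198.51.100.7",
     "gcp.audit.resource_name": "apps/demo/firewall/ingressRules/100"},
    # Rule creation: same dataset, but the action matches neither pattern.
    {"@timestamp": "2025-01-15T10:06:00Z", "event.dataset": "gcp.audit",
     "event.action": "v1.compute.firewalls.insert", "user.email": "alice@example.com",
     "source.ip": "203.0.113.10", "gcp.audit.resource_name": "projects/demo/global/firewalls/allow-ssh"},
    # Matching action but wrong dataset: the first clause of the query rejects it.
    {"@timestamp": "2025-01-15T10:07:00Z", "event.dataset": "aws.cloudtrail",
     "event.action": "v1.compute.firewalls.delete", "user.email": "bob@example.com",
     "source.ip": "192.0.2.5"},
]


def matches_rule(event: dict) -> bool:
    """event.dataset:gcp.audit and event.action:(<pattern> or <pattern>)."""
    if event.get("event.dataset") != "gcp.audit":
        return False
    action = event.get("event.action", "")
    return any(fnmatch.fnmatchcase(action, p) for p in ACTION_PATTERNS)


def environment(action: str) -> str:
    """Which surface the deletion hit, as the investigation steps ask."""
    return "App Engine" if action.startswith("google.appengine.") else "VPC"


def triage(events, excluded_principals=frozenset()):
    """Return alert summaries for matching events, dropping exception-listed principals."""
    alerts = []
    for ev in events:
        if not matches_rule(ev) or ev.get("user.email") in excluded_principals:
            continue
        alerts.append({"timestamp": ev["@timestamp"], "environment": environment(ev["event.action"]),
                       "principal": ev.get("user.email"), "source_ip": ev.get("source.ip"),
                       "rule": ev.get("gcp.audit.resource_name")})
    return alerts
```

Run `triage(SAMPLE_EVENTS)` to see both deletions flagged; passing the deployment service account in `excluded_principals` leaves only the interactive user's VPC deletion.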
