GCP Firewall Rule Modification

Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/09/21"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App
Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or
specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security
controls and allow more permissive ingress or egress traffic flows for their benefit.
"""
false_positives = [
    """
    Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected.
    Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Firewall Rule Modification"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Firewall Rule Modification

In GCP, firewall rules regulate network traffic to and from VPCs and App Engine applications, crucial for maintaining security. Adversaries may alter these rules to weaken defenses, enabling unauthorized access or data exfiltration. The detection rule monitors audit logs for modifications to firewall rules, identifying potential defense evasion attempts by flagging suspicious changes in network configurations.

### Possible investigation steps

- Review the audit logs for entries with the event.dataset field set to gcp.audit to confirm the source of the alert.
- Examine the event.action field for values such as *.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule to identify the specific type of firewall rule modification.
- Identify the user or service account responsible for the modification by checking the actor information in the audit logs.
- Assess the changes made to the firewall rule, including the before and after states, to determine if the modification allows more permissive ingress or egress traffic.
- Investigate the context of the modification by reviewing related activities in the audit logs around the same time to identify any suspicious patterns or sequences of actions.
- Check for any recent security incidents or alerts involving the affected VPC or App Engine application to understand potential motives or impacts of the rule change.
- If unauthorized or suspicious activity is confirmed, initiate incident response procedures to mitigate any potential security risks.

### False positive analysis

- Routine updates or maintenance activities by authorized personnel can trigger alerts. To manage this, create exceptions for known IP addresses or user accounts that regularly perform these tasks.
- Automated scripts or tools used for infrastructure management might modify firewall rules as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific service accounts or tags.
- Changes made during scheduled maintenance windows can be considered non-threatening. Implement time-based exceptions to ignore modifications during these periods.
- Modifications related to scaling operations in App Engine or VPCs might be legitimate. Review and whitelist specific actions associated with scaling events to prevent unnecessary alerts.
- Regular audits or compliance checks might involve temporary rule changes. Document these activities and exclude them from detection by correlating with audit logs or change management records.

### Response and remediation

- Immediately isolate the affected VPC or App Engine application by applying a restrictive firewall rule to prevent further unauthorized access or data exfiltration.
- Review the audit logs to identify the source of the modification, including user accounts and IP addresses involved, and revoke any suspicious credentials or access.
- Restore the firewall rule to its previous secure state using backup configurations or documented baselines to ensure the network is protected.
- Conduct a thorough security assessment of the affected environment to identify any additional unauthorized changes or indicators of compromise.
- Notify the security operations team and relevant stakeholders about the incident, providing details of the modification and actions taken.
- Implement enhanced monitoring and alerting for future firewall rule changes to detect and respond to similar threats more quickly.
- Consider engaging with Google Cloud support or a third-party security expert if the incident scope is beyond internal capabilities or if further expertise is required.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://cloud.google.com/vpc/docs/firewalls",
    "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls",
]
risk_score = 47
rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Configuration Audit",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
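To make the query and the first triage steps concrete, the following Python script is an added example (not part of the Elastic rule or of this page). It re-implements the rule's two conditions, an exact match on event.dataset and a wildcard match on event.action, over a handful of constructed audit events, and for each hit pulls out the actor and a simple "did this widen exposure?" check on the patch body. Assumptions: events are flat dicts keyed by ECS field names as the Elastic GCP integration maps them (event.dataset, event.action, user.name, source.ip), the request body of a firewall patch sits under gcp.audit.request using the Compute API's field names (sourceRanges, allowed), and matching is case-sensitive; the event values are invented.

```python
"""Evaluate the GCP Firewall Rule Modification query over sample audit events.

Added example; not the Elastic rule's own code. Field layout (ECS names,
gcp.audit.request holding the Compute API patch body) is an assumption.
"""
from fnmatch import fnmatchcase

# The rule's query, split into its two conditions.
REQUIRED_DATASET = "gcp.audit"
ACTION_PATTERNS = (
    "*.compute.firewalls.patch",                # VPC firewall patch, any API version
    "google.appengine.*.Firewall.Update*Rule",  # App Engine firewall rule update
)


def matches_rule(event):
    """True when the event would fire the rule: dataset equals gcp.audit and
    event.action matches one of the wildcard patterns (KQL '*' semantics)."""
    if event.get("event.dataset") != REQUIRED_DATASET:
        return False
    action = event.get("event.action", "")
    return any(fnmatchcase(action, pattern) for pattern in ACTION_PATTERNS)


def permissiveness_flags(request):
    """Triage hint for the 'before and after' step: does the patched rule body
    open things up? Checks for an internet-wide source range and catch-all
    protocol/port entries. Field names follow the Compute API (assumption)."""
    flags = []
    if "0.0.0.0/0" in request.get("sourceRanges", []):
        flags.append("source range open to the internet")
    for entry in request.get("allowed", []):
        proto = entry.get("IPProtocol")
        if proto == "all":
            flags.append("all protocols allowed")
        elif proto in ("tcp", "udp") and not entry.get("ports"):
            flags.append("all %s ports allowed" % proto)
    return flags


def triage(events):
    """Run the rule over a batch and return one triage record per hit."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        hits.append({
            "action": ev["event.action"],
            "actor": ev.get("user.name", "<unknown>"),
            "source_ip": ev.get("source.ip", "<unknown>"),
            "flags": permissiveness_flags(ev.get("gcp.audit.request", {})),
        })
    return hits


# Constructed sample events (invented values, not real log data).
SAMPLE_EVENTS = [
    {   # VPC firewall patched to allow all TCP from anywhere: hit, flagged
        "event.dataset": "gcp.audit",
        "event.action": "v1.compute.firewalls.patch",
        "user.name": "svc-deploy@example-project.iam.gserviceaccount.com",
        "source.ip": "203.0.113.7",
        "gcp.audit.request": {
            "sourceRanges": ["0.0.0.0/0"],
            "allowed": [{"IPProtocol": "tcp"}],
        },
    },
    {   # App Engine ingress rule update: hit, nothing flagged in the body
        "event.dataset": "gcp.audit",
        "event.action": "google.appengine.v1.Firewall.UpdateIngressRule",
        "user.name": "admin@example.com",
        "source.ip": "198.51.100.20",
        "gcp.audit.request": {},
    },
    {   # A firewall read, not a modification: no hit
        "event.dataset": "gcp.audit",
        "event.action": "v1.compute.firewalls.get",
        "user.name": "admin@example.com",
    },
    {   # Right method name, wrong dataset: no hit
        "event.dataset": "aws.cloudtrail",
        "event.action": "v1.compute.firewalls.patch",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The wildcard patterns are deliberately the rule's own strings, so the script also shows what the query does and does not catch: a versioned `v1.compute.firewalls.patch` matches, a `firewalls.get` or an App Engine `Delete*Rule` does not. The permissiveness check is a starting point for the "assess the before and after states" step, not a verdict; the previous state of the rule still has to be read from the audit log or a configuration baseline.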

