Google Cloud Firewall Modified or Deleted

Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).

Sigma rule

title: Google Cloud Firewall Modified or Deleted
id: fe513c69-734c-4d4a-8548-ac5f609be82b
status: test
description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
references:
    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
    - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
author: Austin Songer @austinsonger
date: 2021/08/13
modified: 2022/10/09
tags:
    - attack.defense_evasion
    - attack.t1562
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name:
            - v*.Compute.Firewalls.Delete
            - v*.Compute.Firewalls.Patch
            - v*.Compute.Firewalls.Update
            - v*.Compute.Firewalls.Insert
    condition: selection
falsepositives:
    - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.
    - Exceptions can be added to this rule to filter expected behavior.
level: medium
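To see what the selection above actually matches, here is an added example (not part of the Sigma rule or its repository) that applies the four `v*.Compute.Firewalls.*` patterns with Sigma's default semantics (case-insensitive, `*` as a wildcard) to constructed GCP audit log entries. It assumes `gcp.audit.method_name` has been mapped to the audit log's `protoPayload.methodName` field; the sample entries are made up for illustration.

```python
import re

# Wildcard patterns taken from the rule's selection (gcp.audit.method_name).
METHOD_PATTERNS = [
    "v*.Compute.Firewalls.Delete",
    "v*.Compute.Firewalls.Patch",
    "v*.Compute.Firewalls.Update",
    "v*.Compute.Firewalls.Insert",
]


def sigma_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a Sigma string value into a full-match, case-insensitive regex.

    Sigma treats '*' as "any run of characters" and '?' as "one character";
    everything else is literal, and plain string matches ignore case.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


COMPILED = [sigma_wildcard_to_regex(p) for p in METHOD_PATTERNS]


def matches_rule(entry: dict) -> bool:
    """True if one audit log entry (as a dict) satisfies the rule's selection.

    Assumption: the field gcp.audit.method_name in the rule corresponds to
    protoPayload.methodName in the raw Cloud Audit Log record.
    """
    method = entry.get("protoPayload", {}).get("methodName", "")
    return any(rx.match(method) for rx in COMPILED)


# Constructed sample entries, not real log data.
SAMPLE_LOG = [
    {"protoPayload": {"methodName": "v1.compute.firewalls.delete"}},   # match
    {"protoPayload": {"methodName": "V1.Compute.Firewalls.Insert"}},   # match (case)
    {"protoPayload": {"methodName": "v1.compute.firewalls.get"}},      # read-only
    {"protoPayload": {"methodName": "v1.compute.instances.delete"}},   # other resource
    {"protoPayload": {"methodName": "beta.compute.firewalls.patch"}},  # no "v" prefix
]


def alerting_methods(entries: list) -> list:
    """Return the methodName of every entry that would raise this alert."""
    return [e["protoPayload"]["methodName"] for e in entries if matches_rule(e)]
```

Note that a method name beginning with anything other than `v` (such as the constructed `beta.` entry) falls outside the `v*` prefix, which is worth checking against the API versions actually in use before relying on the rule.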
