Google Compute Engine firewall rule modified

gcp

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a firewall rule is created, modified or deleted.

Strategy

Monitor Google Compute Engine activity audit logs to determine when any of the following methods are invoked:

  • v1.compute.firewalls.delete
  • v1.compute.firewalls.insert
  • v1.compute.firewalls.patch

Triage and response

  1. Review the log and role and ensure the permissions are scoped properly.
  2. Review the users associated with the role and ensure they should have the permissions attached to the role.