Google Compute Engine firewall rule modified

gcp

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a firewall rule is created, modified or deleted.

Strategy

Monitor Google Compute Engine activity audit logs to determine when any of the following methods are invoked:

  • v1.compute.firewalls.delete
  • v1.compute.firewalls.insert
  • v1.compute.firewalls.patch

Triage and response

  1. Review the log and role and ensure the permissions are scoped properly.
  2. Review the users associated with the role and ensure they should have the permissions attached to the role.