GCP GCE Firewall Rule Modified

gcp

Classification:

compliance

Set up the gcp integration.

Overview

Goal

Detect when a firewall rule is created, modified or deleted.

Strategy

Monitor GCP GCE activity audit logs to determine when any of the following methods are invoked:

  • v1.compute.firewalls.delete
  • v1.compute.firewalls.insert
  • v1.compute.firewalls.patch
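
The strategy above, sketched as an added example (not the rule's own implementation): it filters JSON-formatted audit log entries on `protoPayload.methodName` and extracts the acting principal and rule name for triage. The log lines are constructed, and collapsing entries that share an `operation.id` assumes one API call can be logged more than once.

```python
import json

# Method names taken from the Strategy list above.
FIREWALL_METHODS = {
    "v1.compute.firewalls.delete",
    "v1.compute.firewalls.insert",
    "v1.compute.firewalls.patch",
}

# Constructed sample audit log entries, one JSON object per line.
SAMPLE_LOGS = """\
{"timestamp":"2024-01-01T10:00:00Z","operation":{"id":"op-1","first":true},"protoPayload":{"methodName":"v1.compute.firewalls.patch","resourceName":"projects/example-project/global/firewalls/allow-ssh","authenticationInfo":{"principalEmail":"alice@example.com"}}}
{"timestamp":"2024-01-01T10:00:05Z","operation":{"id":"op-1","last":true},"protoPayload":{"methodName":"v1.compute.firewalls.patch","resourceName":"projects/example-project/global/firewalls/allow-ssh","authenticationInfo":{"principalEmail":"alice@example.com"}}}
{"timestamp":"2024-01-01T10:01:00Z","protoPayload":{"methodName":"v1.compute.instances.start","resourceName":"projects/example-project/zones/us-central1-a/instances/vm-1","authenticationInfo":{"principalEmail":"bob@example.com"}}}
{"timestamp":"2024-01-01T10:02:00Z","operation":{"id":"op-2","first":true},"protoPayload":{"methodName":"v1.compute.firewalls.delete","resourceName":"projects/example-project/global/firewalls/deny-all","authenticationInfo":{"principalEmail":"svc@example-project.iam.gserviceaccount.com"}}}
not-json line
{"timestamp":"2024-01-01T10:03:00Z","textPayload":"no protoPayload here"}
"""

def detect_firewall_changes(lines):
    """Return one finding per firewall create/modify/delete operation."""
    findings, seen_ops = [], set()
    for line in lines:
        try:
            entry = json.loads(line)
            payload = entry.get("protoPayload") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # malformed or non-object line
        method = payload.get("methodName")
        if method not in FIREWALL_METHODS:
            continue
        # Assumption: entries sharing an operation id describe the same call.
        op_id = (entry.get("operation") or {}).get("id")
        if op_id in seen_ops:
            continue
        if op_id:
            seen_ops.add(op_id)
        auth = payload.get("authenticationInfo") or {}
        findings.append({
            "timestamp": entry.get("timestamp"),
            "action": method.rsplit(".", 1)[-1],
            "rule": payload.get("resourceName", "").rsplit("/", 1)[-1],
            "principal": auth.get("principalEmail", "unknown"),
        })
    return findings

if __name__ == "__main__":
    for finding in detect_firewall_changes(SAMPLE_LOGS.splitlines()):
        print(finding)
```
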

Triage & Response

  1. Review the log and role and ensure the permissions are scoped properly.
  2. Review the users associated with the role and ensure they should have the permissions attached to the role.