LoFP / exceptions can be added to this rule to filter expected behavior.

Techniques

• t1562

Sample rules

Google Cloud Firewall Modified or Deleted

• source: sigma
• technicques:
  • t1562

Description

Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - v*.Compute.Firewalls.Delete
  - v*.Compute.Firewalls.Patch
  - v*.Compute.Firewalls.Update
  - v*.Compute.Firewalls.Insert