Detection: App Engine Firewall Ingress Rule Created
Overview
Detect when an App Engine Firewall Ingress Rule was created. These rules control access to applications and services hosted on App Engine. Monitoring for new rule creations helps ensure that unauthorized or misconfigured rules do not expose sensitive resources to potential threats.
References:
Usage
Run the detection in your terminal:
powerpipe detection run gcp_audit_log_detections.detection.app_engine_firewall_ingress_rule_created
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run gcp_audit_log_detections.detection.app_engine_firewall_ingress_rule_created --share
SQL
This detection uses a named query:
select tp_timestamp as timestamp,method_name as operation,resource_name as resource,authentication_info.principal_email as actor,tp_source_ip as source_ip,tp_index as project,tp_id as source_id,-- Create new aliases to preserve original row data*
from gcp_audit_logwhere method_name ilike 'google.app_engine.v%.firewall.createingressrule' and severity != 'Error'-- TODO: Do we need to check operation?-- and (operation_src is null or operation_src.last = true)
order by timestamp desc;