Detection: Compute Firewall Rule Deleted
Overview
Detect when a Compute firewall rule was deleted. Firewall rule deletions can leave resources unprotected and expose them to unauthorized access. Monitoring these actions helps maintain network security.
References:
Usage
Run the detection in your terminal:
powerpipe detection run gcp_audit_log_detections.detection.compute_firewall_rule_deletedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run gcp_audit_log_detections.detection.compute_firewall_rule_deleted --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,method_name as operation,resource_name as resource,authentication_info.principal_email as actor,tp_source_ip as source_ip,tp_index as project,tp_id as source_id,-- Create new aliases to preserve original row data*
from gcp_audit_logwhere method_name ilike '%.compute.firewalls.delete' and severity != 'Error'-- TODO: Do we need to check operation?-- and (operation_src is null or operation_src.last = true)
order by timestamp desc;