Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-gcp-audit-log-detections
Overview
3Dashboards
40Benchmarks
47Queries
1Variables
GitHub

Detection: Compute Firewall Rule Deleted

Overview

Detect when a Compute firewall rule was deleted. Firewall rule deletions can leave resources unprotected and expose them to unauthorized access. Monitoring these actions helps maintain network security.

References:

Usage

Run the detection in your terminal:

powerpipe detection run gcp_audit_log_detections.detection.compute_firewall_rule_deleted

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run gcp_audit_log_detections.detection.compute_firewall_rule_deleted --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
method_name as operation,
resource_name as resource,
authentication_info.principal_email as actor,
tp_source_ip as source_ip,
tp_index as project,
tp_id as source_id,
-- Create new aliases to preserve original row data
operation as operation_src,
resource as resource_src,
*
exclude operation, resource


from
  gcp_audit_log
where
  method_name ilike '%.compute.firewalls.delete'
  and severity != 'Error'


order by
  timestamp desc;

Tags

category = Detection
folder = Compute
mitre_attack_ids = TA0005:T1578.005
plugin = gcp
service = GCP/Compute