🚀Launch Week 09, June 30th - July 4th, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-gcp-audit-log-detections
Overview
3Dashboards
40Benchmarks
47Queries
1Variables
GitHub

Detection: Compute Firewall Rule Deleted

Overview

Detect when a Compute firewall rule was deleted. Firewall rule deletions can leave resources unprotected and expose them to unauthorized access. Monitoring these actions helps maintain network security.

References:

Usage

Run the detection in your terminal:

powerpipe detection run gcp_audit_log_detections.detection.compute_firewall_rule_deleted

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run gcp_audit_log_detections.detection.compute_firewall_rule_deleted --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  method_name as operation,
  resource_name as resource,
  authentication_info.principal_email as actor,
  tp_source_ip as source_ip,
  tp_index as project,
  tp_id as source_id,
  -- Create new aliases to preserve original row data
  operation as operation_src,
  resource as resource_src,
  * exclude operation,
  resource
from
  gcp_audit_log
where
  method_name ilike '%.compute.firewalls.delete'
  and severity != 'Error'
order by
  timestamp desc;

Tags

category = Detection
folder = Compute
mitre_attack_ids = TA0005:T1578.005
plugin = gcp
service = GCP/Compute