Logging metric filter and alert for network firewall rule changes should be configured¶
Create or Update Firewall rule events indicate network access changes. Configuring a metric filter and alert for these changes may reduce the time it takes to detect suspicious activity.
Google Cloud Console¶
This is a two-part process. First, you create the log metric. Next, you create an alert policy.
Step 1: To create the log metric:
Navigate to Logs-based Metrics and click CREATE METRIC.
Ensure Metric Type is set to Counter.
Under Details, enter a name and description, and set Units to 1.
Under Filter selection, clear any text in the Build filter box and enter the following:
resource.type="gce_firewall_rule" AND (protoPayload.methodName:compute.firewalls.patch OR protoPayload.methodName:compute.firewalls.insert)
Click Create Metric.
Step 2: To create the alert policy:
Navigate to Logs-based Metrics and identify the newly created metric under the section User-defined Metrics.
Click the 3-dot icon in the rightmost column for the new metric and select Create alert from Metric.
In the Find resource type and metric section, remove the selected resource type and select Global as the resource type instead.
Set Aggregator to Count and set the desired time period.
Under Configuration, choose the alerting threshold and configuration that makes sense for your organization. For example, a threshold of zero (0) for the most recent value ensures that a notification is triggered for every owner change in the project:
Set `Configuration`: - Condition: above - Threshold: 0 - For: most recent value
Configure the desired notifications channels in the section Notifications.
Name the policy and click Save.