Logging metric filter and alert for network firewall rule changes should be configured

Description

Create or Update Firewall rule events indicate network access changes. Configuring a metric filter and alert for these changes may reduce the time it takes to detect suspicious activity.

Remediation Steps

Google Cloud Console

This is a two-part process. First, you create the log metric. Next, you create an alert policy.

Step 1: To create the log metric:

  • Navigate to Logs-based Metrics and click CREATE METRIC.

  • Ensure Metric Type is set to Counter.

  • Under Details, enter a name and description, and set Units to 1.

  • Under Filter selection, clear any text in the Build filter box and enter the following:

resource.type="gce_firewall_rule"
AND (protoPayload.methodName:compute.firewalls.patch
OR protoPayload.methodName:compute.firewalls.insert)

  • Click Create Metric.

Step 2: To create the alert policy:

  • Navigate to Logs-based Metrics and identify the newly created metric under the section User-defined Metrics.

  • Click the 3-dot icon in the rightmost column for the new metric and select Create alert from metric.

  • In the left sidebar, keep the defaults for the Alert Conditions sections, and under Alert Details, select Notifications and name.

  • Configure the desired notification channels in the section Configure notifications.

  • Name the alert and click Create Policy.

gcloud CLI

  • To create the log metric:

    • gcloud beta logging metrics create

For flags, see Google Cloud’s CLI reference.

  • To create the alert policy:

    • gcloud alpha monitoring policies create

For flags, see Google Cloud’s CLI reference.
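The following Python script is an added example and is not code from the original page or from Google. It reproduces the metric filter given in Step 1, evaluates the same predicate locally against a few constructed audit-log entries so you can see which method names it does and does not count (note that compute.firewalls.delete is not covered by this filter), and generates the AlertPolicy JSON and the two gcloud invocations the CLI steps describe. The flags --description, --log-filter and --policy-from-file, the metric name firewall_rule_changes and the notification-channel path are assumptions to verify against the CLI reference; the script prints the commands rather than running them.

```python
"""Added example (not from the original page): reproduce the logs-based metric filter
for firewall-rule changes, check it against constructed audit-log entries, and
generate the alert-policy JSON and gcloud commands the remediation steps call for."""
import json
import shlex
import tempfile

# Filter text exactly as given in the Console remediation steps.
FIREWALL_CHANGE_FILTER = (
    'resource.type="gce_firewall_rule" '
    'AND (protoPayload.methodName:compute.firewalls.patch '
    'OR protoPayload.methodName:compute.firewalls.insert)'
)


def is_firewall_change(entry: dict) -> bool:
    """Same predicate as FIREWALL_CHANGE_FILTER, evaluated locally on one log entry.
    In Cloud Logging '=' is an exact match and ':' is the 'has' operator (a substring
    match), so a methodName such as 'v1.compute.firewalls.patch' also matches."""
    resource_type = entry.get("resource", {}).get("type")
    method = entry.get("protoPayload", {}).get("methodName", "")
    return resource_type == "gce_firewall_rule" and (
        "compute.firewalls.patch" in method or "compute.firewalls.insert" in method
    )


# Constructed sample entries shaped like Admin Activity audit logs (not real logs).
SAMPLE_ENTRIES = [
    {"resource": {"type": "gce_firewall_rule"},
     "protoPayload": {"methodName": "v1.compute.firewalls.insert"}},
    {"resource": {"type": "gce_firewall_rule"},
     "protoPayload": {"methodName": "v1.compute.firewalls.patch"}},
    {"resource": {"type": "gce_firewall_rule"},
     "protoPayload": {"methodName": "v1.compute.firewalls.delete"}},  # not counted
    {"resource": {"type": "gce_instance"},
     "protoPayload": {"methodName": "v1.compute.instances.insert"}},  # wrong resource
]


def count_matches(entries) -> int:
    """Number of entries the counter metric would increment on."""
    return sum(1 for e in entries if is_firewall_change(e))


def build_alert_policy(metric_name: str, channels: list,
                       display_name: str = "Firewall rule changes") -> dict:
    """AlertPolicy body for `gcloud alpha monitoring policies create --policy-from-file`
    (flag assumed). Fires whenever the counter sees at least one change in a 60 s window."""
    return {
        "displayName": display_name,
        "combiner": "OR",
        "conditions": [{
            "displayName": "Firewall rule created or updated",
            "conditionThreshold": {
                "filter": (f'metric.type="logging.googleapis.com/user/{metric_name}" '
                           'AND resource.type="gce_firewall_rule"'),
                "comparison": "COMPARISON_GT",
                "thresholdValue": 0,
                "duration": "0s",
                "aggregations": [{"alignmentPeriod": "60s",
                                  "perSeriesAligner": "ALIGN_COUNT"}],
            },
        }],
        "notificationChannels": channels,
    }


def gcloud_commands(metric_name: str, policy_path: str) -> list:
    """The two gcloud invocations from the CLI steps, as argv lists.
    --description, --log-filter and --policy-from-file are assumed flag names;
    confirm them against the CLI reference before running."""
    return [
        ["gcloud", "beta", "logging", "metrics", "create", metric_name,
         "--description=Firewall rule create/update events",
         f"--log-filter={FIREWALL_CHANGE_FILTER}"],
        ["gcloud", "alpha", "monitoring", "policies", "create",
         f"--policy-from-file={policy_path}"],
    ]


if __name__ == "__main__":
    print(f"{count_matches(SAMPLE_ENTRIES)} of {len(SAMPLE_ENTRIES)} sample entries match")
    channel = "projects/PROJECT_ID/notificationChannels/CHANNEL_ID"  # placeholder
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        json.dump(build_alert_policy("firewall_rule_changes", [channel]), f, indent=2)
    for argv in gcloud_commands("firewall_rule_changes", f.name):
        print(shlex.join(argv))  # printed for review, not executed
```

Running the script without arguments prints how many of the constructed entries the filter counts (two of four), writes the policy JSON to a temporary file, and prints the two gcloud commands with the filter correctly quoted so they can be reviewed before being run against a real project.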