Logging metric filter and alert for network firewall rule changes should be configured

Description

Create or Update Firewall rule events indicate network access changes. Configuring a metric filter and alert for these changes may reduce the time it takes to detect suspicious activity.

Remediation Steps

Google Cloud Console

This is a two-part process. First, you create the log metric. Next, you create an alert policy.

Step 1: To create the log metric:

  • Navigate to Logs-based Metrics and click CREATE METRIC.

  • Ensure Metric Type is set to Counter.

  • Under Details, enter a name and description, and set Units to 1.

  • Under Filter selection, clear any text in the Build filter box and enter the following:

resource.type="gce_firewall_rule"
AND (protoPayload.methodName:compute.firewalls.patch
OR protoPayload.methodName:compute.firewalls.insert)

  • Click Create Metric.

Step 2: To create the alert policy:

  • Navigate to Logs-based Metrics and identify the newly created metric under the section User-defined Metrics.

  • Click the 3-dot icon in the rightmost column for the new metric and select Create alert from Metric.

  • In the Find resource type and metric section, remove the selected resource type and select Global as the resource type instead.

  • Set Aggregator to Count and set the desired time period.

  • Under Configuration, choose the alerting threshold and configuration that make sense for your organization. For example, a threshold of zero (0) for the most recent value ensures that a notification is triggered for every firewall rule change in the project:

Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value

  • Click Save.

  • Configure the desired notifications channels in the section Notifications.

  • Name the policy and click Save.
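To see what the filter and the threshold above actually select, here is an added Python example (not from the benchmark or from Google Cloud): it applies the page's filter to a few constructed Cloud Audit Log entries and then applies the page's "above 0" condition to the resulting count. The entry field names follow the layout the filter references; the sample entries, method names and principals are constructed.

```python
# Added example, not from the benchmark page: applies the page's log filter to
# constructed Cloud Audit Log entries, then applies the page's alert threshold.

FILTER_RESOURCE_TYPE = "gce_firewall_rule"
# The filter uses ':' (has), a substring match, so versioned method names such
# as "v1.compute.firewalls.insert" or "beta.compute.firewalls.patch" match.
FILTER_METHOD_TERMS = ("compute.firewalls.patch", "compute.firewalls.insert")

# Constructed sample entries (not real logs), trimmed to the fields the filter reads.
SAMPLE_ENTRIES = [
    {"resource": {"type": "gce_firewall_rule"},
     "protoPayload": {"methodName": "v1.compute.firewalls.insert",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"resource": {"type": "gce_firewall_rule"},
     "protoPayload": {"methodName": "beta.compute.firewalls.patch",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    # Not matched: the page's filter names only patch and insert, not delete.
    {"resource": {"type": "gce_firewall_rule"},
     "protoPayload": {"methodName": "v1.compute.firewalls.delete",
                      "authenticationInfo": {"principalEmail": "carol@example.com"}}},
    # Not matched: a different resource type, even though it is also a write.
    {"resource": {"type": "gce_instance"},
     "protoPayload": {"methodName": "v1.compute.instances.insert",
                      "authenticationInfo": {"principalEmail": "dave@example.com"}}},
]

def matches_filter(entry):
    """True if the entry satisfies the page's logs-based metric filter."""
    if entry.get("resource", {}).get("type") != FILTER_RESOURCE_TYPE:
        return False
    method = entry.get("protoPayload", {}).get("methodName", "").lower()
    return any(term in method for term in FILTER_METHOD_TERMS)

def matching_changes(entries):
    """(methodName, principalEmail) of every entry the counter metric counts."""
    return [(e["protoPayload"]["methodName"],
             e["protoPayload"]["authenticationInfo"]["principalEmail"])
            for e in entries if matches_filter(e)]

def should_alert(entries, threshold=0):
    """Page's policy: condition 'above', threshold 0, on the metric's count."""
    return len(matching_changes(entries)) > threshold

if __name__ == "__main__":
    for method, who in matching_changes(SAMPLE_ENTRIES):
        print(f"firewall rule change: {method} by {who}")
    print("alert:", should_alert(SAMPLE_ENTRIES))  # True: two matching changes
```

Note that, as written on the page, the filter does not count `compute.firewalls.delete` events, so a rule removal would not trip this alert.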

gcloud CLI

  • To create the log metric:

    • gcloud beta logging metrics create

For flags, see Google Cloud’s CLI reference.

  • To create the alert policy:

    • gcloud alpha monitoring policies create

For flags, see Google Cloud’s CLI reference.