Logging metric filter and alert for network firewall rule changes should be configured¶
Create or Update Firewall rule events indicate network access changes. Configuring a metric filter and alert for these changes may reduce the time it takes to detect suspicious activity.
Google Cloud Console¶
This is a two-part process. First, you create the log metric. Next, you create an alert policy.
Step 1: To create the log metric:
Navigate to Logs-based Metrics and click CREATE METRIC.
Ensure Metric Type is set to Counter.
Under Details, enter a name and description, and set Units to 1.
Under Filter selection, clear any text in the Build filter box and enter the following:
resource.type="gce_firewall_rule" AND (protoPayload.methodName:compute.firewalls.patch OR protoPayload.methodName:compute.firewalls.insert)
Click Create Metric.
Step 2: To create the alert policy:
Navigate to Logs-based Metrics and identify the newly created metric under the section User-defined Metrics.
Click the 3-dot icon in the rightmost column for the new metric and select Create alert from metric.
In the left sidebar, keep the defaults for the Alert Conditions sections, and under Alert Details, select Notifications and name.
Configure the desired notification channels in the section Configure notifications.
Name the alert and click Create Policy.