GCP-Log-metric-filter-and-alert-disable-for-VPC-Network-Firewall-rule-changes

Severity: Low

Description: This control identifies the GCP accounts which do not have a log metric filter and alert for VPC Network Firewall rule changes. Monitoring for Create or Update firewall rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.

Remediation Steps:

Perform the following steps to enable a metric filter and alert for VPC Network Firewall rule changes:

  1. Sign in to GCP Console https://console.cloud.google.com.

  2. Navigate to Logs-based metrics under section Operations-Logging.

  3. Click on CREATE METRIC.

  4. Provide Metric Type and Details. In Filter selection, add the following filter (the two event subtypes are grouped in parentheses so that both are scoped to the gce_firewall_rule resource type; without the grouping, AND binds tighter than OR in the Logging query language):

    • resource.type="gce_firewall_rule" AND (jsonPayload.event_subtype="compute.firewalls.patch" OR jsonPayload.event_subtype="compute.firewalls.insert")

  5. Click on CREATE METRIC.

  6. Under the User-defined metrics section, choose the metric you created in step 4 and click the kebab menu (vertical 3 dots) on the right side of the metric.

  7. From the kebab menu (vertical 3 dots), click Create alert from metric; this navigates to the Monitoring section.

  8. For step 1, enter any name for the condition and, under the Find resource type and metric section, select the metric name created in step 4; choose appropriate values for the other alert condition parameters as desired.

  9. Click ADD, then click NEXT.

  10. For step 2, set the Notification channel type, then click NEXT.

  11. For step 3, Name the alert policy.

  12. Click on SAVE.
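As an added example (not part of the control text), the following Python applies the step 4 filter logic to constructed log entries so you can see exactly which events the metric counts; the positions of the actor and rule-name fields inside jsonPayload are assumptions.

```python
"""Apply the remediation's firewall-change filter to sample log entries."""
import json

# The filter from step 4, with the two event subtypes grouped so that both
# are scoped to gce_firewall_rule resources.
FIREWALL_CHANGE_FILTER = (
    'resource.type="gce_firewall_rule" AND '
    '(jsonPayload.event_subtype="compute.firewalls.patch" '
    'OR jsonPayload.event_subtype="compute.firewalls.insert")'
)
WATCHED_SUBTYPES = ("compute.firewalls.patch", "compute.firewalls.insert")

# Constructed sample entries (not captured from a real project); the actor
# and rule name are assumed to sit inside jsonPayload as shown.
SAMPLE_LOG_LINES = [
    '{"resource": {"type": "gce_firewall_rule"}, "jsonPayload": {'
    '"event_subtype": "compute.firewalls.insert", '
    '"resource": {"name": "allow-ssh-any"}, "actor": {"user": "alice@example.com"}}}',
    '{"resource": {"type": "gce_firewall_rule"}, "jsonPayload": {'
    '"event_subtype": "compute.firewalls.patch", '
    '"resource": {"name": "allow-db"}, "actor": {"user": "bob@example.com"}}}',
    '{"resource": {"type": "gce_firewall_rule"}, "jsonPayload": {'
    '"event_subtype": "compute.firewalls.get", '
    '"resource": {"name": "allow-db"}, "actor": {"user": "bob@example.com"}}}',
    '{"resource": {"type": "gce_instance"}, "jsonPayload": {'
    '"event_subtype": "compute.instances.insert", '
    '"resource": {"name": "web-1"}, "actor": {"user": "carol@example.com"}}}',
]


def is_firewall_rule_change(entry: dict) -> bool:
    """True when this entry would count towards the logs-based metric."""
    resource_type = entry.get("resource", {}).get("type")
    subtype = entry.get("jsonPayload", {}).get("event_subtype")
    return resource_type == "gce_firewall_rule" and subtype in WATCHED_SUBTYPES


def summarize_changes(log_lines):
    """Return (rule name, event subtype, actor) for each matching entry."""
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        if is_firewall_rule_change(entry):
            payload = entry["jsonPayload"]
            hits.append((payload.get("resource", {}).get("name", "?"),
                         payload["event_subtype"],
                         payload.get("actor", {}).get("user", "unknown")))
    return hits
```

Running summarize_changes(SAMPLE_LOG_LINES) yields only the insert and patch entries; the read-only get and the instance event are ignored, which is the behaviour the alert should have.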

Important:

It is recommended to create a metric filter and alert to detect VPC Network Firewall rule changes.

Reference:

Blue Hexagon Proprietary