Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
'Detects when a Google Cloud Platform firewall rule is created or modified to allow traffic from any source (0.0.0.0/0 or 0.0.0.0). Open firewall rules expose resources to the internet and can significantly increase the attack surface of cloud infrastructure. This may indicate a misconfiguration, lack of security awareness, or malicious activity to create backdoor access. Adversaries may create or modify firewall rules to enable persistent access or facilitate lateral movement. This rule monitor
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Google Cloud Platform Audit Logs |
| ID | 8061c611-55f1-4ee5-a8f8-8f19f2c7aab2 |
| Severity | High |
| Status | Available |
| Kind | Scheduled |
| Tactics | DefenseEvasion, Persistence, InitialAccess |
| Techniques | T1562.004, T1133, T1562.001 |
| Required Connectors | GCPAuditLogsDefinition |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
GCPAuditLogs |
GCPResourceType == "gce_firewall_rule"MethodName has "insert"MethodName has "patch"MethodName has_any "firewalls.insert"ServiceName == "compute.googleapis.com"Severity == "NOTICE" |
✓ | ✓ | ✓ |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Analytic Rules · Back to Google Cloud Platform Audit Logs