Risk Level: Low
Cloud Entity: GCP AlertPolicy
CloudGuard Rule ID: D9.GCP.LOG.22
Covered by Spectral: No
Category: Management Tools

GSL LOGIC

AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type="gce_firewall_rule" AND protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete"']

REMEDIATION

From Portal
Create the prescribed Log Metric:

Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC".
Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
Clear any text and add:

resource.type="gce_firewall_rule"
AND protoPayload.methodName:"compute.firewalls.patch"
OR protoPayload.methodName:"compute.firewalls.insert"
OR protoPayload.methodName:"compute.firewalls.delete"

Click Submit Filter. Display logs appear based on the filter text entered by the user.
In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
Click Create Metric.

Create the prescribed alert policy:

Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
Click the 3-dot icon in the rightmost column for the new metric and select 'Create alert from Metric'. A new page appears.
Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the user's project:

Set `Aggregator` to `Count`

Set `Configuration`:

- Condition: above

- Threshold: 0

- For: most recent value

Configure the desired notification channels in the section Notifications.
Name the policy and click Save.

From TF

Create log based metric with expected filter
Create an alerting policy with type 'metric' based on the previous created log based metric.

Resources; google_logging_metric google_monitoring_alert_policy

See below example;

resource "google_logging_metric" "my_log_metrics" {
  project = "My-project-id"
  name = "my-(custom)/metric"
  filter = "resource.type=\"gce_firewall_rule\" AND protoPayload.methodName=\"v1.compute.firewalls.patch\" OR protoPayload.methodName=\"v1.compute.firewalls.insert\""
  description = "..."
  metric_descriptor {
    metric_kind = "DELTA"
    value_type  = "INT64"
  }
}

resource "google_monitoring_alert_policy" "alert_policy" {
  project = "My-project-id"
  display_name = "My Alert Policy"
  combiner = "OR"
  conditions {
    display_name = "test condition"
    condition_threshold {
      filter = "metric.type=\"logging.googleapis.com/user/my-(custom)/metric\" AND resource.type=\"cloud_composer_environment\""
      duration   = "0s"
      comparison = "COMPARISON_GT"
    }
  }
}

From Command Line

Create the prescribed log metric. Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create
use the command:

gcloud beta logging metrics create METRIC_NAME --description="DESCRIPTION" --log-filter="LOG_FILTER"

You can find the notification channel ID using:

gcloud alpha monitoring channels list --filter='displayName="channel_name"' --format='value(name)'

Create the prescribed alert policy.Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create -Create a json file with required properties and values for the policy(try creating a policy from console and then download it's json to have a reference) and use the command:

gcloud alpha monitoring policies create --policy-from-file="policyfile.json"

References

GCP AlertPolicy

Alerting policy describes the circumstances under which you want to be alerted and how you want to be notified. This page provides an overview of alerting policies

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Controls V 8
GCP CIS Foundations v. 1.0.0
GCP CIS Foundations v. 1.1.0
GCP CIS Foundations v. 1.2.0
GCP CIS Foundations v. 1.3.0
GCP CIS Foundations v. 2.0
GCP CloudGuard Best Practices
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5