Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes. Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.
Risk Level: Low
Cloud Entity: GCP AlertPolicy
CloudGuard Rule ID: D9.GCP.LOG.22
Covered by Spectral: No
Category: Management Tools
GSL LOGIC
AlertPolicy where conditions contain [ conditionThreshold.logName] and enabled='true' should have conditions contain [ getResource('LogBasedMetric',conditionThreshold.logName) getValue('filter') ='resource.type="gce_firewall_rule" AND protoPayload.methodName:"compute.firewalls.patch" OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete"']
REMEDIATION
From Portal
Create the prescribed Log Metric:
- Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC".
- Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
- Clear any text and add:
resource.type="gce_firewall_rule"
AND protoPayload.methodName:"compute.firewalls.patch"
OR protoPayload.methodName:"compute.firewalls.insert"
OR protoPayload.methodName:"compute.firewalls.delete"
- Click Submit Filter. Display logs appear based on the filter text entered by the user.
- In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
- Click Create Metric.
Create the prescribed alert policy:
- Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
- Click the 3-dot icon in the rightmost column for the new metric and select 'Create alert from Metric'. A new page appears.
- Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the user's project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
```bash Terminal
4. Configure the desired notification channels in the section Notifications.
5. Name the policy and click Save.
**From TF**
1. Create log based metric with expected filter
2. Create an alerting policy with type 'metric' based on the previous created log based metric.
Resources;
google_logging_metric
google_monitoring_alert_policy
See below example;
resource "google_logging_metric" "my_log_metrics" {
project = "My-project-id"
name = "my-(custom)/metric"
filter = "resource.type="gce_firewall_rule" AND protoPayload.methodName="v1.compute.firewalls.patch" OR protoPayload.methodName="v1.compute.firewalls.insert"
description = "..."
metric_descriptor {
metric_kind = "DELTA"
value_type = "INT64"
}
}
And
resource "google_monitoring_alert_policy" "alert_policy" {
project = "My-project-id"
display_name = "My Alert Policy"
combiner = "OR"
conditions {
display_name = "test condition"
condition_threshold {
filter = "metric.type="logging.googleapis.com/user/my-(custom)/metric" AND resource.type="cloud_composer_environment""
duration = "0s"
comparison = "COMPARISON_GT"
}
}
}
**From Command Line**
1. Create the prescribed log metric. Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create
use the command:
gcloud beta logging metrics create METRIC_NAME --description="DESCRIPTION" --log-filter="LOG_FILTER"
2. You can find the notification channel ID using:
gcloud alpha monitoring channels list --filter='displayName="channel_name"' --format='value(name)'
3. Create the prescribed alert policy.Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create
-Create a json file with required properties and values for the policy(try creating a policy from console and then download it's json to have a reference) and use the command:
gcloud alpha monitoring policies create --policy-from-file="policyfile.json"
**References**
1. https://cloud.google.com/logging/docs/logs-based-metrics/
2. https://cloud.google.com/monitoring/custom-metrics/
3. https://cloud.google.com/monitoring/alerts/
4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging
5. https://cloud.google.com/vpc/docs/firewalls
6. https://workbench.cisecurity.org/sections/507170/recommendations/827556
## GCP AlertPolicy
Alerting policy describes the circumstances under which you want to be alerted and how you want to be notified. This page provides an overview of alerting policies
## Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Controls V 8
- GCP CIS Foundations v. 1.0.0
- GCP CIS Foundations v. 1.1.0
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
Updated over 1 year ago