Skip to main content

πŸ“ Google Logging Log Metric Filter and Alerts for VPC Network Firewall Rule Changes do not exist 🟒

  • Contextual name: πŸ“ Log Metric Filter and Alerts for VPC Network Firewall Rule Changes do not exist 🟒
  • ID: /ce/ca/google/logging/vpc-network-firewall-rule-changes-monitoring
  • Located in: πŸ“ Google Logging

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

It is recommended that a metric filter and alarm be established for Virtual Private Cloud (VPC) Network Firewall rule changes.

Rationale​

Monitoring for Create or Update Firewall rule events gives insight to network access changes and may reduce the time it takes to detect suspicious activity.

Impact​

Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.

Audit​

From Google Cloud Console​

Ensure that the prescribed log metric is present:

  1. Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics.

  2. In the User-defined Metrics section, ensure at least one metric <Log_Metric_Name> is present with this filter text:

     resource.type="gce_firewall_rule" 
     AND (protoPayload.methodName:"compute.firewalls.patch" 
     OR protoPayload.methodName:"compute.firewalls.insert" 
     OR protoPayload.methodName:"compute.firewalls.delete")

Ensure that the prescribed alerting policy is present:

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

Create the prescribed log metric:

  1. Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC".

  2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.

  3. Clear any text and add:

     resource.type="gce_firewall_rule" 
     AND (protoPayload.methodName:"compute.firewalls.patch" 
     OR protoPayload.methodName:"compute.firewalls.insert" 
     OR protoPayload.methodName:"compute.firewalls.delete")

  4. Click Submit Filter. Display logs appear based on the filter text entered by the user.

  5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.

  6. Click Create Metric.

Create the prescribed Alert Policy:

  1. Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes - Level 2 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration49