Monitor for firewall rule creation
Description:
Monitoring firewall rule creation and update events gives you insight into network access changes, and can help you quickly detect suspicious activity.
Solution:
CREATE METRIC: Go to https://console.cloud.google.com/logs/viewer and click "CREATE METRIC". Click the drop-down menu on the right-hand side of the search bar and select "Convert to advanced filter", clear any text from the Advanced Filter box, and add the "RecommendedLogFilter" below.
Set "Type" to "Counter" and "Units" to 1 (default), fill out the remaining fields and click "Create Metric".
CREATE ALERT POLICY: Go to https://console.cloud.google.com/logs/metrics and, in the "User-defined Metrics" section, find the target metric (any one of the "QualifiedLogMetricNames"), click the three-dot icon in the rightmost column and select "Create alert from Metric".
On the "Create new alerting policy" page, configure the parameters you desire. For example, setting "Aggregator" to "Count", "Threshold" to 0, and "For" to "most recent value" will alert on every event. Click "Save" and make sure to set up a notification channel and then click "Save" again.
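The two console steps above can also be expressed non-interactively. The following is an added example, not part of the original page: it defines a log filter for firewall rule changes, applies the same filter semantics locally to a few constructed audit-log entries so you can see which events the Counter metric would count (insert, patch and delete, but not read-only calls such as get), and builds the equivalent gcloud commands and alert-policy document. The page does not reproduce its "RecommendedLogFilter"; the filter used here is the commonly used one for VPC firewall rule changes and is an assumption, as are the metric name, the policy file name, the notification channel placeholder and the mapping of the console's "Count" / "most recent value" settings onto the policy fields.

```python
# Added example (not from the original page): the console procedure above expressed as
# a log filter, a local matcher over sample entries, and the equivalent gcloud calls.
# ASSUMPTION: the page's "RecommendedLogFilter" is not reproduced; this filter is the
# commonly used one for VPC firewall rule changes in Cloud Audit Logs.
import json
import shlex
from typing import Iterable, List

FIREWALL_CHANGE_FILTER = (
    'resource.type="gce_firewall_rule" AND '
    '(protoPayload.methodName:"compute.firewalls.insert" OR '
    'protoPayload.methodName:"compute.firewalls.patch" OR '
    'protoPayload.methodName:"compute.firewalls.delete")'
)

# Method-name fragments the filter matches with the ':' (substring) operator, so
# versioned names such as "v1.compute.firewalls.insert" match as well.
WATCHED_METHODS = (
    "compute.firewalls.insert",
    "compute.firewalls.patch",
    "compute.firewalls.delete",
)

# Constructed audit-log entries (not captured data), reduced to the fields the filter reads.
SAMPLE_ENTRIES = [
    {"resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "v1.compute.firewalls.insert"}},
    {"resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "v1.compute.firewalls.patch"}},
    {"resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "v1.compute.firewalls.get"}},
    {"resource": {"type": "gce_instance"}, "protoPayload": {"methodName": "v1.compute.instances.insert"}},
    {"resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "beta.compute.firewalls.delete"}},
]


def matches_filter(entry: dict) -> bool:
    """Local equivalent of FIREWALL_CHANGE_FILTER applied to one log entry (as a dict)."""
    if entry.get("resource", {}).get("type") != "gce_firewall_rule":
        return False
    method = entry.get("protoPayload", {}).get("methodName", "")
    return any(fragment in method for fragment in WATCHED_METHODS)


def count_firewall_changes(entries: Iterable[dict]) -> int:
    """Number of entries a Counter metric with this filter would count."""
    return sum(1 for entry in entries if matches_filter(entry))


def alert_policy(metric_name: str, notification_channel: str) -> dict:
    """Alert policy document matching the page's settings: Count, threshold 0, most recent value.
    The field mapping is an assumption about how the console settings translate."""
    return {
        "displayName": "Firewall rule changes",
        "combiner": "OR",
        "conditions": [{
            "displayName": "Any firewall rule change",
            "conditionThreshold": {
                "filter": f'metric.type="logging.googleapis.com/user/{metric_name}"',
                "comparison": "COMPARISON_GT",
                "thresholdValue": 0,          # "Threshold": 0
                "duration": "0s",             # "For": most recent value
                "aggregations": [{
                    "alignmentPeriod": "60s",
                    "perSeriesAligner": "ALIGN_COUNT",  # "Aggregator": Count
                }],
            },
        }],
        "notificationChannels": [notification_channel],  # placeholder channel resource name
    }


def gcloud_commands(metric_name: str, policy_file: str) -> List[str]:
    """The two console steps as gcloud invocations (metric, then alert policy from a file)."""
    return [
        "gcloud logging metrics create {} --description={} --log-filter={}".format(
            shlex.quote(metric_name),
            shlex.quote("Firewall rule create/update/delete events"),
            shlex.quote(FIREWALL_CHANGE_FILTER),
        ),
        "gcloud alpha monitoring policies create --policy-from-file={}".format(shlex.quote(policy_file)),
    ]


if __name__ == "__main__":
    print("matched sample entries:", count_firewall_changes(SAMPLE_ENTRIES))  # 3 of 5
    policy = alert_policy("firewall_rule_changes", "projects/PROJECT_ID/notificationChannels/CHANNEL_ID")
    with open("policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    for cmd in gcloud_commands("firewall_rule_changes", "policy.json"):
        print(cmd)
```

Running the script writes policy.json and prints the two gcloud commands; the local matcher is there so the filter can be sanity-checked against exported log entries before the metric is created, which is useful when adjusting the filter (for example, adding compute.firewalls.update) to confirm it still excludes read-only methods.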
Reference:
https://cloud.google.com/vpc/docs/firewalls