GCP API calls indicating firewall modification
Description
AlphaSOC detected a modification to a GCP firewall rule: a rule was created, deleted, or updated. Firewall rules control which traffic may reach, or leave, GCP resources at the network level. Adversaries modify firewall rules to expose services to unauthorized access, to open outbound paths for data exfiltration, or to remove the controls that would otherwise block or surface their activity.
Impact
Unauthorized firewall modifications can expose internal services to the internet, allow attacker connections to compromised instances, or enable outbound data exfiltration. Deleting protective rules removes network-level security controls, while creating permissive rules opens new attack vectors.
Severity
| Severity | Condition |
|---|---|
| Informational | One unexpected property: action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review the Cloud Audit Logs (Admin Activity) for v1.compute.firewalls.delete, v1.compute.firewalls.insert, or v1.compute.firewalls.patch actions. For each entry, identify the affected rule from protoPayload.resourceName, the principal from protoPayload.authenticationInfo.principalEmail, and the caller IP and user agent from protoPayload.requestMetadata. For insert and patch actions, inspect the request payload: source ranges such as 0.0.0.0/0 combined with allowed ports are the changes most likely to expose a service to the internet.
If the change was unauthorized, revert the firewall rules to their previous configuration (the audit log entry records the requested change, and an infrastructure-as-code state file, if one exists, records the intended one). Review VPC flow logs for suspicious traffic during the window in which the modified rules were in effect; note that flow logs only exist for subnets where they were enabled beforehand. Rotate credentials for the compromised identity and tighten IAM so that the compute.firewalls.create, compute.firewalls.update and compute.firewalls.delete permissions are held only by the roles and service accounts that need them.
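The following script is an added example of the triage described above, not AlphaSOC's own detection code. It reads constructed, simplified Cloud Audit Log entries in JSON-lines form (project, principals, IP addresses and rule names are made up), keeps only the three firewall methods, scores each event against a hard-coded baseline of expected action, ASN, user agent and region using the severity table above, and flags requests whose source ranges cover the whole internet. The IP_ENRICHMENT table is a hypothetical stand-in for a GeoIP/ASN lookup, since audit logs carry only the caller IP; treating more than three unexpected properties as Medium is an assumption, as the table stops at three.

```python
"""Triage GCP firewall-rule audit events (added example, not AlphaSOC code)."""
import ipaddress
import json

# Audit-log methodName values named in the investigation guidance above.
FIREWALL_METHODS = {
    "v1.compute.firewalls.insert",
    "v1.compute.firewalls.delete",
    "v1.compute.firewalls.patch",
}

# Constructed sample: one simplified Cloud Audit Log entry per line, shaped like
# `gcloud logging read` output. Project, principals, IPs and rule names are made up.
SAMPLE_LOG = r"""
{"timestamp":"2024-05-01T08:00:00Z","protoPayload":{"methodName":"v1.compute.firewalls.patch","authenticationInfo":{"principalEmail":"terraform@example-project.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.10","callerSuppliedUserAgent":"Terraform/1.7.0"},"resourceName":"projects/example-project/global/firewalls/allow-internal","request":{"sourceRanges":["10.0.0.0/8"]}}}
{"timestamp":"2024-05-01T08:05:00Z","protoPayload":{"methodName":"v1.compute.instances.insert","authenticationInfo":{"principalEmail":"terraform@example-project.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.10","callerSuppliedUserAgent":"Terraform/1.7.0"},"resourceName":"projects/example-project/zones/europe-west1-b/instances/web-1","request":{}}}
{"timestamp":"2024-05-01T23:41:00Z","protoPayload":{"methodName":"v1.compute.firewalls.insert","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.7","callerSuppliedUserAgent":"python-requests/2.31"},"resourceName":"projects/example-project/global/firewalls/allow-ssh-any","request":{"sourceRanges":["0.0.0.0/0"],"alloweds":[{"IPProtocol":"tcp","ports":["22"]}]}}}
{"timestamp":"2024-05-02T09:12:00Z","protoPayload":{"methodName":"v1.compute.firewalls.delete","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.10","callerSuppliedUserAgent":"google-cloud-sdk gcloud/470.0.0"},"resourceName":"projects/example-project/global/firewalls/deny-all-ingress","request":{}}}
"""

# Hypothetical stand-in for a GeoIP/ASN service: audit logs carry only the caller IP.
IP_ENRICHMENT = {
    "203.0.113.10": {"asn": "AS64496", "region": "europe"},
    "198.51.100.7": {"asn": "AS64511", "region": "asia"},
}

# Assumed baseline for this project. In practice it is learned from history.
BASELINE = {
    "action": {"v1.compute.firewalls.patch", "v1.compute.firewalls.insert"},
    "asn": {"AS64496"},
    "user_agent": {"Terraform/1.7.0"},
    "region": {"europe"},
}

PROPERTIES = ("action", "asn", "user_agent", "region")


def opens_to_internet(request):
    """True if any requested source range covers the whole internet (v4 or v6)."""
    for rng in request.get("sourceRanges", []):
        if ipaddress.ip_network(rng, strict=False).prefixlen == 0:
            return True
    return False


def extract_event(entry):
    """Pull the properties the severity table scores, plus context for the analyst."""
    payload = entry["protoPayload"]
    meta = payload.get("requestMetadata", {})
    ip = meta.get("callerIp", "")
    geo = IP_ENRICHMENT.get(ip, {"asn": "unknown", "region": "unknown"})
    return {
        "timestamp": entry["timestamp"],
        "action": payload["methodName"],
        "principal": payload["authenticationInfo"]["principalEmail"],
        "caller_ip": ip,
        "asn": geo["asn"],
        "region": geo["region"],
        "user_agent": meta.get("callerSuppliedUserAgent", ""),
        "rule": payload["resourceName"].rsplit("/", 1)[-1],
        "opens_to_internet": opens_to_internet(payload.get("request", {})),
    }


def unexpected_properties(event, baseline=BASELINE):
    """Names of the scored properties that fall outside the baseline."""
    return [p for p in PROPERTIES if event[p] not in baseline[p]]


def severity(n_unexpected):
    """Map the count of unexpected properties onto the table (None when nothing is unexpected)."""
    if n_unexpected >= 3:  # the table stops at three; more is treated as Medium (assumption)
        return "Medium"
    return {1: "Informational", 2: "Low"}.get(n_unexpected)


def triage(log_text, baseline=BASELINE):
    """Keep firewall events from JSON-lines audit log text and score each one."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        if entry["protoPayload"]["methodName"] not in FIREWALL_METHODS:
            continue  # not a firewall modification, e.g. instances.insert
        event = extract_event(entry)
        event["unexpected"] = unexpected_properties(event, baseline)
        event["severity"] = severity(len(event["unexpected"]))
        findings.append(event)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['severity'] or 'none':<13} {f['action']:<30} "
              f"{f['rule']:<18} by {f['principal']} unexpected={f['unexpected']} "
              f"internet_exposed={f['opens_to_internet']}")
```

On the sample, the Terraform patch scores nothing, the late-night insert from an unfamiliar ASN, region and client scores Medium and is also the only change that exposes a port to 0.0.0.0/0, and the gcloud delete of deny-all-ingress scores Low because both the action and the user agent are outside the baseline. To pull real entries for this script, a filter such as protoPayload.methodName=~"v1.compute.firewalls.(insert|delete|patch)" with gcloud logging read returns the same fields used here.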
Known False Positives
- Authorized administrators configuring network access
- Infrastructure as Code deployments updating firewall rules
- DevOps teams opening access for new applications