[Rule Tuning] GCP Firewall Rules Should Include App Engine (#2107)

* removed googlecloud.audit and added app engine event actions

* adjusted query for rule created

* adjusted queries to exclude v1

* Update rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Terrance DeJesus
2022-07-21 11:56:28 -04:00
committed by GitHub
parent d854b943e5
commit 5ff3844fbe
3 changed files with 32 additions and 22 deletions
@@ -1,16 +1,16 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/07/20"
integration = "gcp"
maturity = "production"
updated_date = "2022/07/15"
[rule]
author = ["Elastic"]
description = """
Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules
can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new
firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic
flows for their benefit.
Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine.
These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or
specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls
and allow more permissive ingress or egress traffic flows for their benefit.
"""
false_positives = [
"""
@@ -25,7 +25,10 @@ name = "GCP Firewall Rule Creation"
note = """## Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/firewalls"]
references = [
"https://cloud.google.com/vpc/docs/firewalls",
"https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls",
]
risk_score = 21
rule_id = "30562697-9859-4ae0-a8c5-dab45d664170"
severity = "low"
@@ -34,7 +37,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert
event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)
'''
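Review bot: The new `event.action` patterns on L56, L93 and L131 all start with a bare leading wildcard (`*.compute.firewalls.insert`, `*.compute.firewalls.delete`, `*.compute.firewalls.patch`), which turns the previous prefix-anchored `v*` match into an unanchored wildcard over the `event.action` keyword field; that is costlier to evaluate and depends on Kibana's `query:allowLeadingWildcards` setting being enabled, so the reason for it should be recorded. If the intent behind "adjusted queries to exclude v1" is to also catch non-`v1` API surfaces (for example `beta.compute.firewalls.insert`, if that is the motivation), listing the prefixes explicitly, e.g. `event.action:((v*.compute.firewalls.insert or beta.compute.firewalls.insert) or google.appengine.*.Firewall.Create*Rule)`, keeps the match anchored and self-documenting; the same applies to the delete and patch queries. Separately, the App Engine Admin API also has a batch method (I believe logged as `google.appengine.v1.Firewall.BatchUpdateIngressRules`) that replaces the whole ingress rule set; its name ends in `Rules`, so the `Update*Rule` pattern in the modification query on L131 will not match it, and either adding `google.appengine.*.Firewall.BatchUpdateIngressRules` there or noting the gap in that rule's `note` would help. Each query hunk ends at the closing `'''`; the remainder of the rule files is outside the hunks.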
@@ -1,15 +1,15 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/07/20"
integration = "gcp"
maturity = "production"
updated_date = "2022/07/15"
[rule]
author = ["Elastic"]
description = """
Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules
can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a
firewall rule in order to weaken their target's security controls.
Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine.
These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or
specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls.
"""
false_positives = [
"""
@@ -24,7 +24,10 @@ name = "GCP Firewall Rule Deletion"
note = """## Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/firewalls"]
references = [
"https://cloud.google.com/vpc/docs/firewalls",
"https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls",
]
risk_score = 47
rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1"
severity = "medium"
@@ -33,7 +36,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete
event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)
'''
@@ -1,15 +1,16 @@
[metadata]
creation_date = "2020/09/21"
maturity = "production"
updated_date = "2021/07/20"
integration = "gcp"
maturity = "production"
updated_date = "2022/07/15"
[rule]
author = ["Elastic"]
description = """
Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules
can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a
firewall rule in order to weaken their target's security controls.
Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App
Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or
specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security
controls and allow more permissive ingress or egress traffic flows for their benefit.
"""
false_positives = [
"""
@@ -24,7 +25,10 @@ name = "GCP Firewall Rule Modification"
note = """## Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/vpc/docs/firewalls"]
references = [
"https://cloud.google.com/vpc/docs/firewalls",
"https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls",
]
risk_score = 47
rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b"
severity = "medium"
@@ -33,7 +37,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch
event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)
'''