From 5ff3844fbe4e3668207019049244090d162f50d0 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 21 Jul 2022 11:56:28 -0400
Subject: [PATCH] [Rule Tuning] GCP Firewall Rules Should Include App Engine (#2107)

* removed googlecloud.audit and added app engine event actions
* adjusted query for rule created
* adjusted queries to exclude v1
* Update rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

---
 ...nse_evasion_gcp_firewall_rule_created.toml | 19 +++++++++++--------
 ...nse_evasion_gcp_firewall_rule_deleted.toml | 17 ++++++++++-------
 ...se_evasion_gcp_firewall_rule_modified.toml | 18 +++++++++++-------
 3 files changed, 32 insertions(+), 22 deletions(-)

diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index a74e6bfe2..30f92a924 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -1,16 +1,16 @@
 [metadata]
 creation_date = "2020/09/21"
-maturity = "production"
-updated_date = "2021/07/20"
 integration = "gcp"
+maturity = "production"
+updated_date = "2022/07/15"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when a firewall rule is created in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules
-can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may create a new
-firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic
-flows for their benefit.
+Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine.
+These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or
+specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls
+and allow more permissive ingress or egress traffic flows for their benefit.
 """
 false_positives = [
     """
@@ -25,7 +25,10 @@ name = "GCP Firewall Rule Creation"
 note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = ["https://cloud.google.com/vpc/docs/firewalls"]
+references = [
+    "https://cloud.google.com/vpc/docs/firewalls",
+    "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls",
+]
 risk_score = 21
 rule_id = "30562697-9859-4ae0-a8c5-dab45d664170"
 severity = "low"
@@ -34,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.insert
+event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)
 '''
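Review bot: The new query in the last hunk here matches only `event.dataset:gcp.audit`, yet the Setup note kept as context in the second hunk still names the Filebeat module as a compatible source; if that module ever ships under the dropped `googlecloud.audit` dataset, those events now fall silently outside the rule's scope. I would make the dataset requirement explicit in the note, e.g. `The GCP Fleet integration, Filebeat module, or similarly structured data (event.dataset:gcp.audit) is required to be compatible with this rule.`, or keep `googlecloud.audit` in the filter until that data is confirmed gone. Replacing `v*.` with a bare `*.` also turns the compute term into a leading wildcard on `event.action`, which is slower to evaluate and fails outright where Kibana's `query:allowLeadingWildcards` setting is disabled; listing the known API versions or keeping `v*.` avoids both. The commit message says the queries now "exclude v1", but `*.compute.firewalls.insert` still matches `v1.compute.firewalls.insert`, so either the message or the pattern seems to be off. The same points apply to the deletion and modification query hunks below.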
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index 710e22b12..bf6db7372 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -1,15 +1,15 @@
 [metadata]
 creation_date = "2020/09/21"
-maturity = "production"
-updated_date = "2021/07/20"
 integration = "gcp"
+maturity = "production"
+updated_date = "2022/07/15"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when a firewall rule is deleted in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules
-can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may delete a
-firewall rule in order to weaken their target's security controls.
+Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine.
+These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or
+specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls.
 """
 false_positives = [
     """
@@ -24,7 +24,10 @@ name = "GCP Firewall Rule Deletion"
 note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = ["https://cloud.google.com/vpc/docs/firewalls"]
+references = [
+    "https://cloud.google.com/vpc/docs/firewalls",
+    "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls",
+]
 risk_score = 47
 rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1"
 severity = "medium"
@@ -33,7 +36,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.delete
+event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)
 '''
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index fdfd02114..ff7252261 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -1,15 +1,16 @@
 [metadata]
 creation_date = "2020/09/21"
-maturity = "production"
-updated_date = "2021/07/20"
 integration = "gcp"
+maturity = "production"
+updated_date = "2022/07/15"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when a firewall rule is modified in Google Cloud Platform (GCP). Virtual Private Cloud (VPC) firewall rules
-can be configured to allow or deny connections to or from virtual machine (VM) instances. An adversary may modify a
-firewall rule in order to weaken their target's security controls.
+Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App
+Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or
+specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security
+controls and allow more permissive ingress or egress traffic flows for their benefit.
 """
 false_positives = [
     """
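Review bot: The App Engine term added to the deletion query, `google.appengine.*.Firewall.Delete*Rule`, covers only single-rule deletion; the Admin API's `BatchUpdateIngressRules` replaces the whole ingress rule set in one call and so can drop or rewrite rules without ever emitting `DeleteIngressRule`, and the trailing `s` keeps it from matching `Delete*Rule` here or `Update*Rule` in the modification rule's query hunk below. I would list it explicitly in both, e.g. `event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule or google.appengine.*.Firewall.BatchUpdateIngressRules)`. A batch replacement is also worth a sentence in each rule's `note` so a triaging analyst knows the event reflects the full new rule set rather than a single rule.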
@@ -24,7 +25,10 @@ name = "GCP Firewall Rule Modification"
 note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = ["https://cloud.google.com/vpc/docs/firewalls"]
+references = [
+    "https://cloud.google.com/vpc/docs/firewalls",
+    "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls",
+]
 risk_score = 47
 rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b"
 severity = "medium"
@@ -33,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:(googlecloud.audit or gcp.audit) and event.action:v*.compute.firewalls.patch
+event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)
 '''
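Review bot: The modification query in the last hunk still matches only `*.compute.firewalls.patch` on the VPC side, but the Compute Engine API also exposes `firewalls.update`, the full-replacement method, which audit logs record under its own method name and which can loosen a rule just as effectively as a patch. Since the commit's stated aim is broader coverage of firewall changes, I would widen the compute term to `event.action:(*.compute.firewalls.patch or *.compute.firewalls.update or google.appengine.*.Firewall.Update*Rule)`. The description rewritten in the first hunk of this file says "modified to allow or deny", which already reads as covering both methods, so the query should match the text.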