Skip to content

Add GCP rule: Firewall Rule Deleted#2183

Open
developutm wants to merge 1 commit into
release/v11.2.9from
feature/google-rule-gcp_firewall_rule_deleted
Open

Add GCP rule: Firewall Rule Deleted#2183
developutm wants to merge 1 commit into
release/v11.2.9from
feature/google-rule-gcp_firewall_rule_deleted

Conversation

@developutm

@developutm developutm commented Jun 9, 2026

Copy link
Copy Markdown
  • A detailed explanation of the changes: Adds detection for deletion of GCP VPC firewall rules.
  • The reasoning behind these changes: Attackers may delete security rules such as egress filters or blocking rules to facilitate data exfiltration or lateral movement (Impact - T1562).
  • Reference: N/A

@developutm developutm requested a review from a team June 9, 2026 14:08
@github-actions

github-actions Bot commented Jun 9, 2026

Copy link
Copy Markdown

❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output 
🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./as400:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./as400/updater:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/stats:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/inputs:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/azure:
     - github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.21.1 → v1.22.0
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.24
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.23
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/aws/aws-sdk-go-v2/service/sts: v1.42.1 → v1.43.3
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/geolocation:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/alerts:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/o365:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/soc-ai:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/config:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/events:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2: v1.41.7 → v1.42.0
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.24
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.23
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/gcp:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/bitdefender:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/feeds:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0

  📁 ./plugins/sophos:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/crowdstrike:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent-manager:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sys: v0.45.0 → v0.46.0

  📁 ./utmstack-collector:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

�[0;31m❌ Please update dependencies before merging.�[0m

@github-actions

github-actions Bot commented Jun 9, 2026

Copy link
Copy Markdown

⚠️ AI review — Changes requested

One or more prompts found issues the author should fix before merging. Details below.

architecture (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: Addition of a new detection rule; no architectural deviations or structural changes detected.

No findings.

⚠️ bugs (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Found a typo in the documentation link and a potential logic error in the rule filter.

  • medium rules/cloud/google/gcp_firewall_rule_deleted.yml:10 — Typo in reference URL: 'cal-categories' should likely be 'audit-categories' (https://cloud.google.com/logging/docs/audit/audit-categories#compute_engine).
  • medium rules/cloud/google/gcp_firewall_rule_deleted.yml:29 — Potential logic error: 'v1.compute.firewalls.delete' is likely incorrect. GCP audit logs typically use 'v1.compute.firewalls.delete' as a method name, but the prefix 'v1.' is often not part of the method name string in standard GCP audit logs. Verify if the filter will match actual logs.

security (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: New detection rule for GCP firewall deletions; no vulnerabilities or information disclosure identified.

No findings.

utmstackprapprover[bot]
utmstackprapprover Bot suggested changes Jun 9, 2026
View reviewed changes

@utmstackprapprover utmstackprapprover Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes requested — see approver comments above.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@utmstackprapprover utmstackprapprover[bot] utmstackprapprover[bot] requested changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@developutm