
3.11 - Unusual number of firewall rules modified in the last 7 days

Unusual number of firewall rules modified on any given day in the last 7 days, where unusual is defined as daily_count > avg(daily_count) + 2 * stddev(daily_count), and daily_count is the number of change actions on a given day. Aggregate averages and standard deviations are computed for each day looking back at the preceding daily counts. Default lookback window is the last 90 days.

Category: Cloud Provisioning Activity
Use Cases: Detect
Data Sources: Audit Logs - Admin Activity

Queries or Rules

| BigQuery | Log Analytics | Google SecOps |
| --- | --- | --- |
| SQL | SQL | Contribute rule |
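The threshold defined above, worked through in Python on constructed data. This is an added example, not the project's BigQuery or Log Analytics query. It assumes the input is one date per firewall rule change action already extracted from Admin Activity audit logs, that days with no changes count as 0 in the baseline, and that the standard deviation is the sample standard deviation; the function names are hypothetical.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import mean, stdev


def unusual_days(change_dates, as_of, lookback=90, report=7, k=2):
    """Flag days in the `report` days ending at `as_of` whose count of change
    actions exceeds avg + k * stddev of the preceding `lookback` daily counts.
    Returns a list of (day, daily_count, threshold)."""
    counts = Counter(change_dates)
    flagged = []
    for offset in range(report - 1, -1, -1):
        day = as_of - timedelta(days=offset)
        # Baseline = the preceding days only (the day under test is excluded).
        # Assumption of this example: days with no changes count as 0.
        baseline = [counts.get(day - timedelta(days=i), 0)
                    for i in range(1, lookback + 1)]
        threshold = mean(baseline) + k * stdev(baseline)  # sample stddev
        if counts.get(day, 0) > threshold:
            flagged.append((day, counts[day], round(threshold, 2)))
    return flagged


def constructed_sample(as_of):
    """Constructed data: 0-2 changes per day for 97 days, plus one burst of
    12 changes two days before `as_of`. One list entry per change action."""
    dates = []
    for i in range(97):
        n = 12 if i == 2 else i % 3
        dates += [as_of - timedelta(days=i)] * n
    return dates


if __name__ == "__main__":
    as_of = date(2024, 6, 30)
    for day, n, limit in unusual_days(constructed_sample(as_of), as_of):
        print(f"{day}: {n} firewall rule changes (threshold {limit})")
```

Because each day is compared only against the days before it, the burst does not raise its own threshold, but it does raise the baseline for the days that follow it.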

Event Generation

No event generation steps provided. Contribute emulation test to this use case.

Sample Event

No log samples provided. Contribute log samples to this use case.