Skip to content

compute.firewalls.delete

GCP

compute.firewalls.delete

service: GCP - Compute Engine
techniques:

Event

Deletes a firewall rule from a GCP VPC network.

Security Context

  • Modifying network security controls can open unauthorized access paths while removing evidence of the original restrictive configuration.

Log Source

Cloud Audit Logs

Sample Event

Draco deletes the billywig-public-ingress firewall rule that restricts inbound 443 traffic to the BILLYWIG edge VPC, widening exposure or covering the tracks of an earlier firewalls.patch (T1686.001). Compute LROs emit a paired last entry on completion (progress: 100, status: DONE, operation.last: true); the first entry below is what defenders alert on.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.firewall-rules.delete invocation-id/90000000000000000000000000000010 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T14:17:33.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.firewalls.delete",
"authorizationInfo": [
{
"permission": "compute.firewalls.delete",
"granted": true,
"resourceAttributes": {
"service": "compute",
"name": "projects/fantasticlogs-prod/global/firewalls/billywig-public-ingress",
"type": "compute.firewalls"
}
}
],
"resourceName": "projects/fantasticlogs-prod/global/firewalls/billywig-public-ingress",
"request": {
"@type": "type.googleapis.com/compute.firewalls.delete"
},
"response": {
"@type": "type.googleapis.com/operation",
"id": "8200000000000000010",
"name": "operation-1776265053000-62fa1f3a4f001-ab000010-cd000010",
"operationType": "delete",
"targetId": "6100000000000000010",
"targetLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/global/firewalls/billywig-public-ingress",
"selfLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/global/operations/operation-1776265053000-62fa1f3a4f001-ab000010-cd000010",
"selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/global/operations/8200000000000000010",
"user": "draco@fantasticlogs.cloud",
"status": "RUNNING",
"progress": "0",
"insertTime": "2026-04-15T07:17:33.301-07:00",
"startTime": "2026-04-15T07:17:33.318-07:00"
},
"resourceLocation": {
"currentLocations": [
"global"
]
}
},
"insertId": "evt0000000010",
"resource": {
"type": "gce_firewall_rule",
"labels": {
"project_id": "fantasticlogs-prod",
"firewall_rule_id": "6100000000000000010"
}
},
"timestamp": "2026-04-15T14:17:33.123456789Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"operation": {
"id": "operation-1776265053000-62fa1f3a4f001-ab000010-cd000010",
"producer": "compute.googleapis.com",
"first": true
},
"receiveTimestamp": "2026-04-15T14:17:33.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1686.001 — Cloud Firewall — Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.