compute.firewalls.delete
GCP
compute.firewalls.delete
Event
Deletes a firewall rule from a GCP VPC network.
Security Context
- Modifying network security controls can open unauthorized access paths while removing evidence of the original restrictive configuration.
Log Source
Cloud Audit Logs
Sample Event
Draco deletes the billywig-public-ingress firewall rule that restricts inbound 443 traffic to the BILLYWIG edge VPC, widening exposure or covering the tracks of an earlier firewalls.patch (T1686.001). Compute LROs emit a paired last entry on completion (progress: 100, status: DONE, operation.last: true); the first entry below is what defenders alert on.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.firewall-rules.delete invocation-id/90000000000000000000000000000010 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T14:17:33.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.firewalls.delete", "authorizationInfo": [ { "permission": "compute.firewalls.delete", "granted": true, "resourceAttributes": { "service": "compute", "name": "projects/fantasticlogs-prod/global/firewalls/billywig-public-ingress", "type": "compute.firewalls" } } ], "resourceName": "projects/fantasticlogs-prod/global/firewalls/billywig-public-ingress", "request": { "@type": "type.googleapis.com/compute.firewalls.delete" }, "response": { "@type": "type.googleapis.com/operation", "id": "8200000000000000010", "name": "operation-1776265053000-62fa1f3a4f001-ab000010-cd000010", "operationType": "delete", "targetId": "6100000000000000010", "targetLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/global/firewalls/billywig-public-ingress", "selfLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/global/operations/operation-1776265053000-62fa1f3a4f001-ab000010-cd000010", "selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/global/operations/8200000000000000010", "user": "draco@fantasticlogs.cloud", "status": "RUNNING", "progress": "0", "insertTime": "2026-04-15T07:17:33.301-07:00", "startTime": "2026-04-15T07:17:33.318-07:00" }, "resourceLocation": { "currentLocations": [ "global" ] } }, "insertId": "evt0000000010", "resource": { "type": "gce_firewall_rule", "labels": { "project_id": "fantasticlogs-prod", "firewall_rule_id": "6100000000000000010" } }, "timestamp": "2026-04-15T14:17:33.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "operation": { "id": "operation-1776265053000-62fa1f3a4f001-ab000010-cd000010", "producer": "compute.googleapis.com", "first": true }, "receiveTimestamp": "2026-04-15T14:17:33.567890123Z"}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1686.001 — Cloud Firewall — Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.