
Summary
This detection rule identifies the creation of a new firewall rule in Google Cloud Platform (GCP). It runs a query against GCP audit logs and matches any event that records the insertion of a Compute Engine firewall rule within the last two hours. Firewall rule creation deserves attention because an adversary who has obtained access to a project can add a permissive rule to expose workloads or open a path for command and control, and because the change is almost always made with legitimate, possibly compromised, credentials rather than through an exploit. The rule is therefore mapped to two ATT&CK techniques: T1562.007, Impair Defenses: Disable or Modify Cloud Firewall, which covers altering cloud firewall configuration to weaken protections, and T1078, Valid Accounts, which covers the use of legitimate credentials to act in the environment. A match is not proof of malice; new rules are routine in many projects, so triage should focus on who created the rule, whether the source ranges are unexpectedly broad (for example 0.0.0.0/0), and whether the change was expected. Monitoring these events helps detect misuse early and preserves the integrity of the cloud network configuration.
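The following is an added example, not the detection rule itself, showing the same logic applied offline to a handful of constructed Cloud Audit Log entries. It assumes the standard Admin Activity log layout (protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName, protoPayload.request) and uses the method-name pattern *.compute.firewalls.insert as an assumption to cover the v1, beta and alpha API versions. The two-hour lookback and the extra check for rules open to the whole internet are there to illustrate the triage points above; the sample log lines and project names are constructed, not real data.

```python
import json
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Assumed method-name pattern: GCP prefixes the API version (v1, beta, alpha),
# so a wildcard covers all of them. Not taken from the original rule text.
FIREWALL_INSERT_PATTERN = "*.compute.firewalls.insert"
LOOKBACK = timedelta(hours=2)

# Constructed sample Admin Activity audit log entries, one JSON document per
# line, trimmed to the fields the detection needs. Not real project data.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": "2024-02-09T10:15:00Z",
        "protoPayload": {
            "methodName": "v1.compute.firewalls.insert",
            "authenticationInfo": {"principalEmail": "attacker@example.com"},
            "resourceName": "projects/demo-project/global/firewalls/allow-all-ingress",
            "request": {"sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
        },
    }),
    json.dumps({
        "timestamp": "2024-02-09T10:20:00Z",
        "protoPayload": {
            "methodName": "beta.compute.firewalls.insert",
            "authenticationInfo": {"principalEmail": "ops@example.com"},
            "resourceName": "projects/demo-project/global/firewalls/allow-office-ssh",
            "request": {"sourceRanges": ["203.0.113.0/24"],
                        "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
        },
    }),
    json.dumps({  # a deletion, not an insert: must be ignored
        "timestamp": "2024-02-09T10:25:00Z",
        "protoPayload": {
            "methodName": "v1.compute.firewalls.delete",
            "authenticationInfo": {"principalEmail": "ops@example.com"},
            "resourceName": "projects/demo-project/global/firewalls/old-rule",
        },
    }),
    json.dumps({  # an insert older than the two-hour window: must be ignored
        "timestamp": "2024-02-09T03:00:00Z",
        "protoPayload": {
            "methodName": "v1.compute.firewalls.insert",
            "authenticationInfo": {"principalEmail": "ops@example.com"},
            "resourceName": "projects/demo-project/global/firewalls/stale-rule",
            "request": {"sourceRanges": ["10.0.0.0/8"]},
        },
    }),
]


def parse_timestamp(value):
    """Parse an RFC 3339 timestamp such as 2024-02-09T10:15:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_firewall_insert(entry):
    """True when the audit event records a firewall rule insertion in any API version."""
    method = entry.get("protoPayload", {}).get("methodName", "")
    return fnmatch(method, FIREWALL_INSERT_PATTERN)


def is_internet_exposed(entry):
    """True when the inserted rule accepts traffic from any IPv4 or IPv6 source."""
    ranges = entry.get("protoPayload", {}).get("request", {}).get("sourceRanges", [])
    return any(r in ("0.0.0.0/0", "::/0") for r in ranges)


def detect_firewall_rule_creation(lines, now, lookback=LOOKBACK):
    """Return one triage record per firewall insertion seen within the lookback window."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        if not is_firewall_insert(entry):
            continue
        ts = parse_timestamp(entry["timestamp"])
        if ts < now - lookback or ts > now:
            continue
        payload = entry["protoPayload"]
        hits.append({
            "timestamp": entry["timestamp"],
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
            "rule": payload.get("resourceName", "").rsplit("/", 1)[-1],
            "method": payload["methodName"],
            "internet_exposed": is_internet_exposed(entry),
        })
    return hits


if __name__ == "__main__":
    # Fixed "now" so the constructed sample stays inside the window when re-run later.
    now = parse_timestamp("2024-02-09T11:00:00Z")
    for hit in detect_firewall_rule_creation(SAMPLE_LOG_LINES, now):
        print(hit)
```

Of the four sample entries only the two insertions inside the window are reported; the first is flagged as internet-exposed because its source range is 0.0.0.0/0, which is the kind of record an analyst would escalate first.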
Categories
- Cloud
- GCP
Data Sources
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T1562.007
- T1078
Created: 2024-02-09