GCP: Firewall Rule Modified

Anvilogic Forge

Summary
The detection rule titled 'GCP: Firewall Rule Modified' targets alterations to VPC firewall rules in Google Cloud Platform (GCP) environments. Adversaries modify or disable firewall rules to bypass established network controls, permitting unauthorized access to workloads and increasing the risk of compromise. Cloud firewalls are normally configured to restrict traffic to pre-authorized IP ranges, protocols, and ports; in GCP this is done with VPC firewall rules (the counterpart of security groups in other clouds). The rule leverages GCP Cloud Audit Logs (Admin Activity) to identify events in which a firewall rule is patched or updated; these appear with protoPayload.methodName values such as v1.compute.firewalls.patch and v1.compute.firewalls.update. It captures timestamp, host, the user responsible for the event, event name, resource ID, source IP, and user agent. The query retrieves these firewall modification events and aggregates them by source IP, so that security teams can spot an unfamiliar address, principal, or user agent making changes, or a burst of changes from a single origin. Because infrastructure-as-code pipelines and operators legitimately modify rules, the principals and IPs that normally do so should be baselined; what remains is a candidate for defense evasion (ATT&CK T1562.007, Impair Defenses: Disable or Modify Cloud Firewall) and for the lateral movement such a change can enable.
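The following is an added example of the logic the summary describes, written here for this page and not taken from the Anvilogic Forge rule (whose query language is not shown on the page). It parses Cloud Audit Log entries exported from Cloud Logging as JSON lines, keeps only firewall patch/update events, extracts the fields the rule captures, and aggregates them by caller IP. The log lines, project name, principals, and IP addresses are constructed; mapping the project ID to the "host" field, and the two triage flags (rule opened to 0.0.0.0/0, rule disabled) are assumptions added for illustration rather than behaviour the page attributes to the rule.

```python
"""Added example: GCP firewall-rule modification detection over Cloud Audit
Log JSON lines, with matching events aggregated by caller IP."""
import json
from collections import defaultdict

# Cloud Audit Log methodName values for patch/update of a VPC firewall rule.
# insert/delete are deliberately not included, matching the rule's scope.
FIREWALL_MODIFY_METHODS = {
    "v1.compute.firewalls.patch",
    "v1.compute.firewalls.update",
    "beta.compute.firewalls.patch",
    "beta.compute.firewalls.update",
}


def _entry(method, principal, caller_ip, resource_name, request, ts,
           resource_type="gce_firewall_rule"):
    """Build one CONSTRUCTED Admin Activity log line in Cloud Logging's JSON
    export shape. Project, principals, IPs and rule IDs are made up."""
    labels = {"project_id": "demo-proj"}
    if resource_type == "gce_firewall_rule":
        labels["firewall_rule_id"] = "1111"
    return json.dumps({
        "timestamp": ts,
        "logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": resource_type, "labels": labels},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "compute.googleapis.com",
            "methodName": method,
            "resourceName": resource_name,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {
                "callerIp": caller_ip,
                "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0",
            },
            "request": request,
        },
    })


SAMPLE_LOG_LINES = [
    # Opens an SSH rule to the whole internet: matched and flagged.
    _entry("v1.compute.firewalls.patch", "alice@example.com", "203.0.113.10",
           "projects/demo-proj/global/firewalls/allow-ssh",
           {"sourceRanges": ["0.0.0.0/0"]}, "2024-02-09T10:15:02Z"),
    # Disables a deny rule from a service account: matched and flagged.
    _entry("v1.compute.firewalls.patch", "deploy@demo-proj.iam.gserviceaccount.com",
           "198.51.100.7", "projects/demo-proj/global/firewalls/deny-all-ingress",
           {"disabled": True}, "2024-02-09T10:20:40Z"),
    # Description-only change from the same operator IP: matched, not flagged.
    _entry("v1.compute.firewalls.update", "alice@example.com", "203.0.113.10",
           "projects/demo-proj/global/firewalls/allow-ssh",
           {"description": "ssh from bastion"}, "2024-02-09T10:21:09Z"),
    # Rule creation: out of scope for a patch/update rule, so not matched.
    _entry("v1.compute.firewalls.insert", "alice@example.com", "203.0.113.10",
           "projects/demo-proj/global/firewalls/allow-https",
           {"sourceRanges": ["0.0.0.0/0"]}, "2024-02-09T10:25:00Z"),
    # Unrelated Compute Engine event: not matched.
    _entry("v1.compute.instances.start", "bob@example.com", "192.0.2.44",
           "projects/demo-proj/zones/us-central1-a/instances/web-1", {},
           "2024-02-09T10:30:00Z", resource_type="gce_instance"),
]


def parse_event(line):
    """Return the rule's output fields for one audit-log line, or None when
    the line is not a firewall patch/update event."""
    entry = json.loads(line)
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "compute.googleapis.com":
        return None
    if payload.get("methodName") not in FIREWALL_MODIFY_METHODS:
        return None
    labels = entry.get("resource", {}).get("labels", {})
    meta = payload.get("requestMetadata", {})
    request = payload.get("request") or {}
    return {
        "timestamp": entry.get("timestamp"),
        "host": labels.get("project_id"),  # assumption: project ID as "host"
        "user": payload.get("authenticationInfo", {}).get("principalEmail"),
        "event_name": payload["methodName"],
        "resource_id": labels.get("firewall_rule_id"),
        "resource_name": payload.get("resourceName"),
        "src_ip": meta.get("callerIp"),
        "user_agent": meta.get("callerSuppliedUserAgent"),
        # Added triage heuristics; the page does not say the rule computes these.
        "opens_to_any": "0.0.0.0/0" in (request.get("sourceRanges") or []),
        "disables_rule": request.get("disabled") is True,
    }


def aggregate_by_source_ip(lines):
    """Group matching events by caller IP, mirroring the rule's aggregation."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event is not None:
            by_ip[event["src_ip"]].append(event)
    return dict(by_ip)


def risky_events(lines):
    """Matching events whose request widened exposure or disabled the rule."""
    return [e for e in map(parse_event, lines)
            if e is not None and (e["opens_to_any"] or e["disables_rule"])]


if __name__ == "__main__":
    for ip, events in aggregate_by_source_ip(SAMPLE_LOG_LINES).items():
        users = sorted({e["user"] for e in events})
        print(f"{ip}: {len(events)} firewall change(s) by {', '.join(users)}")
    for e in risky_events(SAMPLE_LOG_LINES):
        print("  RISKY", e["timestamp"], e["event_name"], e["resource_name"])
```

On the constructed input this groups two changes under 203.0.113.10 and one under 198.51.100.7, and flags the rule opened to 0.0.0.0/0 and the disabled deny rule while leaving the description-only update as a plain match. The flags are only a first-pass triage aid: a patch request in Admin Activity logs carries just the fields being changed, so a rule that was already open to the internet will not show sourceRanges in a later, unrelated patch.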
Categories
  • Cloud
  • GCP
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1562.007 (Impair Defenses: Disable or Modify Cloud Firewall)
Created: 2024-02-09