name: Detect New Open GCP Storage Buckets
id: f6ea3466-d6bb-11ea-87d0-0242ac130003
version: 3
date: '2024-10-17'
author: Shannon Davis, Splunk
status: experimental
type: TTP
description: The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP Pub/Sub events, specifically monitoring for the `storage.setIamPermissions` method and checking whether the `allUsers` member is added to the bucket's IAM policy. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations.
data_source:
how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platform, with a Cloud Pub/Sub input configured together with the relevant GCP Pub/Sub topics and a logging sink that routes GCP Storage bucket audit events to them (https://cloud.google.com/logging/docs/routing/overview).
known_false_positives: While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group.
references:
drilldown_searches:
tags:
  analytic_story:
  - 'Suspicious GCP Storage Activities'
  asset_type: GCP Storage Bucket
  confidence: 50
  impact: 50
  message: tbd
  mitre_attack_id:
  - 'T1530'
  observable:
  - name: 'user'
    type: 'User'
    role:
    - 'Victim'
  product:
  - 'Splunk Enterprise'
  - 'Splunk Enterprise Security'
  - 'Splunk Cloud'
  required_fields:
  - '_time'
  - 'data.resource.type'
  - 'data.protoPayload.methodName'
  - 'data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action'
  - 'data.protoPayload.authenticationInfo.principalEmail'
  - 'data.protoPayload.resourceLocation.currentLocations{}'
  - 'data.protoPayload.requestMetadata.callerIp'
  - 'data.protoPayload.resourceName'
  - 'data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role'
  - 'data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member'
  risk_score: 25
  security_domain: network
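The detection logic the description states (a `storage.setIamPermissions` call whose binding delta adds `allUsers`), as an added Python example run over constructed audit-log events; this is not the analytic's own search and not Splunk content. The field paths follow the `required_fields` list above; it also flags `allAuthenticatedUsers`, which goes beyond the `allUsers` check the description names, and the bucket names, principals and IPs are constructed sample values.

```python
import json

def _event(bucket, principal, ip, action, member):
    """Build a constructed Pub/Sub event shaped like a GCS audit log entry."""
    return {"resource": {"type": "gcs_bucket"}, "protoPayload": {
        "methodName": "storage.setIamPermissions",
        "resourceName": f"projects/_/buckets/{bucket}",
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": action, "role": "roles/storage.objectViewer",
             "member": member}]}}}}

# Constructed sample events (not real logs): one public grant, one grant to a
# named user, and one removal of a public grant, which must not alert.
SAMPLE_EVENTS = [
    _event("example-public", "admin@example.com", "203.0.113.10", "ADD", "allUsers"),
    _event("example-private", "dev@example.com", "203.0.113.11", "ADD", "user:dev@example.com"),
    _event("example-cleanup", "admin@example.com", "203.0.113.10", "REMOVE", "allUsers"),
]
SAMPLE_JSON_LINE = json.dumps(SAMPLE_EVENTS[0])  # shape of a raw Pub/Sub line

# Principals that open a bucket beyond the project: the analytic names
# allUsers; allAuthenticatedUsers is included here as a generalisation.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def detect_public_bucket_grants(events, public_members=PUBLIC_MEMBERS):
    """Return one finding per binding delta that adds a public member to a bucket."""
    findings = []
    for ev in events:
        if isinstance(ev, str):            # raw JSON line from the Pub/Sub input
            ev = json.loads(ev)
        ev = ev.get("data", ev)            # the Splunk add-on nests the entry under `data`
        if ev.get("resource", {}).get("type") != "gcs_bucket":
            continue
        pp = ev.get("protoPayload", {})
        if pp.get("methodName") != "storage.setIamPermissions":
            continue
        deltas = pp.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            # Only an ADD of a public member opens the bucket; a REMOVE is cleanup.
            if d.get("action") == "ADD" and d.get("member") in public_members:
                findings.append({
                    "bucket": pp.get("resourceName"),
                    "role": d.get("role"), "member": d["member"],
                    "principal": pp.get("authenticationInfo", {}).get("principalEmail"),
                    "caller_ip": pp.get("requestMetadata", {}).get("callerIp")})
    return findings
```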