name: Detect New Open GCP Storage Buckets
id: f6ea3466-d6bb-11ea-87d0-0242ac130003
version: 4
date: 2024-11-14
author: Shannon Davis, Splunk
status: experimental
type: TTP
description: The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method, and checks whether the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations.
data_source:
how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).
known_false_positives: While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group.
references:
drilldown_searches:
tags:
  analytic_story:
    - Suspicious GCP Storage Activities
  asset_type: GCP Storage Bucket
  mitre_attack_id:
    - T1530
  product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
  security_domain: network
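The detection logic this rule describes, run over constructed Cloud Audit Log lines, as an added Python example (not the rule's own SPL search, which is not included on this page). The event field paths, the sample bucket names and the extra `allAuthenticatedUsers` principal are assumptions; the last one goes beyond the page's `allUsers` check.

```python
import json

# Principals whose grant exposes a bucket to the public. The analytic on this page keys
# on "allUsers"; "allAuthenticatedUsers" (any Google account) is included here as the
# closely related public principal, an assumption that goes beyond the page.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_bucket_grants(events):
    """Return (bucket, member, role) for every storage.setIamPermissions event whose
    IAM policy delta ADDs a public member. Field paths follow the Cloud Audit Log
    shape as assumed here (protoPayload.serviceData.policyDelta.bindingDeltas)."""
    hits = []
    for ev in events:
        payload = ev.get("protoPayload", {})
        if payload.get("methodName") != "storage.setIamPermissions":
            continue
        bucket = ev.get("resource", {}).get("labels", {}).get("bucket_name", "<unknown>")
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            # Only an ADD is a new exposure; a REMOVE of allUsers is the remediation.
            if delta.get("action") == "ADD" and delta.get("member") in PUBLIC_MEMBERS:
                hits.append((bucket, delta["member"], delta.get("role", "")))
    return hits


def scan_log_lines(lines):
    """Parse one JSON audit event per line (as a Pub/Sub sink delivers them) and run the check."""
    return public_bucket_grants(json.loads(line) for line in lines if line.strip())


def _event(method, bucket, deltas):
    # Builds a constructed sample audit event as a JSON log line.
    return json.dumps({
        "protoPayload": {"methodName": method,
                         "serviceData": {"policyDelta": {"bindingDeltas": deltas}}},
        "resource": {"type": "gcs_bucket", "labels": {"bucket_name": bucket}},
    })


# Constructed sample log lines: a public grant, an ordinary user grant, a removal of
# allUsers (remediation, must not alert), and an unrelated method.
SAMPLE_LOG_LINES = [
    _event("storage.setIamPermissions", "example-public-bucket",
           [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]),
    _event("storage.setIamPermissions", "example-private-bucket",
           [{"action": "ADD", "role": "roles/storage.objectAdmin", "member": "user:alice@example.com"}]),
    _event("storage.setIamPermissions", "example-fixed-bucket",
           [{"action": "REMOVE", "role": "roles/storage.objectViewer", "member": "allUsers"}]),
    _event("storage.buckets.create", "example-new-bucket", []),
]
```

Running `scan_log_lines(SAMPLE_LOG_LINES)` returns only the first bucket, which matches the rule's intent: a removal of `allUsers` is a fix and should not alert.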