Navigation :

Detect New Open GCP Storage Buckets

Description

This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Collection

MITRE ATT&CK Techniques

Data from Cloud Storage Object

Data from Cloud Storage Object

Data Sources

GCP
Audit Trail

   Help

Detect New Open GCP Storage Buckets Help

This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).

   Search

`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table  _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`
Open in Search