| ID | Technique | Tactic |
|---|---|---|
| T1530 | Data from Cloud Storage | Collection |
Detection: Detect GCP Storage access from a new IP
EXPERIMENTAL DETECTION
This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.
Description
The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment.
Search
1`google_gcp_pubsub_message`
2| multikv
3| rename sc_status_ as status
4| rename cs_object_ as bucket_name
5| rename c_ip_ as remote_ip
6| rename cs_uri_ as request_uri
7| rename cs_method_ as operation
8| search status="\"200\""
9| stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri
10| table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri
11| inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip
12| stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri
13| outputlookup previously_seen_gcp_storage_access_from_remote_ip
14| eval newIP=if(firstTime >= relative_time(now(),"-70m@m"), 1, 0)
15| where newIP=1
16| eval first_time=strftime(firstTime,"%m/%d/%y %H:%M:%S")
17| eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S")
18| table first_time last_time bucket_name remote_ip operation request_uri
19| `detect_gcp_storage_access_from_a_new_ip_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| N/A | N/A | N/A | N/A | N/A |
Macros Used
| Name | Value |
|---|---|
| google_gcp_pubsub_message | sourcetype="google:gcp:pubsub:message" |
| detect_gcp_storage_access_from_a_new_ip_filter | search * |
detect_gcp_storage_access_from_a_new_ip_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.EXPLOITAITON
NistCategory.DE_AE
Cis18Value.CIS_13
Fox Kitten
Scattered Spider
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.
Known False Positives
GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false postive, since the search is looking for a new IP within the past two hours.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| tbd | 25 | 50 | 50 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | Not Applicable | N/A | N/A | N/A |
| Unit | ❌ Failing | N/A | N/A |
N/A |
| Integration | ❌ Failing | N/A | N/A |
N/A |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2