Analytics Story: Suspicious GCP Storage Activities
Description
Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.
Why it matters
Similar to other cloud providers, GCP operates on a shared responsibility model. This means the end user, you, are responsible for setting appropriate access control lists and permissions on your GCP resources.\ This Analytics Story concentrates on detecting things like open storage buckets (both read and write) along with storage bucket access from unfamiliar users and IP addresses.
Detections
| Name | Technique | Type |
|---|---|---|
| Detect GCP Storage access from a new IP | Data from Cloud Storage | Anomaly |
| Detect New Open GCP Storage Buckets | Data from Cloud Storage | TTP |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|
References
- https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security
- https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/
Source: GitHub | Version: 1