A GCP request occurred to either create a new public or open bucket. While there are some use cases for GCP S3 public buckets, most are generally private. The security operations center should have a strong understanding of which buckets are allowed to be public.
| Detail |
Value |
| Type |
Templated Match |
| Category |
Defense Evasion |
| Apply Risk to Entities |
user_username, srcDevice_ip |
| Signal Name |
GCP Bucket Open |
| Summary Expression |
User: {{user_username}} made storage bucket public |
| Score/Severity |
Static: 3 |
| Enabled by Default |
True |
| Prototype |
False |
| Tags |
_mitreAttackTactic:TA0009, _mitreAttackTechnique:T1530 |
| Origin |
Field |
| Normalized Schema |
action |
| Direct from Record |
fields['message.data.protoPayload.serviceData.policyDelta.bindingDeltas.1.action'] |
| Direct from Record |
fields['message.data.protoPayload.serviceData.policyDelta.bindingDeltas.1.member'] |
| Direct from Record |
fields['message.data.resource.type'] |
| Normalized Schema |
metadata_product |
| Normalized Schema |
metadata_vendor |
| Normalized Schema |
srcDevice_ip |
| Normalized Schema |
user_username |