LoFP LoFP / T1530

T1530

TitleTags
authorization rule additions or modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. authorization rule additions or modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
based on the values of`datapointthreshold` and `deviationthreshold`, the false positive rate may vary. please modify this according the your environment.
gcp storage buckets can be accessed from any ip (if the acls are open to allow it), as long as it can make a successful connection. this will be a false postive, since the search is looking for a new ip within the past two hours.
known or internal account ids or automation
s3 buckets can be accessed from any ip, as long as it can make a successful connection. this will be a false postive, since the search is looking for a new ip within the past hour
subscription creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. subscription creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
topic creations may be done by a system or network administrator. verify whether the user email, resource name, and/or hostname should be making changes in your environment. topic creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail creations may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
trail updates may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail updates from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
while this search has no known false positives, it is possible that a gcp admin has legitimately created a public bucket for a specific purpose. that said, gcp strongly advises against granting full control to the \"allusers\" group.