GCP storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false positive, since the search is looking for a new IP within the past two hours.

Techniques

Sample rules

Detect GCP Storage access from a new IP

Description

The following analytic identifies access to GCP Storage buckets from new or previously unseen remote IP addresses. It leverages GCP Storage bucket-access logs ingested via Cloud Pub/Sub and compares current access events against a lookup table of previously seen IP addresses. This activity is significant as it may indicate unauthorized access or potential reconnaissance by an attacker. If confirmed malicious, this could lead to data exfiltration, unauthorized data manipulation, or further compromise of the GCP environment.

Detection logic

`google_gcp_pubsub_message` 
| multikv 
| rename sc_status_ as status 
| rename cs_object_ as bucket_name 
| rename c_ip_ as remote_ip 
| rename cs_uri_ as request_uri 
| rename cs_method_ as operation 
| search status="\"200\"" 
| stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri 
| table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri 
| inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip 
| stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri 
| outputlookup previously_seen_gcp_storage_access_from_remote_ip 
| eval newIP=if(firstTime >= relative_time(now(),"-70m@m"), 1, 0) 
| where newIP=1 
| eval first_time=strftime(firstTime,"%m/%d/%y %H:%M:%S") 
| eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S") 
| table  first_time last_time bucket_name remote_ip operation request_uri 
| `detect_gcp_storage_access_from_a_new_ip_filter`
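
The first-seen logic of the search above, modelled in Python as an added example (it is not part of the Splunk rule or of this page). It shows that the rule keys on bucket, IP, operation and URI together, so a known IP requesting a new object alerts alongside a genuinely new IP on an open bucket; the sample events, bucket name and helper names are constructed.

```python
from datetime import datetime, timedelta, timezone

KEY = ("bucket_name", "remote_ip", "operation", "request_uri")  # the rule's "by" fields
WINDOW = timedelta(minutes=70)  # mirrors relative_time(now(), "-70m@m")

def detect(events, lookup, now):
    """Merge status-200 events into lookup; return [(key, ip_is_new)] for new rows."""
    known_ips = {key[1] for key in lookup}  # IPs present before this run
    for ev in events:
        if ev["status"] != "200":  # failed requests never reach the lookup
            continue
        key = tuple(ev[f] for f in KEY)
        first, last = lookup.get(key, (ev["time"], ev["time"]))
        lookup[key] = (min(first, ev["time"]), max(last, ev["time"]))
    cutoff = (now - WINDOW).replace(second=0, microsecond=0)  # "@m" snaps to the minute
    return sorted((key, key[1] not in known_ips)
                  for key, (first, _) in lookup.items() if first >= cutoff)

def t(hhmm):
    """Constructed timestamp on an arbitrary sample day (UTC)."""
    h, m = map(int, hhmm.split(":"))
    return datetime(2024, 1, 1, h, m, tzinfo=timezone.utc)

def ev(time, ip, uri, status="200"):
    """Constructed access-log event for a hypothetical bucket named 'reports'."""
    return {"time": t(time), "bucket_name": "reports", "remote_ip": ip,
            "operation": "GET", "request_uri": uri, "status": status}

# Constructed sample data; addresses are from the RFC 5737 documentation ranges.
NOW = t("12:00")
LOOKUP = {("reports", "203.0.113.10", "GET", "/reports/q1.csv"): (t("01:00"), t("09:00"))}
EVENTS = [
    ev("11:50", "203.0.113.10", "/reports/q1.csv"),        # known row: no alert
    ev("11:55", "203.0.113.10", "/reports/q2.csv"),        # known IP, new object: alerts
    ev("11:40", "198.51.100.7", "/reports/q1.csv"),        # new IP, open bucket: alerts
    ev("11:45", "192.0.2.99", "/reports/q1.csv", "403"),   # denied request: ignored
    ev("10:30", "192.0.2.50", "/reports/q1.csv"),          # before cutoff: stored, no alert
]

if __name__ == "__main__":
    for key, ip_is_new in detect(EVENTS, dict(LOOKUP), NOW):
        print(key, "new IP" if ip_is_new else "known IP, new operation/URI")
```

Separating the two kinds of hit, as the `ip_is_new` flag does here, is one way to triage alerts that come from known clients touching new objects rather than from unseen addresses.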