Techniques
Sample rules
Detect GCP Storage access from a new IP
- source: splunk
- technicques:
- T1530
Description
This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket.
Detection logic
`google_gcp_pubsub_message`
| multikv
| rename sc_status_ as status
| rename cs_object_ as bucket_name
| rename c_ip_ as remote_ip
| rename cs_uri_ as request_uri
| rename cs_method_ as operation
| search status="\"200\""
| stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri
| table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri
| inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip
| stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri
| outputlookup previously_seen_gcp_storage_access_from_remote_ip
| eval newIP=if(firstTime >= relative_time(now(),"-70m@m"), 1, 0)
| where newIP=1
| eval first_time=strftime(firstTime,"%m/%d/%y %H:%M:%S")
| eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S")
| table first_time last_time bucket_name remote_ip operation request_uri
| `detect_gcp_storage_access_from_a_new_ip_filter`