GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false positive, since the search is looking for a new IP within the past two hours.


Sample rules

Detect GCP Storage access from a new IP


This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket.

Detection logic

| multikv
| rename sc_status_ as status
| rename cs_object_ as bucket_name
| rename c_ip_ as remote_ip
| rename cs_uri_ as request_uri
| rename cs_method_ as operation
| search status="\"200\""
| stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri
| table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri
| inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip
| stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri
| outputlookup previously_seen_gcp_storage_access_from_remote_ip
| eval newIP=if(firstTime >= relative_time(now(),"-70m@m"), 1, 0)
| where newIP=1
| eval first_time=strftime(firstTime,"%m/%d/%y %H:%M:%S")
| eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S")
| table first_time last_time bucket_name remote_ip operation request_uri
| `detect_gcp_storage_access_from_a_new_ip_filter`
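The same baseline logic as the SPL above, re-implemented in Python as an added example (not the LoFP page's or Splunk's own code) over constructed log records and a constructed lookup table; it shows how a legitimate client arriving from a never-seen IP, the false positive described at the top, ends up in the result.

```python
"""Added re-implementation of the page's SPL "new remote IP" logic in Python
(not the LoFP page's own code); all records and the lookup contents are constructed."""

# Fixed "now" in epoch seconds so the run is deterministic (constructed value).
NOW = 1_700_000_000

# Constructed GCS usage-log records, field names as multikv extracts them.
LOGS = [
    {"_time": NOW - 600, "sc_status": "200", "cs_object": "finance-backups",
     "c_ip": "198.51.100.7", "cs_uri": "/finance-backups/q3.csv", "cs_method": "GET"},
    {"_time": NOW - 300, "sc_status": "200", "cs_object": "finance-backups",
     "c_ip": "203.0.113.10", "cs_uri": "/finance-backups/q3.csv", "cs_method": "GET"},
    {"_time": NOW - 200, "sc_status": "403", "cs_object": "finance-backups",
     "c_ip": "203.0.113.99", "cs_uri": "/finance-backups/q3.csv", "cs_method": "GET"},
    {"_time": NOW - 120, "sc_status": "200", "cs_object": "finance-backups",
     "c_ip": "198.51.100.7", "cs_uri": "/finance-backups/q4.csv", "cs_method": "PUT"},
]

# Constructed contents of previously_seen_gcp_storage_access_from_remote_ip:
# key -> (firstTime, lastTime); this pair was first seen three days ago.
LOOKUP = {("finance-backups", "198.51.100.7", "GET", "/finance-backups/q3.csv"):
          (NOW - 3 * 86400, NOW - 86400)}


def detect_new_ips(logs, lookup, now):
    """Return (flagged rows, updated lookup), following the SPL step by step."""
    current = {}
    for rec in logs:
        if rec["sc_status"] != "200":       # search status="\"200\""
            continue
        # stats ... by bucket_name remote_ip operation request_uri
        key = (rec["cs_object"], rec["c_ip"], rec["cs_method"], rec["cs_uri"])
        first, last = current.get(key, (rec["_time"], rec["_time"]))
        current[key] = (min(first, rec["_time"]), max(last, rec["_time"]))
    # inputlookup append=t, then stats min(firstTime) max(lastTime): merge history
    merged = dict(lookup)
    for key, (first, last) in current.items():
        old_first, old_last = merged.get(key, (first, last))
        merged[key] = (min(old_first, first), max(old_last, last))
    # relative_time(now(), "-70m@m"): 70 minutes back, snapped to the minute
    cutoff = ((now - 70 * 60) // 60) * 60
    flagged = [(key, first, last) for key, (first, last) in merged.items()
               if first >= cutoff]           # eval newIP ... | where newIP=1
    return flagged, merged


def run_example():
    """Sorted (bucket, ip, operation, uri) keys flagged for the constructed data."""
    flagged, _ = detect_new_ips(LOGS, LOOKUP, NOW)
    return sorted(key for key, _, _ in flagged)
```

Because the SPL groups by operation and request_uri as well as by IP, a known IP using a new method or object path (the fourth record) is also reported as new, which is a second source of benign hits worth knowing when tuning the filter macro.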