Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.

Techniques

Sample rules

GCP Storage Bucket Configuration Modification

Description

Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target’s environment.

Detection logic

event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
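
The rule's three conditions and an administrator exception, run over a handful of events. This is an added example, not part of the rule or of LoFP. The events, the exception list and the helper names are constructed, and the principal field name is an assumption about how the audit records are indexed.

```python
# Added example: apply the rule, then suppress hits from expected administrators.
# Assumption: the actor is indexed under this field; adjust to your mapping.
PRINCIPAL_FIELD = "gcp.audit.authentication_info.principal_email"
EXPECTED_ADMINS = {"storage-admin@example.com"}  # hypothetical exception list

def get(event, dotted):
    """Resolve a dotted field name in a flat or nested event dict."""
    if dotted in event:
        return event[dotted]
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def rule_matches(event):
    """The three conditions of the detection logic above."""
    return (get(event, "event.dataset") == "gcp.audit"
            and get(event, "event.action") == "storage.buckets.update"
            and get(event, "event.outcome") == "success")

def triage(events, expected_admins=EXPECTED_ADMINS):
    """Split rule hits into (alerts, suppressed) using the exception list."""
    alerts, suppressed = [], []
    for ev in events:
        if not rule_matches(ev):
            continue
        principal = get(ev, PRINCIPAL_FIELD)
        # A hit with no recorded principal is never treated as expected.
        if principal and principal.lower() in expected_admins:
            suppressed.append(ev)
        else:
            alerts.append(ev)
    return alerts, suppressed

def ev(i, action, outcome, principal=None):
    """Build one constructed sample event (nested, as in a document source)."""
    e = {"id": i, "event": {"dataset": "gcp.audit", "action": action, "outcome": outcome}}
    if principal:
        e["gcp"] = {"audit": {"authentication_info": {"principal_email": principal}}}
    return e

SAMPLE_EVENTS = [  # constructed
    ev(1, "storage.buckets.update", "success", "storage-admin@example.com"),
    ev(2, "storage.buckets.update", "success", "contractor@example.com"),
    ev(3, "storage.buckets.update", "failure", "contractor@example.com"),
    ev(4, "storage.buckets.get", "success", "storage-admin@example.com"),
    ev(5, "storage.buckets.update", "success"),  # principal missing
]
```

Suppressed hits are returned rather than dropped so that they can still be reviewed when verifying that a change was expected.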