LoFP / Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.

Techniques

Sample rules

GCP Storage Bucket Permissions Modification

Description

Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target’s security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.

Detection logic

event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success
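Added example, not part of this page or of Elastic's rule code: it mirrors the three conditions of the query above over constructed ECS-shaped GCP audit events, then applies an exception list for an expected administrative principal, which is the tuning the false-positive note above describes. The event layout (`event.*`, `user.email`, `gcp.audit.resource_name`) and the CI service-account name are assumptions.

```python
from typing import Any, Dict, List

# Constructed sample events (not real audit log data). Field names assume the
# ECS layout produced by Elastic's gcp.audit integration.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event": {"dataset": "gcp.audit", "action": "storage.setIamPermissions", "outcome": "success"},
     "user": {"email": "terraform-ci@example-project.iam.gserviceaccount.com"},
     "gcp": {"audit": {"resource_name": "projects/_/buckets/prod-data"}}},
    {"event": {"dataset": "gcp.audit", "action": "storage.setIamPermissions", "outcome": "success"},
     "user": {"email": "jdoe@example.com"},
     "gcp": {"audit": {"resource_name": "projects/_/buckets/prod-data"}}},
    {"event": {"dataset": "gcp.audit", "action": "storage.setIamPermissions", "outcome": "failure"},
     "user": {"email": "jdoe@example.com"},
     "gcp": {"audit": {"resource_name": "projects/_/buckets/prod-data"}}},
    {"event": {"dataset": "gcp.audit", "action": "storage.buckets.get", "outcome": "success"},
     "user": {"email": "jdoe@example.com"},
     "gcp": {"audit": {"resource_name": "projects/_/buckets/prod-data"}}},
]

# Hypothetical exception list: a CI service account that legitimately manages
# bucket IAM. Real deployments would populate this from change-management data.
EXPECTED_PRINCIPALS = {"terraform-ci@example-project.iam.gserviceaccount.com"}


def get_field(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS field path; missing fields return None, never raise."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event: Dict[str, Any]) -> bool:
    """event.dataset:gcp.audit and event.action:"storage.setIamPermissions" and event.outcome:success"""
    return (get_field(event, "event.dataset") == "gcp.audit"
            and get_field(event, "event.action") == "storage.setIamPermissions"
            and get_field(event, "event.outcome") == "success")


def is_expected(event: Dict[str, Any]) -> bool:
    """Exception filter: the acting principal is on the expected-admin list."""
    return get_field(event, "user.email") in EXPECTED_PRINCIPALS


def alerts(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Events that match the rule and are not covered by an exception."""
    return [e for e in events if matches_rule(e) and not is_expected(e)]
```

The failed `setIamPermissions` call and the `buckets.get` read never match the rule; of the two successful changes, only the one by the unlisted human principal survives the exception filter.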