LoFP / storage buckets enumerated from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Google Cloud Storage Buckets Enumeration

• source: sigma
• technicques:

Description

Detects when storage bucket is enumerated in Google Cloud.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - storage.buckets.list
  - storage.buckets.listChannels