Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

GCP Storage Bucket Deletion

Description

Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target’s business operations.

Detection logic

event.dataset:gcp.audit and event.action:"storage.buckets.delete"
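
The following is an added example, not part of the original rule: it applies the detection logic above to constructed audit events and shows an exemption scoped to both user and resource, so a known administrator deleting an unexpected bucket is still flagged. The keys `user.email` and `resource.name`, the exemption entries, and all sample events are assumptions; actual field names depend on your ingestion pipeline.

```python
# Rule conditions taken from the detection logic on this page.
RULE = {"event.dataset": "gcp.audit", "event.action": "storage.buckets.delete"}

# Hypothetical exemptions: (user email, resource-name prefix). Both must match,
# so the exemption covers one known behavior rather than everything a user does.
EXEMPTIONS = [
    ("storage-admin@example.com", "projects/_/buckets/tmp-"),
]

def matches_rule(event):
    """True when the event satisfies every condition of the rule."""
    return all(event.get(key) == value for key, value in RULE.items())

def is_exempt(event, exemptions=EXEMPTIONS):
    """True only when user AND resource prefix match one exemption entry."""
    user = (event.get("user.email") or "").lower()      # assumed field name
    resource = event.get("resource.name") or ""         # assumed field name
    return any(user == u.lower() and resource.startswith(prefix)
               for u, prefix in exemptions)

def triage(events, exemptions=EXEMPTIONS):
    """Return (resource, user, verdict) for each event that matches the rule."""
    results = []
    for event in events:
        if not matches_rule(event):
            continue
        verdict = "exempt" if is_exempt(event, exemptions) else "investigate"
        results.append((event.get("resource.name"), event.get("user.email"), verdict))
    return results

# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {"event.dataset": "gcp.audit", "event.action": "storage.buckets.delete",
     "user.email": "storage-admin@example.com",
     "resource.name": "projects/_/buckets/tmp-build-cache"},
    {"event.dataset": "gcp.audit", "event.action": "storage.buckets.delete",
     "user.email": "unknown@example.net",
     "resource.name": "projects/_/buckets/tmp-build-cache"},
    {"event.dataset": "gcp.audit", "event.action": "storage.buckets.delete",
     "user.email": "storage-admin@example.com",
     "resource.name": "projects/_/buckets/prod-backups"},
    {"event.dataset": "gcp.audit", "event.action": "storage.buckets.create",
     "user.email": "unknown@example.net",
     "resource.name": "projects/_/buckets/new-bucket"},
    {"event.dataset": "gcp.audit", "event.action": "storage.buckets.delete",
     "resource.name": "projects/_/buckets/tmp-orphan"},  # no user recorded
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Events with no recorded user fall through to "investigate", since an exemption can never match an empty identity.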