LoFP / storage buckets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Google Cloud Storage Buckets Modified or Deleted

• source: sigma
• technicques:

Description

Detects when storage bucket is modified or deleted in Google Cloud.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - storage.buckets.delete
  - storage.buckets.insert
  - storage.buckets.update
  - storage.buckets.patch