while this search has no known false positives, it is possible that a gcp admin has legitimately created a public bucket for a specific purpose. that said, gcp strongly advises against granting full control to the \"allusers\" group.

Techniques

T1530

Sample rules

Detect New Open GCP Storage Buckets

source: splunk
technicques:
- T1530

Description

This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket.

Detection logic

`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions 
| spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action 
| spath output=user path=data.protoPayload.authenticationInfo.principalEmail 
| spath output=location path=data.protoPayload.resourceLocation.currentLocations{} 
| spath output=src path=data.protoPayload.requestMetadata.callerIp 
| spath output=bucketName path=data.protoPayload.resourceName 
| spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role 
| spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member 
| search (member=allUsers AND action=ADD) 
| table  _time, bucketName, src, user, location, action, role, member 
| search `detect_new_open_gcp_storage_buckets_filter`