GCP Storage Bucket Configuration Modification
Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may
modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.
"""
false_positives = [
    """
    Storage bucket configuration may be modified by system administrators. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Storage Bucket Configuration Modification"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Storage Bucket Configuration Modification

Google Cloud Platform (GCP) storage buckets are essential for storing and managing data in the cloud. Adversaries may alter bucket configurations to weaken security, enabling unauthorized access or data exfiltration. The detection rule matches every successful storage.buckets.update call recorded in the audit logs; it does not judge whether a given change is harmful. Triage therefore has to establish what was changed and whether it weakened a control, for example disabling uniform bucket-level access, relaxing public access prevention, turning off object versioning or access logging, removing a retention policy, or moving default encryption away from a customer-managed key.

### Possible investigation steps

- Review the audit logs for the specific event.action "storage.buckets.update" to identify the user or service account responsible for the configuration change (gcp.audit.authentication_info.principal_email) and the bucket affected (gcp.audit.resource_name).
- The rule already requires event.outcome:success, so denied or failed attempts do not alert; look for earlier failed attempts by the same principal as well. The settings that actually changed are in the request body recorded with the event (gcp.audit.request), which carries the bucket fields the caller sent, such as iamConfiguration, versioning, logging, retentionPolicy, lifecycle or encryption.
- Investigate the context of the change by checking the timestamp of the event to determine if it aligns with any known maintenance or deployment activities.
- Assess the permissions and roles of the user or service account involved in the modification to ensure they have the appropriate level of access and determine if any privilege escalation occurred.
- Cross-reference the modified bucket's configuration with security policies and best practices to identify any potential security weaknesses introduced by the change.
- Check for any other recent suspicious activities or alerts related to the same user or service account to identify patterns of potentially malicious behavior.
- If unauthorized changes are suspected, initiate a response plan to revert the configuration to its previous state and strengthen access controls to prevent future incidents.

### False positive analysis

- Routine administrative updates to storage bucket configurations by authorized personnel can trigger alerts. To manage this, maintain a list of known administrators and their typical activities, and create exceptions for these actions in the monitoring system.
- Automated processes or scripts that regularly update bucket configurations for maintenance or compliance purposes may cause false positives. Identify these processes and exclude them with an exception on the principal they run as (gcp.audit.authentication_info.principal_email), preferably a dedicated service account, rather than on the bucket name.
- Changes made by cloud management tools or third-party services integrated with GCP might be flagged. Review and allowlist these tools if they are verified and necessary for operations.
- Scheduled updates or configuration changes as part of regular security audits can appear suspicious. Document these schedules and incorporate them into the monitoring system to prevent unnecessary alerts.
- Temporary configuration changes for testing or development purposes might be misinterpreted as threats. Ensure that such activities are logged and communicated to the security team to adjust monitoring rules accordingly.

### Response and remediation

- Immediately revoke any unauthorized access to the affected GCP storage bucket by reviewing and adjusting IAM policies to ensure only legitimate users have access.
- Conduct a thorough review of recent bucket configuration changes to identify any unauthorized modifications and revert them to their original secure state.
- Restrict access to the affected bucket while the change is investigated, for example by tightening its IAM policy, enforcing public access prevention, or placing the project behind a VPC Service Controls perimeter; a bucket has no network of its own to isolate.
- Notify the security operations team and relevant stakeholders about the incident for further investigation and to ensure coordinated response efforts.
- Implement additional logging and monitoring on the affected bucket to detect any further unauthorized access attempts or configuration changes.
- Review and update security policies and access controls for all GCP storage buckets to prevent similar incidents in the future.
- Escalate the incident to the cloud security team for a comprehensive analysis and to determine if further action is required, such as involving legal or compliance teams.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
risk_score = 47
rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Identity and Access Audit",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
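The rule's query is a one-line filter, so most of the work in the triage steps is working out what the matched update actually changed and which principals are expected to make such changes. The following Python, added here as an illustration and not part of the Elastic rule or the GCP integration, replays that logic over a handful of constructed Cloud Audit Log entries: it applies the same three conditions the KQL does, drops principals on an exception list (the false-positive handling the guide describes), and reports which bucket settings in the request body weakened a control. The field mapping (methodName to event.action, status.code to event.outcome), the sample entries, and the list of weakening settings are assumptions made for this example.

```python
"""Added example, not part of the Elastic rule: replay the rule's KQL logic in
Python over constructed GCP Cloud Audit Log entries, then classify which
bucket settings each successful storage.buckets.update weakened."""
import json

RULE_ACTION = "storage.buckets.update"
_MISSING = object()

# Constructed sample entries in Cloud Audit Log (protoPayload) shape. Not real logs.
_ENTRIES = [
    {"protoPayload": {"methodName": RULE_ACTION,
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/_/buckets/finance-reports",
                      "request": {"iamConfiguration": {
                          "uniformBucketLevelAccess": {"enabled": False},
                          "publicAccessPrevention": "inherited"}}}},
    {"protoPayload": {"methodName": RULE_ACTION,
                      "authenticationInfo": {"principalEmail":
                                             "terraform@example-project.iam.gserviceaccount.com"},
                      "resourceName": "projects/_/buckets/app-logs",
                      "request": {"versioning": {"enabled": True}}}},
    {"protoPayload": {"methodName": RULE_ACTION,
                      "status": {"code": 7, "message": "PERMISSION_DENIED"},
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "resourceName": "projects/_/buckets/finance-reports",
                      "request": {"versioning": {"enabled": False}}}},
    {"protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/_/buckets/finance-reports/objects/q4.csv"}},
    {"protoPayload": {"methodName": RULE_ACTION,
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/_/buckets/audit-archive",
                      "request": {"retentionPolicy": None, "logging": None}}},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in _ENTRIES]

# Settings whose new value, as sent in the update request, weakens the bucket.
# A JSON null for a whole sub-resource means the PATCH removed it. Assumed list.
WEAKENING_CHECKS = {
    "iamConfiguration.uniformBucketLevelAccess.enabled": lambda v: v is False,
    "iamConfiguration.publicAccessPrevention": lambda v: v == "inherited",
    "versioning.enabled": lambda v: v is False,
    "logging": lambda v: v is None,
    "retentionPolicy": lambda v: v is None,
    "encryption.defaultKmsKeyName": lambda v: v is None,
}


def _get(obj, dotted):
    """Walk a dotted path; return _MISSING if any segment is absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return _MISSING
        obj = obj[part]
    return obj


def normalize(line):
    """Map one raw audit log line onto the ECS-style fields the rule queries.
    Assumption: event.action <- protoPayload.methodName, and event.outcome is
    'success' unless protoPayload.status.code is present and non-zero."""
    pp = json.loads(line).get("protoPayload", {})
    code = pp.get("status", {}).get("code", 0)
    return {
        "event.dataset": "gcp.audit",
        "event.action": pp.get("methodName"),
        "event.outcome": "success" if code == 0 else "failure",
        "principal": pp.get("authenticationInfo", {}).get("principalEmail"),
        "bucket": pp.get("resourceName", "").split("/buckets/")[-1].split("/")[0],
        "request": pp.get("request", {}),
    }


def matches_rule(ev):
    """The rule's KQL: event.dataset:gcp.audit and
    event.action:"storage.buckets.update" and event.outcome:success"""
    return (ev["event.dataset"] == "gcp.audit"
            and ev["event.action"] == RULE_ACTION
            and ev["event.outcome"] == "success")


def weakened_settings(request):
    """Return the dotted paths in the update request that weaken security."""
    hits = []
    for path, is_weaker in WEAKENING_CHECKS.items():
        value = _get(request, path)
        if value is not _MISSING and is_weaker(value):
            hits.append(path)
    return hits


def triage(lines, allowed_principals=frozenset()):
    """Run the rule, skip exception-listed automation identities, and
    annotate each remaining match with the settings it weakened."""
    findings = []
    for line in lines:
        ev = normalize(line)
        if not matches_rule(ev) or ev["principal"] in allowed_principals:
            continue
        findings.append({"principal": ev["principal"], "bucket": ev["bucket"],
                         "weakened": weakened_settings(ev["request"])})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES, {"terraform@example-project.iam.gserviceaccount.com"}):
        print(f)
```

Of the five constructed entries, the denied update and the object read never match, the Terraform service account's change matches but weakens nothing and disappears once that principal is on the exception list, and the two remaining findings name the exact settings to check: uniform bucket-level access and public access prevention on finance-reports, and the removed logging and retention policy on audit-archive. In a real deployment the same request-body inspection is what turns the rule's broad match into a prioritised alert.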
References
- https://cloud.google.com/storage/docs/key-terms#buckets
Related rules
- GCP Storage Bucket Permissions Modification
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion
- GCP Firewall Rule Modification
- GCP IAM Custom Role Creation