GCP Storage Bucket Configuration Modification

Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.

Elastic rule

[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may
modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.
"""
false_positives = [
    """
    Storage bucket configuration may be modified by system administrators. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Storage Bucket Configuration Modification"
note = """## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
risk_score = 47
rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
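The rule's query is three exact-match clauses on ECS keyword fields: the event must come from the `gcp.audit` dataset, the action must be `storage.buckets.update`, and the outcome must be `success` (failed update attempts are deliberately not alerted on). The following is an added example, not code from Elastic or the detection-rules repository, that applies those same three conditions to a handful of constructed NDJSON audit events and then models the rule's own false-positive note by filtering out principals an analyst has marked as expected. The sample events and the `user.email` / `gcp.audit.resource_name` field names used for display and allowlisting are assumptions about how the GCP integration shapes its documents; only `event.dataset`, `event.action` and `event.outcome` are taken from the rule itself.

```python
import json

# Constructed sample audit events (NDJSON, one per line) in roughly the ECS shape
# the GCP integration produces. Principals, bucket names and timestamps are
# illustrative placeholders, not real data.
SAMPLE_LOG_LINES = """\
{"@timestamp":"2023-06-22T10:00:01Z","event":{"dataset":"gcp.audit","action":"storage.buckets.update","outcome":"success"},"user":{"email":"alice@example.com"},"gcp":{"audit":{"resource_name":"projects/_/buckets/prod-backups"}}}
{"@timestamp":"2023-06-22T10:00:02Z","event":{"dataset":"gcp.audit","action":"storage.buckets.update","outcome":"failure"},"user":{"email":"bob@example.com"},"gcp":{"audit":{"resource_name":"projects/_/buckets/prod-backups"}}}
{"@timestamp":"2023-06-22T10:00:03Z","event":{"dataset":"gcp.audit","action":"storage.buckets.get","outcome":"success"},"user":{"email":"alice@example.com"},"gcp":{"audit":{"resource_name":"projects/_/buckets/prod-backups"}}}
{"@timestamp":"2023-06-22T10:00:04Z","event":{"dataset":"aws.cloudtrail","action":"storage.buckets.update","outcome":"success"},"user":{"email":"alice@example.com"}}
{"@timestamp":"2023-06-22T10:00:05Z","event":{"dataset":"gcp.audit","action":"storage.buckets.update","outcome":"success"},"user":{"email":"terraform-sa@example-project.iam.gserviceaccount.com"},"gcp":{"audit":{"resource_name":"projects/_/buckets/tf-state"}}}
"""


def get_field(event: dict, path: str):
    """Resolve a dotted ECS field name such as 'event.action' against a nested dict.
    Returns None when any segment of the path is missing."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event: dict) -> bool:
    """The rule's KQL, clause by clause:
        event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
    Each clause is an exact keyword match; a missing field fails the clause."""
    return (
        get_field(event, "event.dataset") == "gcp.audit"
        and get_field(event, "event.action") == "storage.buckets.update"
        and get_field(event, "event.outcome") == "success"
    )


def parse_ndjson(text: str) -> list:
    """One JSON document per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_alerts(lines: str, expected_principals=frozenset()) -> list:
    """Return the events the rule would alert on, minus events whose principal is
    on an allowlist. The allowlist models the rule's false-positive note that
    exceptions can be added for expected administrator or automation accounts
    (keying on user.email is an assumption for this example)."""
    alerts = []
    for event in parse_ndjson(lines):
        if not matches_rule(event):
            continue
        if get_field(event, "user.email") in expected_principals:
            continue
        alerts.append(event)
    return alerts


if __name__ == "__main__":
    allowlist = frozenset({"terraform-sa@example-project.iam.gserviceaccount.com"})
    for hit in find_alerts(SAMPLE_LOG_LINES, allowlist):
        print(hit["@timestamp"], get_field(hit, "user.email"),
              get_field(hit, "gcp.audit.resource_name"))
```

Run as-is, the script reports only the `alice@example.com` update of `prod-backups`: the failed update, the `storage.buckets.get` read, and the non-GCP event fall out of the rule's conditions, and the Terraform service account is suppressed by the allowlist. In Elastic itself the equivalent suppression would be a rule exception rather than code, but the logic an analyst must reason about when triaging is the same.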

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

https://cloud.google.com/storage/docs/key-terms#buckets