GCP Storage Bucket Configuration Modification

Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.

Elastic rule

[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may
modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.
"""
false_positives = [
    """
    Storage bucket configuration may be modified by system administrators. Verify that the configuration change was
    expected. Exceptions can be added to this rule to filter expected behavior.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Storage Bucket Configuration Modification"
note = """## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
risk_score = 47
rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Identity and Access Audit",
    "Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1578"
name = "Modify Cloud Compute Infrastructure"
reference = "https://attack.mitre.org/techniques/T1578/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
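As an added example (not part of the Elastic rule or its repository), the three conditions of the KQL query above applied in Python to constructed ECS-shaped GCP audit events, together with the principal allowlist that the false_positives note suggests for expected administrator changes. The fields `user.email` and `gcp.audit.resource_name` are assumed names for the actor and the bucket; only the three fields in the query come from the page.

```python
import json

# Constructed sample events in ECS shape, one JSON document per line (not real log data).
SAMPLE_EVENTS = [
    json.dumps({"event": {"dataset": "gcp.audit", "action": "storage.buckets.update", "outcome": "success"},
                "user": {"email": "alice@example.com"},
                "gcp": {"audit": {"resource_name": "projects/_/buckets/finance-data"}}}),
    # Same action, but the change failed: the rule requires event.outcome:success.
    json.dumps({"event": {"dataset": "gcp.audit", "action": "storage.buckets.update", "outcome": "failure"},
                "user": {"email": "alice@example.com"},
                "gcp": {"audit": {"resource_name": "projects/_/buckets/finance-data"}}}),
    # A read of bucket metadata, not a modification.
    json.dumps({"event": {"dataset": "gcp.audit", "action": "storage.buckets.get", "outcome": "success"},
                "user": {"email": "carol@example.com"},
                "gcp": {"audit": {"resource_name": "projects/_/buckets/finance-data"}}}),
    # A matching change by an administrator who is expected to make such changes.
    json.dumps({"event": {"dataset": "gcp.audit", "action": "storage.buckets.update", "outcome": "success"},
                "user": {"email": "bob@example.com"},
                "gcp": {"audit": {"resource_name": "projects/_/buckets/build-artifacts"}}}),
    "not json at all",  # malformed line, skipped by the parser
]


def get_field(doc, dotted):
    """Resolve a dotted ECS field name such as 'event.action' against nested JSON."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc):
    """The rule's query: event.dataset:gcp.audit and event.action:"storage.buckets.update" and event.outcome:success."""
    return (get_field(doc, "event.dataset") == "gcp.audit"
            and get_field(doc, "event.action") == "storage.buckets.update"
            and get_field(doc, "event.outcome") == "success")


def triage(lines, expected_principals=frozenset()):
    """Return one alert per matching event, dropping changes made by allowlisted (expected) principals."""
    alerts = []
    for line in lines:
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a parseable event; a real pipeline would count these separately
        if not matches_rule(doc):
            continue
        actor = get_field(doc, "user.email")  # assumed field name for the acting principal
        if actor in expected_principals:
            continue  # the exception the rule's false_positives note describes
        alerts.append({"actor": actor, "bucket": get_field(doc, "gcp.audit.resource_name")})
    return alerts
```

Running `triage(SAMPLE_EVENTS)` raises two alerts (alice and bob); adding bob to `expected_principals` leaves only the finance-data change by alice for review.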
