GCP Storage Bucket Deletion
Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
Elastic rule
```toml
[metadata]
creation_date = "2020/09/21"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in
order to disrupt their target's business operations.
"""
false_positives = [
    """
    Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name,
    and/or hostname should be making changes in your environment. Bucket deletions by unfamiliar users or hosts should
    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Storage Bucket Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Storage Bucket Deletion

Google Cloud Platform (GCP) storage buckets are essential for storing and managing data in cloud environments. Adversaries may target these buckets to delete critical data, causing operational disruptions. The detection rule monitors audit logs for deletion actions, identifying potential malicious activity by flagging events where storage buckets are removed, thus enabling timely investigation and response.

### Possible investigation steps

- Review the audit logs for the specific event.action "storage.buckets.delete" to identify the user or service account responsible for the deletion.
- Check the timestamp of the deletion event to determine when the bucket was deleted and correlate it with any other suspicious activities around that time.
- Investigate the IP address and location from which the deletion request originated to assess if it aligns with expected access patterns.
- Examine the permissions and roles assigned to the user or service account involved in the deletion to determine if they had legitimate access.
- Look for any recent changes in IAM policies or permissions that might have allowed unauthorized access to the storage bucket.
- Contact the relevant stakeholders or data owners to confirm if the deletion was authorized or if it was unexpected.

### False positive analysis

- Routine maintenance or scheduled deletions by authorized personnel can trigger false positives. To manage this, create exceptions for known maintenance windows or specific user accounts responsible for these tasks.
- Automated scripts or applications that manage storage lifecycle policies might delete buckets as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using service account identifiers.
- Development or testing environments often involve frequent creation and deletion of storage buckets. Exclude these environments from monitoring by filtering based on project IDs or environment tags.
- Organizational policy changes that involve restructuring storage resources can lead to legitimate bucket deletions. Coordinate with relevant teams to update detection rules temporarily during such changes.

### Response and remediation

- Immediately isolate the affected GCP project to prevent further unauthorized access or actions. This can be done by revoking access keys and permissions for any suspicious accounts identified in the audit logs.
- Restore the deleted storage bucket from the most recent backup to minimize data loss and operational disruption. Ensure that the backup is clean and free from any malicious alterations.
- Conduct a thorough review of IAM roles and permissions associated with the affected storage bucket to ensure that only authorized users have the necessary access. Implement the principle of least privilege.
- Enable versioning on critical storage buckets to protect against accidental or malicious deletions in the future, allowing for easier recovery of deleted objects.
- Set up alerts for any future deletion actions on storage buckets to ensure immediate awareness and response to similar threats.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data were compromised.
- Document the incident, including actions taken and lessons learned, to improve response strategies and update incident response plans for future reference.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
risk_score = 47
rule_id = "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Tactic: Impact", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:"storage.buckets.delete"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
```
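The following is an added example, not Elastic's code or part of the rule above. It applies the rule's query logic (`event.dataset:gcp.audit and event.action:"storage.buckets.delete"`) to a handful of constructed, flattened ECS-style GCP audit events, pulls out the fields the investigation steps ask an analyst to look at (principal, source IP, project, resource name, timestamp), and shows the two kinds of exceptions the false-positive section describes: excluding a known lifecycle service account and excluding a dev/test project. The field names other than `event.dataset` and `event.action` (`user.email`, `source.ip`, `cloud.project.id`, `gcp.audit.resource_name`) and every sample event are assumptions made for this illustration; check them against the GCP integration's actual mapping before reusing the logic.

```python
"""Added example (not Elastic's code): evaluate the GCP Storage Bucket
Deletion rule's query over flattened ECS-style audit events, attach the
triage fields the guide asks for, and apply tuning exceptions.

All sample events and the field names beyond event.dataset / event.action
are constructed for illustration, not taken from the integration mapping.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample events (flattened ECS-style keys). Events 1, 4 and 5
# are bucket deletions in the gcp.audit dataset; 2 and 3 exercise the
# negative paths (wrong action, wrong dataset).
SAMPLE_EVENTS = [
    {"@timestamp": "2025-01-15T10:01:00Z", "event.dataset": "gcp.audit",
     "event.action": "storage.buckets.delete", "user.email": "alice@example.com",
     "source.ip": "203.0.113.10", "cloud.project.id": "prod-project",
     "gcp.audit.resource_name": "projects/_/buckets/prod-backups"},
    {"@timestamp": "2025-01-15T10:02:00Z", "event.dataset": "gcp.audit",
     "event.action": "storage.buckets.create", "user.email": "alice@example.com",
     "source.ip": "203.0.113.10", "cloud.project.id": "prod-project",
     "gcp.audit.resource_name": "projects/_/buckets/prod-reports"},
    {"@timestamp": "2025-01-15T10:03:00Z", "event.dataset": "aws.cloudtrail",
     "event.action": "storage.buckets.delete", "user.email": "bob@example.com"},
    {"@timestamp": "2025-01-15T10:04:00Z", "event.dataset": "gcp.audit",
     "event.action": "storage.buckets.delete",
     "user.email": "lifecycle-sa@prod-project.iam.gserviceaccount.com",
     "source.ip": "10.0.0.5", "cloud.project.id": "prod-project",
     "gcp.audit.resource_name": "projects/_/buckets/prod-tmp-20250114"},
    {"@timestamp": "2025-01-15T10:05:00Z", "event.dataset": "gcp.audit",
     "event.action": "storage.buckets.delete", "user.email": "dev@example.com",
     "source.ip": "198.51.100.7", "cloud.project.id": "dev-sandbox",
     "gcp.audit.resource_name": "projects/_/buckets/scratch"},
]

# Fields the investigation steps tell the analyst to review first.
TRIAGE_FIELDS = ("@timestamp", "user.email", "source.ip",
                 "cloud.project.id", "gcp.audit.resource_name")


def matches_rule(event: dict) -> bool:
    """Exact-match equivalent of the rule's KQL on keyword fields."""
    return (event.get("event.dataset") == "gcp.audit"
            and event.get("event.action") == "storage.buckets.delete")


@dataclass
class Exceptions:
    """Known-good deleters, modelled on the false-positive guidance."""
    service_accounts: set = field(default_factory=set)  # automation identities
    project_ids: set = field(default_factory=set)       # dev/test projects


def is_excepted(event: dict, exc: Exceptions) -> bool:
    """True when the event comes from an excluded identity or project."""
    return (event.get("user.email") in exc.service_accounts
            or event.get("cloud.project.id") in exc.project_ids)


def run_rule(events: Iterable[dict], exc: Optional[Exceptions] = None) -> List[dict]:
    """Return one alert per matching, non-excepted event, carrying triage fields."""
    exc = exc or Exceptions()
    alerts = []
    for ev in events:
        if matches_rule(ev) and not is_excepted(ev, exc):
            # Missing fields become None so the analyst sees the gap
            # instead of the rule crashing on a KeyError.
            alerts.append({k: ev.get(k) for k in TRIAGE_FIELDS})
    return alerts


def triage_line(alert: dict) -> str:
    """One-line summary an analyst can paste into a ticket."""
    return (f"{alert['@timestamp']} {alert['user.email']} from {alert['source.ip']} "
            f"deleted {alert['gcp.audit.resource_name']} in {alert['cloud.project.id']}")


if __name__ == "__main__":
    tuned = Exceptions(
        service_accounts={"lifecycle-sa@prod-project.iam.gserviceaccount.com"},
        project_ids={"dev-sandbox"},
    )
    print("untuned:", len(run_rule(SAMPLE_EVENTS)), "alerts")
    for alert in run_rule(SAMPLE_EVENTS, tuned):
        print("tuned:  ", triage_line(alert))
```

Run untuned, the sample set yields three alerts; with the lifecycle service account and the sandbox project excepted, only the interactive deletion of `prod-backups` by a human principal remains, which is the case the investigation steps are written for. In Kibana the same tuning is done with rule exceptions rather than code, but the logic of matching on exact keyword values and then carving out known identities and projects is the same.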
Related rules
- GCP IAM Role Deletion
- GCP Service Account Deletion
- GCP Service Account Disabled
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion