GCP Storage Bucket Deletion
Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.
Elastic rule
[metadata]
creation_date = "2020/09/21"
integration = ["gcp"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in
order to disrupt their target's business operations.
"""
false_positives = [
    """
    Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name,
    and/or hostname should be making changes in your environment. Bucket deletions by unfamiliar users or hosts should
    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Storage Bucket Deletion"
note = """## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
risk_score = 47
rule_id = "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331"
severity = "medium"
tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:"storage.buckets.delete"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
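To show what the KQL query above actually matches once GCP audit logs have been shipped through the Fleet integration or Filebeat module, here is an added example (not part of the Elastic rule or its pipeline) that maps a few constructed Cloud Logging entries to the ECS-style fields the rule uses and applies the same condition, keeping the user email, resource name and caller IP that the false-positive guidance says to verify. The ECS field names for the triage fields (`user.email`, `gcp.audit.resource_name`, `source.ip`) are assumptions, and the mapping is a simplified stand-in for the real ingest pipeline.

```python
import json
# Constructed sample Cloud Logging entries (not real data); the protoPayload
# follows the GCP AuditLog shape, with only the fields the rule needs.
AUDIT_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

def audit_entry(method, resource, email, ip="203.0.113.10"):
    """Build one constructed Cloud Logging entry as a JSON line."""
    return json.dumps({
        "timestamp": "2024-05-21T10:15:00Z",
        "protoPayload": {
            "@type": AUDIT_TYPE,
            "serviceName": "storage.googleapis.com",
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": email},
            "requestMetadata": {"callerIp": ip},
        },
    })

SAMPLE_LOG_LINES = [
    audit_entry("storage.buckets.create", "projects/_/buckets/example-backups", "admin@example.com"),
    audit_entry("storage.objects.delete", "projects/_/buckets/example-backups/objects/a.tar", "app@example.com"),
    audit_entry("storage.buckets.delete", "projects/_/buckets/example-backups", "someone@example.com"),
    '{"timestamp": "2024-05-21T10:16:00Z", "textPayload": "not an audit log"}',
]

def to_ecs(raw_line):
    """Map a raw entry to the ECS-style fields the rule queries: a simplified
    stand-in for the Fleet/Filebeat gcp.audit pipeline; field names assumed."""
    entry = json.loads(raw_line)
    payload = entry.get("protoPayload") or {}
    if payload.get("@type") != AUDIT_TYPE:
        return None  # non-audit entries never land in event.dataset:gcp.audit
    return {
        "@timestamp": entry.get("timestamp"),
        "event.dataset": "gcp.audit",
        "event.action": payload.get("methodName"),
        "user.email": payload.get("authenticationInfo", {}).get("principalEmail"),
        "gcp.audit.resource_name": payload.get("resourceName"),
        "source.ip": payload.get("requestMetadata", {}).get("callerIp"),
    }

def matches_rule(doc):
    '''Equivalent of: event.dataset:gcp.audit and event.action:"storage.buckets.delete"'''
    return doc["event.dataset"] == "gcp.audit" and doc["event.action"] == "storage.buckets.delete"

def run_rule(raw_lines):
    """Return the ECS documents that would alert, carrying the triage fields."""
    docs = (to_ecs(raw) for raw in raw_lines)
    return [d for d in docs if d is not None and matches_rule(d)]
```

Only the bucket-level delete fires; object deletions, bucket creation and non-audit entries are ignored, and each alert carries the email, resource name and IP an analyst checks before exempting known administrative activity.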
References
- https://cloud.google.com/storage/docs/key-terms#buckets
Related rules
- GCP IAM Role Deletion
- GCP Service Account Deletion
- GCP Service Account Disabled
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion