GCP GCR container uploaded
Description
This search shows information on uploaded containers, including source user, account, action, bucket name, event name, HTTP user agent, message and destination path.
- Type: Hunting
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-02-20
- Author: Rod Soto, Rico Valdez, Splunk
- ID: 4f00ca88-e766-4605-ac65-ae51c9fd185b
Annotations
ATT&CK
ID | Technique | Tactic |
---|---|---|
T1525 | Implant Internal Image | Persistence |
Kill Chain Phase
- Exploitation
NIST
CIS20
CVE
Search
|tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Cloud_Infrastructure.Storage where Storage.event_name=storage.objects.create by Storage.src_user Storage.account Storage.action Storage.bucket_name Storage.event_name Storage.http_user_agent Storage.msg Storage.object_path
| `drop_dm_object_name("Storage")`
| `gcp_gcr_container_uploaded_filter`
Macros
The SPL above uses the following macros: `drop_dm_object_name` and `gcp_gcr_container_uploaded_filter`.
Note that gcp_gcr_container_uploaded_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required field
- _time
How To Implement
You must install the GCP App for Splunk (version 2.0.0 or later), then configure Stackdriver and set up a Pub/Sub subscription to be imported into Splunk. You must also install the Cloud Infrastructure data model. Please also customize the container_implant_gcp_detection_filter macro to filter out false positives.
Known False Positives
Uploading a container is normal behavior for developers or users with access to the container registry. GCP GCR registers a container upload as a Storage event, so the results of this search must be considered in the context of container upload creation, which automatically generates a bucket entry for the destination path.
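To show what the tstats search above computes, and how the empty filter macro is meant to be tuned against the false positives just described, here is an added Python example that is not part of the Splunk content itself. It replays constructed Storage-model events (not real GCP logs) through the same filter-group-aggregate logic; the CI service-account allowlist is an assumed example of a filter, not something the page prescribes.

```python
from collections import defaultdict

# Field names from the Cloud_Infrastructure.Storage data model, in the order of
# the search's "by" clause (after drop_dm_object_name strips the "Storage." prefix).
GROUP_FIELDS = ("src_user", "account", "action", "bucket_name", "event_name",
                "http_user_agent", "msg", "object_path")

def make_event(t, user, event_name, agent="docker/19.03",
               path="containers/images/sha256:aaa"):
    """Build one constructed Storage event (sample data, not real GCP logs)."""
    return {"_time": t, "src_user": user, "account": "proj-a", "action": "created",
            "bucket_name": "artifacts.proj-a.appspot.com", "event_name": event_name,
            "http_user_agent": agent, "msg": "object created", "object_path": path}

# Constructed sample: two pushes of the same image by a developer, one read
# (not an upload), and one push by a CI service account. _time is epoch seconds.
SAMPLE_EVENTS = [
    make_event(1582192800, "dev@example.com", "storage.objects.create"),
    make_event(1582193100, "dev@example.com", "storage.objects.create"),
    make_event(1582196400, "dev@example.com", "storage.objects.get"),
    make_event(1582200000, "ci-bot@proj-a.iam.gserviceaccount.com",
               "storage.objects.create", agent="google-cloud-sdk",
               path="containers/images/sha256:bbb"),
]

def gcr_container_uploaded(events, filter_fn=lambda row: True):
    """Mirror the search: keep storage.objects.create, group by GROUP_FIELDS,
    compute count/firstTime/lastTime, then apply the filter macro equivalent."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("event_name") != "storage.objects.create":
            continue
        groups[tuple(ev.get(f) for f in GROUP_FIELDS)].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row.update(count=len(times), firstTime=min(times), lastTime=max(times))
        if filter_fn(row):
            rows.append(row)
    return rows

# Assumed tuning of gcp_gcr_container_uploaded_filter: suppress uploads from a
# known CI service account so only interactive pushes remain for review.
KNOWN_CI_ACCOUNTS = {"ci-bot@proj-a.iam.gserviceaccount.com"}

def exclude_known_ci(row):
    return row["src_user"] not in KNOWN_CI_ACCOUNTS

if __name__ == "__main__":
    for row in gcr_container_uploaded(SAMPLE_EVENTS, exclude_known_ci):
        print(row["src_user"], row["object_path"], row["count"],
              row["firstTime"], row["lastTime"])
```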
Associated Analytic story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
25.0 | 50 | 50 | tbd |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 1