Try in Splunk Security Cloud


This search show information on uploaded containers including source user, account, action, bucket name event name, http user agent, message and destination path.

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2020-02-20
  • Author: Rod Soto, Rico Valdez, Splunk
  • ID: 4f00ca88-e766-4605-ac65-ae51c9fd185b


ID Technique Tactic
T1525 Implant Internal Image Persistence
Kill Chain Phase
  • Exploitation
|tstats count min(_time) as firstTime max(_time) as lastTime  FROM datamodel=Cloud_Infrastructure.Storage where Storage.event_name=storage.objects.create by Storage.src_user Storage.account Storage.action Storage.bucket_name Storage.event_name Storage.http_user_agent Storage.msg Storage.object_path 
| `drop_dm_object_name("Storage")`  
| `gcp_gcr_container_uploaded_filter` 


The SPL above uses the following Macros:

Note that gcp_gcr_container_uploaded_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

  • _time

How To Implement

You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a subpub subscription to be imported to Splunk. You must also install Cloud Infrastructure data model. Please also customize the container_implant_gcp_detection_filter macro to filter out the false positives.

Known False Positives

Uploading container is a normal behavior from developers or users with access to container registry. GCP GCR registers container upload as a Storage event, this search must be considered under the context of CONTAINER upload creation which automatically generates a bucket entry for destination path.

Associated Analytic story


Risk Score Impact Confidence Message
25.0 50 50 tbd


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1