
Description

Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behavior, such as storage buckets being opened to the public and buckets being accessed from an IP address not seen before. The contextual and investigative searches provide more information when it is required.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-08-05
  • Author: Shannon Davis, Splunk
  • ID: 4d656b2e-d6be-11ea-87d0-0242ac130003

Narrative

Similar to other cloud providers, GCP operates on a shared responsibility model: Google secures the underlying platform, and you, the end user, are responsible for setting appropriate IAM bindings, access control lists and permissions on your GCP resources. This Analytic Story concentrates on detecting open storage buckets (both readable and writable by the public) along with storage bucket access from unfamiliar users and IP addresses.
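The two behaviors the narrative describes, a bucket being opened to the public and a bucket being accessed from an IP address not seen before, as an added Python example. It is not Splunk's code and stands in for the story's SPL searches, which this page does not reproduce. It assumes the Cloud Storage audit-log field layout (resource.type of gcs_bucket, protoPayload.methodName, requestMetadata.callerIp, authenticationInfo.principalEmail, and serviceData.policyDelta.bindingDeltas for IAM changes) and the role-to-read/write mapping shown in the constants; the log entries are constructed, not real telemetry.

```python
import json
from collections import defaultdict

# Roles that grant read or write on bucket contents when bound to a public member.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.legacyObjectReader",
              "roles/storage.legacyBucketReader"}
WRITE_ROLES = {"roles/storage.objectCreator", "roles/storage.objectAdmin", "roles/storage.admin",
               "roles/storage.legacyBucketWriter", "roles/storage.legacyBucketOwner"}

def _event(ts, user, ip, bucket, method, deltas=None):
    """Build one constructed Cloud Audit Log entry (JSON line) for a gcs_bucket resource."""
    payload = {"methodName": method,
               "authenticationInfo": {"principalEmail": user},
               "requestMetadata": {"callerIp": ip}}
    if deltas is not None:  # IAM changes carry the binding diff in serviceData.policyDelta
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": [
            {"action": a, "role": r, "member": m} for a, r, m in deltas]}}
    return json.dumps({"timestamp": ts,
                       "resource": {"type": "gcs_bucket", "labels": {"bucket_name": bucket}},
                       "protoPayload": payload})

# Constructed sample telemetry, not real logs: four IAM changes, then six object accesses.
SAMPLE_LOGS = [
    _event("2020-08-01T09:00:00Z", "alice@example.com", "198.51.100.20", "corp-backups",
           "storage.setIamPermissions", [("ADD", "roles/storage.objectViewer", "allUsers")]),
    _event("2020-08-01T09:05:00Z", "bob@example.com", "198.51.100.21", "public-site",
           "storage.setIamPermissions", [("ADD", "roles/storage.objectCreator", "allAuthenticatedUsers")]),
    _event("2020-08-01T09:10:00Z", "carol@example.com", "198.51.100.22", "private-data",
           "storage.setIamPermissions", [("ADD", "roles/storage.objectViewer", "user:dave@example.com")]),
    _event("2020-08-01T09:15:00Z", "alice@example.com", "198.51.100.20", "corp-backups",
           "storage.setIamPermissions", [("REMOVE", "roles/storage.objectViewer", "allUsers")]),
    _event("2020-08-01T10:00:00Z", "alice@example.com", "203.0.113.10", "corp-backups", "storage.objects.get"),
    _event("2020-08-01T10:30:00Z", "alice@example.com", "203.0.113.10", "private-data", "storage.objects.list"),
    _event("2020-08-02T08:00:00Z", "alice@example.com", "203.0.113.10", "corp-backups", "storage.objects.get"),
    _event("2020-08-02T08:05:00Z", "alice@example.com", "198.51.100.7", "corp-backups", "storage.objects.get"),
    _event("2020-08-02T08:06:00Z", "alice@example.com", "198.51.100.7", "corp-backups", "storage.objects.get"),
    _event("2020-08-02T09:00:00Z", "mallory@example.com", "203.0.113.10", "public-site", "storage.objects.list"),
]

def _bucket_events(raw_logs):
    """Yield (entry, protoPayload, bucket_name) for gcs_bucket entries in timestamp order."""
    for e in sorted((json.loads(line) for line in raw_logs), key=lambda e: e["timestamp"]):
        if e["resource"]["type"] == "gcs_bucket":
            yield e, e["protoPayload"], e["resource"]["labels"]["bucket_name"]

def detect_open_buckets(raw_logs):
    """TTP: an IAM change that ADDs allUsers/allAuthenticatedUsers with a read or write role."""
    findings = []
    for e, p, bucket in _bucket_events(raw_logs):
        if p["methodName"] != "storage.setIamPermissions":
            continue
        for d in p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
            if d["action"] != "ADD" or d["member"] not in PUBLIC_MEMBERS:
                continue  # removals and named principals do not open the bucket
            access = "write" if d["role"] in WRITE_ROLES else "read" if d["role"] in READ_ROLES else None
            if access:
                findings.append({"bucket": bucket, "member": d["member"], "role": d["role"],
                                 "access": access, "timestamp": e["timestamp"],
                                 "user": p["authenticationInfo"]["principalEmail"]})
    return findings

def detect_new_ips(raw_logs, baseline_until):
    """Anomaly: object access on a bucket from a callerIp not seen for that bucket in the baseline.

    Timestamps are RFC 3339 UTC strings of identical shape, so string comparison orders them.
    """
    seen = defaultdict(set)
    findings = []
    for e, p, bucket in _bucket_events(raw_logs):
        if not p["methodName"].startswith("storage.objects."):
            continue
        ip = p["requestMetadata"]["callerIp"]
        if e["timestamp"] < baseline_until:
            seen[bucket].add(ip)  # baseline window: learn, never alert
        elif ip not in seen[bucket]:
            findings.append({"bucket": bucket, "src_ip": ip, "timestamp": e["timestamp"],
                             "user": p["authenticationInfo"]["principalEmail"]})
            seen[bucket].add(ip)  # alert once, then treat the IP as known for that bucket
    return findings

if __name__ == "__main__":
    for f in detect_open_buckets(SAMPLE_LOGS):
        print("OPEN BUCKET", f)
    for f in detect_new_ips(SAMPLE_LOGS, "2020-08-02T00:00:00Z"):
        print("NEW IP", f)
```

The open-bucket check is a TTP match on a single event, so the REMOVE delta and the binding to a named user correctly produce nothing. The new-IP check needs a learning window, so a cutoff separates the baseline from the period under evaluation, the same "previously seen" pattern a lookup-backed Splunk search implements; on the sample data it flags the first access from 198.51.100.7 but not the repeat, and flags 203.0.113.10 on public-site even though that address is known on other buckets, because the baseline is kept per bucket. Two caveats for a real deployment: storage.objects.get and storage.objects.list entries are Data Access audit logs, which Cloud Storage does not emit until Data Access logging is enabled, so the anomaly search has nothing to match by default; and when uniform bucket-level access is off, objects can be exposed through per-object ACLs that bucket-level IAM deltas alone will not surface.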

Detections

Name | Technique | Type
Detect GCP Storage access from a new IP | Data from Cloud Storage Object (T1530) | Anomaly
Detect New Open GCP Storage Buckets | Data from Cloud Storage Object (T1530) | TTP

Version: 1