Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

GCP IAM - Publicly exposed storage bucket

Back
Id4a433846-4b05-4a27-99d7-92093feded79
RulenameGCP IAM - Publicly exposed storage bucket
DescriptionDetects possible misconfiguration for bucket policy making it publicly available.
SeverityMedium
TacticsDiscovery
TechniquesT1069
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMPublicBucket.yaml
Version1.0.1
Arm template4a433846-4b05-4a27-99d7-92093feded79.json
Deploy To Azure
GCP_IAM
| where PayloadMethodname =~ 'google.iam.v1.IAMPolicy.SetIamPolicy'
| where ResourceType has 'bucket'
| extend members = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['members']
| extend action = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['action']
| where members in~ ('allUsers', 'allAuthenticatedUsers')
| where action =~ 'ADD'
| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])
status: Available
id: 4a433846-4b05-4a27-99d7-92093feded79
query: |
  GCP_IAM
  | where PayloadMethodname =~ 'google.iam.v1.IAMPolicy.SetIamPolicy'
  | where ResourceType has 'bucket'
  | extend members = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['members']
  | extend action = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['action']
  | where members in~ ('allUsers', 'allAuthenticatedUsers')
  | where action =~ 'ADD'
  | extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMPublicBucket.yaml
description: |
    'Detects possible misconfiguration for bucket policy making it publicly available.'
name: GCP IAM - Publicly exposed storage bucket
relevantTechniques:
- T1069
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: PayloadAuthenticationinfoPrincipalemail
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- dataTypes:
  - GCP_IAM
  connectorId: GCPIAMDataConnector
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.1
kind: Scheduled
tactics:
- Discovery
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4a433846-4b05-4a27-99d7-92093feded79')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4a433846-4b05-4a27-99d7-92093feded79')]",
      "properties": {
        "alertRuleTemplateName": "4a433846-4b05-4a27-99d7-92093feded79",
        "customDetails": null,
        "description": "'Detects possible misconfiguration for bucket policy making it publicly available.'\n",
        "displayName": "GCP IAM - Publicly exposed storage bucket",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "PayloadAuthenticationinfoPrincipalemail",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMPublicBucket.yaml",
        "query": "GCP_IAM\n| where PayloadMethodname =~ 'google.iam.v1.IAMPolicy.SetIamPolicy'\n| where ResourceType has 'bucket'\n| extend members = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['members']\n| extend action = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['action']\n| where members in~ ('allUsers', 'allAuthenticatedUsers')\n| where action =~ 'ADD'\n| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, \"@\")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, \"@\")[1])\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1069"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}