Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP IAM - Publicly exposed storage bucket

GCP IAM - Publicly exposed storage bucket

Back
Id4a433846-4b05-4a27-99d7-92093feded79
RulenameGCP IAM - Publicly exposed storage bucket
DescriptionDetects possible misconfiguration for bucket policy making it publicly available.
SeverityMedium
TacticsDiscovery
TechniquesT1069
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMPublicBucket.yaml
Version1.0.1
Arm template4a433846-4b05-4a27-99d7-92093feded79.json
Deploy To Azure
GCP_IAM
| where PayloadMethodname =~ 'google.iam.v1.IAMPolicy.SetIamPolicy'
| where ResourceType has 'bucket'
| extend members = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['members']
| extend action = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['action']
| where members in~ ('allUsers', 'allAuthenticatedUsers')
| where action =~ 'ADD'
| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])

description: |
    'Detects possible misconfiguration for bucket policy making it publicly available.'
requiredDataConnectors:
- dataTypes:
  - GCP_IAM
  connectorId: GCPIAMDataConnector
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMPublicBucket.yaml
id: 4a433846-4b05-4a27-99d7-92093feded79
name: GCP IAM - Publicly exposed storage bucket
relevantTechniques:
- T1069
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: PayloadAuthenticationinfoPrincipalemail
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
kind: Scheduled
version: 1.0.1
triggerOperator: gt
query: |
  GCP_IAM
  | where PayloadMethodname =~ 'google.iam.v1.IAMPolicy.SetIamPolicy'
  | where ResourceType has 'bucket'
  | extend members = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['members']
  | extend action = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['action']
  | where members in~ ('allUsers', 'allAuthenticatedUsers')
  | where action =~ 'ADD'
  | extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])  
status: Available
tactics:
- Discovery
queryPeriod: 1h
severity: Medium
queryFrequency: 1h