Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP IAM - Publicly exposed storage bucket

GCP IAM - Publicly exposed storage bucket

Back
Id4a433846-4b05-4a27-99d7-92093feded79
RulenameGCP IAM - Publicly exposed storage bucket
DescriptionDetects possible misconfiguration for bucket policy making it publicly available.
SeverityMedium
TacticsDiscovery
TechniquesT1069
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMPublicBucket.yaml
Version1.0.1
Arm template4a433846-4b05-4a27-99d7-92093feded79.json
Deploy To Azure
GCP_IAM
| where PayloadMethodname =~ 'google.iam.v1.IAMPolicy.SetIamPolicy'
| where ResourceType has 'bucket'
| extend members = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['members']
| extend action = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['action']
| where members in~ ('allUsers', 'allAuthenticatedUsers')
| where action =~ 'ADD'
| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])

requiredDataConnectors:
- dataTypes:
  - GCP_IAM
  connectorId: GCPIAMDataConnector
triggerThreshold: 0
relevantTechniques:
- T1069
queryPeriod: 1h
version: 1.0.1
id: 4a433846-4b05-4a27-99d7-92093feded79
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMPublicBucket.yaml
query: |
  GCP_IAM
  | where PayloadMethodname =~ 'google.iam.v1.IAMPolicy.SetIamPolicy'
  | where ResourceType has 'bucket'
  | extend members = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['members']
  | extend action = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['action']
  | where members in~ ('allUsers', 'allAuthenticatedUsers')
  | where action =~ 'ADD'
  | extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])  
status: Available
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: PayloadAuthenticationinfoPrincipalemail
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
tactics:
- Discovery
severity: Medium
name: GCP IAM - Publicly exposed storage bucket
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
description: |
    'Detects possible misconfiguration for bucket policy making it publicly available.'

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4a433846-4b05-4a27-99d7-92093feded79')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4a433846-4b05-4a27-99d7-92093feded79')]",
      "properties": {
        "alertRuleTemplateName": "4a433846-4b05-4a27-99d7-92093feded79",
        "customDetails": null,
        "description": "'Detects possible misconfiguration for bucket policy making it publicly available.'\n",
        "displayName": "GCP IAM - Publicly exposed storage bucket",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "PayloadAuthenticationinfoPrincipalemail",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMPublicBucket.yaml",
        "query": "GCP_IAM\n| where PayloadMethodname =~ 'google.iam.v1.IAMPolicy.SetIamPolicy'\n| where ResourceType has 'bucket'\n| extend members = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['members']\n| extend action = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['action']\n| where members in~ ('allUsers', 'allAuthenticatedUsers')\n| where action =~ 'ADD'\n| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, \"@\")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, \"@\")[1])\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1069"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}