Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GCP IAM - Publicly exposed storage bucket

GCP IAM - Publicly exposed storage bucket

Back
Id4a433846-4b05-4a27-99d7-92093feded79
RulenameGCP IAM - Publicly exposed storage bucket
DescriptionDetects possible misconfiguration for bucket policy making it publicly available.
SeverityMedium
TacticsDiscovery
TechniquesT1069
Required data connectorsGCPIAMDataConnector
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMPublicBucket.yaml
Version1.0.1
Arm template4a433846-4b05-4a27-99d7-92093feded79.json
Deploy To Azure
GCP_IAM
| where PayloadMethodname =~ 'google.iam.v1.IAMPolicy.SetIamPolicy'
| where ResourceType has 'bucket'
| extend members = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['members']
| extend action = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['action']
| where members in~ ('allUsers', 'allAuthenticatedUsers')
| where action =~ 'ADD'
| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])

status: Available
triggerThreshold: 0
queryFrequency: 1h
id: 4a433846-4b05-4a27-99d7-92093feded79
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMPublicBucket.yaml
severity: Medium
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: PayloadAuthenticationinfoPrincipalemail
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
relevantTechniques:
- T1069
requiredDataConnectors:
- connectorId: GCPIAMDataConnector
  dataTypes:
  - GCP_IAM
name: GCP IAM - Publicly exposed storage bucket
query: |
  GCP_IAM
  | where PayloadMethodname =~ 'google.iam.v1.IAMPolicy.SetIamPolicy'
  | where ResourceType has 'bucket'
  | extend members = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['members']
  | extend action = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['action']
  | where members in~ ('allUsers', 'allAuthenticatedUsers')
  | where action =~ 'ADD'
  | extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, "@")[1])  
queryPeriod: 1h
tactics:
- Discovery
triggerOperator: gt
kind: Scheduled
version: 1.0.1
description: |
    'Detects possible misconfiguration for bucket policy making it publicly available.'

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4a433846-4b05-4a27-99d7-92093feded79')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4a433846-4b05-4a27-99d7-92093feded79')]",
      "properties": {
        "alertRuleTemplateName": "4a433846-4b05-4a27-99d7-92093feded79",
        "customDetails": null,
        "description": "'Detects possible misconfiguration for bucket policy making it publicly available.'\n",
        "displayName": "GCP IAM - Publicly exposed storage bucket",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "PayloadAuthenticationinfoPrincipalemail",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIAM/Analytic Rules/GCPIAMPublicBucket.yaml",
        "query": "GCP_IAM\n| where PayloadMethodname =~ 'google.iam.v1.IAMPolicy.SetIamPolicy'\n| where ResourceType has 'bucket'\n| extend members = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['members']\n| extend action = parse_json(todynamic(PayloadRequestPolicyBindings))[0]['action']\n| where members in~ ('allUsers', 'allAuthenticatedUsers')\n| where action =~ 'ADD'\n| extend AccountName = tostring(split(PayloadAuthenticationinfoPrincipalemail, \"@\")[0]), AccountUPNSuffix = tostring(split(PayloadAuthenticationinfoPrincipalemail, \"@\")[1])\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1069"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}