Skip to main content

I need to create a rule that will trigger an alert every time a new bucket is created in GCP.

I tried to do this -

 

rule new_bucket_creation {
 
meta:
description = "Alert if a new bucket is created"
severity = "Medium"

events:
$bucket.metadata.event_type = "RESOURCE_CREATION"
$bucket.target.resource.resource_type = "STORAGE_BUCKET"

outcome:
$risk_score = 0

condition:
$bucket
}
 
How do I write such a rule?
How should I properly change the rule I wrote?
 
Thank you

Generally the best path to building a rule like this would be to perform this action, collect the logs and review in search to get a feel for all of the fields that could be used to get your rule built. Below is a sample of what could be used. Note that this is a single event rule and does not aggregate these buckets being created but hopefully this is enough to get you started.


rule storage_bucket_creation_gcp {

meta:
author = "Google Cloud Security"
description = "Identify the creation of new storage bucket in GCP"
severity = "Low"

events:
$create.metadata.event_type = "RESOURCE_CREATION"
$create.metadata.product_event_type = "storage.buckets.create"
$create.metadata.product_name = "Google Cloud Storage"
$create.metadata.vendor_name = "Google Cloud Platform"

outcome:
$risk_score = 0
$bucket_name = $create.target.resource.name
$gcp_project_name = $create.target.cloud.project.name
$bucket_path = $create.target.file.full_path
$bucket_location = $create.target.location.name
$requesting_user = $create.principal.user.userid
$requesting_ip = array_distinct($create.principal.ip)
$user_agent = $create.network.http.user_agent

condition:
$create
}

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.