I need to create a rule that will trigger an alert every time a new bucket is created in GCP.
I tried to do this -
Generally the best path to building a rule like this would be to perform this action, collect the logs and review in search to get a feel for all of the fields that could be used to get your rule built. Below is a sample of what could be used. Note that this is a single event rule and does not aggregate these buckets being created but hopefully this is enough to get you started.
rule storage_bucket_creation_gcp {
meta:
author = "Google Cloud Security"
description = "Identify the creation of new storage bucket in GCP"
severity = "Low"
events:
$create.metadata.event_type = "RESOURCE_CREATION"
$create.metadata.product_event_type = "storage.buckets.create"
$create.metadata.product_name = "Google Cloud Storage"
$create.metadata.vendor_name = "Google Cloud Platform"
outcome:
$risk_score = 0
$bucket_name = $create.target.resource.name
$gcp_project_name = $create.target.cloud.project.name
$bucket_path = $create.target.file.full_path
$bucket_location = $create.target.location.name
$requesting_user = $create.principal.user.userid
$requesting_ip = array_distinct($create.principal.ip)
$user_agent = $create.network.http.user_agent
condition:
$create
}
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.