Rules

GCP Create Bucket

Detect creation of a bucket. Tags: cloud, gcp, gcp_storage_buckets

GCP Delete Bucket

Detect deletion of a bucket. Tags: cloud, gcp, gcp_storage_buckets

GCP Put Bucket ACL

Detect setting the permissions on an existing bucket using access control lists. Tags: cloud, gcp, gcp_storage_buckets, mitre_TA0005-defense-evasion, mitre_T1070-indicator-removal-on-host

GCP Set Bucket IAM Policy

Detect setting the permissions on an existing bucket using IAM policies. Tags: cloud, gcp, gcp_storage_buckets

GCP Create Cloud Function

Detect creation of a Cloud Function. Tags: cloud, gcp, gcp_cloudfunctions, mitre_TA0003-persistence

GCP Create Cloud Function Not Using Latest Runtime

Detect creation of a Cloud Function using an old or deprecated runtime. Tags: cloud, gcp, gcp_cloudfunctions

GCP Update Cloud Function

Detect updates to a Cloud Function. Tags: cloud, gcp, gcp_cloudfunctions, mitre_TA0003-persistence, mitre_T1496-resource-hijacking

GCP Command Executed on Unused Region

Detect GCP command execution on unused regions. Tags: cloud, gcp

GCP Add Admin Privileges to Service Account

Detect addition of administrative privileges to a service account. Tags: cloud, gcp, gcp_iam, cis_controls_16

GCP Create Service Account Key

Detect creating an access key for a service account. Tags: cloud, gcp, gcp_iam, cis_controls_16

GCP Invitation Sent to Non-corporate Account

Detect sending an invitation to an account that is not an allowed corporate account. Tags: cloud, gcp, gcp_cloudresourcemanager, cis_controls_16.2

GCP Data Access Log Disabled

Detect disabling of a data access log. Tags: cloud, gcp, gcp_auditlog, mitre_TA0005-defense-evasion, mitre_T1089-disabling-security-tools

GCP Data Access Log Enabled

Detect enabling of a data access log. Tags: cloud, gcp, gcp_auditlog, mitre_TA0009-collection, mitre_T1530-data-from-cloud-storage-object

GCP Monitoring Alert Deleted

Detect deletion of an alert. Tags: cloud, gcp, gcp_monitoring, mitre_TA0005-defense-evasion, mitre_T1066-indicator-removal-from-tools

GCP Monitoring Alert Updated

Detect updating of an alert. Tags: cloud, gcp, gcp_monitoring, mitre_TA0005-defense-evasion, mitre_T1066-indicator-removal-from-tools