Detect New Open GCP Storage Buckets

Status: experimental
Severity: medium
Author: Shannon Davis, Splunk
Source: github.com/splunk/security_content

The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the storage.setIamPermissions method and checks if the allUsers member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations.

MITRE ATT&CK coverage

Tactic	Techniques
Collection	`T1530` Data from Cloud Storage

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

GCP GCS IAM Permission Changes (Panther)
GCP Storage Bucket Permissions Modification (Elastic)
GCS Bucket Made Public (Panther)

Rule body splunk

name: Detect New Open GCP Storage Buckets
id: f6ea3466-d6bb-11ea-87d0-0242ac130003
version: 8
creation_date: '2020-08-19'
modification_date: '2026-05-13'
author: Shannon Davis, Splunk
status: experimental
type: TTP
description: The following analytic identifies the creation of new open/public GCP Storage buckets. It leverages GCP PubSub events, specifically monitoring for the `storage.setIamPermissions` method and checks if the `allUsers` member is added. This activity is significant because open storage buckets can expose sensitive data to the public, posing a severe security risk. If confirmed malicious, an attacker could access, modify, or delete data within the bucket, leading to data breaches and potential compliance violations.
data_source: []
search: |-
    `google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions
      | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action
      | spath output=user path=data.protoPayload.authenticationInfo.principalEmail
      | spath output=location path=data.protoPayload.resourceLocation.currentLocations{}
      | spath output=src path=data.protoPayload.requestMetadata.callerIp
      | spath output=bucketName path=data.protoPayload.resourceName
      | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role
      | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member
      | search (member=allUsers AND action=ADD)
      | table  _time, bucketName, src, user, location, action, role, member
      | search `detect_new_open_gcp_storage_buckets_filter`
how_to_implement: This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).
known_false_positives: While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group.
references: []
finding:
    title: |
        "allUser" member added to $bucketName$ by $user$ making the bucket available to the public
    entity:
        field: user
        type: user
        score: 50
analytic_story:
    - Suspicious GCP Storage Activities
asset_type: GCP Storage Bucket
mitre_attack_id:
    - T1530
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: network

Stages and Predicates

Stage 1: `search`

`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions

Stage 2: `spath`

| spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action

Stage 3: `spath`

| spath output=user path=data.protoPayload.authenticationInfo.principalEmail

Stage 4: `spath`

| spath output=location path=data.protoPayload.resourceLocation.currentLocations{}

Stage 5: `spath`

| spath output=src path=data.protoPayload.requestMetadata.callerIp

Stage 6: `spath`

| spath output=bucketName path=data.protoPayload.resourceName

Stage 7: `spath`

| spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role

Stage 8: `spath`

| spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member

Stage 9: `search`

| search (member=allUsers AND action=ADD)

Stage 10: `table`

| table  _time, bucketName, src, user, location, action, role, member

Stage 11: `search`

| search `detect_new_open_gcp_storage_buckets_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`action`	eq	`ADD`
`data.protoPayload.methodName`	eq	`storage.setIamPermissions`
`data.resource.type`	eq	`gcs_bucket`
`member`	eq	`allUsers`
`sourcetype`	eq	`google:gcp:pubsub:message`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Detect New Open GCP Storage Buckets

MITRE ATT&CK coverage

Rules detecting the same action

Rule body splunk

Stages and Predicates

Stage 1: `search`

Stage 2: `spath`

Stage 3: `spath`

Stage 4: `spath`

Stage 5: `spath`

Stage 6: `spath`

Stage 7: `spath`

Stage 8: `spath`

Stage 9: `search`

Stage 10: `table`

Stage 11: `search`

Indicators

Keyboard shortcuts

Search operators

Detect New Open GCP Storage Buckets

MITRE ATT&CK coverage

Rules detecting the same action

Rule body splunk

Stages and Predicates

Stage 1: search

Stage 2: spath

Stage 3: spath

Stage 4: spath

Stage 5: spath

Stage 6: spath

Stage 7: spath

Stage 8: spath

Stage 9: search

Stage 10: table

Stage 11: search

Indicators

Stage 1: `search`

Stage 2: `spath`

Stage 3: `spath`

Stage 4: `spath`

Stage 5: `spath`

Stage 6: `spath`

Stage 7: `spath`

Stage 8: `spath`

Stage 9: `search`

Stage 10: `table`

Stage 11: `search`