[New Rule] GCP Storage Bucket Configuration Modified (#322)

* Create defense_evasion_gcp_storage_bucket_configuration_modified.toml * Update rule name to align with other rules Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:29:53 -06:00
parent 01c904f2dd
commit de6f326c72
1 changed files with 33 additions and 0 deletions
@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2020/09/22"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/09/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may
+modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.
+"""
+false_positives = [
+    """
+    Storage bucket configuration may be modified by system administrators. Verify that the configuration change was
+    expected. Exceptions can be added to this rule to filter expected behavior.
+    """,
+]
+index = ["filebeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "GCP Storage Bucket Configuration Modification"
+note = "The GCP Filebeat module must be enabled to use this rule."
+references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
+risk_score = 47
+rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
+severity = "medium"
+tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+type = "query"
+
+query = '''
+event.module:googlecloud and event.dataset:googlecloud.audit and event.action:storage.buckets.update and event.outcome:success
+'''