Classification:

attack

Tactic:

TA0009-collection

Technique:

T1530-data-from-cloud-storage

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detect unauthenticated access to an object in a GCS bucket (bucket_name).

Strategy

Monitor GCS bucket (bucket_name) for get requests(@evt.name:storage.objects.get) made by unauthenticated users (@usr.id).

Triage and response

Investigate the logs and determine whether or not the accessed bucket: {{bucket_name}} should be accessible to unauthenticated users.

Changelog

• 27 October 2022 - updated tags.