Set up the gcp integration.
Detect when a service account lists out GCS Buckets.
This rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:
ListBucketsAPI call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. If it’s not needed, modify this rule’s filter to stop generating signals for this specific service account.