From 9ff17d9a216554d21929a35438988764cb6820a2 Mon Sep 17 00:00:00 2001
From: developutm
Date: Tue, 9 Jun 2026 14:37:24 +0000
Subject: [PATCH] feature(rules/google): add rule GCS Bucket Created

---
 rules/cloud/google/gcp_gcs_bucket_created.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/cloud/google/gcp_gcs_bucket_created.yml

diff --git a/rules/cloud/google/gcp_gcs_bucket_created.yml b/rules/cloud/google/gcp_gcs_bucket_created.yml
new file mode 100644
index 000000000..41a21f77f
--- /dev/null
+++ b/rules/cloud/google/gcp_gcs_bucket_created.yml
@@ -0,0 +1,30 @@
+# Rule version v1.0.0
+
+dataTypes:
+  - google
+name: GCP Cloud Storage Bucket Created
+impact:
+  confidentiality: 3
+  integrity: 2
+  availability: 1
+category: Collection
+technique: "T1560 - Archive Collected Data"
+adversary: origin
+references:
+  - https://cloud.google.com/storage/docs/audit-logging
+  - https://cloud.google.com/logging/docs/audit/cal-categories#cloud_storage
+  - https://attack.mitre.org/techniques/T1560/
+description: |
+  Detects creation of a new Google Cloud Storage (GCS) bucket. Attackers may create buckets to stage stolen data, host malware, or establish command-and-control infrastructure. Unexpected bucket creation should be investigated, especially if the bucket has public access configured.
+
+  Next Steps:
+  1. Verify if the bucket creation was authorized
+  2. Check the bucket's name and location for suspicious patterns
+  3. Review the bucket's IAM bindings and uniform bucket-level access settings
+  4. Check if the bucket has public access or default object ACLs
+  5. If unauthorized, delete the bucket and investigate the user
+  6. Review other storage operations by the same user in the same time window
+where: |
+  equals("log.protoPayloadServiceName", "storage.googleapis.com") &&
+  equals("log.protoPayloadMethodName", "storage.buckets.create") &&
+  exists("origin.user")
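Review bot: The MITRE mapping on the `technique:` line does not match what the rule detects: T1560 (Archive Collected Data) covers compressing or encrypting data before exfiltration, whereas creating a bucket is infrastructure for staging, which the description itself says; `technique: "T1074.002 - Data Staged: Remote Data Staging"` keeps `category: Collection` consistent, and the T1560 reference URL should change to match (T1567.002, Exfiltration to Cloud Storage, is the alternative if the team prefers to classify it under Exfiltration). Separately, the description and Next Steps emphasise public access, but the `where:` clause fires on every `storage.buckets.create` and evaluates nothing about IAM or ACLs, so a line such as `# Public exposure is not checked here; pair with a rule on storage.setIamPermissions granting allUsers/allAuthenticatedUsers` above `where:` would set reader expectations. With `exists("origin.user")` as the only principal filter, buckets created by provisioning automation (Terraform, CI service accounts) will presumably also match if the connector populates `origin.user` for service accounts, so the rule will likely need an allowlist of expected principals before it is useful for alerting.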