Cloud Storage Creation (59ec10d9-546b-4b8e-bccb-fa85f71e5055)
Cloud Storage Creation refers to the initial creation of a new cloud storage resource, such as buckets, containers, or directories, within a cloud environment. This action is critical to track as it might indicate the legitimate provisioning of resources or unauthorized actions taken by adversaries to stage, store, or exfiltrate data. Examples:
- AWS S3 Bucket Creation: An AWS user creates a new S3 bucket using the `CreateBucket` API call.
- Azure Blob Storage Container Creation: A user creates a new container in Azure Blob Storage using the `Create Container` operation.
- Google Cloud Storage Bucket Creation: A Google Cloud user creates a new bucket using `storage.buckets.create`.
- OpenStack Swift Container Creation: A user creates a new container in OpenStack Swift using the `PUT` method.
This data component can be collected through the following measures:
Enable Logging for Cloud Storage Services
- AWS S3: Enable AWS CloudTrail to log CreateBucket API actions.
- Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs for storage account activity. Use Azure Event Grid to capture Create Container operations.
- Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.create API calls.
- OpenStack Swift: Configure Swift logging to capture PUT requests to new containers.
Centralized Logging and Analysis
- Forward logs to centralized platforms like Splunk or cloud-native SIEM solutions for correlation and analysis.
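
As an added example (not part of the original page or of any vendor's tooling), the sketch below normalizes creation records from two of the sources listed above, AWS CloudTrail and Google Cloud Audit Logs, into one event shape and flags successful creations by identities outside a provisioning allowlist. The sample records are constructed, the allowlist and the function names are assumptions, and Azure and Swift records are left out.

```python
import json

# Constructed sample input (not real logs): CloudTrail and GCP audit records,
# one JSON object per line, plus an unrelated event and a malformed line.
SAMPLE_LOGS = """\
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"CreateBucket","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:role/terraform"},"requestParameters":{"bucketName":"app-logs-example"}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"CreateBucket","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"bucketName":"tmp-example"},"errorCode":"AccessDenied"}
{"timestamp":"2024-05-01T10:10:00Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.buckets.create","resourceName":"projects/_/buckets/staging-example","authenticationInfo":{"principalEmail":"bob@example.com"},"requestMetadata":{"callerIp":"192.0.2.44"}}}
{"eventTime":"2024-05-01T10:15:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","requestParameters":{"bucketName":"app-logs-example"}}
not-json
"""

def normalize(rec):
    """Map one raw record to a common creation event, or None if unrelated."""
    if rec.get("eventSource") == "s3.amazonaws.com" and rec.get("eventName") == "CreateBucket":
        return {"provider": "aws", "time": rec.get("eventTime"),
                "actor": (rec.get("userIdentity") or {}).get("arn"),
                "resource": (rec.get("requestParameters") or {}).get("bucketName"),
                "source_ip": rec.get("sourceIPAddress"), "succeeded": "errorCode" not in rec}
    pp = rec.get("protoPayload") or {}
    if pp.get("serviceName") == "storage.googleapis.com" and pp.get("methodName") == "storage.buckets.create":
        return {"provider": "gcp", "time": rec.get("timestamp"),
                "actor": (pp.get("authenticationInfo") or {}).get("principalEmail"),
                "resource": pp.get("resourceName"),
                "source_ip": (pp.get("requestMetadata") or {}).get("callerIp"),
                "succeeded": not (pp.get("status") or {}).get("code")}
    return None

def creation_events(text):
    """Parse JSON lines, skipping blank or malformed lines and unrelated events."""
    events = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev = normalize(rec) if isinstance(rec, dict) else None
        if ev:
            events.append(ev)
    return events

def unexpected(events, allowed_actors):
    """Successful creations by actors outside the (assumed) provisioning allowlist."""
    return [e for e in events if e["succeeded"] and e["actor"] not in allowed_actors]

if __name__ == "__main__":
    allowed = {"arn:aws:iam::111122223333:role/terraform"}  # assumed allowlist
    for e in unexpected(creation_events(SAMPLE_LOGS), allowed):
        print(e["provider"], e["actor"], e["resource"], e["source_ip"])
```

Failed attempts (for example the `AccessDenied` record) are kept in the normalized stream with `succeeded` set to false so they can be reviewed separately from actual creations.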
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Cloud Storage Creation (59ec10d9-546b-4b8e-bccb-fa85f71e5055) | mitre-data-component | Transfer Data to Cloud Account - T1537 (d4bdbdea-eaec-4071-b4f9-5105e12ea4b6) | Attack Pattern | 1 |