
Summary
This detection rule identifies potentially unauthorized access to Google Cloud Platform (GCP) Storage buckets from new or previously unseen IP addresses. It uses GCP Storage bucket-access logs ingested through Cloud Pub/Sub and compares them against a lookup table of previously known IPs. When a request to a bucket comes from an IP that is not in that table, the rule raises a flag, indicating a possibly malicious access attempt. Such activity may indicate unauthorized entry into the environment, which could lead to data exfiltration or manipulation and poses a significant risk to the security of the GCP infrastructure. The rule runs its search every hour and uses both `stats` and `eval` functions to aggregate and filter the data, ultimately flagging new IP addresses that have accessed GCP Storage in the last 70 minutes. If confirmed, this detection enables timely response to potential breaches or data threats.
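To make the aggregate-then-filter logic concrete, the following added example (not the rule's own SPL and not code from the project that publishes it) reimplements the same idea in Python over a handful of constructed bucket-access records: restrict to a 70-minute window, drop source IPs already present in the known-IP lookup, and aggregate the rest per IP the way a `stats` clause would (count, buckets touched, principals, first and last seen). The field names (`timestamp`, `bucket`, `src_ip`, `method`, `principal`), the lookup contents and the log records are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the lookup table of previously seen source IPs.
KNOWN_IPS = {"203.0.113.10", "198.51.100.7"}

# Constructed GCP Storage bucket-access records, shaped as they might look
# after Pub/Sub ingestion and field normalisation (field names are assumed).
SAMPLE_LOGS = [
    {"timestamp": "2024-11-14T10:02:00Z", "bucket": "prod-backups",
     "src_ip": "203.0.113.10", "method": "GET", "principal": "svc-backup@example.iam"},
    {"timestamp": "2024-11-14T10:05:00Z", "bucket": "prod-backups",
     "src_ip": "192.0.2.44", "method": "GET", "principal": "user@example.com"},
    {"timestamp": "2024-11-14T10:20:00Z", "bucket": "prod-backups",
     "src_ip": "192.0.2.44", "method": "GET", "principal": "user@example.com"},
    {"timestamp": "2024-11-14T10:40:00Z", "bucket": "analytics-export",
     "src_ip": "192.0.2.44", "method": "LIST", "principal": "user@example.com"},
    # Unknown IP, but outside the 70-minute window for the run below.
    {"timestamp": "2024-11-14T08:00:00Z", "bucket": "prod-backups",
     "src_ip": "192.0.2.99", "method": "GET", "principal": "user@example.com"},
    {"timestamp": "2024-11-14T10:50:00Z", "bucket": "prod-backups",
     "src_ip": "198.51.100.7", "method": "PUT", "principal": "svc-backup@example.iam"},
]


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_new_ip_access(logs, known_ips, now, window=timedelta(minutes=70)):
    """Return {src_ip: summary} for IPs in the window that are not in the lookup.

    Mirrors the rule's shape: time-bound the search, aggregate per IP
    (the `stats` step), then keep only IPs absent from the lookup
    (the `eval`/filter step).
    """
    start = now - window
    findings = {}
    for rec in logs:
        ts = parse_ts(rec["timestamp"])
        if ts < start or ts > now:      # outside the scheduled search window
            continue
        ip = rec["src_ip"]
        if ip in known_ips:             # already baselined, not interesting
            continue
        entry = findings.setdefault(ip, {
            "count": 0, "buckets": set(), "principals": set(),
            "first_seen": ts, "last_seen": ts,
        })
        entry["count"] += 1
        entry["buckets"].add(rec["bucket"])
        entry["principals"].add(rec["principal"])
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return findings


def update_known_ips(known_ips, findings):
    """Fold triaged IPs into the lookup so the next hourly run does not re-alert on them."""
    return set(known_ips) | set(findings)


if __name__ == "__main__":
    run_time = parse_ts("2024-11-14T11:00:00Z")  # constructed scheduled run time
    for ip, summary in find_new_ip_access(SAMPLE_LOGS, KNOWN_IPS, run_time).items():
        print(ip, summary["count"], sorted(summary["buckets"]),
              summary["first_seen"].isoformat(), summary["last_seen"].isoformat())
```

Two points the window and lookup make visible: the 70-minute window on an hourly schedule deliberately overlaps the previous run by 10 minutes, so late-arriving Pub/Sub events are not missed, and the quality of the alert depends entirely on the lookup being refreshed after each run (the `update_known_ips` step), otherwise the same new IP fires again every hour.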
Categories
- Cloud
- GCP
- Infrastructure
Data Sources
- Cloud Storage
- Logon Session
ATT&CK Techniques
- T1530
Created: 2024-11-14