
Summary
This detection rule monitors Google Cloud Storage (GCS) for enumeration activity aimed at listing storage buckets. It looks in GCP audit logs for calls to the 'storage.buckets.list' and 'storage.buckets.listChannels' API methods. Such calls can indicate an unauthorized attempt to gather information about available buckets, which may be a precursor to data exfiltration or further malicious activity. The rule triggers when at least one of these methods is detected. Because some enumeration is legitimate (for example, by system administrators), the rule includes guidance for handling false positives. Investigations should focus on user identity, user agent, and hostname to distinguish legitimate administrative actions from potentially malicious behavior. The detection helps protect cloud assets by providing visibility into actions that could compromise bucket security.
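The following is an added illustration, not the rule's own query or the vendor's code: it applies the same two-method match to GCP audit log lines in Cloud Logging's JSON export shape and pulls out the fields the summary says an investigation should check (principal, caller IP, user agent). The log entries are constructed for the example, and the `allowlist` of known administrators is an assumed mechanism for the false-positive handling the summary mentions.

```python
import json

# The two GCS API methods the rule watches for.
ENUM_METHODS = {"storage.buckets.list", "storage.buckets.listChannels"}

def _entry(ts, method, principal, ip, ua):
    # Constructed audit log line in Cloud Logging's JSON export shape (not a real log).
    return json.dumps({"timestamp": ts, "protoPayload": {
        "serviceName": "storage.googleapis.com", "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua}}})

SAMPLE_LOGS = [
    _entry("2021-08-14T10:00:00Z", "storage.buckets.list",
           "unknown-user@example.com", "203.0.113.10", "custom-client/0.1"),
    _entry("2021-08-14T10:05:00Z", "storage.buckets.listChannels",
           "admin@example.com", "198.51.100.5", "google-cloud-sdk gcloud/400.0.0"),
    _entry("2021-08-14T10:06:00Z", "storage.objects.get",
           "app-sa@example.iam.gserviceaccount.com", "10.0.0.4", "gsutil/5.0"),
    "not valid json",  # malformed line: skipped rather than crashing the detector
]

def extract_event(entry):
    # Return the investigation fields for a matching GCS enumeration call, else None.
    payload = entry.get("protoPayload", {})
    if (payload.get("serviceName") != "storage.googleapis.com"
            or payload.get("methodName") not in ENUM_METHODS):
        return None
    meta = payload.get("requestMetadata", {})
    return {"method": payload["methodName"],
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
            "caller_ip": meta.get("callerIp", "unknown"),
            "user_agent": meta.get("callerSuppliedUserAgent", "unknown"),
            "timestamp": entry.get("timestamp")}

def detect(lines, allowlist=frozenset()):
    # Scan raw log lines; principals in the (assumed) admin allowlist are suppressed.
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        event = extract_event(entry)
        if event and event["principal"] not in allowlist:
            hits.append(event)
    return hits
```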
Categories
- Cloud
- GCP
Data Sources
- Cloud Storage
- Logon Session
Created: 2021-08-14