GCP Logging Bucket Deletion
Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.
Elastic rule
[metadata]
creation_date = "2020/09/21"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize
log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during
that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their
destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may
delete a log bucket to evade detection.
"""
false_positives = [
    """
    Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource
    name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Logging Bucket Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Logging Bucket Deletion

In GCP, log buckets are essential for storing and organizing log data, crucial for monitoring and auditing activities. Adversaries may delete these buckets to obscure their tracks and evade detection. The detection rule identifies successful deletion events by monitoring specific audit logs, focusing on actions that indicate bucket removal. This helps security analysts quickly spot and respond to potential defense evasion tactics.

### Possible investigation steps

- Review the audit logs for the specific event.action: google.logging.v*.ConfigServiceV*.DeleteBucket to confirm the deletion event and gather details such as the timestamp, user identity, and source IP address.
- Investigate the user account associated with the event to determine if the action was authorized or if there are any signs of compromise, such as unusual login locations or times.
- Check for any recent changes to log sinks that might indicate an attempt to stop log routing to the deleted bucket, which could suggest intentional evasion.
- Assess the impact of the bucket deletion by identifying which logs were being routed to the bucket and determining if any critical log data might be lost or compromised.
- Look for any correlated events or alerts around the same timeframe that might indicate a broader attack or unauthorized activity within the GCP environment.

### False positive analysis

- Routine maintenance activities by administrators may trigger bucket deletion events. To manage this, create exceptions for known maintenance periods or specific user accounts responsible for these tasks.
- Automated scripts or tools used for log management might delete buckets as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by filtering based on their service accounts or specific identifiers.
- Testing environments often involve the creation and deletion of resources, including log buckets. Exclude events from these environments by using labels or project identifiers to differentiate them from production environments.
- Scheduled cleanup jobs that remove old or unused buckets can generate false positives. Document these jobs and adjust the detection rule to ignore deletions occurring within their scheduled time frames.
- Misconfigured log sinks that inadvertently delete buckets should be reviewed. Regularly audit and adjust sink configurations to ensure they align with intended log routing and retention policies.

### Response and remediation

- Immediately halt any ongoing log routing to the deleted bucket by deleting or modifying the log sinks associated with it to prevent further data loss.
- Restore the deleted log bucket from its pending deletion state within the 7-day window to recover any logs that may still be routed to it.
- Conduct a thorough review of IAM permissions and roles to ensure that only authorized personnel have the ability to delete log buckets, reducing the risk of unauthorized deletions.
- Implement additional logging and monitoring for any changes to log sinks and bucket configurations to detect and respond to similar activities promptly.
- Escalate the incident to the security operations team for further investigation and to determine if the deletion was part of a broader attack strategy.
- Review and update incident response plans to include specific procedures for handling log bucket deletions and similar defense evasion tactics.
- Consider enabling alerts for any future attempts to delete log buckets, ensuring rapid detection and response to potential threats.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"]
risk_score = 47
rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Log Auditing",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
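The rule's query and the first investigation step (review the DeleteBucket audit event and gather the timestamp, user identity and source IP) can be exercised offline. The Python below is an added example, not part of the Elastic rule or of the GCP integration: it takes constructed Cloud Audit Log entries (protoPayload shape, all values invented), applies a simplified and assumed mapping to the ECS fields the query uses (`event.dataset`, `event.action`, `event.outcome`; the real integration's mapping is richer), evaluates the rule's wildcard match with the same `*` semantics, and for every hit returns the triage fields together with the end of the 7-day pending-deletion window named in the description. The `KNOWN_AUTOMATION` allowlist is a hypothetical stand-in for the service-account exemption the false positive analysis describes.

```python
import fnmatch
import json
from datetime import datetime, timedelta

# Taken from the rule's query. fnmatch gives the same '*' glob behaviour as the
# KQL wildcard on event.action; '.' is literal in both.
ACTION_PATTERN = "google.logging.v*.ConfigServiceV*.DeleteBucket"
PENDING_DELETE_DAYS = 7  # pending-deletion window stated in the rule description

# Hypothetical allowlist for the "automated log management" exemption from the
# false positive analysis. The address is invented for this example.
KNOWN_AUTOMATION = {"log-cleanup@example-proj.iam.gserviceaccount.com"}


def audit_entry(method, resource, principal, caller_ip, status_code=None):
    """Build one constructed Cloud Audit Log entry (protoPayload shape) as a JSON line."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "methodName": method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": caller_ip},
    }
    if status_code is not None:  # GCP only populates status on failure
        payload["status"] = {"code": status_code}
    return json.dumps({"timestamp": "2025-01-15T10:22:31Z", "protoPayload": payload})


# Constructed sample log lines; every value is invented for this example.
SAMPLE_LOG_LINES = [
    # interactive user deletes a bucket: must alert
    audit_entry("google.logging.v2.ConfigServiceV2.DeleteBucket",
                "projects/example-proj/locations/global/buckets/app-logs",
                "alice@example.com", "198.51.100.23"),
    # denied attempt (gRPC code 7 = PERMISSION_DENIED): outcome is not success
    audit_entry("google.logging.v2.ConfigServiceV2.DeleteBucket",
                "projects/example-proj/locations/global/buckets/app-logs",
                "bob@example.com", "203.0.113.9", status_code=7),
    # sink deletion is a different method and out of scope for this rule
    audit_entry("google.logging.v2.ConfigServiceV2.DeleteSink",
                "projects/example-proj/sinks/app-logs-sink",
                "alice@example.com", "198.51.100.23"),
    # automation account deletes a bucket: alerts, but is flagged as allowlisted
    audit_entry("google.logging.v2.ConfigServiceV2.DeleteBucket",
                "projects/example-proj/locations/global/buckets/tmp-logs",
                "log-cleanup@example-proj.iam.gserviceaccount.com", "10.0.0.5"),
]


def to_ecs(entry):
    """Assumed, simplified mapping from a raw audit entry to the ECS fields the
    rule queries plus the fields the investigation guide asks analysts to gather."""
    payload = entry["protoPayload"]
    status_code = payload.get("status", {}).get("code", 0)
    return {
        "event.dataset": "gcp.audit",
        "event.action": payload["methodName"],
        "event.outcome": "success" if status_code == 0 else "failure",
        "@timestamp": entry["timestamp"],
        "user.email": payload.get("authenticationInfo", {}).get("principalEmail"),
        "source.ip": payload.get("requestMetadata", {}).get("callerIp"),
        "resource.name": payload.get("resourceName"),
    }


def matches_rule(ecs):
    """Evaluate the rule's KQL: dataset, wildcard action match, successful outcome."""
    return (ecs["event.dataset"] == "gcp.audit"
            and fnmatch.fnmatchcase(ecs["event.action"], ACTION_PATTERN)
            and ecs["event.outcome"] == "success")


def triage(ecs, allowlist=KNOWN_AUTOMATION):
    """Collect the investigation fields and the undelete deadline for one hit."""
    deleted_at = datetime.fromisoformat(ecs["@timestamp"].replace("Z", "+00:00"))
    deadline = deleted_at + timedelta(days=PENDING_DELETE_DAYS)
    return {
        "bucket": ecs["resource.name"],
        "actor": ecs["user.email"],
        "source_ip": ecs["source.ip"],
        "deleted_at": deleted_at.isoformat(),
        "undelete_deadline": deadline.isoformat(),
        "known_automation": ecs["user.email"] in allowlist,
    }


def alerts_for(log_lines, allowlist=KNOWN_AUTOMATION):
    """Run the rule over raw JSON log lines; one triage record per matching event."""
    hits = []
    for line in log_lines:
        ecs = to_ecs(json.loads(line))
        if matches_rule(ecs):
            hits.append(triage(ecs, allowlist))
    return hits


if __name__ == "__main__":
    for hit in alerts_for(SAMPLE_LOG_LINES):
        print(json.dumps(hit, indent=2))
```

Two of the four constructed events produce a triage record. The denied attempt is dropped on purpose: the query requires `event.outcome:success`, so failed deletion attempts never reach this rule, which is the gap the last remediation bullet (alerting on future attempts) points at. The `undelete_deadline` field gives the analyst the latest moment at which the second remediation step, restoring the bucket from its pending state, is still possible.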
Related rules
- GCP Logging Sink Deletion
- GCP Pub/Sub Subscription Deletion
- GCP Pub/Sub Topic Deletion
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion