GCP Logging Bucket Deletion

Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/21"
 3integration = ["gcp"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize
11log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during
12that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their
13destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may
14delete a log bucket to evade detection.
15"""
16false_positives = [
17    """
18    Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource
19    name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users or
20    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
21    """,
22]
23index = ["filebeat-*", "logs-gcp*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "GCP Logging Bucket Deletion"
27note = """## Setup
28
29The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
30references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"]
31risk_score = 47
32rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
33severity = "medium"
34tags = [
35    "Domain: Cloud",
36    "Data Source: GCP",
37    "Data Source: Google Cloud Platform",
38    "Use Case: Log Auditing",
39    "Tactic: Defense Evasion",
40]
41timestamp_override = "event.ingested"
42type = "query"
43
44query = '''
45event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1562"
53name = "Impair Defenses"
54reference = "https://attack.mitre.org/techniques/T1562/"
55
56
57[rule.threat.tactic]
58id = "TA0005"
59name = "Defense Evasion"
60reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top