GCP Logging Bucket Deletion

calendar Jun 22, 2023 · Domain: Cloud Data Source: GCP Data Source: Google Cloud Platform Use Case: Log Auditing Tactic: Defense Evasion  ·
Share on: linkedin copy

Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/21"
 3integration = ["gcp"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize
13log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during
14that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their
15destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may
16delete a log bucket to evade detection.
17"""
18false_positives = [
19    """
20    Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource
21    name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users or
22    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
23    """,
24]
25index = ["filebeat-*", "logs-gcp*"]
26language = "kuery"
27license = "Elastic License v2"
28name = "GCP Logging Bucket Deletion"
29note = """## Setup
30
31The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
32references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"]
33risk_score = 47
34rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
35severity = "medium"
36tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1562"
49name = "Impair Defenses"
50reference = "https://attack.mitre.org/techniques/T1562/"
51
52
53[rule.threat.tactic]
54id = "TA0005"
55name = "Defense Evasion"
56reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top