GCP Logging Bucket Deletion
Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/21"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize
11log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during
12that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their
13destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may
14delete a log bucket to evade detection.
15"""
16false_positives = [
17 """
18 Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource
19 name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users or
20 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
21 """,
22]
23index = ["filebeat-*", "logs-gcp*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "GCP Logging Bucket Deletion"
27note = """## Setup
28
29The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
30references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"]
31risk_score = 47
32rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
33severity = "medium"
34tags = [
35 "Domain: Cloud",
36 "Data Source: GCP",
37 "Data Source: Google Cloud Platform",
38 "Use Case: Log Auditing",
39 "Tactic: Defense Evasion",
40]
41timestamp_override = "event.ingested"
42type = "query"
43
44query = '''
45event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1562"
53name = "Impair Defenses"
54reference = "https://attack.mitre.org/techniques/T1562/"
55
56
57[rule.threat.tactic]
58id = "TA0005"
59name = "Defense Evasion"
60reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
This document describes how to create and manage Cloud Logging buckets using the Google Cloud console, the Google Cloud CLI, and the Logging API. It also provides instructions for creating and mana...
Read More -
Learn how log data is received by Cloud Logging, how log data is stored, and how you can view that log data.
Read More
Related rules
- GCP Logging Sink Deletion
- GCP Pub/Sub Subscription Deletion
- GCP Pub/Sub Topic Deletion
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion