GCP Logging Sink Deletion
Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/18"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the
11log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to
12the sink's export destination. An adversary may delete a Logging sink to evade detection.
13"""
14false_positives = [
15 """
16 Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource
17 name, and/or hostname should be making changes in your environment. Logging sink deletions by unfamiliar users or
18 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
19 """,
20]
21index = ["filebeat-*", "logs-gcp*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "GCP Logging Sink Deletion"
25note = """## Setup
26
27The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = ["https://cloud.google.com/logging/docs/export"]
29risk_score = 47
30rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305"
31severity = "medium"
32tags = [
33 "Domain: Cloud",
34 "Data Source: GCP",
35 "Data Source: Google Cloud Platform",
36 "Use Case: Log Auditing",
37 "Tactic: Defense Evasion",
38]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1562"
51name = "Impair Defenses"
52reference = "https://attack.mitre.org/techniques/T1562/"
53
54
55[rule.threat.tactic]
56id = "TA0005"
57name = "Defense Evasion"
58reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- GCP Logging Bucket Deletion
- GCP Pub/Sub Subscription Deletion
- GCP Pub/Sub Topic Deletion
- GCP Firewall Rule Creation
- GCP Firewall Rule Deletion