GCP Logging Sink Deletion

Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink so that subsequent log entries are no longer exported to the SIEM, storage bucket, or Pub/Sub topic that security monitoring depends on. The deletion itself is recorded as an Admin Activity audit log entry whose protoPayload.methodName is google.logging.v2.ConfigServiceV2.DeleteSink; the Elastic GCP integration surfaces that method name as event.action, which is what the rule below matches on.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/09/18"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the
log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to
the sink's export destination. An adversary may delete a Logging sink to evade detection.
"""
false_positives = [
    """
    Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource
    name, and/or hostname should be making changes in your environment. Logging sink deletions by unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Logging Sink Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP Logging Sink Deletion

In GCP, logging sinks are crucial for exporting log entries to designated destinations for analysis and storage. Adversaries may delete these sinks to prevent logs from being exported, thereby evading detection. The detection rule identifies successful deletion events by monitoring specific audit logs, helping security teams quickly respond to potential defense evasion tactics.

### Possible investigation steps

- Review the audit logs for the specific event.action: google.logging.v*.ConfigServiceV*.DeleteSink to identify the user or service account responsible for the deletion.
- Check the event.dataset:gcp.audit logs for any preceding or subsequent suspicious activities by the same user or service account, which might indicate a pattern of malicious behavior.
- Confirm that event.outcome is success, meaning the deletion completed, and determine the impact on log monitoring and export capabilities; a denied attempt (event.outcome:failure) does not match this rule but is still worth reviewing.
- Assess the context and timing of the deletion event to see if it coincides with other security alerts or incidents, which might suggest a coordinated attack.
- Verify the permissions and roles assigned to the user or service account involved in the deletion to ensure they align with the principle of least privilege and identify any potential misconfigurations.

### False positive analysis

- Routine maintenance or configuration changes by authorized personnel can trigger false positives. To manage this, create exceptions for known maintenance windows or specific user accounts responsible for these tasks.
- Automated scripts or tools used for managing logging configurations might delete sinks as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific identifiers or service accounts.
- Changes in project ownership or restructuring within the organization can lead to legitimate sink deletions. Document these organizational changes and adjust the monitoring rules to account for them, ensuring that alerts are only generated for unexpected deletions.
- Test environments often undergo frequent changes, including sink deletions, which can result in false positives. Implement separate monitoring rules or exceptions for test environments to reduce noise in alerting.

### Response and remediation

- Immediately revoke access to the affected GCP project for any suspicious or unauthorized users identified in the audit logs to prevent further malicious activity.
- Restore the deleted logging sink by recreating it with the original configuration to ensure that log entries are once again exported to the designated destination.
- Conduct a thorough review of recent log entries and audit logs to identify any other unauthorized changes or suspicious activities that may have occurred around the time of the sink deletion.
- Implement additional monitoring and alerting for any future attempts to delete logging sinks, focusing on the specific event action and outcome fields used in the detection query.
- Escalate the incident to the security operations team for further investigation and to determine if the sink deletion is part of a larger attack campaign.
- Review and update access controls and permissions for logging sink management to ensure that only authorized personnel have the ability to modify or delete sinks.
- Consider enabling additional security features such as VPC Service Controls or Organization Policy constraints to provide an extra layer of protection against unauthorized modifications to logging configurations.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/logging/docs/export"]
risk_score = 47
rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Log Auditing",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
...
```
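To make the query and the false-positive guidance concrete, the following is an added example (not part of the Elastic rule or of any Elastic or Google code) that replays the rule's three-term KQL query against constructed GCP audit log entries. The entries, the project name `example-project`, the sink names and the principal emails are all made up; the `to_ecs` mapping is a simplified stand-in for what the Elastic GCP audit integration does (protoPayload.methodName becomes event.action, and a missing or zero protoPayload.status.code is treated as a successful outcome), and it infers event.dataset from logName for illustration only. It also shows the exception a team would add for a known automation service account, as the false-positive section suggests.

```python
"""
Added example: replays the "GCP Logging Sink Deletion" query against constructed
GCP Cloud Audit Log entries. Not code from the Elastic rule or from Google; the
ECS mapping below is a simplified stand-in for the Elastic GCP audit integration.
"""
import re

# Constructed Cloud Audit Log entries (not real data). Only the fields this
# example needs are present; a real LogEntry carries many more.
AUDIT_LOG = "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity"
SAMPLE_LOG_ENTRIES = [
    {  # successful v2 DeleteSink by a human user: must alert
        "logName": AUDIT_LOG,
        "protoPayload": {
            "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-project/sinks/siem-export",
        },
    },
    {  # DeleteSink denied (gRPC code 7 = PERMISSION_DENIED): outcome failure, no alert
        "logName": AUDIT_LOG,
        "protoPayload": {
            "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
            "status": {"code": 7, "message": "PERMISSION_DENIED"},
            "authenticationInfo": {"principalEmail": "mallory@example.com"},
            "resourceName": "projects/example-project/sinks/siem-export",
        },
    },
    {  # sink modified, not deleted: this rule does not match
        "logName": AUDIT_LOG,
        "protoPayload": {
            "methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-project/sinks/siem-export",
        },
    },
    {  # successful DeleteSink by a (hypothetical) IaC service account
        "logName": AUDIT_LOG,
        "protoPayload": {
            "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
            "authenticationInfo": {
                "principalEmail": "logging-iac@example-project.iam.gserviceaccount.com"
            },
            "resourceName": "projects/example-project/sinks/dev-scratch",
        },
    },
]

# The rule's query expressed as field -> KQL value; the terms are AND-ed.
RULE_QUERY = {
    "event.dataset": "gcp.audit",
    "event.action": "google.logging.v*.ConfigServiceV*.DeleteSink",
    "event.outcome": "success",
}


def to_ecs(entry: dict) -> dict:
    """Flatten a raw LogEntry into the ECS fields the rule references.

    Assumption (simplified from the Elastic GCP integration): methodName maps
    to event.action, and a missing or zero protoPayload.status.code means the
    call succeeded. event.dataset is inferred from logName here only for the
    example; the real integration sets it per data stream.
    """
    payload = entry["protoPayload"]
    code = payload.get("status", {}).get("code", 0)
    is_audit = "cloudaudit.googleapis.com" in entry["logName"]
    return {
        "event.dataset": "gcp.audit" if is_audit else "gcp.other",
        "event.action": payload["methodName"],
        "event.outcome": "success" if code == 0 else "failure",
        "user.email": payload.get("authenticationInfo", {}).get("principalEmail", ""),
        "gcp.audit.resource_name": payload.get("resourceName", ""),
    }


def kql_value_match(pattern: str, value: str) -> bool:
    """KQL keyword match: '*' matches any run of characters, everything else literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def query_matches(event: dict, query: dict = RULE_QUERY) -> bool:
    """True when every term of the query matches the event (KQL 'and')."""
    return all(kql_value_match(pat, event.get(field, "")) for field, pat in query.items())


def run_rule(entries, exempt_principals=frozenset()):
    """One alert per matching event; principals in exempt_principals are the
    rule exception a team would add for known automation (see false positives)."""
    alerts = []
    for entry in entries:
        event = to_ecs(entry)
        if not query_matches(event) or event["user.email"] in exempt_principals:
            continue
        alerts.append({"principal": event["user.email"],
                       "sink": event["gcp.audit.resource_name"],
                       "method": event["event.action"]})
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_LOG_ENTRIES):
        print(f"ALERT: {alert['principal']} deleted {alert['sink']} via {alert['method']}")
```

Run as written, the script raises two alerts (the human deletion and the service-account deletion) and stays silent on the denied attempt and the UpdateSink call; passing the service account in `exempt_principals` leaves only the first. The wildcard in the rule's event.action term is what lets it match any API version and ConfigService revision rather than just the current v2 method name.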
