
Summary
This detection rule identifies modifications to log sinks in Google Cloud Platform (GCP). Log sinks route audit and platform logs to their destinations (for example, an export to a SIEM or a storage bucket), so creating, updating or deleting a sink is a way for a threat actor to disrupt, redirect or silently drop log data and evade detection. The rule monitors GCP Cloud Audit Logs for sink creation, update and deletion events and excludes entries generated by Google service accounts to reduce false positives from routine platform activity. That exclusion should be kept as narrow as possible: if it also drops user-managed service accounts, a sink change made with a compromised service account key would go unnoticed. The rule logic is a Snowflake SQL query that checks events from the last two hours for event names indicating a sink alteration. Any sink change that does not correspond to an approved configuration change should be investigated promptly, since it may mean that later activity is no longer being exported or retained, and because the account that made the change may itself be compromised.
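The page does not show the rule's query, so the following is an added example, not the rule's own code: it renders the described logic (sink create/update/delete events in the last two hours, Google service accounts excluded) as a SQL query executed with SQLite over a constructed set of audit-log rows. The method names are the real Cloud Logging ConfigServiceV2 audit-log method names; the table name, column names, the two-hour window bound as a parameter instead of Snowflake's DATEADD, and the specific service-account exclusion patterns are assumptions. The exclusion is deliberately limited to Google-managed service agents so that a user-managed service account still alerts.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample audit-log rows (not real data). The columns mirror the
# protoPayload fields of a GCP Admin Activity LogEntry: methodName,
# authenticationInfo.principalEmail and resourceName, plus the event time.
NOW = datetime(2024, 8, 15, 12, 0, tzinfo=timezone.utc)

SAMPLE_EVENTS = [
    # Human user deletes the sink that exports to the SIEM: should alert.
    (NOW - timedelta(minutes=30), "google.logging.v2.ConfigServiceV2.DeleteSink",
     "alice@example.com", "projects/demo-prj/sinks/siem-export"),
    # Google-managed logging service agent touching a sink: excluded.
    (NOW - timedelta(minutes=10), "google.logging.v2.ConfigServiceV2.UpdateSink",
     "service-123456789012@gcp-sa-logging.iam.gserviceaccount.com",
     "projects/demo-prj/sinks/_Default"),
    # Sink created five hours ago: outside the two-hour window.
    (NOW - timedelta(hours=5), "google.logging.v2.ConfigServiceV2.CreateSink",
     "bob@example.com", "projects/demo-prj/sinks/archive"),
    # Read-only call, not a modification: no alert.
    (NOW - timedelta(minutes=20), "google.logging.v2.ConfigServiceV2.ListSinks",
     "alice@example.com", "projects/demo-prj"),
    # User-managed service account (possibly a leaked key) changes a sink:
    # not a Google-managed agent, so it still alerts.
    (NOW - timedelta(minutes=15), "google.logging.v2.ConfigServiceV2.UpdateSink",
     "ci-deployer@demo-prj.iam.gserviceaccount.com",
     "projects/demo-prj/sinks/siem-export"),
]

# Hypothetical SQLite rendering of the rule's Snowflake query. Snowflake would
# express the window as DATEADD(hour, -2, CURRENT_TIMESTAMP()); here the lower
# bound is passed as the :since parameter. Only Google-managed service agents
# are excluded (assumed patterns); everything else is kept.
SINK_CHANGE_QUERY = """
SELECT event_time, method_name, principal_email, resource_name
FROM gcp_audit_log
WHERE event_time >= :since
  AND (method_name LIKE '%.ConfigServiceV2.CreateSink'
       OR method_name LIKE '%.ConfigServiceV2.UpdateSink'
       OR method_name LIKE '%.ConfigServiceV2.DeleteSink')
  AND principal_email NOT LIKE '%@cloudservices.gserviceaccount.com'
  AND principal_email NOT LIKE 'service-%@gcp-sa-%.iam.gserviceaccount.com'
ORDER BY event_time
"""


def find_sink_modifications(events, now=NOW, window_hours=2):
    """Load the events into an in-memory table and return the rows the rule matches.

    Timestamps are stored as ISO 8601 strings in UTC so that the string
    comparison in the WHERE clause orders them correctly.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE gcp_audit_log (event_time TEXT, method_name TEXT, "
        "principal_email TEXT, resource_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO gcp_audit_log VALUES (?, ?, ?, ?)",
        [(t.isoformat(), m, p, r) for t, m, p, r in events],
    )
    since = (now - timedelta(hours=window_hours)).isoformat()
    rows = conn.execute(SINK_CHANGE_QUERY, {"since": since}).fetchall()
    conn.close()
    return [
        {"event_time": t, "method_name": m, "principal_email": p, "resource_name": r}
        for t, m, p, r in rows
    ]


if __name__ == "__main__":
    for hit in find_sink_modifications(SAMPLE_EVENTS):
        print(f"{hit['event_time']} {hit['principal_email']} "
              f"{hit['method_name']} {hit['resource_name']}")
```

Against the constructed rows the query returns two hits: the human deletion of the SIEM export sink and the update made by the user-managed service account; the Google-managed agent, the read-only ListSinks call and the five-hour-old creation are all dropped. Widening the window to six hours brings the older creation back, which is the knob to turn when the rule is run on a schedule coarser than the two-hour lookback.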
Categories
- Cloud
- GCP
Data Sources
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T1070
- T1078
Created: 2024-08-15