
Summary
This detection rule monitors for, and alerts on, the deletion of Google Cloud Platform (GCP) Log Buckets or Logging Sinks. Its purpose is to surface potential malicious activity in which an adversary deletes logs to cover their tracks. The rule works by inspecting GCP Cloud Audit Logs for the specific delete operations that target log buckets and sinks, so that security teams can respond to such actions promptly. It carries a medium severity: log deletion is treated with caution because it may indicate unauthorized activity, but it is also a routine administrative operation. The associated runbook therefore stresses confirming whether the deletion was authorized, in order to distinguish legitimate log management from potentially malicious activity.
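The following is an added illustration of the detection logic the summary describes; it is not the rule's own code. It evaluates Cloud Audit Log entries and raises an alert when the `protoPayload.methodName` is the Cloud Logging Config API's `DeleteBucket` or `DeleteSink` call. The field names follow the standard Cloud Audit Log schema; the sample entries are constructed for the example, and the alert format is an assumption of this example rather than the rule's actual output.

```python
"""Flag GCP Log Bucket / Logging Sink deletions in Cloud Audit Log entries."""
import json
from typing import Any, Dict, List, Optional

# Cloud Audit Log methodName values emitted when a log bucket or a logging
# sink is deleted through the Cloud Logging Config API.
DELETE_METHODS = {
    "google.logging.v2.ConfigServiceV2.DeleteBucket": "Log Bucket",
    "google.logging.v2.ConfigServiceV2.DeleteSink": "Logging Sink",
}

SEVERITY = "MEDIUM"  # matches the rule's stated severity


def evaluate(entry: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return an alert for a bucket/sink deletion entry, or None otherwise."""
    payload = entry.get("protoPayload", {})
    kind = DELETE_METHODS.get(payload.get("methodName", ""))
    if kind is None:
        return None
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    project = entry.get("resource", {}).get("labels", {}).get("project_id", "<unknown>")
    # A non-zero status.code means the API call failed; a failed deletion
    # attempt is still worth triaging, so it is flagged but marked as such.
    succeeded = payload.get("status", {}).get("code", 0) == 0
    return {
        "title": f"GCP {kind} deleted by {actor} in project {project}",
        "severity": SEVERITY,
        "method": payload.get("methodName"),
        "resource": payload.get("resourceName", "<unknown>"),
        "actor": actor,
        "project": project,
        "succeeded": succeeded,
        "timestamp": entry.get("timestamp", ""),
    }


def scan_jsonl(text: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON audit entries and return all alerts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = evaluate(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample entries (not real audit logs): a sink deletion, a bucket
# deletion that failed, a benign ListSinks call, and an unrelated storage event.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2023-06-14T10:00:00Z",
     "resource": {"type": "logging_sink", "labels": {"project_id": "example-proj"}},
     "protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
                      "resourceName": "projects/example-proj/sinks/siem-export",
                      "authenticationInfo": {"principalEmail": "user@example.com"}}},
    {"timestamp": "2023-06-14T10:01:00Z",
     "resource": {"type": "logging_bucket", "labels": {"project_id": "example-proj"}},
     "protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.DeleteBucket",
                      "resourceName": "projects/example-proj/locations/global/buckets/_Default",
                      "status": {"code": 7, "message": "PERMISSION_DENIED"},
                      "authenticationInfo": {"principalEmail": "user@example.com"}}},
    {"timestamp": "2023-06-14T10:02:00Z",
     "resource": {"type": "logging_sink", "labels": {"project_id": "example-proj"}},
     "protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.ListSinks",
                      "authenticationInfo": {"principalEmail": "user@example.com"}}},
    {"timestamp": "2023-06-14T10:03:00Z",
     "resource": {"type": "gcs_bucket", "labels": {"project_id": "example-proj"}},
     "protoPayload": {"methodName": "storage.buckets.delete",
                      "authenticationInfo": {"principalEmail": "user@example.com"}}},
])


if __name__ == "__main__":
    for a in scan_jsonl(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['title']} ({a['method']}, succeeded={a['succeeded']})")
```

Note that a Cloud Storage bucket deletion (`storage.buckets.delete`) does not match: the rule is scoped to Cloud Logging buckets and sinks, so method-name matching is what keeps it from firing on unrelated deletions. The `succeeded` field is there to support the runbook's triage step: a denied deletion attempt by an unexpected principal is often more interesting than a successful one by the logging administrator.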
Categories
- Cloud
- GCP
- Infrastructure
Data Sources
- Group
- Logon Session
- Cloud Service
- Application Log
Created: 2023-06-14