GCP Logging Sink Modification

Elastic Detection Rules

Summary
This rule detects unauthorized modifications to Logging sinks within Google Cloud Platform (GCP). Logging sinks route log entries to configured destinations, and an adversary who alters a sink can redirect sensitive logs to a destination they control or suppress the evidence of their activity. The rule uses GCP audit logs to identify when a Logging sink has been successfully modified, matching the audit event actions that indicate a sink configuration change. False positives may arise from legitimate administrative actions, so thorough investigation steps are outlined to confirm unauthorized activity. These steps include verifying the event outcome, the user responsible for the change, and the destination the logs are now routed to. In case of unauthorized modifications, immediate remediation actions are recommended, including reverting the change, restricting access, and notifying stakeholders. This rule contributes to an overall strategy to prevent data exfiltration through careful monitoring of logging configurations.
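The following is an added example, not the Elastic rule's own query or code, showing the detection logic the summary describes run over a few constructed GCP Cloud Audit Log entries in their JSON form. It assumes that sink updates are recorded under the audit method name google.logging.v2.ConfigServiceV2.UpdateSink (the Cloud Logging v2 API name for that call) and that the request body appears under protoPayload.request.sink; the sample entries, principals, projects and destinations are all constructed. For each successful sink update it emits the triage fields the investigation steps ask for (outcome, principal, destination) and flags destinations whose project differs from the project the sink lives in.

```python
"""Toy detector for GCP Logging sink modifications (added example, not Elastic's code)."""
import json
import re
from typing import Iterable, Optional

# Audit method names that change a sink's configuration. UpdateSink is the
# Cloud Logging v2 API name; assumed here as the action the rule keys on.
SINK_CHANGE_METHODS = {"google.logging.v2.ConfigServiceV2.UpdateSink"}

# Pub/Sub, BigQuery and Logging-bucket destinations embed a project id; capture it
# so a sink that starts routing logs into a foreign project stands out.
_DEST_PROJECT_RE = re.compile(r"^[a-z]+\.googleapis\.com/projects/([^/]+)/")

# Constructed audit log lines (one JSON document per line), not real data.
SAMPLE_LOG_LINES = [
    '{"timestamp": "2024-01-01T10:00:00Z", "resource": {"type": "logging_sink", "labels": '
    '{"project_id": "prod-project", "name": "audit-export"}}, "protoPayload": {"methodName": '
    '"google.logging.v2.ConfigServiceV2.UpdateSink", "resourceName": "projects/prod-project/sinks/audit-export", '
    '"authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.5"}, '
    '"request": {"sink": {"name": "audit-export", "destination": '
    '"pubsub.googleapis.com/projects/unknown-project/topics/logs"}}}}',
    # Same call, but denied: a status object with a non-zero code marks failure.
    '{"timestamp": "2024-01-01T10:05:00Z", "resource": {"type": "logging_sink", "labels": '
    '{"project_id": "prod-project", "name": "audit-export"}}, "protoPayload": {"methodName": '
    '"google.logging.v2.ConfigServiceV2.UpdateSink", "status": {"code": 7, "message": "PERMISSION_DENIED"}, '
    '"authenticationInfo": {"principalEmail": "bob@example.com"}, "requestMetadata": {"callerIp": "198.51.100.9"}, '
    '"request": {"sink": {"name": "audit-export", "destination": "storage.googleapis.com/some-bucket"}}}}',
    # Read-only call: listing sinks is not a configuration change.
    '{"timestamp": "2024-01-01T10:06:00Z", "resource": {"type": "logging_sink", "labels": '
    '{"project_id": "prod-project"}}, "protoPayload": {"methodName": '
    '"google.logging.v2.ConfigServiceV2.ListSinks", "authenticationInfo": {"principalEmail": "bob@example.com"}}}',
    # Successful update by a service account, destination stays inside the same project.
    '{"timestamp": "2024-01-01T11:00:00Z", "resource": {"type": "logging_sink", "labels": '
    '{"project_id": "prod-project", "name": "bq-export"}}, "protoPayload": {"methodName": '
    '"google.logging.v2.ConfigServiceV2.UpdateSink", "resourceName": "projects/prod-project/sinks/bq-export", '
    '"authenticationInfo": {"principalEmail": "deploy@prod-project.iam.gserviceaccount.com"}, '
    '"requestMetadata": {"callerIp": "10.0.0.4"}, "request": {"sink": {"name": "bq-export", '
    '"destination": "bigquery.googleapis.com/projects/prod-project/datasets/audit_logs"}}}}',
]


def destination_project(destination: str) -> Optional[str]:
    """Return the project id embedded in a sink destination, or None if it has none
    (Cloud Storage bucket destinations name only the bucket)."""
    match = _DEST_PROJECT_RE.match(destination)
    return match.group(1) if match else None


def detect_sink_modifications(lines: Iterable[str]) -> list:
    """Parse audit log lines and return one triage record per successful sink change."""
    alerts = []
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") not in SINK_CHANGE_METHODS:
            continue
        # Audit entries carry protoPayload.status only when the call failed; an absent
        # status or code 0 means the change was applied, which is the case to alert on.
        if payload.get("status", {}).get("code", 0) != 0:
            continue
        sink = payload.get("request", {}).get("sink", {})
        resource_project = entry.get("resource", {}).get("labels", {}).get("project_id")
        destination = sink.get("destination", "")
        dest_project = destination_project(destination)
        alerts.append({
            "timestamp": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "sink": sink.get("name") or payload.get("resourceName"),
            "destination": destination,
            # True when logs are now routed to a project other than the sink's own.
            "cross_project": dest_project is not None and dest_project != resource_project,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_sink_modifications(SAMPLE_LOG_LINES):
        print(json.dumps(alert))
```

Run as-is the script prints two alerts: the cross-project Pub/Sub redirection by alice@example.com, which is the case an analyst would escalate first, and the in-project BigQuery change by the deployment service account, which is the kind of entry that usually turns out to be routine administration. The denied attempt and the ListSinks call are dropped because the rule is scoped to successful configuration changes.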
Categories
  • Cloud
  • GCP
  • Infrastructure
Data Sources
  • Cloud Service
  • Cloud Storage
  • Application Log
ATT&CK Techniques
  • T1537
Created: 2020-09-22