Google Cloud Logging Bucket deleted

Goal

Detect when a logging bucket is deleted in Google Cloud. An adversary may delete a logging bucket as a means of defense evasion.

Strategy

Monitor Google Cloud audit logs to determine when the following method is invoked:

  • google.logging.v2.ConfigServiceV2.DeleteBucket

Triage and response

Determine if the Google Cloud user {{@usr.id}} should be deleting the logging bucket identified in the @data.protoPayload.resourceName field.
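
The strategy and triage steps above, as an added example that is not part of the original rule: a Python filter that runs over constructed audit log lines, matches the DeleteBucket method and reports who called it on which bucket. The EXPECTED_ADMINS allowlist, the sample identities and the bucket names are assumptions, as is reading the user from protoPayload.authenticationInfo.principalEmail.

```python
import json

DELETE_BUCKET = "google.logging.v2.ConfigServiceV2.DeleteBucket"
# Hypothetical allowlist of identities expected to manage logging buckets.
EXPECTED_ADMINS = {"logging-admin@example-project.iam.gserviceaccount.com"}

def _entry(method, resource, principal, status=None):
    """Build one constructed audit log line (sample data, not a real log)."""
    payload = {"serviceName": "logging.googleapis.com", "methodName": method,
               "resourceName": resource,
               "authenticationInfo": {"principalEmail": principal}}
    if status is not None:
        payload["status"] = status
    return json.dumps({"protoPayload": payload})

BUCKET = "projects/example-project/locations/global/buckets/"
SAMPLE_LOGS = [
    _entry(DELETE_BUCKET, BUCKET + "app-logs", "alice@example.com"),
    _entry(DELETE_BUCKET, BUCKET + "tmp-logs",
           "logging-admin@example-project.iam.gserviceaccount.com"),
    _entry(DELETE_BUCKET, BUCKET + "audit-logs", "bob@example.com",
           {"code": 7, "message": "PERMISSION_DENIED"}),
    _entry("google.logging.v2.ConfigServiceV2.UpdateBucket", BUCKET + "app-logs",
           "alice@example.com"),
    '{"textPayload": "entry without protoPayload"}', "not json at all",
]

def find_bucket_deletions(lines):
    """Return one finding per DeleteBucket call, skipping unparsable lines."""
    findings = []
    for line in lines:
        try:
            payload = json.loads(line).get("protoPayload") or {}
        except (json.JSONDecodeError, AttributeError):
            continue
        if payload.get("methodName") != DELETE_BUCKET:
            continue
        principal = (payload.get("authenticationInfo") or {}).get("principalEmail", "unknown")
        findings.append({
            "principal": principal,
            "bucket": payload.get("resourceName", "unknown"),
            # A non-zero status code means the call failed (7 = PERMISSION_DENIED).
            "succeeded": (payload.get("status") or {}).get("code", 0) == 0,
            "expected": principal in EXPECTED_ADMINS,
        })
    return findings

if __name__ == "__main__":
    for finding in find_bucket_deletions(SAMPLE_LOGS):
        print(finding)
```

Findings where "expected" is false are the ones to triage first; a failed call by an unexpected identity is still worth reviewing because it records an attempt.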
