forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
defense_evasion_gcp_logging_bucket_deletion.toml
61 lines (53 loc) · 2.1 KB
/
defense_evasion_gcp_logging_bucket_deletion.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
[metadata]
creation_date = "2020/09/21"
integration = ["gcp"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize
log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during
that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their
destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may
delete a log bucket to evade detection.
"""
false_positives = [
"""
Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource
name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Logging Bucket Deletion"
note = """## Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"]
risk_score = 47
rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: GCP",
"Data Source: Google Cloud Platform",
"Use Case: Log Auditing",
"Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"