defense_evasion_gcp_logging_sink_deletion.toml

[metadata]
creation_date = "2020/09/18"
integration = ["gcp"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the
log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to
the sink's export destination. An adversary may delete a Logging sink to evade detection.
"""
false_positives = [
    """
    Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource
    name, and/or hostname should be making changes in your environment. Logging sink deletions by unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Logging Sink Deletion"
note = """## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/logging/docs/export"]
risk_score = 47
rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Log Auditing",
    "Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"