GCP API calls indicating GKE logging configuration change
Description
AlphaSOC detected that logging was disabled on a GKE cluster via
google.container.v1beta1.ClusterManager.UpdateCluster by setting an empty
logging component configuration. GKE logging captures system, workload, and API
server logs critical for security monitoring.
Adversaries may disable cluster logging to hide malicious activities within the Kubernetes environment, including unauthorized container deployments, privilege escalation, or data exfiltration.
Impact
Disabling GKE logging removes visibility into cluster operations, container activities, and Kubernetes API calls. Security teams lose the ability to detect malicious container deployments, unauthorized access, or suspicious workload behavior. Forensic investigations become difficult without historical logs.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the UpdateCluster action with
desiredLoggingConfig.componentConfig changes. Identify the principal that
disabled logging and verify if this was an authorized change.
If unauthorized, immediately re-enable GKE logging with appropriate component coverage. Investigate the compromised identity for additional defense evasion activities. Review cluster activities that may have occurred while logging was disabled.
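The following is an added example, not AlphaSOC's own detection code, showing how the review described above can be done over exported GCP Admin Activity audit log lines: it matches UpdateCluster calls whose desiredLoggingConfig.componentConfig enables no components, extracts the principal and caller IP for follow-up, and scores the event with the severity table above by counting unexpected properties (action, ASN, user agent, region). The audit log field paths (request.update.desiredLoggingConfig.componentConfig.enableComponents, requestMetadata.callerIp, resource.labels.location), the component names, the baseline of expected values, the IP-to-ASN table and the sample log lines are all assumptions constructed for this example.

```python
import json

UPDATE_CLUSTER = "google.container.v1beta1.ClusterManager.UpdateCluster"

# Constructed baseline of expected properties for this environment (assumption: a real
# pipeline would learn these per principal from historical audit logs).
BASELINE = {
    "action": {UPDATE_CLUSTER, "google.container.v1beta1.ClusterManager.GetCluster"},
    "asn": {"AS64500"},  # constructed ASN of the corporate egress range
    "user_agent": {"google-cloud-sdk", "Terraform"},
    "region": {"us-central1"},
}

# Constructed IP-to-ASN enrichment table standing in for a real ASN database.
IP_TO_ASN = {"203.0.113.10": "AS64500", "198.51.100.7": "AS64496"}


def logging_disabled(entry: dict) -> bool:
    """True when an UpdateCluster request sets an empty logging component config."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != UPDATE_CLUSTER:
        return False
    # Assumed field path: request.update.desiredLoggingConfig.componentConfig
    logging_cfg = payload.get("request", {}).get("update", {}).get("desiredLoggingConfig")
    if logging_cfg is None:
        return False  # the update touched something other than logging
    components = logging_cfg.get("componentConfig", {}).get("enableComponents", [])
    return len(components) == 0


def unexpected_properties(entry: dict) -> list:
    """Names of the scored properties whose observed value lies outside BASELINE."""
    payload = entry["protoPayload"]
    meta = payload.get("requestMetadata", {})
    observed = {
        "action": payload.get("methodName"),
        "asn": IP_TO_ASN.get(meta.get("callerIp"), "unknown"),
        # keep only the product token: "google-cloud-sdk/470.0.0 gcloud" -> "google-cloud-sdk"
        "user_agent": meta.get("callerSuppliedUserAgent", "").split("/")[0],
        "region": entry.get("resource", {}).get("labels", {}).get("location"),
    }
    return [name for name, value in observed.items() if value not in BASELINE[name]]


def severity(unexpected_count: int) -> str:
    """Map the count of simultaneously unexpected properties to the severity tiers.
    Assumption: an event with nothing unexpected still surfaces at Informational."""
    if unexpected_count >= 3:
        return "Medium"
    if unexpected_count == 2:
        return "Low"
    return "Informational"


def triage(audit_lines) -> list:
    """Return one finding per JSON log line in which cluster logging was disabled."""
    findings = []
    for line in audit_lines:
        entry = json.loads(line)
        if not logging_disabled(entry):
            continue
        payload = entry["protoPayload"]
        unexpected = unexpected_properties(entry)
        findings.append({
            "principal": payload["authenticationInfo"]["principalEmail"],
            "cluster": payload.get("resourceName"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            "unexpected": unexpected,
            "severity": severity(len(unexpected)),
        })
    return findings


def _entry(principal, ip, user_agent, location, update) -> str:
    """Build a constructed audit log line shaped like a GKE Admin Activity entry."""
    return json.dumps({
        "protoPayload": {
            "methodName": UPDATE_CLUSTER,
            "resourceName": "projects/example-project/locations/%s/clusters/prod" % location,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": user_agent},
            "request": {"update": update},
        },
        "resource": {"type": "gke_cluster", "labels": {"location": location}},
    })


NO_LOGGING = {"desiredLoggingConfig": {"componentConfig": {"enableComponents": []}}}
FULL_LOGGING = {"desiredLoggingConfig": {"componentConfig": {
    "enableComponents": ["SYSTEM_COMPONENTS", "WORKLOADS", "APISERVER"]}}}
OPS_SA = "ops@example-project.iam.gserviceaccount.com"

# Constructed sample audit lines: three disable events of rising suspicion, then two
# UpdateCluster calls that must not fire (logging re-enabled; unrelated node pool change).
SAMPLE_LINES = [
    _entry(OPS_SA, "203.0.113.10", "google-cloud-sdk/470.0.0 gcloud", "us-central1", NO_LOGGING),
    _entry(OPS_SA, "198.51.100.7", "curl/8.5.0", "us-central1", NO_LOGGING),
    _entry("dev@example.com", "198.51.100.7", "python-requests/2.31", "europe-west1", NO_LOGGING),
    _entry(OPS_SA, "203.0.113.10", "google-cloud-sdk/470.0.0 gcloud", "us-central1", FULL_LOGGING),
    _entry(OPS_SA, "203.0.113.10", "google-cloud-sdk/470.0.0 gcloud", "us-central1",
           {"desiredNodePoolId": "default-pool"}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(json.dumps(finding))
```

Run against the constructed lines, the first disable event scores Informational, the second (unknown ASN plus unfamiliar client) Low, and the third (unknown ASN, unfamiliar client and an unexpected region) Medium; the two non-disabling updates produce no finding. The same methodName string serves as the Logs Explorer filter when pulling real entries for this review, and the principal and caller IP in each finding are the starting points for the identity investigation described above.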