Unexpected GCP API calls indicating Cloud Logging deletion
Description
AlphaSOC detected the deletion of logs in Google Cloud Logging. Attackers often delete logs to cover their tracks and hinder forensic investigation. Log deletion removes evidence of malicious activity and can significantly impair incident response efforts.
Impact
Deleting cloud logs destroys audit trails and evidence needed for security investigations. Without logs, it becomes difficult to determine what actions were taken, what data was accessed, and how attackers moved through the environment. This can allow malicious activity to go undetected and unattributed.
Severity
| Severity | Condition |
|---|---|
| Informational | Cloud logs deleted |
| Low | Cloud logs deleted with anomalous behavioral patterns |
| Medium | Cloud logs deleted in suspicious context |
Investigation and Remediation
Review GCP audit logs for the google.logging.v2.LoggingServiceV2.DeleteLog action to identify who deleted the logs and which log entries were removed. Investigate other actions performed by the same principal around the time of deletion.
If unauthorized, immediately revoke the principal's permissions and investigate the scope of the compromise. Review any remaining logs for evidence of malicious activity. Consider implementing log sinks to export logs to separate storage where they cannot be easily deleted.
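The triage steps above, as an added example that is not AlphaSOC's own code: it scans exported Cloud Audit Log entries for the DeleteLog method and, for each hit, reports the principal, the deleted log resource, and the other actions the same principal took within a configurable window. The entries, project name and principal emails are constructed sample data, not taken from the page.

```python
import json
from datetime import datetime, timedelta

DELETE_LOG_METHOD = "google.logging.v2.LoggingServiceV2.DeleteLog"
ACTOR = "svc-build@example-project.iam.gserviceaccount.com"  # constructed

# Constructed sample admin-activity audit entries (not real data), shaped like
# Cloud Logging's export format: protoPayload carries method, caller and target.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-05-01T10:00:00Z",
     "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "authenticationInfo": {"principalEmail": ACTOR},
                      "resourceName": "projects/example-project/serviceAccounts/" + ACTOR}},
    {"timestamp": "2024-05-01T10:04:30Z",
     "protoPayload": {"methodName": DELETE_LOG_METHOD,
                      "authenticationInfo": {"principalEmail": ACTOR},
                      "resourceName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity"}},
    {"timestamp": "2024-05-01T12:00:00Z",
     "protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.ListSinks",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "resourceName": "projects/example-project"}},
]


def _ts(entry):
    return datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(entry):
    return entry.get("protoPayload", {}).get("authenticationInfo", {}).get("principalEmail")


def find_log_deletions(entries, window_minutes=30):
    """One finding per DeleteLog call: who, when, which log, plus every other
    method the same principal invoked within +/- window_minutes (for pivoting)."""
    findings = []
    for e in entries:
        pp = e.get("protoPayload", {})
        if pp.get("methodName") != DELETE_LOG_METHOD:
            continue
        actor = _principal(e) or "<unknown>"
        when = _ts(e)
        lo, hi = when - timedelta(minutes=window_minutes), when + timedelta(minutes=window_minutes)
        related = sorted(o["protoPayload"]["methodName"] for o in entries
                         if o is not e and _principal(o) == actor and lo <= _ts(o) <= hi)
        findings.append({"principal": actor, "timestamp": e["timestamp"],
                         "deleted_log": pp.get("resourceName"), "related_actions": related})
    return findings


if __name__ == "__main__":
    print(json.dumps(find_log_deletions(SAMPLE_ENTRIES), indent=2))
```

Feed it the JSON output of a Cloud Logging export (one entry per object) to run the same check on real data; a key creation shortly before a DeleteLog call, as in the sample, is the kind of adjacent action worth pulling into the investigation.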