Suspicious GCP API calls indicating logging bucket deletion
Description
AlphaSOC detected deletion of a GCP Cloud Logging bucket, recorded in Cloud
Audit Logs as a call to google.logging.v2.ConfigServiceV2.DeleteBucket.
Adversaries may delete logging buckets to cover their tracks after an attack,
removing the evidence of their activity.
Impact
Logging bucket deletion destroys the audit logs and application logs stored in that bucket. This removes evidence needed for security investigations, compliance audits and incident response, and historical data about attacker activity may be permanently lost, making it difficult to establish the scope and impact of a compromise. Two limits apply: the _Required bucket, which holds Admin Activity audit logs (including the DeleteBucket call itself), cannot be deleted, and log entries also routed to another destination (a second bucket, BigQuery, Cloud Storage or Pub/Sub) are unaffected. Only logs whose sole destination was the deleted bucket are lost.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the DeleteBucket action. Admin Activity audit logs
are retained in the _Required bucket, which cannot be deleted, so the deletion
event itself survives. Filter on protoPayload.methodName for
google.logging.v2.ConfigServiceV2.DeleteBucket, then read
protoPayload.resourceName (projects/PROJECT/locations/LOCATION/buckets/BUCKET)
to identify which bucket was deleted, protoPayload.authenticationInfo.principalEmail
for the principal responsible, and protoPayload.requestMetadata.callerIp and
callerSuppliedUserAgent for where the call came from. Determine what log types
were routed to that bucket by reviewing the project's sinks.
If unauthorized, investigate the compromised identity for additional malicious activity. A deleted bucket remains in a pending-deletion state for 7 days and can be restored with gcloud logging buckets undelete; after that window it must be recreated to restore log collection. Review what logs may have been lost and check whether they were also exported to other destinations. Restrict the logging.buckets.delete permission to a small set of principals, and consider locking compliance-critical buckets: a locked bucket cannot be deleted, and its retention period cannot be shortened, until every entry in it has aged past that period. The lock itself cannot be reversed, so apply it deliberately.
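The triage described above, as an added example that is not AlphaSOC's detection code: it parses Cloud Audit Log entries, keeps only DeleteBucket calls, extracts the principal, bucket and caller for each, and scores it with the severity ladder from the table (one unexpected property among action, ASN, user agent and region is Informational, two is Low, three or more is Medium; none means no alert, which is an assumption the table does not state). The audit entries, the baseline of expected values and the IP-to-ASN table are constructed stand-ins; the field names follow the Cloud Audit Log JSON schema, but nothing here is real project data.

```python
"""Triage GCP Cloud Logging bucket deletions from Cloud Audit Log entries.
Added example, not AlphaSOC code. BASELINE, ASN_TABLE and SAMPLE_AUDIT_LOG are
constructed stand-ins; the field names follow the Cloud Audit Log JSON schema."""
import ipaddress
import json

DELETE_BUCKET = "google.logging.v2.ConfigServiceV2.DeleteBucket"

BASELINE = {  # constructed; in practice derived from the project's own audit history
    "actions": {"google.logging.v2.ConfigServiceV2.CreateBucket",
                "google.logging.v2.ConfigServiceV2.UpdateBucket"},
    "asns": {"AS15169"},                               # ASNs operators normally call from
    "user_agents": ("google-cloud-sdk", "Terraform"),  # substrings of approved tooling
    "regions": {"global", "us-central1"},              # locations holding log buckets
}

ASN_TABLE = [  # constructed stand-in for a real IP-to-ASN database (e.g. an MMDB file)
    (ipaddress.ip_network("35.235.240.0/20"), "AS15169"),
    (ipaddress.ip_network("203.0.113.0/24"), "AS64496"),
]

def lookup_asn(caller_ip):
    """Map callerIp to an ASN; non-IP values (internal callers) come back 'unknown'."""
    try:
        addr = ipaddress.ip_address(caller_ip)
    except ValueError:
        return "unknown"
    for net, asn in ASN_TABLE:
        if addr in net:
            return asn
    return "unknown"

def bucket_location(resource_name):
    """Return LOCATION from a resourceName of projects/P/locations/LOCATION/buckets/B."""
    parts = resource_name.split("/")
    try:
        return parts[parts.index("locations") + 1]
    except (ValueError, IndexError):
        return "unknown"

def unexpected_properties(payload, baseline=BASELINE):
    """List which of action, asn, user_agent and region fall outside the baseline."""
    meta = payload.get("requestMetadata", {})
    ua = meta.get("callerSuppliedUserAgent", "")
    unexpected = []
    if payload.get("methodName") not in baseline["actions"]:
        unexpected.append("action")
    if lookup_asn(meta.get("callerIp", "")) not in baseline["asns"]:
        unexpected.append("asn")
    if not any(tag in ua for tag in baseline["user_agents"]):
        unexpected.append("user_agent")
    if bucket_location(payload.get("resourceName", "")) not in baseline["regions"]:
        unexpected.append("region")
    return unexpected

def severity(n_unexpected):
    """Severity ladder from the table above; zero unexpected properties means no alert."""
    if n_unexpected >= 3:
        return "Medium"
    return {2: "Low", 1: "Informational"}.get(n_unexpected)

def triage(log_lines, baseline=BASELINE):
    """Keep DeleteBucket calls and score each with the fields an analyst needs first."""
    findings = []
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("methodName") != DELETE_BUCKET:
            continue
        props = unexpected_properties(payload, baseline)
        findings.append({"principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                         "bucket": payload.get("resourceName"),
                         "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
                         "unexpected": props, "severity": severity(len(props))})
    return findings

def _entry(method, principal, ip, ua, bucket):
    """Build one constructed audit entry carrying only the fields triage() reads."""
    return json.dumps({"protoPayload": {
        "serviceName": "logging.googleapis.com", "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua},
        "resourceName": bucket}})

SA = "terraform@example-project.iam.gserviceaccount.com"
SAMPLE_AUDIT_LOG = [  # constructed sample data, not real log lines
    _entry("google.logging.v2.ConfigServiceV2.UpdateBucket", SA, "35.235.240.17", "Terraform/1.7.5",
           "projects/example-project/locations/us-central1/buckets/app-logs"),
    _entry(DELETE_BUCKET, SA, "35.235.240.17", "Terraform/1.7.5",
           "projects/example-project/locations/us-central1/buckets/app-logs"),
    _entry(DELETE_BUCKET, "alice@example.com", "35.235.240.9", "python-requests/2.31.0",
           "projects/example-project/locations/global/buckets/security-logs"),
    _entry(DELETE_BUCKET, "ci-deployer@example-project.iam.gserviceaccount.com", "203.0.113.7",
           "curl/8.4.0", "projects/example-project/locations/europe-west1/buckets/audit-archive"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f["severity"], f["principal"], f["bucket"], f["unexpected"])
```

The UpdateBucket entry is dropped by the methodName filter; the three deletions score Informational (usual automation, usual network, only the action is outside the baseline), Low (approved network but ad-hoc tooling) and Medium (unknown ASN, unknown tool, unusual location). Because DeleteBucket is absent from the baseline's expected actions, every deletion scores at least Informational; a project whose automation routinely deletes buckets would add it to the baseline and rely on the other three properties.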