GCP log sink deleted
Description
AlphaSOC detected deletion of a GCP Cloud Logging sink. Logging sinks export logs to external destinations such as BigQuery, Cloud Storage, or Pub/Sub for analysis and retention. Adversaries may delete logging sinks to evade detection and cover their tracks.
Impact
Deleting logging sinks removes the ability to export logs for security monitoring and analysis. This can create gaps in visibility, making it difficult to detect malicious activity or conduct forensic investigations. Historical logs may be lost if not already exported.
Severity
| Severity | Condition |
|---|---|
| Medium | GCP Logging sink deleted |
Investigation and Remediation
Review GCP audit logs to identify which logging sink was deleted and the principal responsible. Determine what log types and destinations were affected.
If unauthorized, immediately recreate the logging sink to restore log export capabilities. Review other logging configurations for similar unauthorized changes. Check for gaps in exported logs during the deletion period. Rotate credentials for the compromised identity and implement IAM policies to restrict logging sink deletion.
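As an added example (not AlphaSOC's detection code), the triage step above against Cloud Audit Log entries: it picks out each `DeleteSink` call, reports the sink and the principal, and measures the export gap until a matching `CreateSink` appears. The entries are constructed samples; the project and sink names are assumptions.

```python
from datetime import datetime

# Cloud Audit Log method names for sink deletion and recreation.
DELETE_SINK = "google.logging.v2.ConfigServiceV2.DeleteSink"
CREATE_SINK = "google.logging.v2.ConfigServiceV2.CreateSink"

def _entry(ts, method, project, sink, principal):
    """Build a minimal Cloud Audit Log entry (constructed sample, not real data)."""
    return {"timestamp": ts,
            "protoPayload": {"methodName": method,
                             "resourceName": f"projects/{project}/sinks/{sink}",
                             "authenticationInfo": {"principalEmail": principal}}}

# Constructed sample: two deletions, one unrelated update, one recreation.
SAMPLE_ENTRIES = [
    _entry("2024-05-01T10:02:11Z", DELETE_SINK, "example-prod", "siem-export",
           "svc-ci@example-prod.iam.gserviceaccount.com"),
    _entry("2024-05-01T10:05:40Z", "google.logging.v2.ConfigServiceV2.UpdateSink",
           "example-prod", "bq-archive", "admin@example.com"),
    _entry("2024-05-01T10:07:03Z", DELETE_SINK, "example-dev", "dev-costs",
           "admin@example.com"),
    _entry("2024-05-01T10:31:00Z", CREATE_SINK, "example-prod", "siem-export",
           "admin@example.com"),
]

def _parse(entry):
    p = entry["protoPayload"]
    # resourceName has the form projects/<project>/sinks/<sink>
    _, project, _, sink = p["resourceName"].split("/")
    return (datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
            project, sink, p["methodName"],
            p.get("authenticationInfo", {}).get("principalEmail", "unknown"))

def sink_deletions(entries):
    """For each DeleteSink call, report who deleted which sink and how long the
    export gap lasted until a CreateSink for the same sink (None if still open).
    Equivalent Logs Explorer filter:
      protoPayload.methodName="google.logging.v2.ConfigServiceV2.DeleteSink"
    """
    parsed = sorted(_parse(e) for e in entries)
    report = []
    for ts, project, sink, method, principal in parsed:
        if method != DELETE_SINK:
            continue
        recreated = next((t for t, pr, s, m, _ in parsed
                          if m == CREATE_SINK and (pr, s) == (project, sink) and t > ts),
                         None)
        gap_min = None if recreated is None else (recreated - ts).total_seconds() / 60
        report.append({"project": project, "sink": sink, "principal": principal,
                       "deleted_at": ts.isoformat(), "gap_minutes": gap_min})
    return report
```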
Known False Positives
- Consolidation of logging infrastructure
- Migration to new log export destinations
- Cost optimization in non-production environments