GCP Logging sink modified
Description
AlphaSOC detected modifications to a Google Cloud Logging sink. Logging sinks export logs to external destinations such as Cloud Storage, BigQuery, or Pub/Sub. Attackers may modify sinks to redirect logs to attacker-controlled destinations for exfiltration or to impair log collection and detection capabilities.
Impact
Compromised logging sinks can redirect sensitive audit logs and application data to attackers for intelligence gathering. Modified sinks may also filter out specific log types, allowing malicious activity to go undetected. Disrupting logging infrastructure undermines incident response capabilities and forensic investigations.
Severity
| Severity | Condition |
|---|---|
| Low | Logging sink modified |
Investigation and Remediation
Review the specific changes made to the logging sink configuration. Verify the identity of the user who made the modifications and confirm the action was authorized. Examine the destination settings to ensure logs are being sent to legitimate internal destinations. If unauthorized changes are detected, revert the configuration and investigate potential data exfiltration.
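One way to carry out this review against Cloud Audit Log entries, as an added example rather than AlphaSOC's own detection logic: it keeps sink create/update/delete events, records the acting principal and destination, and flags destinations outside an assumed allow list of internal projects or filters that exclude entries. The sample entries, project names and the `request.sink.{destination,filter}` field shape are assumptions; `methodName` and `principalEmail` follow the activity audit log.

```python
import re
# Constructed sample Cloud Audit Log entries (not real data): methodName and principalEmail
# follow the logging.googleapis.com/activity log; request.sink.{destination,filter} is assumed.
def entry(method, principal, resource, sink=None):
    payload = {"methodName": "google.logging.v2.ConfigServiceV2." + method,
               "authenticationInfo": {"principalEmail": principal}, "resourceName": resource}
    if sink:
        payload["request"] = {"sink": sink}
    return {"protoPayload": payload}

SAMPLE_ENTRIES = [
    entry("UpdateSink", "admin@example.com", "projects/prod-app/sinks/audit-export",
          {"destination": "bigquery.googleapis.com/projects/prod-sec/datasets/audit",
           "filter": "logName:cloudaudit.googleapis.com"}),
    entry("UpdateSink", "deploy@prod-app.iam.gserviceaccount.com", "projects/prod-app/sinks/audit-export",
          {"destination": "pubsub.googleapis.com/projects/unknown-proj/topics/ingest",
           "filter": "NOT protoPayload.methodName:SetIamPolicy"}),
    entry("ListSinks", "viewer@example.com", "projects/prod-app"),
]

ALLOWED_PROJECTS = {"prod-app", "prod-sec"}  # assumed legitimate destination projects
SINK_METHODS = {"google.logging.v2.ConfigServiceV2." + m
                for m in ("CreateSink", "UpdateSink", "DeleteSink")}

def destination_project(dest):
    # BigQuery, Pub/Sub and Logging-bucket destinations embed "projects/<id>";
    # a Cloud Storage destination names only a bucket, so None is returned.
    parts = dest.split("/")
    return parts[parts.index("projects") + 1] if "projects" in parts[:-1] else None

def triage(entries, allowed_projects=ALLOWED_PROJECTS):
    """Keep only sink-changing events; record who changed what and why it needs review."""
    findings = []
    for e in entries:
        p = e["protoPayload"]
        if p["methodName"] not in SINK_METHODS:
            continue
        sink = p.get("request", {}).get("sink", {})
        dest, flt, reasons = sink.get("destination", ""), sink.get("filter", ""), []
        if dest:
            proj = destination_project(dest)
            if proj is None:
                reasons.append("destination project not derivable; verify bucket ownership")
            elif proj not in allowed_projects:
                reasons.append("destination outside allowed projects: " + proj)
        if re.search(r"\bNOT\b", flt):  # heuristic: exclusion filters can hide activity
            reasons.append("filter excludes log entries")
        findings.append({"principal": p["authenticationInfo"]["principalEmail"], "sink": p["resourceName"],
                         "method": p["methodName"].rsplit(".", 1)[1], "destination": dest, "reasons": reasons})
    return findings
```

Events with an empty `reasons` list still deserve the identity check the text calls for; the list only prioritises which changes to look at first.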
Known False Positives
- Legitimate updates to logging infrastructure
- Changes to log destinations during migration or reorganization
- Filter updates to reduce log volume or costs