defense_evasion_gcp_logging_sink_deletion.toml

[metadata]
creation_date = "2020/09/18"
maturity = "production"
updated_date = "2021/07/20"
integration = "gcp"

[rule]
author = ["Elastic"]
description = """
Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the
log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to
the sink's export destination. An adversary may delete a Logging sink to evade detection.
"""
false_positives = [
    """
    Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource
    name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Logging Sink Deletion"
note = """## Config

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/logging/docs/export"]
risk_score = 47
rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305"
severity = "medium"
tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"