From d60cd6190eaad76c3323be67c466760ce973445f Mon Sep 17 00:00:00 2001
From: developutm
Date: Tue, 9 Jun 2026 14:57:37 +0000
Subject: [PATCH] feature(rules/google): add rule Cloud Logging Sink Modified
---
.../google/gcp_logging_sink_modified.yml | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 rules/cloud/google/gcp_logging_sink_modified.yml
diff --git a/rules/cloud/google/gcp_logging_sink_modified.yml b/rules/cloud/google/gcp_logging_sink_modified.yml
new file mode 100644
index 000000000..5c797bd1b
--- /dev/null
+++ b/rules/cloud/google/gcp_logging_sink_modified.yml
@@ -0,0 +1,30 @@
+# Rule version v1.0.0
+
+dataTypes:
+ - google
+name: GCP Cloud Logging Sink Modified
+impact:
+ confidentiality: 2
+ integrity: 3
+ availability: 2
+category: Defense Evasion
+technique: "T1070 - Indicator Removal"
+adversary: origin
+references:
+ - https://cloud.google.com/logging/docs/audit/cal-categories#cloud_logging
+ - https://cloud.google.com/logging/docs/sinks
+ - https://attack.mitre.org/techniques/T1070/
+description: |
+ Detects creation, modification, or deletion of Cloud Logging sinks. Attackers may manipulate logging sinks to redirect, suppress, or delete audit trail data, effectively blinding security monitoring. This is a classic defense evasion technique.
+
+ Next Steps:
+ 1. Verify if the sink change was authorized by the logging/SECOPS team
+ 2. For deletions: check if the sink was forwarding to a security tool (SIEM, SOAR)
+ 3. For creations: verify the destination is a legitimate logging backend
+ 4. For updates: compare the old and new sink configurations
+ 5. Restore any deleted security-relevant sinks immediately
+ 6. Review Cloud Audit logs for other logging configuration changes
+where: |
+ equals("log.protoPayloadServiceName", "logging.googleapis.com") &&
+ oneof("log.protoPayloadMethodName", ["google.logging.v2.ConfigServiceV2.CreateSink", "google.logging.v2.ConfigServiceV2.DeleteSink", "google.logging.v2.ConfigServiceV2.UpdateSink"]) &&
+ exists("origin.user")
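Review bot: The ATT&CK mapping at `technique: "T1070 - Indicator Removal"` does not match what the rule detects: reconfiguring or deleting a log sink stops future audit data from reaching its destination rather than removing indicators that already exist, which ATT&CK files under T1562.008 (Impair Defenses: Disable or Modify Cloud Logs), a sub-technique that names GCP log sinks explicitly. I would change the line to `technique: "T1562.008 - Impair Defenses: Disable or Modify Cloud Logs"` and replace the last reference with `- https://attack.mitre.org/techniques/T1562/008/`. Separately, the `where` clause matches on the method name without checking the call's outcome, so a permission-denied DeleteSink attempt (arguably worth alerting on in its own right) fires the same alert as a successful deletion; if the parsed event exposes the audit-log status code, the description should say whether failed attempts are meant to match. Expect routine noise from IaC and automation principals such as Terraform service accounts, which `exists("origin.user")` does nothing to filter, and note that sinks created at folder or organization level are recorded in that resource's audit log, which this rule only sees if those logs are ingested alongside project-level logs.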