Google Cloud logging sink modified

gcp

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect changes to Google Cloud logging sinks, which can stop audit logs from being sent to Datadog.

Strategy

Monitor Google Cloud admin activity audit logs to determine when any of the following methods are invoked:

  • google.logging.v2.ConfigServiceV2.UpdateSink
  • google.logging.v2.ConfigServiceV2.DeleteSink

Triage and response

Review the sink and ensure the sink is properly configured.

Changelog

7 February 2023 - Updated query.