---
title: Google Cloud disable Cloud Logging
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Google Cloud disable Cloud Logging
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Google Cloud disable Cloud Logging
Classification:attackTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1562-impair-defenses](https://attack.mitre.org/techniques/T1562) 
## Goal{% #goal %}

Detects when a principal attempts to disable Google Cloud Logging via the Service Usage API, whether the attempt succeeds or is repeatedly denied.

## Strategy{% #strategy %}

This rule monitors GCP audit logs for `ServiceUsage.DisableService` events targeting the Cloud Logging service (`logging.googleapis.com`). Both a successful disable (authorization granted) event, and repeated denied attempts in a short period (>5 in 1 hour) are monitoried. Disabling Cloud Logging is a well-known defense evasion technique used to delete audit trail visibility to hide malicious activity. Because Admin Activity audit logs are still generated even when the Logging API is disabled, the disable event itself remains visible. Repeated denied attempts may indicate an actor's attempt to erase the logs.

## Triage and Response{% #triage-and-response %}

- Determine whether the principal `{{@data.protoPayload.authenticationInfo.principalEmail}}` had a legitimate reason to disable Cloud Logging.
- Review recent IAM activity for this principal to identify unusual permission grants that may have enabled, or been intended to enable, this action.(i.e. data
- Check for other defense evasion activity from the same principal around the same timeframe, such as log sink deletions or exclusion-filter modifications.
- Examine the full sequence of the API calls from this principal in the hour preceding the delete event to see if there's any attack chain pattern.
- If Cloud Logging is confirmed as disabled, certain logs are not recoverable during the loggging gap period. (i.e. Servless logs like Cloud Runs). Consider implementing aggregarted sinks and organization policies to prevent future tampering.
