GCP logging sink deletion

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-12-08

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires: Gcp Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
Severity	Informational

Description

A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.
An attacker might use this technique to evade detection.

Attacker's Goals

Evade detection by limiting collected data.

Investigative actions

Identify the logs impacted by the deletion.
Review cloud identity activity before and after the deletion.

Variations

GCP logging sink deletion

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Severity

Low

Description

A GCP logging sink entity was deleted. Logs that match the logging sink rule will not arrive at their destination.
An attacker might use this technique to evade detection.

Attacker's Goals

Evade detection by limiting collected data.

Investigative actions

Identify the logs impacted by the deletion.
Review cloud identity activity before and after the deletion.