GCP logging sink modification

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-12-08

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires: Gcp Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Impair Defenses (T1562) Impair Defenses: Disable or Modify Cloud Logs (T1562.008)
Severity	Informational

Description

A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection.

Attacker's Goals

Evade detection by limiting collected data.

Investigative actions

Identify the relevant logs impacted by the modification.
Review the cloud identity activity before and after the logging sink modification.

Variations

GCP logging sink modification

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Severity

Low

Description

A GCP logging sink entity was modified. Logs that match the logging sink rule will not arrive at their destination. An attacker might use this technique to evade detection.

Attacker's Goals

Evade detection by limiting collected data.

Investigative actions

Identify the relevant logs impacted by the modification.
Review the cloud identity activity before and after the logging sink modification.