diff --git a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml new file mode 100644 index 000000000..ecd6bf53f --- /dev/null +++ b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2020/09/18" +ecs_version = ["1.6.0"] +maturity = "production" +updated_date = "2020/09/18" + +[rule] +author = ["Elastic"] +description = """ +Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the +log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to +the sink's export destination. An adversary may delete a Logging sink to evade detection. +""" +false_positives = [ + """ + Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource + name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or + hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +index = ["filebeat-*"] +language = "kuery" +license = "Elastic License" +name = "GCP Logging Sink Deletion" +note = "The GCP Filebeat module must be enabled to use this rule." +references = ["https://cloud.google.com/logging/docs/export"] +risk_score = 47 +rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305" +severity = "medium" +tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"] +type = "query" + +query = ''' +event.module:googlecloud and event.dataset:googlecloud.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1562" +name = "Impair Defenses" +reference = "https://attack.mitre.org/techniques/T1562/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +