Skip to content

google.logging.v2.ConfigServiceV2.UpdateExclusion

GCP

google.logging.v2.ConfigServiceV2.UpdateExclusion

service: GCP - Cloud Logging
techniques:

Event

Modifies a logging exclusion filter to silently drop specific log entries, hiding ongoing attacker activity.

Security Context

  • Logging exclusion filters silently discard matching log entries before they reach storage or downstream sinks, making the excluded activity completely invisible to security monitoring and forensic analysis.
  • Adversaries modify exclusion filters to suppress logs for specific API calls, service accounts, or resource types used in their attack, ensuring their ongoing activity generates no audit trail.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco modifies an existing innocuous-looking exclusion low-priority-cloudfunctions-debug (originally created by SRE to drop cloudfunctions.googleapis.com INFO-severity entries to save log-storage cost) to expand its filter to silently drop every audit log entry whose protoPayload.authenticationInfo.principalEmail matches Draco’s user. Because exclusions discard matching entries before they reach storage, every action Draco takes from this point forward is invisible — no admin activity, no data access, nothing. The exclusion-update event itself does get logged (this is the pivot), and that is the only signal defenders will see for the rest of the attack. Caveat: exclusions only apply to the _Default log bucket — the _Required bucket exempt for IAM/setup activity will still capture Draco’s actions.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.logging.exclusions.update invocation-id/90000000000000000000001111110110 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T15:55:24.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "logging.googleapis.com",
"methodName": "google.logging.v2.ConfigServiceV2.UpdateExclusion",
"authorizationInfo": [
{
"resource": "projects/fantasticlogs-prod/exclusions/low-priority-cloudfunctions-debug",
"permission": "logging.exclusions.update",
"granted": true,
"resourceAttributes": {
"service": "logging.googleapis.com",
"name": "projects/fantasticlogs-prod/exclusions/low-priority-cloudfunctions-debug",
"type": "logging.googleapis.com/Exclusion"
}
}
],
"resourceName": "projects/fantasticlogs-prod/exclusions/low-priority-cloudfunctions-debug",
"request": {
"@type": "type.googleapis.com/google.logging.v2.UpdateExclusionRequest",
"name": "projects/fantasticlogs-prod/exclusions/low-priority-cloudfunctions-debug",
"exclusion": {
"name": "low-priority-cloudfunctions-debug",
"description": "Suppress low-priority CloudFunctions debug entries (cost optimization)",
"filter": "(resource.type=\"cloud_function\" AND severity<=INFO) OR protoPayload.authenticationInfo.principalEmail=\"draco@fantasticlogs.cloud\"",
"disabled": false
},
"updateMask": "filter"
},
"response": {
"@type": "type.googleapis.com/google.logging.v2.LogExclusion",
"name": "low-priority-cloudfunctions-debug",
"description": "Suppress low-priority CloudFunctions debug entries (cost optimization)",
"filter": "(resource.type=\"cloud_function\" AND severity<=INFO) OR protoPayload.authenticationInfo.principalEmail=\"draco@fantasticlogs.cloud\"",
"disabled": false,
"createTime": "2026-03-01T08:14:32.123456789Z",
"updateTime": "2026-04-15T15:55:24.123456789Z"
}
},
"insertId": "evt001111110110",
"resource": {
"type": "audited_resource",
"labels": {
"project_id": "fantasticlogs-prod",
"name": "low-priority-cloudfunctions-debug"
}
},
"timestamp": "2026-04-15T15:55:24.123456789Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T15:55:24.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...