Skip to content

google.logging.v2.LoggingServiceV2.DeleteLog

GCP

google.logging.v2.LoggingServiceV2.DeleteLog

service: GCP - Cloud Logging
techniques:

Event

Deletes log entries from Cloud Logging, destroying forensic evidence of attacker activity.

Security Context

  • Deleting logs permanently removes audit records that document API calls, authentication events, and resource changes — eliminating the primary forensic evidence trail in GCP.
  • Adversaries delete logs to destroy evidence of their activity, making incident investigation and scope assessment significantly more difficult for defenders.

Log Source

Cloud Audit Logs

Sample Event

Draco purges the cloudaudit.googleapis.com%2Fdata_access log stream from the production project to destroy forensic evidence of his earlier reads against secrets and snapshots (T1070). The deletion itself is recorded on the Admin Activity stream because activity logs are immutable in GCP.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.logging.logs.delete invocation-id/90000000000000000000000000000100 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T15:48:02.778899100Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "logging.googleapis.com",
"methodName": "google.logging.v2.LoggingServiceV2.DeleteLog",
"authorizationInfo": [
{
"resource": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
"permission": "logging.logs.delete",
"granted": true,
"resourceAttributes": {
"service": "logging.googleapis.com",
"name": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
"type": "logging.googleapis.com/Log"
}
}
],
"resourceName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
"request": {
"@type": "type.googleapis.com/google.logging.v2.DeleteLogRequest",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access"
},
"response": {
"@type": "type.googleapis.com/google.protobuf.Empty"
}
},
"insertId": "evt0000000100",
"resource": {
"type": "audited_resource",
"labels": {
"project_id": "fantasticlogs-prod",
"name": "cloudaudit.googleapis.com/data_access"
}
},
"timestamp": "2026-04-15T15:48:02.667788990Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T15:48:03.001122334Z"
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...