google.logging.v2.LoggingServiceV2.DeleteLog
GCP
google.logging.v2.LoggingServiceV2.DeleteLog
Event
Deletes log entries from Cloud Logging, destroying forensic evidence of attacker activity.
Security Context
- Deleting logs permanently removes audit records that document API calls, authentication events, and resource changes — eliminating the primary forensic evidence trail in GCP.
- Adversaries delete logs to destroy evidence of their activity, making incident investigation and scope assessment significantly more difficult for defenders.
Log Source
Cloud Audit Logs
Sample Event
Draco purges the cloudaudit.googleapis.com%2Fdata_access log stream from the production project to destroy forensic evidence of his earlier reads against secrets and snapshots (T1070). The deletion itself is recorded on the Admin Activity stream because activity logs are immutable in GCP.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.logging.logs.delete invocation-id/90000000000000000000000000000100 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T15:48:02.778899100Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "logging.googleapis.com", "methodName": "google.logging.v2.LoggingServiceV2.DeleteLog", "authorizationInfo": [ { "resource": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access", "permission": "logging.logs.delete", "granted": true, "resourceAttributes": { "service": "logging.googleapis.com", "name": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access", "type": "logging.googleapis.com/Log" } } ], "resourceName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access", "request": { "@type": "type.googleapis.com/google.logging.v2.DeleteLogRequest", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access" }, "response": { "@type": "type.googleapis.com/google.protobuf.Empty" } }, "insertId": "evt0000000100", "resource": { "type": "audited_resource", "labels": { "project_id": "fantasticlogs-prod", "name": "cloudaudit.googleapis.com/data_access" } }, "timestamp": "2026-04-15T15:48:02.667788990Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T15:48:03.001122334Z"}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...