logging.projects.exclusions.create
GCP
logging.projects.exclusions.create
Event
Creates a log exclusion rule in Cloud Logging that prevents matching log entries from being ingested.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Modifications to logging and monitoring infrastructure can create blind spots that allow adversary activity to go undetected.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Sibling event to gcp-google-logging-v2-configservicev2-updateexclusion — same defense-impairment goal, different mechanism. Here, instead of amending an existing exclusion, Draco creates a fresh exclusion named low-noise-cloudfunctions whose filter silently drops all entries matching either his user account or his external attacker email. New exclusions have a fresh createTime field, which gives defenders a stronger time-correlation signal compared to amended-existing exclusions — but defenders have to be looking specifically at exclusion-create events.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.logging.exclusions.create invocation-id/90000000000000000000001111111110 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T15:51:02.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "logging.googleapis.com", "methodName": "google.logging.v2.ConfigServiceV2.CreateExclusion", "authorizationInfo": [ { "resource": "projects/fantasticlogs-prod", "permission": "logging.exclusions.create", "granted": true, "resourceAttributes": { "service": "logging.googleapis.com", "name": "projects/fantasticlogs-prod", "type": "logging.googleapis.com/Project" } } ], "resourceName": "projects/fantasticlogs-prod/exclusions/low-noise-cloudfunctions", "request": { "@type": "type.googleapis.com/google.logging.v2.CreateExclusionRequest", "parent": "projects/fantasticlogs-prod", "exclusion": { "name": "low-noise-cloudfunctions", "description": "Suppress noisy CloudFunctions debug entries", "filter": "resource.type=\"cloud_function\" AND severity<=INFO AND (protoPayload.authenticationInfo.principalEmail=\"draco@fantasticlogs.cloud\" OR protoPayload.authenticationInfo.principalEmail=\"draco-malfoy-666@gmail.com\")", "disabled": false } }, "response": { "@type": "type.googleapis.com/google.logging.v2.LogExclusion", "name": "low-noise-cloudfunctions", "description": "Suppress noisy CloudFunctions debug entries", "filter": "resource.type=\"cloud_function\" AND severity<=INFO AND (protoPayload.authenticationInfo.principalEmail=\"draco@fantasticlogs.cloud\" OR protoPayload.authenticationInfo.principalEmail=\"draco-malfoy-666@gmail.com\")", "disabled": false, "createTime": "2026-04-15T15:51:02.187654321Z", "updateTime": "2026-04-15T15:51:02.187654321Z" } }, "insertId": "evt001111111110", "resource": { "type": "logging_exclusion", "labels": { "project_id": "fantasticlogs-prod", "name": "low-noise-cloudfunctions" } }, "timestamp": "2026-04-15T15:51:02.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T15:51:02.567890123Z"}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...