Skip to content

logging.projects.exclusions.create

GCP

logging.projects.exclusions.create

service: GCP - Cloud Logging
techniques:

Event

Creates a log exclusion rule in Cloud Logging that prevents matching log entries from being ingested.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Modifications to logging and monitoring infrastructure can create blind spots that allow adversary activity to go undetected.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Sibling event to gcp-google-logging-v2-configservicev2-updateexclusion — same defense-impairment goal, different mechanism. Here, instead of amending an existing exclusion, Draco creates a fresh exclusion named low-noise-cloudfunctions whose filter silently drops all entries matching either his user account or his external attacker email. New exclusions have a fresh createTime field, which gives defenders a stronger time-correlation signal compared to amended-existing exclusions — but defenders have to be looking specifically at exclusion-create events.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.logging.exclusions.create invocation-id/90000000000000000000001111111110 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T15:51:02.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "logging.googleapis.com",
"methodName": "google.logging.v2.ConfigServiceV2.CreateExclusion",
"authorizationInfo": [
{
"resource": "projects/fantasticlogs-prod",
"permission": "logging.exclusions.create",
"granted": true,
"resourceAttributes": {
"service": "logging.googleapis.com",
"name": "projects/fantasticlogs-prod",
"type": "logging.googleapis.com/Project"
}
}
],
"resourceName": "projects/fantasticlogs-prod/exclusions/low-noise-cloudfunctions",
"request": {
"@type": "type.googleapis.com/google.logging.v2.CreateExclusionRequest",
"parent": "projects/fantasticlogs-prod",
"exclusion": {
"name": "low-noise-cloudfunctions",
"description": "Suppress noisy CloudFunctions debug entries",
"filter": "resource.type=\"cloud_function\" AND severity<=INFO AND (protoPayload.authenticationInfo.principalEmail=\"draco@fantasticlogs.cloud\" OR protoPayload.authenticationInfo.principalEmail=\"draco-malfoy-666@gmail.com\")",
"disabled": false
}
},
"response": {
"@type": "type.googleapis.com/google.logging.v2.LogExclusion",
"name": "low-noise-cloudfunctions",
"description": "Suppress noisy CloudFunctions debug entries",
"filter": "resource.type=\"cloud_function\" AND severity<=INFO AND (protoPayload.authenticationInfo.principalEmail=\"draco@fantasticlogs.cloud\" OR protoPayload.authenticationInfo.principalEmail=\"draco-malfoy-666@gmail.com\")",
"disabled": false,
"createTime": "2026-04-15T15:51:02.187654321Z",
"updateTime": "2026-04-15T15:51:02.187654321Z"
}
},
"insertId": "evt001111111110",
"resource": {
"type": "logging_exclusion",
"labels": {
"project_id": "fantasticlogs-prod",
"name": "low-noise-cloudfunctions"
}
},
"timestamp": "2026-04-15T15:51:02.123456789Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T15:51:02.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...