Skip to content

logging.sinks.delete

GCP

logging.sinks.delete

service: GCP - Cloud Logging
techniques:

Event

Deletes a Cloud Logging sink that was routing log entries to a destination such as Cloud Storage or BigQuery.

Security Context

  • Deleting or modifying audit logs destroys forensic evidence and prevents security teams from reconstructing the attack timeline.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco deletes the niffler-archive-bigquery-export sink, which had been routing all project audit logs to a hardened BigQuery dataset in the read-only Security project (fantasticlogs-sec) for long-term retention and SIEM ingestion. Without the sink, audit logs only persist in the project’s default _Default log bucket (30-day retention), and the security team’s BigQuery-based detections lose visibility immediately. The sink deletion itself is logged in Admin Activity (cannot be deleted), which is the only signal — but if defenders rely on the BigQuery export pipeline for alerting, they may see the deletion only after their primary view goes dark.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.logging.sinks.delete invocation-id/90000000000000000000001111111111 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T15:58:14.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "logging.googleapis.com",
"methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
"authorizationInfo": [
{
"resource": "projects/fantasticlogs-prod/sinks/niffler-archive-bigquery-export",
"permission": "logging.sinks.delete",
"granted": true,
"resourceAttributes": {
"service": "logging.googleapis.com",
"name": "projects/fantasticlogs-prod/sinks/niffler-archive-bigquery-export",
"type": "logging.googleapis.com/Sink"
}
}
],
"resourceName": "projects/fantasticlogs-prod/sinks/niffler-archive-bigquery-export",
"request": {
"@type": "type.googleapis.com/google.logging.v2.DeleteSinkRequest",
"sinkName": "projects/fantasticlogs-prod/sinks/niffler-archive-bigquery-export"
},
"response": {
"@type": "type.googleapis.com/google.protobuf.Empty"
}
},
"insertId": "evt001111111111",
"resource": {
"type": "logging_sink",
"labels": {
"project_id": "fantasticlogs-prod",
"name": "niffler-archive-bigquery-export",
"destination": "bigquery.googleapis.com/projects/fantasticlogs-sec/datasets/audit_logs"
}
},
"timestamp": "2026-04-15T15:58:14.123456789Z",
"severity": "NOTICE",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"receiveTimestamp": "2026-04-15T15:58:14.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...