logging.sinks.update
GCP
logging.sinks.update
Event
Modifies a Cloud Logging sink’s configuration, such as its destination or log filter criteria.
Security Context
- Deleting or modifying audit logs destroys forensic evidence and prevents security teams from reconstructing the attack timeline.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Sibling event to gcp-logging-sinks-delete. Instead of deleting the niffler-archive-bigquery-export sink (which generates an obvious “sink deleted” alert), Draco updates its filter to add an exclusion clause that silently drops audit entries from his own user. The sink continues to route logs (so the destination BigQuery dataset still receives data — defenders relying on “data flowing to BQ” as a sink-health check still see green), but the filter quietly excludes Draco’s actions. This is a subtler T1685.002 variant.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.logging.sinks.update invocation-id/90000000000000000000010000000000 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T16:00:48.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "logging.googleapis.com", "methodName": "google.logging.v2.ConfigServiceV2.UpdateSink", "authorizationInfo": [ { "resource": "projects/fantasticlogs-prod/sinks/niffler-archive-bigquery-export", "permission": "logging.sinks.update", "granted": true, "resourceAttributes": { "service": "logging.googleapis.com", "name": "projects/fantasticlogs-prod/sinks/niffler-archive-bigquery-export", "type": "logging.googleapis.com/Sink" } } ], "resourceName": "projects/fantasticlogs-prod/sinks/niffler-archive-bigquery-export", "request": { "@type": "type.googleapis.com/google.logging.v2.UpdateSinkRequest", "sinkName": "projects/fantasticlogs-prod/sinks/niffler-archive-bigquery-export", "sink": { "name": "niffler-archive-bigquery-export", "destination": "bigquery.googleapis.com/projects/fantasticlogs-sec/datasets/audit_logs", "filter": "logName:\"cloudaudit.googleapis.com\" AND NOT protoPayload.authenticationInfo.principalEmail=\"draco@fantasticlogs.cloud\"", "disabled": false, "writerIdentity": "serviceAccount:p555123456789-niffler-archive-bigquery-export@gcp-sa-logging.iam.gserviceaccount.com" }, "updateMask": "filter" }, "response": { "@type": "type.googleapis.com/google.logging.v2.LogSink", "name": "niffler-archive-bigquery-export", "destination": "bigquery.googleapis.com/projects/fantasticlogs-sec/datasets/audit_logs", "filter": "logName:\"cloudaudit.googleapis.com\" AND NOT protoPayload.authenticationInfo.principalEmail=\"draco@fantasticlogs.cloud\"", "disabled": false, "writerIdentity": "serviceAccount:p555123456789-niffler-archive-bigquery-export@gcp-sa-logging.iam.gserviceaccount.com", "createTime": "2026-01-12T08:14:32.123456789Z", "updateTime": "2026-04-15T16:00:48.187654321Z" } }, "insertId": "evt010000000000", "resource": { "type": "logging_sink", "labels": { "project_id": "fantasticlogs-prod", "name": "niffler-archive-bigquery-export", "destination": "bigquery.googleapis.com/projects/fantasticlogs-sec/datasets/audit_logs" } }, "timestamp": "2026-04-15T16:00:48.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2026-04-15T16:00:48.567890123Z"}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...