Cloud Logging Sink Modified

This alert occurs when Lacework detects a change in a logging sink, a mechanism that exports logs from Google Cloud services to external destinations such as BigQuery, Cloud Storage, or Pub/Sub.

Related policy: LW_AT_RESOURCE_174: Cloud Logging Sink Modified

Why this alert is important

This alert indicates that someone has changed your logging configuration, which could impact your logs' availability, integrity, and confidentiality.

For example, an attacker may try to modify your logging sink to redirect logs to a destination they control, making it harder for you to detect their activities. Similarly, a misconfiguration in the logging sink could result in logs being lost or not captured properly, making it difficult to investigate incidents or troubleshoot issues.

Investigation

Follow these steps to investigate the alert:

  1. Review the logs to identify any changes made to the logging sink. You can filter the logs by severity, resource, or time range to narrow down the results.
  2. Use the Audit Logs to identify who modified the logging sink, when, and from which IP address.
  3. Review the Identity and Access Management (IAM) roles and permissions for the users and service accounts that can modify the logging sink. Ensure only authorized users have the necessary permissions to make changes to the logging configuration.
  4. Check the destination the logs are being sent to and confirm it is a legitimate service or location that you own. If the logs are being sent to a malicious destination, modify the logging configuration to send the logs to a trusted destination or disable the logging sink until further investigation.
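Steps 2 and 4 above can be scripted against exported Cloud Audit Log entries. The following is an added example, not part of the Lacework documentation: it reads audit entries in the Cloud Audit Logs `protoPayload` layout, pulls out who changed each sink, when and from which IP, and flags deletions and destinations outside an allowlist. The allowlisted project and bucket names and the sample entries are constructed for the example.

```python
import json
import re

# methodName values Cloud Audit Logs record for sink changes in the Logging ConfigServiceV2 API.
SINK_METHODS = {"google.logging.v2.ConfigServiceV2." + m for m in ("CreateSink", "UpdateSink", "DeleteSink")}
# Assumed allowlist for the example: the project and bucket your own log archive lives in.
TRUSTED_PROJECTS = {"sec-logs-prod"}
TRUSTED_BUCKETS = {"sec-logs-prod-archive"}

def destination_is_trusted(destination):
    """True when a sink destination resolves to a project or bucket you own."""
    m = re.match(r"^(?:bigquery|pubsub|logging)\.googleapis\.com/projects/([^/]+)/", destination)
    if m:
        return m.group(1) in TRUSTED_PROJECTS
    m = re.match(r"^storage\.googleapis\.com/([^/]+)$", destination)
    return bool(m) and m.group(1) in TRUSTED_BUCKETS

def triage_sink_changes(entries):
    """Return who/when/from-where for every sink change; 'review' marks deletes and untrusted destinations."""
    findings = []
    for e in entries:
        p = e.get("protoPayload", {})
        if p.get("methodName") not in SINK_METHODS:
            continue  # not a sink change
        dest = p.get("request", {}).get("sink", {}).get("destination")
        findings.append({
            "sink": p.get("resourceName"),
            "principal": p.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": p.get("requestMetadata", {}).get("callerIp"),
            "time": e.get("timestamp"),
            "destination": dest,
            "review": p["methodName"].endswith("DeleteSink") or (dest is not None and not destination_is_trusted(dest)),
        })
    return findings

# Constructed sample audit entries (not real logs): a routine update, a redirect to an unknown project, and noise.
SAMPLE_ENTRIES = json.loads("""[
 {"timestamp": "2024-05-01T10:00:00Z", "protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
  "resourceName": "projects/app-prod/sinks/archive", "authenticationInfo": {"principalEmail": "logadmin@example.com"},
  "requestMetadata": {"callerIp": "203.0.113.10"}, "request": {"sink": {"destination": "storage.googleapis.com/sec-logs-prod-archive"}}}},
 {"timestamp": "2024-05-01T10:07:00Z", "protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
  "resourceName": "projects/app-prod/sinks/archive", "authenticationInfo": {"principalEmail": "contractor@example.com"},
  "requestMetadata": {"callerIp": "198.51.100.7"}, "request": {"sink": {"destination": "pubsub.googleapis.com/projects/unknown-proj/topics/export"}}}},
 {"timestamp": "2024-05-01T10:08:00Z", "protoPayload": {"methodName": "google.logging.v2.LoggingServiceV2.WriteLogEntries"}}
]""")

for f in triage_sink_changes(SAMPLE_ENTRIES):
    print(("REVIEW " if f["review"] else "ok     ") + json.dumps(f))
```

The second entry is the one to escalate: a different principal, a different caller IP, and a destination in a project you do not own.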

Resolution

Use the following steps to resolve an unauthorized modification in the cloud logging sink:

  1. Disable the logging sink to prevent further logs from being sent to the unauthorized destination. You can do this by removing the logging sink or modifying its configuration to send logs to a trusted destination.
  2. Review the logs to identify the type and amount of data that may have been sent to the unauthorized destination. This will help you determine the severity of the breach and the actions you need to take to mitigate any potential damage.
  3. Determine how the unauthorized modification occurred. This could be due to a compromised account, a misconfiguration, or a vulnerability in the logging system. Identifying the root cause will help you prevent similar incidents in the future.
  4. If the breach was caused by compromised credentials or unauthorized access to the Google Cloud console or API, reset the credentials and access control of all affected accounts to prevent further unauthorized access.
  5. To prevent future breaches, implement preventive measures such as enabling multi-factor authentication, enforcing least-privilege access, and following security best practices.