Detect and Alert on Log Service Tampering
CCC.Logging.CN07 · Observability
Alert when any component of the critical logging infrastructure is disabled, modified, or deleted, indicating a defense evasion attempt.
Related Capabilities
| ID | Title | Description |
|---|---|---|
| CCC.Core.CP10 | Log Publication | The service automatically publishes structured, verbose records of activities, operations, or events that occur within the service. |
| CCC.Core.CP09 | Metrics Publication | The service automatically publishes structured, numeric, time-series data points related to the performance, availability, and health of the service or its child resources. |
Related Threats
| ID | Title | Description |
|---|---|---|
| CCC.Core.TH16 | Publications are Disabled | Publication of events, metrics, and runtime logs may be disabled, leading to a lack of expected security and operational information being shared. This can impact system availability by delaying the detection of incidents while also impacting system design decisions and enforcement of operational thresholds, such as autoscaling or cost management. |
Assessment Requirements
| ID | Text | Applicability |
|---|---|---|
| CCC.Logging.CN07.AR01 | When an audit log event is recorded that corresponds to a modification of the logging service configuration such as disabling a log trail, deleting a log sink, or altering a log forwarding rule, an alert MUST be generated. | tlp-clear, tlp-green, tlp-amber, tlp-red |
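One way to implement CCC.Logging.CN07.AR01 as detection logic, shown here as an added example rather than code from the CCC project: audit-log events are normalised into a small common shape and matched against a list of operations that disable a log trail, delete a log sink, or alter a forwarding rule. The operation names are the well-known audit-log operation names of the three major cloud providers (CloudTrail `eventName`, Cloud Audit Logs `methodName`, Azure Activity Log `operationName`); the event schema and the sample events are constructed for this example.

```python
"""Added example for CCC.Logging.CN07.AR01 (not part of the CCC control text).

Scans normalised audit-log events for operations that tamper with the logging
service itself and returns one alert per matching event. The event shape
(time / operation / actor / target / outcome) and the sample events below are
constructed for this example; the operation names are the providers' own.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Operations that modify the logging service configuration, keyed by the
# provider's operation name and mapped to the kind of change they represent.
TAMPER_OPERATIONS: Dict[str, str] = {
    # AWS CloudTrail management events
    "StopLogging": "disable log trail",
    "DeleteTrail": "delete log trail",
    "UpdateTrail": "alter log trail configuration",
    "PutEventSelectors": "alter log trail event selection",
    # GCP Cloud Logging sink and exclusion operations
    "google.logging.v2.ConfigServiceV2.DeleteSink": "delete log sink",
    "google.logging.v2.ConfigServiceV2.UpdateSink": "alter log forwarding rule",
    "google.logging.v2.ConfigServiceV2.CreateExclusion": "alter log forwarding rule",
    # Azure diagnostic settings (Activity Log operationName, upper-cased there)
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE": "delete log forwarding rule",
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE": "alter log forwarding rule",
}

# Case-insensitive lookup table so provider casing differences do not matter.
_TAMPER_LOOKUP = {name.lower(): kind for name, kind in TAMPER_OPERATIONS.items()}


@dataclass(frozen=True)
class Alert:
    """One alert per audit event that changed the logging configuration."""
    time: str
    operation: str
    change_kind: str
    actor: str
    target: str
    outcome: str

    def message(self) -> str:
        return (f"[CCC.Logging.CN07] {self.change_kind}: {self.operation} on "
                f"{self.target} by {self.actor} at {self.time} ({self.outcome})")


def classify(operation: str) -> Optional[str]:
    """Return the kind of logging change an operation represents, or None."""
    return _TAMPER_LOOKUP.get(operation.lower())


def detect_log_tampering(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Emit an alert for every event that modifies the logging service.

    Failed attempts are alerted on as well, with the outcome recorded, since
    the requirement triggers on the recorded event, not on its success.
    """
    alerts: List[Alert] = []
    for ev in events:
        change_kind = classify(ev.get("operation", ""))
        if change_kind is None:
            continue
        alerts.append(Alert(
            time=ev.get("time", "?"),
            operation=ev["operation"],
            change_kind=change_kind,
            actor=ev.get("actor", "?"),
            target=ev.get("target", "?"),
            outcome=ev.get("outcome", "?"),
        ))
    return alerts


# Constructed sample events in the normalised shape: two benign operations
# and three logging-configuration changes across different providers.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "operation": "DescribeTrails",
     "actor": "alice", "target": "trail/main", "outcome": "success"},
    {"time": "2024-05-01T10:02:13Z", "operation": "StopLogging",
     "actor": "bob", "target": "trail/main", "outcome": "success"},
    {"time": "2024-05-01T10:05:40Z",
     "operation": "google.logging.v2.ConfigServiceV2.DeleteSink",
     "actor": "deploy-sa@example-project", "target": "sinks/siem-export",
     "outcome": "success"},
    {"time": "2024-05-01T10:07:02Z",
     "operation": "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE",
     "actor": "carol", "target": "diagnosticSettings/central-logs",
     "outcome": "failure"},
    {"time": "2024-05-01T10:09:55Z", "operation": "PutObject",
     "actor": "alice", "target": "bucket/reports", "outcome": "success"},
]


if __name__ == "__main__":
    for alert in detect_log_tampering(SAMPLE_EVENTS):
        print(alert.message())
```

In a real pipeline the normalisation step (mapping each provider's raw record onto `time`/`operation`/`actor`/`target`/`outcome`) is where most of the work sits; the matching itself is deliberately a plain table so that adding a provider or an operation is a one-line change that can be reviewed alongside the control.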