CCC Logging Threats
Threats for Logging technologies, as defined by the FINOS Common Cloud Controls project.
- ID: CCC.Logging.TH
- Version: v2026.06-rc3
- Gemara version: v1.2.0
- Author: FINOS Common Cloud Controls
Observability
The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.
CCC.Logging.TH01 Log Ingestion Performance Degradation
The logging service's ingestion pipeline experiences performance degradation due to overwhelming log volumes, network bottlenecks, or inefficient processing, leading to delayed availability of log data for analysis and potential log loss if buffers overflow.
Capabilities
- CCC.Logging.Capabilities
- CCC.Logging.CP03 — Real-Time Log Ingestion
- CCC.Logging.CP04 — Centralised Log Collection
- CCC.Logging.CP06 — Log Filtering & Transformation
CCC.Logging.TH03 Log Schema or Format Drift
Changes in source application or cloud service log formats, schemas, or underlying data structures cause parsing failures or incomplete log ingestion, or render existing queries and dashboards ineffective, hindering comprehensive analysis.
Capabilities
- CCC.Logging.Capabilities
- CCC.Logging.CP05 — Custom Log Format Support
- CCC.Logging.CP06 — Log Filtering & Transformation
- CCC.Logging.CP11 — Log-based Metrics
CCC.Logging.TH04 Inadequate Log Anonymization/Masking
Sensitive data (e.g., PII, secrets, authentication tokens) is ingested into logs without proper anonymization, masking, or redaction at source or during ingestion. This creates a significant data exposure risk, particularly for data not intended for broad log access.
Capabilities
- CCC.Logging.Capabilities
- CCC.Logging.CP06 — Log Filtering & Transformation
- CCC.Logging.CP08 — Retention Policies
CCC.Logging.TH05 Log Retention Policy Evasion or Misconfiguration
Log data is deleted prematurely or retained longer than legally required due to misconfigured retention policies, manual overrides, or evasion tactics. This can lead to non-compliance with regulatory requirements or loss of critical forensic evidence.
Capabilities
- CCC.Logging.Capabilities
- CCC.Logging.CP07 — Immutable Storage
- CCC.Logging.CP08 — Retention Policies
- CCC.Logging.CP12 — Log Archiving
CCC.Logging.TH07 Insufficient Logging
If security-critical actions are not logged, it becomes more difficult to detect threats and conduct post-incident analysis.
Capabilities
- CCC.Core.Capabilities
- CCC.Core.CP10 — Logging
- CCC.Logging.Capabilities
- CCC.Logging.CP01 — Service Log Capture
- CCC.Logging.CP02 — Application Log Ingestion
Data Resilience
The Data Resilience group covers entries related to ensuring data availability, integrity, and sovereignty across its lifecycle. This includes replication, backup, recovery, region restrictions, and protection against data loss or corruption.
CCC.Logging.TH02 Unauthorized Data Transfer Out of a Trusted Boundary
Sensitive log data, including PII, financial transaction details, or system vulnerabilities, is exfiltrated directly from the logging service's query or API interfaces by authorized but malicious insiders or compromised accounts exploiting legitimate access.
Capabilities
- CCC.Core.Capabilities
- CCC.Core.CP06 — Access Control
- CCC.Core.CP14 — API Access
- CCC.Core.CP22 — Location Lock-In
Ingestion
The Ingestion group covers entries related to how a service receives or retrieves data, inputs, or commands for processing. This includes both active (pull-based) and passive (push-based) ingestion patterns.
CCC.Logging.TH06 Log Injection
User-supplied data such as scripts, control characters, escape sequences, or code fragments may be written to logs without proper encoding or sanitization. This can result in malformed or unexpected log entries that could disrupt or compromise systems that process or display these logs, including log viewers or downstream services.
Capabilities
- CCC.Core.Capabilities
- CCC.Core.CP10 — Logging
- CCC.Logging.Capabilities
- CCC.Logging.CP01 — Service Log Capture
- CCC.Logging.CP02 — Application Log Ingestion