Type: Detection | Level: medium | Status: test

AWS CloudTrail Important Change

Detects disabling, deleting and updating of a Trail

Author: vitaliy0x1 | Created: Tue Jan 21 | Updated: Sun Oct 09 | Rule ID: 4db60cc0-36fb-42b7-9b58-a5b53019fb74 | Category: cloud
Log Source
Product: AWS (raw: aws)
Service: cloudtrail (raw: cloudtrail)
Detection Logic (1 selector)
detection:
    selection_source:
        eventSource: cloudtrail.amazonaws.com
        eventName:
            - StopLogging
            - UpdateTrail
            - DeleteTrail
    condition: selection_source
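To show what the selector above actually matches, here is an added Python example (not part of the Sigma rule or of this page) that evaluates the rule against a constructed CloudTrail log body in the standard {"Records": [...]} layout and pulls out the trail name and caller ARN a responder would want in the alert; the requestParameters.name and userIdentity.arn fields are standard CloudTrail record fields, and the sample records are constructed.

```python
import json

# Selector from the Sigma rule: a CloudTrail record matches when eventSource is
# cloudtrail.amazonaws.com AND eventName is one of the three trail-altering calls.
TRAIL_EVENT_SOURCE = "cloudtrail.amazonaws.com"
TRAIL_EVENT_NAMES = {"StopLogging", "UpdateTrail", "DeleteTrail"}


def matches_rule(record: dict) -> bool:
    """Return True when a single CloudTrail record satisfies selection_source."""
    return (
        record.get("eventSource") == TRAIL_EVENT_SOURCE
        and record.get("eventName") in TRAIL_EVENT_NAMES
    )


def scan_cloudtrail(raw_json: str) -> list:
    """Parse a CloudTrail log body ({"Records": [...]}) and return one
    (eventName, trail name, caller ARN) tuple per matching record."""
    hits = []
    for rec in json.loads(raw_json).get("Records", []):
        if matches_rule(rec):
            trail = (rec.get("requestParameters") or {}).get("name", "<unknown>")
            actor = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
            hits.append((rec["eventName"], trail, actor))
    return hits


# Constructed sample log body: two trail-tampering calls, one benign CloudTrail
# read, and one record whose eventName matches but whose eventSource does not.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "requestParameters": {"name": "org-trail"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "LookupEvents",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": False},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"}},
]})

if __name__ == "__main__":
    for event, trail, actor in scan_cloudtrail(SAMPLE_LOG):
        print(f"ALERT {event} on trail {trail} by {actor}")
```

The caller ARN is what separates the listed false positive (a valid change made by a known deployment role) from an unexpected principal tampering with logging.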
False Positives

Valid change in a Trail

Rule Metadata
Rule ID
4db60cc0-36fb-42b7-9b58-a5b53019fb74
Status
test
Level
medium
Type
Detection
Created
Tue Jan 21
Modified
Sun Oct 09
Path
rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml
Raw Tags
attack.defense-evasion
attack.t1562.008