T1562.008 Disable or Modify Cloud Logs Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let CloudTrailTampering = dynamic([
  "StopLogging", "DeleteTrail", "UpdateTrail",
  "PutEventSelectors", "RemoveTargets", "DeleteFlowLogs",
  "DeleteDetector", "DeleteMembers",
  "DisableOrganizationAdminAccount"
]);
let AzureDiagTampering = dynamic([
  "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
  "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE",
  "MICROSOFT.SECURITY/SECURITYCONTACTS/DELETE"
]);
let M365AuditTampering = dynamic([
  "Set-MailboxAuditBypassAssociation",
  "Set-AdminAuditLogConfig",
  "Disable-OrganizationCustomization",
  "Set-OrganizationConfig"
]);
union
(
  AuditLogs
  | where TimeGenerated > ago(24h)
  | where OperationName has_any (AzureDiagTampering)
  | project TimeGenerated, OperationName, Identity,
           Result, TargetResources, CorrelationId
),
(
  OfficeActivity
  | where TimeGenerated > ago(24h)
  | where Operation has_any (M365AuditTampering)
  | project TimeGenerated, Operation, UserId,
           ResultStatus, ClientIP, Parameters
),
(
  AWSCloudTrail
  | where TimeGenerated > ago(24h)
  | where EventName has_any (CloudTrailTampering)
  | project TimeGenerated, EventName, UserIdentityArn,
           SourceIpAddress, AWSRegion, ErrorCode,
           RequestParameters
)
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Cloud Service: Cloud Service Modification Application Log: Application Log Content User Account: User Account Modification

Required Tables

AWSCloudTrail AuditLogs OfficeActivity

False Positives

Cloud administrators legitimately reconfiguring CloudTrail to consolidate trails during an AWS Organization migration or cost optimization exercise
Azure DevOps pipelines that programmatically update diagnostic settings as part of infrastructure-as-code deployments (Terraform, Bicep)
IT administrators using Set-MailboxAuditBypassAssociation for legitimate service accounts that generate excessive audit noise (e.g., migration tools, backup agents)
Security teams temporarily modifying GuardDuty or Security Center settings during a planned penetration test with a signed rules-of-engagement

Splunk

spl

index=aws sourcetype="aws:cloudtrail"
  (eventName="StopLogging" OR eventName="DeleteTrail" OR eventName="UpdateTrail" OR eventName="PutEventSelectors" OR eventName="DeleteFlowLogs" OR eventName="DeleteDetector")
| eval action=eventName
| eval user=coalesce('userIdentity.arn', 'userIdentity.userName')
| eval src_ip=sourceIPAddress
| eval region=awsRegion
| eval error=errorCode
| eval request_params='requestParameters'
| eval IsStopLogging=if(eventName="StopLogging", 1, 0)
| eval IsDeleteTrail=if(eventName="DeleteTrail", 1, 0)
| eval IsUpdateTrail=if(eventName="UpdateTrail", 1, 0)
| eval IsDeleteFlowLogs=if(eventName="DeleteFlowLogs", 1, 0)
| eval IsDeleteDetector=if(eventName="DeleteDetector", 1, 0)
| eval SeverityScore=IsStopLogging*3 + IsDeleteTrail*3 + IsUpdateTrail*2 + IsDeleteFlowLogs*2 + IsDeleteDetector*3
| table _time, user, action, src_ip, region, error, request_params, SeverityScore
| sort - SeverityScore, - _time

high severity high confidence

Data Sources

Cloud Service: Cloud Service Modification Application Log: Application Log Content AWS CloudTrail

Required Sourcetypes

aws:cloudtrail

False Positives

Cloud administrators legitimately reconfiguring CloudTrail to consolidate trails during an AWS Organization migration or cost optimization exercise
Infrastructure-as-code pipelines (Terraform apply/destroy) that delete and recreate trails as part of normal state management
Automated cost-optimization tools that disable VPC Flow Logs on non-production accounts during off-hours
Security teams temporarily disabling GuardDuty detectors in sandbox accounts during controlled testing

Elastic Security (EQL)

eql

any where event.dataset in ("aws.cloudtrail", "azure.auditlogs", "o365.audit") and (
  (event.dataset == "aws.cloudtrail" and event.action in (
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "RemoveTargets", "DeleteFlowLogs", "DeleteDetector", "DeleteMembers",
    "DisableOrganizationAdminAccount"
  )) or
  (event.dataset == "azure.auditlogs" and event.action in (
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE",
    "MICROSOFT.SECURITY/SECURITYCONTACTS/DELETE"
  )) or
  (event.dataset == "o365.audit" and event.action in (
    "Set-MailboxAuditBypassAssociation",
    "Set-AdminAuditLogConfig",
    "Disable-OrganizationCustomization",
    "Set-OrganizationConfig"
  ))
)

high severity high confidence

Data Sources

AWS CloudTrail Azure Audit Logs Microsoft 365 Audit Logs

Required Tables

logs-aws.cloudtrail-* logs-azure.auditlogs-* logs-o365.audit-*

False Positives

Authorized cloud administrators performing legitimate log rotation or diagnostic settings migration during planned maintenance windows
Infrastructure-as-code pipelines (Terraform, CloudFormation, Pulumi) that recreate or update CloudTrail/diagnostic settings as part of environment provisioning
License downgrade or role change workflows that trigger Set-OrganizationConfig or mailbox audit policy updates in O365 tenants

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  logsourcename(logsourceid) AS log_source,
  "EventName" AS cloud_action,
  "awsRegion" AS aws_region,
  "errorCode" AS error_code,
  "requestParameters" AS request_params
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (347, 399, 432)
  AND (
    ("EventName" IN (
      'StopLogging', 'DeleteTrail', 'UpdateTrail', 'PutEventSelectors',
      'RemoveTargets', 'DeleteFlowLogs', 'DeleteDetector', 'DeleteMembers',
      'DisableOrganizationAdminAccount'
    ))
    OR
    ("operationName" IN (
      'MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE',
      'MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE',
      'MICROSOFT.SECURITY/SECURITYCONTACTS/DELETE'
    ))
    OR
    ("Operation" IN (
      'Set-MailboxAuditBypassAssociation',
      'Set-AdminAuditLogConfig',
      'Disable-OrganizationCustomization',
      'Set-OrganizationConfig'
    ))
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

AWS CloudTrail Microsoft Azure Microsoft Office 365

Required Tables

events

False Positives

Cloud automation tools running under service accounts that manage lifecycle of CloudTrail configurations during environment teardown or rebuild
Security team running audit reconfiguration scripts as part of a logging architecture migration to a new SIEM or log aggregation platform
Microsoft 365 tenant admins using Set-OrganizationConfig to tune retention or compliance policies as part of authorized governance changes

Sumo Logic CSE

sql

(_sourceCategory="aws/cloudtrail" OR _sourceCategory="azure/audit" OR _sourceCategory="o365/audit")
| json field=_raw "eventName" as cloud_action nodrop
| json field=_raw "operationName" as azure_action nodrop
| json field=_raw "Operation" as o365_action nodrop
| json field=_raw "userIdentity.arn" as aws_user nodrop
| json field=_raw "userIdentity.userName" as aws_user_name nodrop
| json field=_raw "sourceIPAddress" as src_ip nodrop
| json field=_raw "awsRegion" as aws_region nodrop
| json field=_raw "errorCode" as error_code nodrop
| json field=_raw "UserId" as o365_user nodrop
| json field=_raw "ClientIP" as o365_ip nodrop
| where cloud_action in ("StopLogging","DeleteTrail","UpdateTrail","PutEventSelectors","RemoveTargets","DeleteFlowLogs","DeleteDetector","DeleteMembers","DisableOrganizationAdminAccount")
  OR azure_action in ("MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE","MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE","MICROSOFT.SECURITY/SECURITYCONTACTS/DELETE")
  OR o365_action in ("Set-MailboxAuditBypassAssociation","Set-AdminAuditLogConfig","Disable-OrganizationCustomization","Set-OrganizationConfig")
| eval action = coalesce(cloud_action, azure_action, o365_action)
| eval actor = coalesce(aws_user, aws_user_name, o365_user, "unknown")
| eval source_ip = coalesce(src_ip, o365_ip, "unknown")
| eval severity_score = if(action in ("StopLogging","DeleteTrail","DeleteDetector"), 3, if(action in ("UpdateTrail","DeleteFlowLogs","MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"), 2, 1))
| table _messageTime, action, actor, source_ip, aws_region, error_code, severity_score
| sort by severity_score desc, _messageTime desc

high severity high confidence

Data Sources

AWS CloudTrail Azure Audit Logs Microsoft 365 Unified Audit Log

Required Tables

aws/cloudtrail azure/audit o365/audit

False Positives

DevOps teams running Terraform destroy/apply cycles that delete and recreate CloudTrail trails or Azure diagnostic settings as part of IaC workflows
Cloud security posture management (CSPM) tools such as Prisma Cloud or Orca that enumerate and modify diagnostic settings for compliance assessment
Microsoft 365 license management operations by IT admins that incidentally trigger audit log policy changes when adjusting user SKUs

Google Chronicle / SecOps

yaral

rule disable_modify_cloud_logs_t1562_008 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects disabling or modification of cloud logging capabilities across AWS, Azure, and Microsoft 365 (MITRE ATT&CK T1562.008)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.008"
    reference = "https://attack.mitre.org/techniques/T1562/008/"

  events:
    $e.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
    (
      // AWS CloudTrail tampering
      (
        $e.metadata.product_name = "AWS CloudTrail"
        and $e.metadata.product_event_type in (
          "StopLogging",
          "DeleteTrail",
          "UpdateTrail",
          "PutEventSelectors",
          "RemoveTargets",
          "DeleteFlowLogs",
          "DeleteDetector",
          "DeleteMembers",
          "DisableOrganizationAdminAccount"
        )
      )
      or
      // Azure Diagnostic Settings tampering
      (
        $e.metadata.product_name = "Microsoft Azure"
        and $e.metadata.product_event_type in (
          "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
          "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE",
          "MICROSOFT.SECURITY/SECURITYCONTACTS/DELETE"
        )
      )
      or
      // Microsoft 365 Audit tampering
      (
        $e.metadata.product_name = "Microsoft Office 365"
        and $e.metadata.product_event_type in (
          "Set-MailboxAuditBypassAssociation",
          "Set-AdminAuditLogConfig",
          "Disable-OrganizationCustomization",
          "Set-OrganizationConfig"
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

AWS CloudTrail Microsoft Azure Activity Logs Microsoft Office 365 Audit Logs

Required Tables

UDM Events (USER_RESOURCE_UPDATE_CONTENT)

False Positives

Automated cloud governance tooling that regularly audits and remediates diagnostic settings across subscriptions, triggering WRITE events on diagnostic settings
Scheduled decommission pipelines that stop CloudTrail logging in terminated AWS accounts as part of a formal offboarding process
O365 tenant configuration changes by Microsoft-authorized support personnel during incident response or tenant migration activities

CrowdStrike LogScale (CQL)

cql

// CrowdStrike Falcon LogScale — Cloud Logging Tampering (T1562.008)
// Requires: AWS CloudTrail, Azure Activity, and O365 log ingestion via Falcon Data Replicator or custom ingest

#type=CloudAudit
| event_action = /StopLogging|DeleteTrail|UpdateTrail|PutEventSelectors|RemoveTargets|DeleteFlowLogs|DeleteDetector|DeleteMembers|DisableOrganizationAdminAccount|MICROSOFT\.INSIGHTS\/DIAGNOSTICSETTINGS\/(DELETE|WRITE)|MICROSOFT\.SECURITY\/SECURITYCONTACTS\/DELETE|Set-MailboxAuditBypassAssociation|Set-AdminAuditLogConfig|Disable-OrganizationCustomization|Set-OrganizationConfig/
| eval severity_score = case(
    event_action in ["StopLogging", "DeleteTrail", "DeleteDetector", "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"], "3",
    event_action in ["UpdateTrail", "DeleteFlowLogs", "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE", "Set-AdminAuditLogConfig"], "2",
    true(), "1"
  )
| groupBy(
    [cloud_platform, event_action, actor_user, source_ip, cloud_region, error_code, severity_score],
    function=[
      count(as=event_count),
      min(@timestamp, as=first_seen),
      max(@timestamp, as=last_seen)
    ]
  )
| sort(severity_score, order=desc)
| sort(last_seen, order=desc)

high severity medium confidence

Data Sources

AWS CloudTrail via Falcon Data Replicator Azure Activity Logs Microsoft 365 Audit Logs

Required Tables

CloudAudit (custom ingest or Falcon Data Replicator)

False Positives

Cloud platform engineers running environment-level teardown scripts that stop CloudTrail logging in sandbox or ephemeral accounts before deletion
Security automation bots that update CloudWatch event rules (RemoveTargets/PutEventSelectors) as part of alert routing reconfiguration
Microsoft 365 hybrid migration tooling that calls Set-OrganizationConfig to adjust audit retention policies when onboarding new tenants

Disable or Modify Cloud Logs

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections