Detect Disable or Modify Cloud Logs in Google Chronicle
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality by removing associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user's license from an Enterprise E5 to an Enterprise E3 license.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.008 Disable or Modify Cloud Logs
- Canonical reference
- https://attack.mitre.org/techniques/T1562/008/
YARA-L Detection Query
rule disable_modify_cloud_logs_t1562_008 {
meta:
author = "Argus Detection Engineering"
description = "Detects disabling or modification of cloud logging capabilities across AWS, Azure, and Microsoft 365 (MITRE ATT&CK T1562.008)"
severity = "HIGH"
priority = "HIGH"
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1562.008"
reference = "https://attack.mitre.org/techniques/T1562/008/"
events:
$e.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
(
// AWS CloudTrail tampering
(
$e.metadata.product_name = "AWS CloudTrail"
and $e.metadata.product_event_type in (
"StopLogging",
"DeleteTrail",
"UpdateTrail",
"PutEventSelectors",
"RemoveTargets",
"DeleteFlowLogs",
"DeleteDetector",
"DeleteMembers",
"DisableOrganizationAdminAccount"
)
)
or
// Azure Diagnostic Settings tampering
(
$e.metadata.product_name = "Microsoft Azure"
and $e.metadata.product_event_type in (
"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE",
"MICROSOFT.SECURITY/SECURITYCONTACTS/DELETE"
)
)
or
// Microsoft 365 Audit tampering
(
$e.metadata.product_name = "Microsoft Office 365"
and $e.metadata.product_event_type in (
"Set-MailboxAuditBypassAssociation",
"Set-AdminAuditLogConfig",
"Disable-OrganizationCustomization",
"Set-OrganizationConfig"
)
)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting cloud audit logging tampering across AWS CloudTrail, Azure Diagnostic Settings, and Microsoft 365 audit policies. Fires on any event matching known log-disabling or modification actions from all three cloud platforms (T1562.008).
Data Sources
Required Tables
False Positives & Tuning
- Automated cloud governance tooling that regularly audits and remediates diagnostic settings across subscriptions, triggering WRITE events on diagnostic settings
- Scheduled decommission pipelines that stop CloudTrail logging in terminated AWS accounts as part of a formal offboarding process
- O365 tenant configuration changes by Microsoft-authorized support personnel during incident response or tenant migration activities
Other platforms for T1562.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS CloudTrail StopLogging Simulation
Expected signal: CloudTrail event: eventName=StopLogging, eventSource=cloudtrail.amazonaws.com. The event record includes requestParameters.name (trail name) and userIdentity (acting principal). If forwarded to Sentinel, appears in AWSCloudTrail table.
- Test 2AWS GuardDuty DeleteDetector Simulation
Expected signal: CloudTrail event: eventName=DeleteDetector, eventSource=guardduty.amazonaws.com. The requestParameters include the detectorId. This event will appear in AWSCloudTrail table in Sentinel.
- Test 3M365 Mailbox Audit Bypass via PowerShell
Expected signal: M365 Unified Audit Log: Operation=Set-MailboxAuditBypassAssociation, with Parameters showing the target mailbox and AuditBypassEnabled=True. Appears in OfficeActivity table in Sentinel.
References (8)
- https://attack.mitre.org/techniques/T1562/008/
- https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
- https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591
- https://www.mandiant.com/resources/blog/apt29-microsoft-365-2022
- https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings
- https://cloud.google.com/logging/docs/audit/configure-data-access
Unlock Pro Content
Get the full detection package for T1562.008 including response playbook, investigation guide, and atomic red team tests.