T1562.008 Elastic Security · Elastic

Detect Disable or Modify Cloud Logs in Elastic Security

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality by removing associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user's license from an Enterprise E5 to an Enterprise E3 license.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.008 Disable or Modify Cloud Logs
Canonical reference
https://attack.mitre.org/techniques/T1562/008/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where event.dataset in ("aws.cloudtrail", "azure.auditlogs", "o365.audit") and (
  (event.dataset == "aws.cloudtrail" and event.action in (
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "RemoveTargets", "DeleteFlowLogs", "DeleteDetector", "DeleteMembers",
    "DisableOrganizationAdminAccount"
  )) or
  (event.dataset == "azure.auditlogs" and event.action in (
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE",
    "MICROSOFT.SECURITY/SECURITYCONTACTS/DELETE"
  )) or
  (event.dataset == "o365.audit" and event.action in (
    "Set-MailboxAuditBypassAssociation",
    "Set-AdminAuditLogConfig",
    "Disable-OrganizationCustomization",
    "Set-OrganizationConfig"
  ))
)
high severity high confidence

Detects cloud logging tampering across AWS CloudTrail, Azure Diagnostics, and Microsoft 365 audit systems. Covers stopping/deleting trails, disabling flow logs, removing GuardDuty detectors, wiping diagnostic settings, and bypassing mailbox auditing (T1562.008).

Data Sources

AWS CloudTrailAzure Audit LogsMicrosoft 365 Audit Logs

Required Tables

logs-aws.cloudtrail-*logs-azure.auditlogs-*logs-o365.audit-*

False Positives & Tuning

  • Authorized cloud administrators performing legitimate log rotation or diagnostic settings migration during planned maintenance windows
  • Infrastructure-as-code pipelines (Terraform, CloudFormation, Pulumi) that recreate or update CloudTrail/diagnostic settings as part of environment provisioning
  • License downgrade or role change workflows that trigger Set-OrganizationConfig or mailbox audit policy updates in O365 tenants
Download portable Sigma rule (.yml)

Other platforms for T1562.008

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AWS CloudTrail StopLogging Simulation

    Expected signal: CloudTrail event: eventName=StopLogging, eventSource=cloudtrail.amazonaws.com. The event record includes requestParameters.name (trail name) and userIdentity (acting principal). If forwarded to Sentinel, appears in AWSCloudTrail table.

  2. Test 2AWS GuardDuty DeleteDetector Simulation

    Expected signal: CloudTrail event: eventName=DeleteDetector, eventSource=guardduty.amazonaws.com. The requestParameters include the detectorId. This event will appear in AWSCloudTrail table in Sentinel.

  3. Test 3M365 Mailbox Audit Bypass via PowerShell

    Expected signal: M365 Unified Audit Log: Operation=Set-MailboxAuditBypassAssociation, with Parameters showing the target mailbox and AuditBypassEnabled=True. Appears in OfficeActivity table in Sentinel.

Last updated: 2026-04-21 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1562.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.009Safe Mode BootT1562.010Downgrade AttackT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.001Disable or Modify ToolsT1078Valid AccountsT1098Account ManipulationT1530Data from Cloud StorageT1114.002Remote Email CollectionT1537Transfer Data to Cloud AccountT1578Modify Cloud Compute Infrastructure

Same Tactic: Defense Evasion

Popular Detections