Detect Disable or Modify Cloud Logs in CrowdStrike LogScale
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality by removing associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user's license from an Enterprise E5 to an Enterprise E3 license.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.008 Disable or Modify Cloud Logs
- Canonical reference
- https://attack.mitre.org/techniques/T1562/008/
LogScale Detection Query
// CrowdStrike Falcon LogScale — Cloud Logging Tampering (T1562.008)
// Requires: AWS CloudTrail, Azure Activity, and O365 log ingestion via Falcon Data Replicator or custom ingest
#type=CloudAudit
| event_action = /StopLogging|DeleteTrail|UpdateTrail|PutEventSelectors|RemoveTargets|DeleteFlowLogs|DeleteDetector|DeleteMembers|DisableOrganizationAdminAccount|MICROSOFT\.INSIGHTS\/DIAGNOSTICSETTINGS\/(DELETE|WRITE)|MICROSOFT\.SECURITY\/SECURITYCONTACTS\/DELETE|Set-MailboxAuditBypassAssociation|Set-AdminAuditLogConfig|Disable-OrganizationCustomization|Set-OrganizationConfig/
| eval severity_score = case(
event_action in ["StopLogging", "DeleteTrail", "DeleteDetector", "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"], "3",
event_action in ["UpdateTrail", "DeleteFlowLogs", "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE", "Set-AdminAuditLogConfig"], "2",
true(), "1"
)
| groupBy(
[cloud_platform, event_action, actor_user, source_ip, cloud_region, error_code, severity_score],
function=[
count(as=event_count),
min(@timestamp, as=first_seen),
max(@timestamp, as=last_seen)
]
)
| sort(severity_score, order=desc)
| sort(last_seen, order=desc)CrowdStrike LogScale CQL query detecting cloud logging tampering events ingested via Falcon Data Replicator or custom cloud log pipelines. Groups by action and actor to surface high-frequency or multi-platform tampering patterns consistent with T1562.008.
Data Sources
Required Tables
False Positives & Tuning
- Cloud platform engineers running environment-level teardown scripts that stop CloudTrail logging in sandbox or ephemeral accounts before deletion
- Security automation bots that update CloudWatch event rules (RemoveTargets/PutEventSelectors) as part of alert routing reconfiguration
- Microsoft 365 hybrid migration tooling that calls Set-OrganizationConfig to adjust audit retention policies when onboarding new tenants
Other platforms for T1562.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS CloudTrail StopLogging Simulation
Expected signal: CloudTrail event: eventName=StopLogging, eventSource=cloudtrail.amazonaws.com. The event record includes requestParameters.name (trail name) and userIdentity (acting principal). If forwarded to Sentinel, appears in AWSCloudTrail table.
- Test 2AWS GuardDuty DeleteDetector Simulation
Expected signal: CloudTrail event: eventName=DeleteDetector, eventSource=guardduty.amazonaws.com. The requestParameters include the detectorId. This event will appear in AWSCloudTrail table in Sentinel.
- Test 3M365 Mailbox Audit Bypass via PowerShell
Expected signal: M365 Unified Audit Log: Operation=Set-MailboxAuditBypassAssociation, with Parameters showing the target mailbox and AuditBypassEnabled=True. Appears in OfficeActivity table in Sentinel.
References (8)
- https://attack.mitre.org/techniques/T1562/008/
- https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
- https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591
- https://www.mandiant.com/resources/blog/apt29-microsoft-365-2022
- https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings
- https://cloud.google.com/logging/docs/audit/configure-data-access
Unlock Pro Content
Get the full detection package for T1562.008 including response playbook, investigation guide, and atomic red team tests.