T1562.008 IBM QRadar · QRadar

Detect Disable or Modify Cloud Logs in IBM QRadar

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality by removing associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user's license from an Enterprise E5 to an Enterprise E3 license.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.008 Disable or Modify Cloud Logs
Canonical reference
https://attack.mitre.org/techniques/T1562/008/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  logsourcename(logsourceid) AS log_source,
  "EventName" AS cloud_action,
  "awsRegion" AS aws_region,
  "errorCode" AS error_code,
  "requestParameters" AS request_params
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (347, 399, 432)
  AND (
    ("EventName" IN (
      'StopLogging', 'DeleteTrail', 'UpdateTrail', 'PutEventSelectors',
      'RemoveTargets', 'DeleteFlowLogs', 'DeleteDetector', 'DeleteMembers',
      'DisableOrganizationAdminAccount'
    ))
    OR
    ("operationName" IN (
      'MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE',
      'MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE',
      'MICROSOFT.SECURITY/SECURITYCONTACTS/DELETE'
    ))
    OR
    ("Operation" IN (
      'Set-MailboxAuditBypassAssociation',
      'Set-AdminAuditLogConfig',
      'Disable-OrganizationCustomization',
      'Set-OrganizationConfig'
    ))
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 24 HOURS
high severity medium confidence

QRadar AQL query detecting cloud logging tampering events across AWS CloudTrail (LOGSOURCETYPEID 347), Azure (399), and Office 365 (432) log sources. Identifies actions that disable, delete, or modify cloud audit trails and diagnostic pipelines (T1562.008).

Data Sources

AWS CloudTrailMicrosoft AzureMicrosoft Office 365

Required Tables

events

False Positives & Tuning

  • Cloud automation tools running under service accounts that manage lifecycle of CloudTrail configurations during environment teardown or rebuild
  • Security team running audit reconfiguration scripts as part of a logging architecture migration to a new SIEM or log aggregation platform
  • Microsoft 365 tenant admins using Set-OrganizationConfig to tune retention or compliance policies as part of authorized governance changes
Download portable Sigma rule (.yml)

Other platforms for T1562.008

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AWS CloudTrail StopLogging Simulation

    Expected signal: CloudTrail event: eventName=StopLogging, eventSource=cloudtrail.amazonaws.com. The event record includes requestParameters.name (trail name) and userIdentity (acting principal). If forwarded to Sentinel, appears in AWSCloudTrail table.

  2. Test 2AWS GuardDuty DeleteDetector Simulation

    Expected signal: CloudTrail event: eventName=DeleteDetector, eventSource=guardduty.amazonaws.com. The requestParameters include the detectorId. This event will appear in AWSCloudTrail table in Sentinel.

  3. Test 3M365 Mailbox Audit Bypass via PowerShell

    Expected signal: M365 Unified Audit Log: Operation=Set-MailboxAuditBypassAssociation, with Parameters showing the target mailbox and AuditBypassEnabled=True. Appears in OfficeActivity table in Sentinel.

Last updated: 2026-04-21 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1562.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.009Safe Mode BootT1562.010Downgrade AttackT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.001Disable or Modify ToolsT1078Valid AccountsT1098Account ManipulationT1530Data from Cloud StorageT1114.002Remote Email CollectionT1537Transfer Data to Cloud AccountT1578Modify Cloud Compute Infrastructure

Same Tactic: Defense Evasion

Popular Detections