Detect Disable or Modify Cloud Logs in Microsoft Sentinel
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality by removing associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user's license from an Enterprise E5 to an Enterprise E3 license.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.008 Disable or Modify Cloud Logs
- Canonical reference
- https://attack.mitre.org/techniques/T1562/008/
KQL Detection Query
let CloudTrailTampering = dynamic([
"StopLogging", "DeleteTrail", "UpdateTrail",
"PutEventSelectors", "RemoveTargets", "DeleteFlowLogs",
"DeleteDetector", "DeleteMembers",
"DisableOrganizationAdminAccount"
]);
let AzureDiagTampering = dynamic([
"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE",
"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE",
"MICROSOFT.SECURITY/SECURITYCONTACTS/DELETE"
]);
let M365AuditTampering = dynamic([
"Set-MailboxAuditBypassAssociation",
"Set-AdminAuditLogConfig",
"Disable-OrganizationCustomization",
"Set-OrganizationConfig"
]);
union
(
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any (AzureDiagTampering)
| project TimeGenerated, OperationName, Identity,
Result, TargetResources, CorrelationId
),
(
OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation has_any (M365AuditTampering)
| project TimeGenerated, Operation, UserId,
ResultStatus, ClientIP, Parameters
),
(
AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventName has_any (CloudTrailTampering)
| project TimeGenerated, EventName, UserIdentityArn,
SourceIpAddress, AWSRegion, ErrorCode,
RequestParameters
)
| sort by TimeGenerated descDetects attempts to disable or modify cloud logging across AWS (CloudTrail/CloudWatch/VPC Flow Logs/GuardDuty), Azure (Diagnostic Settings/Security Center), and Microsoft 365 (Mailbox Audit Bypass/Admin Audit Log). Uses a union across AWSCloudTrail, AuditLogs, and OfficeActivity tables to provide cross-cloud coverage. Identifies key API calls associated with logging disruption such as StopLogging, DeleteTrail, UpdateTrail, DeleteFlowLogs, diagnostic settings deletion, and mailbox audit bypass configuration.
Data Sources
Required Tables
False Positives & Tuning
- Cloud administrators legitimately reconfiguring CloudTrail to consolidate trails during an AWS Organization migration or cost optimization exercise
- Azure DevOps pipelines that programmatically update diagnostic settings as part of infrastructure-as-code deployments (Terraform, Bicep)
- IT administrators using Set-MailboxAuditBypassAssociation for legitimate service accounts that generate excessive audit noise (e.g., migration tools, backup agents)
- Security teams temporarily modifying GuardDuty or Security Center settings during a planned penetration test with a signed rules-of-engagement
Other platforms for T1562.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS CloudTrail StopLogging Simulation
Expected signal: CloudTrail event: eventName=StopLogging, eventSource=cloudtrail.amazonaws.com. The event record includes requestParameters.name (trail name) and userIdentity (acting principal). If forwarded to Sentinel, appears in AWSCloudTrail table.
- Test 2AWS GuardDuty DeleteDetector Simulation
Expected signal: CloudTrail event: eventName=DeleteDetector, eventSource=guardduty.amazonaws.com. The requestParameters include the detectorId. This event will appear in AWSCloudTrail table in Sentinel.
- Test 3M365 Mailbox Audit Bypass via PowerShell
Expected signal: M365 Unified Audit Log: Operation=Set-MailboxAuditBypassAssociation, with Parameters showing the target mailbox and AuditBypassEnabled=True. Appears in OfficeActivity table in Sentinel.
References (8)
- https://attack.mitre.org/techniques/T1562/008/
- https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
- https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591
- https://www.mandiant.com/resources/blog/apt29-microsoft-365-2022
- https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings
- https://cloud.google.com/logging/docs/audit/configure-data-access
Unlock Pro Content
Get the full detection package for T1562.008 including response playbook, investigation guide, and atomic red team tests.