Detect Disable or Modify Cloud Logs in Splunk
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality by removing associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user's license from an Enterprise E5 to an Enterprise E3 license.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.008 Disable or Modify Cloud Logs
- Canonical reference
- https://attack.mitre.org/techniques/T1562/008/
SPL Detection Query
index=aws sourcetype="aws:cloudtrail"
(eventName="StopLogging" OR eventName="DeleteTrail" OR eventName="UpdateTrail" OR eventName="PutEventSelectors" OR eventName="DeleteFlowLogs" OR eventName="DeleteDetector")
| eval action=eventName
| eval user=coalesce('userIdentity.arn', 'userIdentity.userName')
| eval src_ip=sourceIPAddress
| eval region=awsRegion
| eval error=errorCode
| eval request_params='requestParameters'
| eval IsStopLogging=if(eventName="StopLogging", 1, 0)
| eval IsDeleteTrail=if(eventName="DeleteTrail", 1, 0)
| eval IsUpdateTrail=if(eventName="UpdateTrail", 1, 0)
| eval IsDeleteFlowLogs=if(eventName="DeleteFlowLogs", 1, 0)
| eval IsDeleteDetector=if(eventName="DeleteDetector", 1, 0)
| eval SeverityScore=IsStopLogging*3 + IsDeleteTrail*3 + IsUpdateTrail*2 + IsDeleteFlowLogs*2 + IsDeleteDetector*3
| table _time, user, action, src_ip, region, error, request_params, SeverityScore
| sort - SeverityScore, - _timeDetects AWS CloudTrail tampering events including StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors, DeleteFlowLogs, and GuardDuty DeleteDetector. Assigns a severity score based on the destructiveness of each action — deletion and stop actions score highest. Extracts the IAM identity, source IP, and region to support rapid triage.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Cloud administrators legitimately reconfiguring CloudTrail to consolidate trails during an AWS Organization migration or cost optimization exercise
- Infrastructure-as-code pipelines (Terraform apply/destroy) that delete and recreate trails as part of normal state management
- Automated cost-optimization tools that disable VPC Flow Logs on non-production accounts during off-hours
- Security teams temporarily disabling GuardDuty detectors in sandbox accounts during controlled testing
Other platforms for T1562.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS CloudTrail StopLogging Simulation
Expected signal: CloudTrail event: eventName=StopLogging, eventSource=cloudtrail.amazonaws.com. The event record includes requestParameters.name (trail name) and userIdentity (acting principal). If forwarded to Sentinel, appears in AWSCloudTrail table.
- Test 2AWS GuardDuty DeleteDetector Simulation
Expected signal: CloudTrail event: eventName=DeleteDetector, eventSource=guardduty.amazonaws.com. The requestParameters include the detectorId. This event will appear in AWSCloudTrail table in Sentinel.
- Test 3M365 Mailbox Audit Bypass via PowerShell
Expected signal: M365 Unified Audit Log: Operation=Set-MailboxAuditBypassAssociation, with Parameters showing the target mailbox and AuditBypassEnabled=True. Appears in OfficeActivity table in Sentinel.
References (8)
- https://attack.mitre.org/techniques/T1562/008/
- https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
- https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591
- https://www.mandiant.com/resources/blog/apt29-microsoft-365-2022
- https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings
- https://cloud.google.com/logging/docs/audit/configure-data-access
Unlock Pro Content
Get the full detection package for T1562.008 including response playbook, investigation guide, and atomic red team tests.