Detect Disable or Modify Cloud Logs in Sumo Logic CSE
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality by removing associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user's license from an Enterprise E5 to an Enterprise E3 license.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.008 Disable or Modify Cloud Logs
- Canonical reference
- https://attack.mitre.org/techniques/T1562/008/
Sumo Detection Query
(_sourceCategory="aws/cloudtrail" OR _sourceCategory="azure/audit" OR _sourceCategory="o365/audit")
| json field=_raw "eventName" as cloud_action nodrop
| json field=_raw "operationName" as azure_action nodrop
| json field=_raw "Operation" as o365_action nodrop
| json field=_raw "userIdentity.arn" as aws_user nodrop
| json field=_raw "userIdentity.userName" as aws_user_name nodrop
| json field=_raw "sourceIPAddress" as src_ip nodrop
| json field=_raw "awsRegion" as aws_region nodrop
| json field=_raw "errorCode" as error_code nodrop
| json field=_raw "UserId" as o365_user nodrop
| json field=_raw "ClientIP" as o365_ip nodrop
| where cloud_action in ("StopLogging","DeleteTrail","UpdateTrail","PutEventSelectors","RemoveTargets","DeleteFlowLogs","DeleteDetector","DeleteMembers","DisableOrganizationAdminAccount")
OR azure_action in ("MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE","MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE","MICROSOFT.SECURITY/SECURITYCONTACTS/DELETE")
OR o365_action in ("Set-MailboxAuditBypassAssociation","Set-AdminAuditLogConfig","Disable-OrganizationCustomization","Set-OrganizationConfig")
| eval action = coalesce(cloud_action, azure_action, o365_action)
| eval actor = coalesce(aws_user, aws_user_name, o365_user, "unknown")
| eval source_ip = coalesce(src_ip, o365_ip, "unknown")
| eval severity_score = if(action in ("StopLogging","DeleteTrail","DeleteDetector"), 3, if(action in ("UpdateTrail","DeleteFlowLogs","MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE"), 2, 1))
| table _messageTime, action, actor, source_ip, aws_region, error_code, severity_score
| sort by severity_score desc, _messageTime descSumo Logic CSE query detecting cloud audit log tampering across AWS CloudTrail, Azure Diagnostics, and Microsoft 365. Scores each event by severity with destructive actions (StopLogging, DeleteTrail, DeleteDetector) ranked highest (T1562.008).
Data Sources
Required Tables
False Positives & Tuning
- DevOps teams running Terraform destroy/apply cycles that delete and recreate CloudTrail trails or Azure diagnostic settings as part of IaC workflows
- Cloud security posture management (CSPM) tools such as Prisma Cloud or Orca that enumerate and modify diagnostic settings for compliance assessment
- Microsoft 365 license management operations by IT admins that incidentally trigger audit log policy changes when adjusting user SKUs
Other platforms for T1562.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS CloudTrail StopLogging Simulation
Expected signal: CloudTrail event: eventName=StopLogging, eventSource=cloudtrail.amazonaws.com. The event record includes requestParameters.name (trail name) and userIdentity (acting principal). If forwarded to Sentinel, appears in AWSCloudTrail table.
- Test 2AWS GuardDuty DeleteDetector Simulation
Expected signal: CloudTrail event: eventName=DeleteDetector, eventSource=guardduty.amazonaws.com. The requestParameters include the detectorId. This event will appear in AWSCloudTrail table in Sentinel.
- Test 3M365 Mailbox Audit Bypass via PowerShell
Expected signal: M365 Unified Audit Log: Operation=Set-MailboxAuditBypassAssociation, with Parameters showing the target mailbox and AuditBypassEnabled=True. Appears in OfficeActivity table in Sentinel.
References (8)
- https://attack.mitre.org/techniques/T1562/008/
- https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py
- https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild/d/d-id/1341591
- https://www.mandiant.com/resources/blog/apt29-microsoft-365-2022
- https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings
- https://cloud.google.com/logging/docs/audit/configure-data-access
Unlock Pro Content
Get the full detection package for T1562.008 including response playbook, investigation guide, and atomic red team tests.