title: Disable or Modify Cloud Logs (T1562.008)
id: df00tech-t1562-008
status: experimental
description: "An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality by removing associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user's license from an Enterprise E5 to an Enterprise E3 license."
references:
  - https://attack.mitre.org/techniques/T1562/008/
  - https://df00tech.com/detections/T1562.008
author: df00tech
date: 2026/04/21
tags:
  - attack.t1562.008
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Cloud administrators legitimately reconfiguring CloudTrail to consolidate trails during an AWS Organization migration or cost optimization exercise
  - "Azure DevOps pipelines that programmatically update diagnostic settings as part of infrastructure-as-code deployments (Terraform, Bicep)"
  - "IT administrators using Set-MailboxAuditBypassAssociation for legitimate service accounts that generate excessive audit noise (e.g., migration tools, backup agents)"
  - Security teams temporarily modifying GuardDuty or Security Center settings during a planned penetration test with a signed rules-of-engagement
level: high