AWS CloudTrail Important Change
Detects disabling, deleting and updating of a Trail
Sigma rule

```yaml
title: AWS CloudTrail Important Change
id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
status: test
description: Detects disabling, deleting and updating of a Trail
references:
    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
author: vitaliy0x1
date: 2020-01-21
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: cloudtrail.amazonaws.com
        eventName:
            - StopLogging
            - UpdateTrail
            - DeleteTrail
    condition: selection_source
falsepositives:
    - Valid change in a Trail
level: medium
```
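The rule's selection applied to a CloudTrail log file, as an added example that is not part of the Sigma rule or the SigmaHQ project: the three sample records are constructed, and the account id, ARN, trail name and IP address are placeholders.

```python
import json

# Selection from the Sigma rule above: CloudTrail API calls that stop,
# alter or remove a trail (ATT&CK T1562.001, defense evasion).
TRAIL_CHANGE_EVENTS = {"StopLogging", "UpdateTrail", "DeleteTrail"}
CLOUDTRAIL_SOURCE = "cloudtrail.amazonaws.com"


def matches_rule(event: dict) -> bool:
    """True when one CloudTrail record satisfies the rule's selection_source."""
    return (event.get("eventSource") == CLOUDTRAIL_SOURCE
            and event.get("eventName") in TRAIL_CHANGE_EVENTS)


def scan_records(records: list) -> list:
    """Return matching records summarised for triage: when, what, which trail, who, from where."""
    alerts = []
    for rec in records:
        if not matches_rule(rec):
            continue
        # CloudTrail emits JSON null for these fields on some calls, hence the `or {}`.
        identity = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}
        alerts.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "trail": params.get("name"),
            "actor": identity.get("arn") or identity.get("type"),
            "sourceIP": rec.get("sourceIPAddress"),
        })
    return alerts


def scan_log(raw: str) -> list:
    """Parse a CloudTrail log file (JSON with a top-level 'Records' array) and apply the rule."""
    return scan_records(json.loads(raw).get("Records", []))


# Constructed sample records (not real logs); account id, ARN, trail name and IP are placeholders.
# Only the first record matches: the second is a read-only call, and the third carries a
# deliberately mismatched eventSource, so both halves of the selection must hold.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/example-user"},
     "requestParameters": {"name": "management-events"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/example-user"},
     "requestParameters": None},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "198.51.100.7", "userIdentity": None},
]})
```

Each alert carries the fields an analyst needs to check the rule's listed false positive (a legitimate trail change) against the actor and source address before escalating.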
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility
- Azure Kubernetes Events Deleted