AWS CloudTrail Important Change

 1title: AWS CloudTrail Important Change
 2id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
 3status: test
 4description: Detects disabling, deleting and updating of a Trail
 5references:
 6    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
 7author: vitaliy0x1
 8date: 2020/01/21
 9modified: 2022/10/09
10tags:
11    - attack.defense_evasion
12    - attack.t1562.001
13logsource:
14    product: aws
15    service: cloudtrail
16detection:
17    selection_source:
18        eventSource: cloudtrail.amazonaws.com
19        eventName:
20            - StopLogging
21            - UpdateTrail
22            - DeleteTrail
23    condition: selection_source
24falsepositives:
25    - Valid change in a Trail
26level: medium

References

• Security best practices in AWS CloudTrail - AWS CloudTrail

  Learn some security best practices when using AWS CloudTrail.

  
  Read More

Related rules

• AWS GuardDuty Important Change
• ESXi Syslog Configuration Change Via ESXCLI
• Suspicious Service Installed
• Disable Exploit Guard Network Protection on Windows Defender
• Disable PUA Protection on Windows Defender