CloudTrail Disabled Or Modified

Overview

AWS CloudTrail is the primary service for logging, monitoring, and auditing API activity in AWS accounts. CloudTrail keeps 90 days of management events in its built-in event history, but retention beyond that window and consumption by other systems (a SIEM, a detection pipeline) require an active trail delivering events to S3 or CloudWatch Logs.

This detector monitors CloudTrail management events for a trail being stopped, modified, or deleted. Any of these can indicate that an attacker is impairing defenses by disabling or degrading cloud logging (MITRE ATT&CK T1562.008, Disable or Modify Cloud Logs) before or during further activity in the account.

The following events trigger this detector:

  • StopLogging
  • UpdateTrail
  • DeleteTrail
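
The following is an added example of the detection logic run over constructed CloudTrail records; it is not the detector's own implementation. It matches the three event names above from the `cloudtrail.amazonaws.com` event source, reports denied attempts as well as successful ones, and, as an extra heuristic that the page itself does not state, notes when an `UpdateTrail` call switches off coverage settings such as `isMultiRegionTrail`. The sample records and the trail, account, and principal names in them are made up for the example.

```python
import json

# Management events that stop a trail delivering, or change what it records.
TRAIL_TAMPER_EVENTS = {"StopLogging", "UpdateTrail", "DeleteTrail"}

# UpdateTrail request fields that, when set to false, shrink a trail's coverage.
# Surfacing them is an added heuristic on top of the event-name match, not the page's rule.
COVERAGE_FLAGS = ("isMultiRegionTrail", "includeGlobalServiceEvents", "enableLogFileValidation")


def evaluate(event):
    """Return a finding for a trail-tampering CloudTrail record, or None for anything else."""
    if event.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in TRAIL_TAMPER_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    finding = {
        "event": name,
        "trail": params.get("name"),
        "actor": (event.get("userIdentity") or {}).get("arn"),
        "source_ip": event.get("sourceIPAddress"),
        "region": event.get("awsRegion"),
        # A call that failed (errorCode present, e.g. AccessDenied) is still an attempt
        # to impair logging, so it is reported rather than dropped.
        "succeeded": "errorCode" not in event,
        "coverage_reduced": [],
    }
    if name == "UpdateTrail":
        finding["coverage_reduced"] = [f for f in COVERAGE_FLAGS if params.get(f) is False]
    return finding


def scan(lines):
    """Run the detector over newline-delimited JSON CloudTrail records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = evaluate(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (account ID, trail name, and principal are fictitious).
SAMPLE_RECORDS = """
{"eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/contractor"},"requestParameters":{"name":"arn:aws:cloudtrail:us-east-1:123456789012:trail/management-events"}}
{"eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/contractor"},"requestParameters":{"name":"management-events","isMultiRegionTrail":false}}
{"eventSource":"cloudtrail.amazonaws.com","eventName":"DeleteTrail","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/contractor"},"requestParameters":{"name":"management-events"},"errorCode":"AccessDenied","errorMessage":"User is not authorized to perform: cloudtrail:DeleteTrail"}
{"eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/Auditor/session"},"requestParameters":{}}
{"eventSource":"s3.amazonaws.com","eventName":"DeleteBucket","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/contractor"},"requestParameters":{"bucketName":"cloudtrail-archive"}}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS.splitlines()):
        print(json.dumps(f))
```

Two practitioner notes on the rule as written. First, `UpdateTrail` is also fired by legitimate change management, so the `coverage_reduced` field (or a comparison of `requestParameters` against the trail's previous settings) is the quickest way to separate a routine destination change from a trail being quietly narrowed. Second, the trigger list does not include `PutEventSelectors`, which can stop a trail recording data or management events without stopping the trail, nor deletion of the trail's destination bucket (the last sample record); if those matter in your environment they need their own detection.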

Vendor

AWS

Severity

4