This rule detects changes to AWS CloudTrail configurations that could indicate a security risk, specifically disabling or altering trails, or failing a security configuration check. Such actions can significantly reduce visibility into AWS activity.
Detection coverage 3
AWS CloudTrail StopLogging or DeleteTrail Event
criticalDetects attempts to stop or delete an AWS CloudTrail, which can lead to a loss of audit visibility.
AWS CloudTrail UpdateTrail with Logging Disabled
highDetects when an existing AWS CloudTrail's logging is disabled or reconfigured to not log, potentially indicating defense evasion.
AWS CloudTrail UpdateTrail to Exclude Global Service Events
highDetects when an AWS CloudTrail is updated to no longer include global service events, potentially hiding activity in services like IAM.
Detection queries are available on the platform. Get full rules →