Skip to content
Threat Feed
medium advisory

This rule detects changes to AWS CloudTrail configurations that could indicate a security risk, specifically disabling or altering trails, or failing a security configuration check. Such actions can significantly reduce visibility into AWS activity.

Detection coverage 3

AWS CloudTrail StopLogging or DeleteTrail Event

critical

Detects attempts to stop or delete an AWS CloudTrail, which can lead to a loss of audit visibility.

sigma tactics: defense_evasion techniques: T1562.001 sources: aws, cloudtrail

AWS CloudTrail UpdateTrail with Logging Disabled

high

Detects when an existing AWS CloudTrail's logging is disabled or reconfigured to not log, potentially indicating defense evasion.

sigma tactics: defense_evasion techniques: T1562.001 sources: aws, cloudtrail

AWS CloudTrail UpdateTrail to Exclude Global Service Events

high

Detects when an AWS CloudTrail is updated to no longer include global service events, potentially hiding activity in services like IAM.

sigma tactics: defense_evasion techniques: T1562.001 sources: aws, cloudtrail

Detection queries are available on the platform. Get full rules →