{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/log-auditing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS CloudTrail"],"_cs_severities":["high"],"_cs_tags":["cloud-security","aws","log-auditing","impact","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eAdversaries often seek to impair an organization's ability to monitor their activities, and modifying logging configurations is a key tactic. This threat involves the use of the AWS CloudTrail \u003ccode\u003eUpdateTrail\u003c/code\u003e API call by malicious actors to alter existing CloudTrail configurations. These modifications can include changing the S3 bucket where logs are stored, redirecting logs to a different CloudWatch Logs log group, modifying the KMS Key ID used for encryption, or disabling critical features like multi-region logging or the inclusion of global service events. The primary goal is to reduce visibility into their actions, weaken logging integrity, and evade detection by security monitoring systems. This technique allows attackers to maintain a facade of logging while preventing crucial audit data from being captured, making it harder for defenders to trace their activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003e[Attack Chain is omitted as the source only describes a single, specific API action for defense evasion, not a multi-step sequence from initial access to impact.]\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of AWS CloudTrail logs can severely degrade an organization's security posture by creating blind spots in audit trails. If an attacker successfully reconfigures CloudTrail, security teams may lose critical visibility into API calls and other events within their AWS environment, especially during a period of active compromise. This lack of logging hinders incident response, forensic analysis, and compliance efforts, potentially allowing attackers to maintain persistence, exfiltrate data, or deploy further malicious payloads undetected. The integrity of past and future audit data is compromised, making it difficult to assess the full scope of a breach or to prove compliance with regulatory requirements.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eAWS CloudTrail Log Updated\u003c/code\u003e Sigma rule to detect any modifications to CloudTrail configurations.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts from the \u003ccode\u003eAWS CloudTrail Log Updated\u003c/code\u003e rule by examining the \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e, \u003ccode\u003euser_agent.original\u003c/code\u003e, and \u003ccode\u003esource.ip\u003c/code\u003e fields to verify if the user identity, user agent, or hostname involved in the \u003ccode\u003eUpdateTrail\u003c/code\u003e call is authorized to make such changes.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e for specific changes to \u003ccode\u003eS3BucketName\u003c/code\u003e, \u003ccode\u003eCloudWatchLogsLogGroupArn\u003c/code\u003e, \u003ccode\u003eKmsKeyId\u003c/code\u003e, \u003ccode\u003eIsMultiRegionTrail\u003c/code\u003e, or \u003ccode\u003eIncludeGlobalServiceEvents\u003c/code\u003e to understand the exact nature of the modification.\u003c/li\u003e\n\u003cli\u003eCorrelate \u003ccode\u003eUpdateTrail\u003c/code\u003e events with preceding \u003ccode\u003eStopLogging\u003c/code\u003e or subsequent \u003ccode\u003eDeleteTrail\u003c/code\u003e API calls to identify more severe attempts to disable logging entirely.\u003c/li\u003e\n\u003cli\u003eHarden your AWS environment by constraining \u003ccode\u003ecloudtrail:UpdateTrail\u003c/code\u003e permissions to only authorized roles or users and require approval workflows for any CloudTrail configuration changes. Implement AWS Config rules to monitor for unauthorized modifications to CloudTrail trails.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T14:11:44Z","date_published":"2026-07-15T14:10:02Z","id":"https://feed.craftedsignal.io/briefs/2026-07-aws-cloudtrail-updated/","summary":"Adversaries can modify AWS CloudTrail configurations via the UpdateTrail API to reduce logging visibility, change log destinations, or weaken integrity, aiming to evade detection by preventing critical audit information from being collected or stored properly.","title":"AWS CloudTrail Log Updated","url":"https://feed.craftedsignal.io/briefs/2026-07-aws-cloudtrail-updated/"}],"language":"en","title":"CraftedSignal Threat Feed - Log-Auditing","version":"https://jsonfeed.org/version/1.1"}