<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Log-Auditing - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/log-auditing/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 14:10:02 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/log-auditing/feed.xml" rel="self" type="application/rss+xml"/><item><title>AWS CloudTrail Log Updated</title><link>https://feed.craftedsignal.io/briefs/2026-07-aws-cloudtrail-updated/</link><pubDate>Wed, 15 Jul 2026 14:10:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-aws-cloudtrail-updated/</guid><description>Adversaries can modify AWS CloudTrail configurations via the UpdateTrail API to reduce logging visibility, change log destinations, or weaken integrity, aiming to evade detection by preventing critical audit information from being collected or stored properly.</description><content:encoded><![CDATA[<p>Adversaries often seek to impair an organization's ability to monitor their activities, and modifying logging configurations is a key tactic. This threat involves the use of the AWS CloudTrail <code>UpdateTrail</code> API call by malicious actors to alter existing CloudTrail configurations. These modifications can include changing the S3 bucket where logs are stored, redirecting logs to a different CloudWatch Logs log group, modifying the KMS Key ID used for encryption, or disabling critical features like multi-region logging or the inclusion of global service events. The primary goal is to reduce visibility into their actions, weaken logging integrity, and evade detection by security monitoring systems. This technique allows attackers to maintain a facade of logging while preventing crucial audit data from being captured, making it harder for defenders to trace their activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>[Attack Chain is omitted as the source only describes a single, specific API action for defense evasion, not a multi-step sequence from initial access to impact.]</p>
<h2 id="impact">Impact</h2>
<p>Successful modification of AWS CloudTrail logs can severely degrade an organization's security posture by creating blind spots in audit trails. If an attacker successfully reconfigures CloudTrail, security teams may lose critical visibility into API calls and other events within their AWS environment, especially during a period of active compromise. This lack of logging hinders incident response, forensic analysis, and compliance efforts, potentially allowing attackers to maintain persistence, exfiltrate data, or deploy further malicious payloads undetected. The integrity of past and future audit data is compromised, making it difficult to assess the full scope of a breach or to prove compliance with regulatory requirements.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the <code>AWS CloudTrail Log Updated</code> Sigma rule to detect any modifications to CloudTrail configurations.</li>
<li>Investigate all alerts from the <code>AWS CloudTrail Log Updated</code> rule by examining the <code>aws.cloudtrail.user_identity.arn</code>, <code>user_agent.original</code>, and <code>source.ip</code> fields to verify if the user identity, user agent, or hostname involved in the <code>UpdateTrail</code> call is authorized to make such changes.</li>
<li>Review the <code>aws.cloudtrail.request_parameters</code> for specific changes to <code>S3BucketName</code>, <code>CloudWatchLogsLogGroupArn</code>, <code>KmsKeyId</code>, <code>IsMultiRegionTrail</code>, or <code>IncludeGlobalServiceEvents</code> to understand the exact nature of the modification.</li>
<li>Correlate <code>UpdateTrail</code> events with preceding <code>StopLogging</code> or subsequent <code>DeleteTrail</code> API calls to identify more severe attempts to disable logging entirely.</li>
<li>Harden your AWS environment by constraining <code>cloudtrail:UpdateTrail</code> permissions to only authorized roles or users and require approval workflows for any CloudTrail configuration changes. Implement AWS Config rules to monitor for unauthorized modifications to CloudTrail trails.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cloud-security</category><category>aws</category><category>log-auditing</category><category>impact</category><category>defense-evasion</category></item></channel></rss>