EXPLORE

← Back to Explore

T1562.008

Disable or Modify Cloud Logs

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail ...

IaaSSaaSOffice SuiteIdentity Provider

44

Detections

3

Sources

1

Threat Actors

BY SOURCE

22elastic19splunk_escu3sigma

PROCEDURES (19)

Cloud6 detections

Auto-extracted: 6 detections for cloud

Api4 detections

Auto-extracted: 4 detections for api

Service4 detections

Auto-extracted: 4 detections for service

Aws3 detections

Auto-extracted: 3 detections for aws

General Monitoring3 detections

Auto-extracted: 3 detections for general monitoring

Exfiltrat3 detections

Auto-extracted: 3 detections for exfiltrat

Evasion3 detections

Auto-extracted: 3 detections for evasion

Encrypt2 detections

Auto-extracted: 2 detections for encrypt

Azure2 detections

Auto-extracted: 2 detections for azure

C22 detections

Auto-extracted: 2 detections for c2

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Inject2 detections

Auto-extracted: 2 detections for inject

Cloud Monitoring2 detections

Auto-extracted: 2 detections for cloud monitoring

Office1 detections

Auto-extracted: 1 detections for office

Azure1 detections

Auto-extracted: 1 detections for azure

Container1 detections

Auto-extracted: 1 detections for container

Bypass1 detections

Auto-extracted: 1 detections for bypass

Office1 detections

Auto-extracted: 1 detections for office

Container1 detections

Auto-extracted: 1 detections for container

THREAT ACTORS (1)

DETECTIONS (44)

ASL AWS Defense Evasion Delete Cloudtrail

ASL AWS Defense Evasion Delete CloudWatch Log Group

ASL AWS Defense Evasion Impair Security Services

ASL AWS Defense Evasion PutBucketLifecycle

ASL AWS Defense Evasion Stop Logging Cloudtrail

ASL AWS Defense Evasion Update Cloudtrail

AWS Bedrock Delete GuardRails

AWS Bedrock Delete Model Invocation Logging Configuration

AWS CloudTrail Important Change

AWS CloudTrail Log Created

AWS CloudTrail Log Deleted

AWS CloudTrail Log Evasion

AWS CloudTrail Log Suspended

AWS CloudTrail Log Updated

AWS CloudWatch Log Group Deletion

AWS CloudWatch Log Stream Deletion

AWS Config Disabling Channel/Recorder

AWS Config Resource Deletion

AWS Configuration Recorder Stopped

AWS Defense Evasion Delete Cloudtrail

AWS Defense Evasion Delete CloudWatch Log Group

AWS Defense Evasion Impair Security Services

AWS Defense Evasion PutBucketLifecycle

AWS Defense Evasion Stop Logging Cloudtrail

AWS Defense Evasion Update Cloudtrail

AWS GuardDuty Detector Deleted Or Updated

AWS Route 53 Resolver Query Log Configuration Deleted

AWS S3 Bucket Configuration Deletion

AWS S3 Bucket Expiration Lifecycle Configuration Added

AWS S3 Bucket Server Access Logging Disabled

AWS SQS Queue Purge

AWS VPC Flow Logs Deletion

Azure Diagnostic Settings Deleted

Azure Event Hub Deleted

Azure Kubernetes Services (AKS) Kubernetes Events Deleted

Azure VNet Network Watcher Deleted

GCP Logging Bucket Deletion

GCP Logging Sink Deletion

GCP Logging Sink Modification

GitHub Enterprise Disable Audit Log Event Stream

GitHub Enterprise Modify Audit Log Event Stream

GitHub Enterprise Pause Audit Log Event Stream

O365 Advanced Audit Disabled

O365 Email Security Feature Changed