AWS CloudTrail configuration modified

cloudtrail

Classification: attack
Tactic:
Technique:
Framework: cis-aws
Control: 4.5

Goal

Detect when an attacker is trying to evade defenses by modifying CloudTrail.

Strategy

This rule monitors CloudTrail management events for UpdateTrail API calls (eventSource cloudtrail.amazonaws.com, eventName UpdateTrail). UpdateTrail changes the configuration of an existing trail: its S3 bucket and key prefix, SNS topic, KMS key, CloudWatch Logs destination, whether it is multi-region, whether global service events are included, and whether log file validation is enabled. An attacker who cannot stop or delete a trail outright can use it to narrow what is recorded or to redirect logs to a bucket they control. Stopping or deleting a trail uses the separate StopLogging and DeleteTrail API calls, which this rule does not match.

Triage and response

  1. Review the requestParameters and @responseElements in the UpdateTrail event to determine the scope of the changes: for example, whether the trail was made single-region, whether global service events or log file validation were disabled, or whether the destination bucket, SNS topic, or KMS key changed.
  2. Determine if the user ARN ({{@userIdentity.arn}}) intended to make a CloudTrail modification.
  3. If the user did not make the API call:
  • Restore the trail's previous configuration and rotate the credentials.
  • Investigate whether the same credentials made other unauthorized API calls.
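The detection logic from the Strategy section and triage steps 1 and 3, run over sample CloudTrail records, as an added example that is not part of the original rule page. The records are constructed for the example (no real account, trail, or bucket names); the field names follow the shape of CloudTrail management events, and the severity heuristic (which request parameters count as weakening or redirecting a trail) is the author's choice here, not the rule's own logic.

```python
import json
from collections import defaultdict

# Constructed CloudTrail management-event records (not real logs). Only the
# fields used by the detection and triage steps are populated.
SAMPLE_RECORDS = json.loads(r"""
[
 {"eventTime": "2024-03-01T09:58:11Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DescribeTrails", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"trailNameList": ["main-trail"]}, "responseElements": null},
 {"eventTime": "2024-03-01T10:02:37Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "UpdateTrail", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"name": "main-trail", "isMultiRegionTrail": false,
                        "includeGlobalServiceEvents": false},
  "responseElements": {"trailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main-trail",
                       "name": "main-trail", "s3BucketName": "org-cloudtrail-logs",
                       "isMultiRegionTrail": false, "includeGlobalServiceEvents": false,
                       "logFileValidationEnabled": true}},
 {"eventTime": "2024-03-01T10:04:02Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "UpdateTrail", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"name": "main-trail", "s3BucketName": "attacker-bucket"},
  "errorCode": "AccessDenied",
  "errorMessage": "User is not authorized to perform: cloudtrail:UpdateTrail"},
 {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "UpdateTrail", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.20",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/TerraformDeploy/ci"},
  "requestParameters": {"name": "eu-trail", "enableLogFileValidation": true,
                        "kmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/EXAMPLE-KEY-ID"},
  "responseElements": {"trailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/eu-trail",
                       "name": "eu-trail", "s3BucketName": "org-cloudtrail-logs",
                       "isMultiRegionTrail": true, "includeGlobalServiceEvents": true,
                       "logFileValidationEnabled": true}}
]
""")

# UpdateTrail request parameters that, at this value, reduce what the trail
# records or the integrity guarantees on it (heuristic chosen for this example).
WEAKENING_FLAGS = {
    "isMultiRegionTrail": False,          # other regions stop being covered
    "includeGlobalServiceEvents": False,  # IAM/STS/CloudFront events are dropped
    "enableLogFileValidation": False,     # digest files stop being produced
}

# Parameters that redirect or re-key log delivery; always worth a second look.
DELIVERY_PARAMS = ("s3BucketName", "s3KeyPrefix", "snsTopicName", "kmsKeyId",
                   "cloudWatchLogsLogGroupArn", "cloudWatchLogsRoleArn")


def is_update_trail(record):
    """The rule's match condition: a CloudTrail UpdateTrail management event."""
    return (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") == "UpdateTrail")


def assess_update(record):
    """Triage step 1: summarise the scope of one UpdateTrail event.

    requestParameters shows what the caller asked to change; responseElements
    (absent when the call failed) shows the resulting trail configuration.
    """
    req = record.get("requestParameters") or {}
    resp = record.get("responseElements") or {}
    weakening = [f"{k} set to {v}" for k, v in WEAKENING_FLAGS.items()
                 if k in req and req[k] == v]
    delivery = [f"{k} -> {req[k]}" for k in DELIVERY_PARAMS if k in req]
    return {
        "time": record.get("eventTime"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "trail": resp.get("trailARN") or req.get("name"),
        "succeeded": "errorCode" not in record,   # denied attempts still matter
        "weakening": weakening,
        "delivery_changes": delivery,
        "severity": "high" if weakening else ("medium" if delivery else "low"),
    }


def detect(records):
    """Run the rule over a batch of records and return one alert per match."""
    return [assess_update(r) for r in records if is_update_trail(r)]


def other_calls_by(records, actor_arn):
    """Triage step 3: what else the same principal called, counted by API."""
    calls = defaultdict(int)
    for r in records:
        arn = (r.get("userIdentity") or {}).get("arn")
        if arn == actor_arn and not is_update_trail(r):
            calls[f"{r.get('eventSource')}:{r.get('eventName')}"] += 1
    return dict(calls)


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(json.dumps(alert, indent=2))
        print("other calls by actor:", other_calls_by(SAMPLE_RECORDS, alert["actor"]))
```

The third sample record shows why a failed call is still worth an alert: the AccessDenied UpdateTrail attempt to point the trail at an unfamiliar bucket carries no responseElements, so the trail name has to come from requestParameters, and the attempt itself is evidence about the actor's intent. In a real investigation, key other_calls_by on the access key ID rather than the ARN when the question is what a specific set of credentials did.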