<  Back to rules search

AWS CloudTrail configuration modified

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Framework:

cis-aws

Control:

4.5

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when an attacker is trying to evade defenses by modifying CloudTrail.

Strategy

This rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using UpdateTrail API calls.

Triage and response

  1. Review the @responseElements in the UpdateTrail event to determine the scope of the changes.
  2. Determine if the user ARN ({{@userIdentity.arn}}) intended to make a CloudTrail modification.
  3. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.