- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Detect when CloudTrail has been disabled by creating an event selector on the Trail.
This rule lets you monitor CloudTrail and detect if an attacker used the PutEventSelectors
API call to filter out management events, effectively disabling CloudTrail for the specified Trail.
See the public Proof of Concept (PoC) for this attack.
{{@userIdentity.arn}}
should have made the {{@evt.name}}
API call.aws-cli
command put-event-selectors
or use the AWS console to revert the event selector back to the last known good state.{{@userIdentity.accountId}}
are being sent to the Datadog platform.aws-cli
command put-event-selectors
or reference the AWS console documentation to revert the event selector back to the last known good state.