AWS CloudTrail configuration modified

Goal

Detect when an attacker is trying to evade defenses by modifying CloudTrail.

Strategy

This rule detects modifications to CloudTrail trails by monitoring the following CloudTrail API calls:

Triage and response

  1. Review the @responseElements in the {{@evt.name}} event to determine the scope of the changes. Calls that return no body (for example StopLogging) log a null @responseElements, so fall back to @requestParameters to identify the affected trail.
  2. Determine if the user ARN ({{@userIdentity.arn}}) intended to make a CloudTrail modification.
  3. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.
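The triage steps above, worked through as an added example over constructed CloudTrail records (this is not code from the rule or from Datadog). The set of API names it treats as trail modifications is an assumption, since the rule's own list is not reproduced here; the names used (DeleteTrail, StopLogging, UpdateTrail, PutEventSelectors) are real CloudTrail operations. The sample records, ARNs and access key IDs are invented for illustration.

```python
import json

# Assumed set of mutating CloudTrail operations (real AWS API names).
# The rule's own list is not on the page, so this set is an assumption.
CLOUDTRAIL_MUTATIONS = {"DeleteTrail", "StopLogging", "UpdateTrail", "PutEventSelectors"}

# Settings whose presence in responseElements means the trail was weakened.
WEAKENING = {
    "isMultiRegionTrail": False,
    "includeGlobalServiceEvents": False,
    "logFileValidationEnabled": False,
}

ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"

def _ident(arn, key):
    return {"type": "IAMUser", "arn": arn, "accessKeyId": key}

# Constructed sample log in the CloudTrail JSON record layout (not real data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "userIdentity": _ident(ALICE, "AKIAEXAMPLE001"),
     "sourceIPAddress": "203.0.113.7", "requestParameters": None, "responseElements": None},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "userIdentity": _ident(ALICE, "AKIAEXAMPLE001"),
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"name": "prod-trail", "isMultiRegionTrail": False},
     "responseElements": {"name": "prod-trail", "isMultiRegionTrail": False,
                          "includeGlobalServiceEvents": False,
                          "logFileValidationEnabled": False}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": _ident(ALICE, "AKIAEXAMPLE001"),
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"name": "prod-trail"}, "responseElements": None},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": _ident(ALICE, "AKIAEXAMPLE001"),
     "sourceIPAddress": "203.0.113.7", "requestParameters": None, "responseElements": None},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "PutEventSelectors", "userIdentity": _ident(BOB, "AKIAEXAMPLE002"),
     "sourceIPAddress": "198.51.100.9", "errorCode": "AccessDenied",
     "requestParameters": {"trailName": "prod-trail",
                           "eventSelectors": [{"readWriteType": "ReadOnly",
                                               "includeManagementEvents": True}]},
     "responseElements": None},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": _ident(BOB, "AKIAEXAMPLE002"),
     "sourceIPAddress": "198.51.100.9", "requestParameters": None, "responseElements": None},
]})

def load_records(log_text):
    return json.loads(log_text)["Records"]

def is_cloudtrail_modification(event):
    # The detection: a CloudTrail-service event whose name is a mutating call.
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in CLOUDTRAIL_MUTATIONS)

def change_scope(event):
    # Step 1: responseElements carries the resulting trail state. Calls with no
    # response body (StopLogging) and failed calls log null, so fall back to
    # requestParameters to still identify the targeted trail.
    return event.get("responseElements") or event.get("requestParameters") or {}

def weakened_settings(scope):
    # Which logging-reducing settings appear in the change (order of WEAKENING).
    hits = [k for k, bad in WEAKENING.items() if scope.get(k) == bad]
    for sel in scope.get("eventSelectors", []):
        if sel.get("readWriteType") != "All":
            hits.append("readWriteType=" + str(sel.get("readWriteType")))
    return hits

def other_calls_by_principal(records, access_key_id):
    # Step 3: every other call made with the same credential, oldest first,
    # so an analyst can judge whether the rest of the session is legitimate.
    rows = [e for e in records
            if e["userIdentity"].get("accessKeyId") == access_key_id
            and not is_cloudtrail_modification(e)]
    rows.sort(key=lambda e: e["eventTime"])
    return [e["eventName"] for e in rows]

def triage(records):
    findings = []
    for e in sorted(records, key=lambda e: e["eventTime"]):
        if not is_cloudtrail_modification(e):
            continue
        key = e["userIdentity"].get("accessKeyId")
        scope = change_scope(e)
        findings.append({
            "time": e["eventTime"],
            "action": e["eventName"],
            "arn": e["userIdentity"].get("arn"),          # step 2: who did it
            "access_key": key,
            "source_ip": e.get("sourceIPAddress"),
            "succeeded": "errorCode" not in e,            # denied attempts still matter
            "scope": scope,
            "weakened": weakened_settings(scope),
            "other_calls": other_calls_by_principal(records, key),
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(load_records(SAMPLE_LOG)), indent=2))
```

A failed call (errorCode present) is reported rather than dropped: an AccessDenied on PutEventSelectors still tells you a principal is probing trail configuration, and the same credential's other activity is listed either way.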