---
title: AWS CloudTrail configuration modified
description: Datadog, the leading service for cloud-scale monitoring.
---

# AWS CloudTrail configuration modified

Classification: attack. Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005). Technique: [T1562-impair-defenses](https://attack.mitre.org/techniques/T1562).

## Goal{% #goal %}

Detect when an attacker is trying to evade defenses by modifying CloudTrail.

## Strategy{% #strategy %}

This rule detects if a user is modifying CloudTrail by monitoring the following CloudTrail API calls:

- [StopLogging](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html)
- [DeleteTrail](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html)
- [UpdateTrail](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html)

## Triage and response{% #triage-and-response %}

1. Review the `@responseElements` in the `{{@evt.name}}` event to determine the scope of the changes.
1. Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.
1. If the user did not make the API call:
   - Rotate the credentials.
   - Investigate if the same credentials made other unauthorized API calls.
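
The triage steps above can be rehearsed offline against exported CloudTrail records. The following is an added example, not Datadog's rule definition: it matches the three monitored calls, reports the acting ARN and `responseElements`, and lists other calls made with the same access key. It reads raw CloudTrail field names (`eventName`, `userIdentity.arn`) rather than the Datadog facets, assumes matching on `eventSource`, and uses constructed sample records and hypothetical function names.

```python
import json

# The three CloudTrail API calls this rule monitors.
MONITORED = {"StopLogging", "DeleteTrail", "UpdateTrail"}

# Constructed sample records in raw CloudTrail shape (not real log data).
SAMPLE = json.loads("""[
 {"eventTime":"2024-01-01T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-a","accessKeyId":"AKIAEXAMPLE0000000001"}},
 {"eventTime":"2024-01-01T10:02:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-a","accessKeyId":"AKIAEXAMPLE0000000001"},
  "responseElements":{"name":"example-trail","isMultiRegionTrail":false}},
 {"eventTime":"2024-01-01T10:03:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-b","accessKeyId":"AKIAEXAMPLE0000000002"},
  "errorCode":"AccessDenied","responseElements":null},
 {"eventTime":"2024-01-01T10:05:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-a","accessKeyId":"AKIAEXAMPLE0000000001"}},
 {"eventTime":"2024-01-01T10:06:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-b","accessKeyId":"AKIAEXAMPLE0000000002"}}
]""")


def find_trail_changes(records):
    """Records where a monitored call was sent to the CloudTrail service."""
    return [r for r in records
            if r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in MONITORED]


def triage(records):
    """Per match: who acted, what changed, whether it succeeded, other calls by the same key."""
    findings = []
    for hit in find_trail_changes(records):
        ident = hit.get("userIdentity") or {}
        key = ident.get("accessKeyId")
        other = sorted(r["eventName"] for r in records
                       if r is not hit and key
                       and (r.get("userIdentity") or {}).get("accessKeyId") == key)
        findings.append({
            "event": hit["eventName"],
            "arn": ident.get("arn"),
            "succeeded": "errorCode" not in hit,  # CloudTrail sets errorCode only on failure
            "changes": hit.get("responseElements") or {},
            "other_calls_same_key": other,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(json.dumps(finding, indent=2))
```

A denied attempt (`succeeded` is false) still shows that the identity tried to change logging, so it goes through the same intent check as a successful call.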
