AWS Disable Cloudtrail with event selectors

Goal

Detect when CloudTrail has been disabled by creating an event selector on the Trail.

Strategy

This rule lets you monitor CloudTrail and detect if an attacker used the PutEventSelectors API call to filter out management events, effectively disabling CloudTrail for the specified Trail.

See the public Proof of Concept (PoC) for this attack.
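As an added example (not part of the original rule), the following Python snippet applies the detection logic described above to constructed CloudTrail log lines: it flags PutEventSelectors calls whose classic event selectors exclude management events or narrow readWriteType. Field names follow the CloudTrail record format; the ARNs, account id and trail name are made up.

```python
import json

# Constructed sample CloudTrail records (made-up ARNs, account id and trail name).
# The first call drops management events from the trail; the second is a benign reset.
SAMPLE_LOG_LINES = [
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user",
                                 "accountId": "111122223333"},
                "requestParameters": {"trailName": "example-trail", "eventSelectors": [
                    {"readWriteType": "ReadOnly", "includeManagementEvents": False}]}}),
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-admin",
                                 "accountId": "111122223333"},
                "requestParameters": {"trailName": "example-trail", "eventSelectors": [
                    {"readWriteType": "All", "includeManagementEvents": True}]}}),
]


def selector_reasons(selector):
    """Explain how one classic event selector weakens management-event logging."""
    reasons = []
    # CloudTrail defaults are readWriteType "All" and includeManagementEvents true,
    # so an absent field is treated as the default rather than as suppression.
    if not selector.get("includeManagementEvents", True):
        reasons.append("management events excluded")
    if selector.get("readWriteType", "All") != "All":
        reasons.append("readWriteType narrowed to " + str(selector["readWriteType"]))
    return reasons


def find_suspicious_put_event_selectors(log_lines):
    """Flag PutEventSelectors calls whose selectors reduce management-event coverage.
    Only classic eventSelectors are inspected; advancedEventSelectors are out of scope."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "cloudtrail.amazonaws.com", "PutEventSelectors"):
            continue
        params = rec.get("requestParameters") or {}
        reasons = [r for sel in params.get("eventSelectors") or []
                   for r in selector_reasons(sel)]
        if reasons:
            ident = rec.get("userIdentity") or {}
            findings.append({"trail": params.get("trailName"), "arn": ident.get("arn"),
                             "accountId": ident.get("accountId"), "reasons": reasons})
    return findings
```

Each finding carries the trail, caller ARN and account id, which map onto the {{@userIdentity.arn}} and {{@userIdentity.accountId}} attributes used in the triage steps below.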

Triage and response

  1. Determine if {{@userIdentity.arn}} should have made the {{@evt.name}} API call.
  2. If the API call was not made legitimately by the user:
     • Rotate user credentials.
     • Determine what other API calls were made by the user.
     • Remove the event selector using the AWS CLI command put-event-selectors, or use the AWS console to revert the event selector back to the last known good state.
  3. If the API call was made legitimately by the user:
     • Determine if the user was authorized to make that change.
     • If yes, work with the user to ensure that CloudTrail logs for the affected account {{@userIdentity.accountId}} are being sent to the Datadog platform.
     • If no, remove the event selector using the AWS CLI command put-event-selectors, or reference the AWS console documentation to revert the event selector back to the last known good state.

Changelog

  • 17 October 2022 - Updated tags.