Cloudtrail disable multi-region logging¶
An adversary may attempt to disable multi-region logging in order to perform actions in other regions without detection
|trailname||str||Name of the cloudtrail to be targeted||example-cloudtrail|
aws cloudtrail update-trail --name example-cloudtrail --no-is-multi-region-trail
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:UpdateTrail AND eventSource:*.cloudtrail.amazonaws.com
--- title: Cloudtrail disable multi-region logging id: 2bc6d6d1-fde2-4767-b1e3-809aa8f5c200 status: experimental author: Nick Jones date: 2023-07-01 description: An adversary may attempt to disable multi-region logging in order to perform actions in other regions without detection logsource: service: cloudtrail detection: selection_source: - eventSource: "*.cloudtrail.amazonaws.com" events: - eventName: "UpdateTrail" condition: selection_source AND events level: low tags: - attack.T1562