An actor may attempt to obscure their activity and prevent forensics by deleting a trail.
Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. This alert identifies any manipulation of AWS CloudTrail logs.
MITRE ATT&CK Tactics
AWS CloudTrail
1. Re-enable AWS CloudTrail logging
2. Perform an investigation in Azure Sentinel for the same user account, hostname and/or IP address entity to see whether any lateral movement took place.
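The detection and the follow-up pivot described above, as an added example that is not part of the original rule or its query. The event names in `TAMPER_EVENTS`, the helper names and the sample records are assumptions constructed for illustration; the page does not list which CloudTrail events the alert matches.

```python
import json

# CloudTrail API calls that stop, delete or alter a trail. Assumption: the
# page does not list the event names its alert matches on.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
CT = "cloudtrail.amazonaws.com"

def _rec(time, source, name, ip, user, params=None, error=None):
    """Build one constructed record using CloudTrail's field names."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "requestParameters": params,
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user}}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log, not real data (documentation IPs, example account).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", CT, "DescribeTrails", "198.51.100.7", "auditor"),
    _rec("2024-01-01T10:05:00Z", CT, "DeleteTrail", "203.0.113.10", "dev1",
         {"name": "example-trail"}, error="AccessDenied"),
    _rec("2024-01-01T10:06:00Z", CT, "StopLogging", "203.0.113.10", "dev1",
         {"name": "example-trail"}),
    _rec("2024-01-01T10:09:00Z", "ec2.amazonaws.com", "RunInstances",
         "203.0.113.10", "dev1"),
]})

def find_trail_tampering(raw_log):
    """Return a finding for every attempt to stop, delete or change a trail."""
    findings = []
    for rec in json.loads(raw_log).get("Records", []):
        if rec.get("eventSource") != CT or rec.get("eventName") not in TAMPER_EVENTS:
            continue
        findings.append({
            "time": rec["eventTime"], "action": rec["eventName"],
            "trail": (rec.get("requestParameters") or {}).get("name"),
            "user": rec.get("userIdentity", {}).get("arn"),
            "ip": rec.get("sourceIPAddress"),
            "succeeded": "errorCode" not in rec,  # errorCode: denied or failed
        })
    return findings

def related_activity(raw_log, findings):
    """Other events from the same user or IP, for the follow-up investigation."""
    seen = {f["user"] for f in findings} | {f["ip"] for f in findings}
    return [r["eventName"] for r in json.loads(raw_log).get("Records", [])
            if r.get("eventName") not in TAMPER_EVENTS
            and {r.get("userIdentity", {}).get("arn"), r.get("sourceIPAddress")} & seen]
```

Findings with `succeeded` set to true name the trails that need logging re-enabled; failed attempts are kept because they still identify the account and address to investigate.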