Managed Sentinel – Alert 013
| Field | Value |
|---|---|
| Alert Name | Changes made to AWS CloudTrail logs |
| Description | An actor may attempt to obscure their activity and prevent forensics by deleting a trail. Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. This alert identifies any manipulation of AWS CloudTrail logs. |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Defense Evasion |
| Log sources | AWS CloudTrail |
| Recommendations | 1. Re-enable AWS CloudTrail logging. 2. Perform an investigation in Azure Sentinel for the same user account, hostname and/or IP address entity to see if any lateral movement took place. |
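As an added example (not part of the Managed Sentinel alert or its query), the detection logic this alert describes, run in Python over a constructed CloudTrail log file: it flags the CloudTrail API calls that delete, stop or reconfigure a trail, and keeps IAM-denied attempts as well. The event-name list and the sample records are this example's assumptions.

```python
import json

# CloudTrail API actions that delete, stop or narrow a trail. The API names
# are real; treating this set as "tampering" is this example's assumption.
TRAIL_TAMPERING_EVENTS = {
    "DeleteTrail": "trail deleted",
    "StopLogging": "log delivery stopped",
    "UpdateTrail": "trail configuration changed",
    "PutEventSelectors": "event selectors changed",
}

def detect_trail_tampering(records):
    """Return one finding per record that manipulates a trail. Calls IAM
    rejected (errorCode set) are kept: a denied attempt still shows intent."""
    findings = []
    for rec in records:
        # Only calls to the CloudTrail service count; s3 DeleteBucket is ignored.
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in TRAIL_TAMPERING_EVENTS:
            continue
        findings.append({
            "eventName": name,
            "why": TRAIL_TAMPERING_EVENTS[name],
            "trail": (rec.get("requestParameters") or {}).get("name"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "sourceIp": rec.get("sourceIPAddress"),
            "succeeded": "errorCode" not in rec,
        })
    return findings

# Constructed sample in CloudTrail's JSON log layout (not a real capture).
SAMPLE_RECORDS = json.loads("""{"Records": [
 {"eventTime": "2023-05-01T10:02:11Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2023-05-01T10:03:40Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "requestParameters": {"name": "org-trail"}, "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2023-05-01T10:04:02Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
  "requestParameters": {"name": "org-trail"}, "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2023-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}}
]}""")["Records"]

if __name__ == "__main__":
    for finding in detect_trail_tampering(SAMPLE_RECORDS):
        print(finding)
```

The actor ARN and source IP in each finding are the entities the recommendation above says to pivot on in Sentinel.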