Managed Sentinel – Alert 013

Alert ID: MS-A013
Alert Name: Changes made to AWS CloudTrail logs
Description: An actor may attempt to obscure their activity and prevent forensics by deleting a trail. Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. This alert identifies any manipulation of AWS CloudTrail logs.
Severity Level: Low
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Defense Evasion
Log sources: AWS CloudTrail
Recommendations:
1. Re-enable AWS CloudTrail logging.
2. Perform an investigation in Azure Sentinel on the same user account, hostname and/or IP address entity to see whether any lateral movement was completed.
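As an added illustration of the detection logic this alert describes (not the Managed Sentinel rule itself or any Microsoft connector code), the Python below applies the same idea to CloudTrail records in their native JSON shape: it flags successful calls that stop, delete or reconfigure a trail and extracts the user, source IP and trail name an analyst would pivot on in Sentinel. The event names are real CloudTrail API names; the sample records are constructed.

```python
import json

# Management-event names on the CloudTrail API that delete, stop or reconfigure a
# trail. StopLogging and DeleteTrail match the alert text directly; UpdateTrail and
# PutEventSelectors cover quieter changes to what a trail records.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def is_trail_tamper(record: dict) -> bool:
    """True when a CloudTrail record is a successful call that alters a trail."""
    if record.get("eventSource") != "cloudtrail.amazonaws.com":
        return False
    if record.get("eventName") not in TRAIL_TAMPER_EVENTS:
        return False
    # A denied attempt carries errorCode (e.g. AccessDenied): logging is still on,
    # so it is not the condition this alert represents, though it merits triage.
    return "errorCode" not in record

def find_trail_tampering(records: list) -> list:
    """Return one dict per hit with the entities an analyst pivots on in Sentinel."""
    hits = []
    for r in records:
        if is_trail_tamper(r):
            hits.append({
                "time": r.get("eventTime"),
                "actor": (r.get("userIdentity") or {}).get("arn"),
                "source_ip": r.get("sourceIPAddress"),
                "action": r.get("eventName"),
                "trail": (r.get("requestParameters") or {}).get("name"),
            })
    return hits

# Constructed sample records (not real account data): a benign StartLogging, a
# denied StopLogging, a successful StopLogging and an unrelated S3 call.
# Only the third record should fire.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime":"2023-05-01T10:00:00Z","eventSource":"cloudtrail.amazonaws.com",
  "eventName":"StartLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops"},
  "sourceIPAddress":"203.0.113.10","requestParameters":{"name":"org-trail"}},
 {"eventTime":"2023-05-01T10:05:00Z","eventSource":"cloudtrail.amazonaws.com",
  "eventName":"StopLogging","errorCode":"AccessDenied",
  "userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev"},
  "sourceIPAddress":"198.51.100.7","requestParameters":{"name":"org-trail"}},
 {"eventTime":"2023-05-01T10:07:00Z","eventSource":"cloudtrail.amazonaws.com",
  "eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev"},
  "sourceIPAddress":"198.51.100.7","requestParameters":{"name":"org-trail"}},
 {"eventTime":"2023-05-01T10:09:00Z","eventSource":"s3.amazonaws.com",
  "eventName":"DeleteBucket","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev"},
  "sourceIPAddress":"198.51.100.7","requestParameters":{"bucketName":"logs"}}
]""")
```

Running `find_trail_tampering(SAMPLE_RECORDS)` returns a single hit for the successful StopLogging call, carrying the actor ARN and source IP that the second recommendation says to investigate.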