
9. SOCLabs: Stop CloudTrail Trail

https://www.soc-labs.top/en/detections/89

Goal:

Detect events where CloudTrail logging has been stopped.

Detailed Reasoning:

  1. Searched here: https://docs.aws.amazon.com/ (for: cloudtrail)
  2. Searched here: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html (for: stop)
  3. Jotted down links:

Sigma Query:

title: Stop AWS CloudTrail Trail
status: test
description: Detects the CloudTrail StopLogging API call, which suspends the recording of AWS API calls and log file delivery for a trail
references:
    - https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopEventDataStoreIngestion.html
    - https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html
author: Soumyanil Biswas
date: 2025-10-15
modified: 2025-10-15
tags:
    - attack.xxxx
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: cloudtrail.amazonaws.com
        eventType: AwsApiCall

        # Not included: StopEventDataStoreIngestion pauses ingestion into a
        # CloudTrail Lake event data store, not recording for a trail, so it
        # is out of scope for a rule about stopping a trail.
        #eventName: StopEventDataStoreIngestion

        # Suspends the recording of AWS API calls and log file delivery for the specified trail.
        eventName: StopLogging

    condition: selection
falsepositives:
    - unknown
level: high
fields:
    - eventName
    - sourceIPAddress
    - eventID
    - eventSource
    - userIdentity.arn
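To show what the selection above actually matches, here is an added example (not part of the SOCLabs page or the rule author's material) that evaluates the rule's `selection` map with Sigma's AND semantics over a few constructed CloudTrail records and projects the `fields:` the rule asks for. The records, account id, ARNs, IPs and event ids are all made up for the example; the record shape follows the CloudTrail log format. The second record shows why the commented-out `StopEventDataStoreIngestion` call does not fire this rule.

```python
import json

# The Sigma `selection` from the rule above, as a field -> expected value map.
# In Sigma, every key in a selection map must match (AND semantics).
SELECTION = {
    "eventSource": "cloudtrail.amazonaws.com",
    "eventType": "AwsApiCall",
    "eventName": "StopLogging",
}

# The rule's `fields:` list, surfaced for the analyst on each hit.
OUTPUT_FIELDS = ["eventName", "sourceIPAddress", "eventID", "eventSource", "userIdentity.arn"]


def get_path(record, dotted):
    """Resolve a dotted path such as 'userIdentity.arn' against a nested dict; None if absent."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_selection(record, selection=SELECTION):
    """True when every selection field equals its expected value (Sigma AND semantics)."""
    return all(get_path(record, key) == value for key, value in selection.items())


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of records."""
    return json.loads(text).get("Records", [])


def run_rule(records):
    """Apply the rule to CloudTrail records; return the projected fields of each hit."""
    return [
        {field: get_path(rec, field) for field in OUTPUT_FIELDS}
        for rec in records
        if matches_selection(rec)
    ]


# Constructed sample CloudTrail log body (NOT real log data); placeholder account id, ARNs,
# addresses and event ids chosen for the example.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"},
        "eventTime": "2025-10-15T10:00:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "198.51.100.10",
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"},
        "eventID": "00000000-0000-0000-0000-000000000001",
    },
    {
        # CloudTrail Lake event data store, not a trail: deliberately outside this rule's scope
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"},
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopEventDataStoreIngestion",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "198.51.100.10",
        "eventID": "00000000-0000-0000-0000-000000000002",
    },
    {
        # Benign read-only call; must not fire
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/session"},
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "DescribeTrails",
        "eventType": "AwsApiCall",
        "sourceIPAddress": "203.0.113.5",
        "eventID": "00000000-0000-0000-0000-000000000003",
    },
]})

SAMPLE_RECORDS = load_records(SAMPLE_LOG)


if __name__ == "__main__":
    # Exactly one hit is expected: the StopLogging record.
    for hit in run_rule(SAMPLE_RECORDS):
        print(json.dumps(hit))
```

Only the StopLogging record is returned; the `userIdentity.arn` and `sourceIPAddress` projection gives the analyst the principal and origin to pivot on, which is the same triage data the rule's `fields:` list is meant to surface.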

Query Result

(screenshot of the query result; the image is not reproduced in the page text)