
T1562.008

Title | Tags
Administrators might alter features for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.
Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.
Legitimate administrators may delete guardrails as part of normal operations, such as when replacing outdated guardrails with updated versions, cleaning up test resources, or consolidating security controls. Consider implementing an allowlist for expected administrators who regularly manage guardrails configurations.
Legitimate administrators may delete model invocation logging configurations during maintenance, when updating logging policies, or when cleaning up unused resources. Consider implementing an allowlist for expected administrators who regularly manage logging configurations.
Legitimate administrators may occasionally delete GuardDuty detectors, WAF rule groups, or CloudWatch alarms during environment reconfiguration, migration, or decommissioning activities. In such cases, these events are expected and benign. They should be validated against approved change tickets or deployment pipelines to differentiate malicious activity from normal operations. Consider filtering out these noisy events using the useragent and user_arn field names.
Valid change in a trail.
Valid change in the AWS Config service.
While this search has no known false positives, it is possible that it reflects legitimate admin activity. Consider filtering out these noisy events using the useragent and user_arn field names.