T1562.008
Title: Administrators might alter features for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.
Tags: T1562.001, T1562.008, o365 tenant, splunk

Title: Administrators might temporarily disable the advanced audit for troubleshooting, performance reasons, or other administrative tasks. Filter as needed.
Tags: T1562.008, o365 tenant, splunk

Title: Legitimate administrators may delete guardrails as part of normal operations, such as when replacing outdated guardrails with updated versions, cleaning up test resources, or consolidating security controls. Consider implementing an allowlist for expected administrators who regularly manage guardrails configurations.
Tags: T1562.008, aws account, splunk

Title: Legitimate administrators may delete model invocation logging configurations during maintenance, when updating logging policies, or when cleaning up unused resources. Consider implementing an allowlist for expected administrators who regularly manage logging configurations.
Tags: T1562.008, aws account, splunk

Title: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using useragent, user_arn field names.
Tags: T1485.001, T1562.008, aws account, splunk