trail deletions may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

t1562
aws
elastic

Techniques

T1562

Sample rules

AWS CloudTrail Log Deleted

source: elastic
technicques:
- T1562

Description

Detects deletion of an AWS CloudTrail trail via DeleteTrail API. Removing trails is a high-risk action that destroys an audit control plane and is frequently paired with other destructive or stealthy operations. Validate immediately and restore compliant logging.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "cloudtrail.amazonaws.com"
    and event.action: "DeleteTrail"
    and event.outcome: "success"