added aws_cloudtrail_disable_logging.yml

2020-01-21 15:06:44 +02:00
parent ffcc2dc049
commit 17c00d8a11
1 changed files with 23 additions and 0 deletions
@@ -0,0 +1,23 @@
+title: CloudTrail's Trail important change
+id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
+status: experimental
+author: vitaliy0x1
+description: Detects disabling, deleting and updating of a Trail
+references:
+  - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+logsource:
+  service: CloudTrail
+detection:
+  selection_source:
+    - eventSource: cloudtrail.amazonaws.com
+  events:
+    - eventName:
+        - StopLogging
+        - UpdateTrail
+        - DeleteTrail
+  condition: selection_source AND events
+level: high
+falsepositives:
+    - Valid change in a Trail
+tags:
+  - attack.t1089