From 17c00d8a11d58e25ef5ba2e98e66d7a4ee2c5ac3 Mon Sep 17 00:00:00 2001
From: vitaliy0x1
Date: Tue, 21 Jan 2020 15:06:44 +0200
Subject: [PATCH] added aws_cloudtrail_disable_logging.yml

---
 .../cloud/aws_cloudtrail_disable_logging.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/cloud/aws_cloudtrail_disable_logging.yml

diff --git a/rules/cloud/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws_cloudtrail_disable_logging.yml
new file mode 100644
index 000000000..c09c19388
--- /dev/null
+++ b/rules/cloud/aws_cloudtrail_disable_logging.yml
@@ -0,0 +1,23 @@
+title: CloudTrail's Trail important change
+id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
+status: experimental
+author: vitaliy0x1
+description: Detects disabling, deleting and updating of a Trail
+references:
+    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+logsource:
+    service: CloudTrail
+detection:
+    selection_source:
+        - eventSource: cloudtrail.amazonaws.com
+    events:
+        - eventName:
+            - StopLogging
+            - UpdateTrail
+            - DeleteTrail
+    condition: selection_source AND events
+level: high
+falsepositives:
+    - Valid change in a Trail
+tags:
+    - attack.t1089
\ No newline at end of file
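Review bot: The logsource block names only `service: CloudTrail`; Sigma's cloud rules identify the source with a `product: aws` line next to `service: cloudtrail`, and a backend that resolves logsources by product/service pair may not match this rule as written. The rule header also lacks a `date:` field, which the Sigma schema expects alongside `status` and `author`. The tag `attack.t1089` carries no tactic tag; `attack.defense_evasion` is the conventional companion, and since T1089 was folded into T1562.001 in later ATT&CK releases the technique tag will need updating when the repository moves to that version. The falsepositives entry `Valid change in a Trail` could be more useful to an analyst if it named the expected legitimate actors (e.g. infrastructure-as-code or logging-admin roles) so triage can pivot on `userIdentity`.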