Detection coverage in DCV across AWS, Azure and GCP for Impair Defenses: Disable Cloud Logs, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.
An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.
For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality, for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files. In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.
Platforms: IaaS, SaaS, Office Suite, Identity Provider.
DCV maps 94 detections across 3 cloud providers to T1562.008. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Security Hub | AWS | 35 | 0.83 |
| AWS Config Rules | AWS | 29 | 0.62 |
| Microsoft Defender for Cloud | Azure | 8 | 0.88 |
| GCP Security Command Center | GCP | 7 | 0.89 |
| Azure Policy | Azure | 6 | 0.92 |
| Azure Regulatory Compliance | Azure | 6 | 0.94 |
| AWS GuardDuty | AWS | 3 | 0.93 |
CloudSigma ships 4 production-ready Sigma rules that detect T1562.008 across 4 platforms. Every rule below is validated against its source SIEM dialect before publication.
```yaml
title: AWS CloudTrail Logging Stopped or Trail Deleted
id: d4e5f6a7-b8c9-4d0e-1f2a-3b4c5d6e7f8a
status: stable
description: >
  Detects two specific CloudTrail management actions that disable
  audit logging: StopLogging (pauses event capture on an existing
  trail) and DeleteTrail (removes the trail entirely). Both are
  rare, high-impact administrative operations and a top defense-evasion
  signal in the AWS control plane. Earlier versions of this rule
  also matched UpdateTrail and PutEventSelectors, which fire on
  routine trail-configuration changes during normal infrastructure
  work and overwhelm the high-fidelity signal; those are tracked
  by a separate, lower-severity rule.
author: CloudSigma
date: 2026-04-24
references:
  - https://attack.mitre.org/techniques/T1562/008/
  - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-delete-trails.html
  - https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html
tags:
  - attack.defense-evasion
  - attack.t1562.008
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: cloudtrail.amazonaws.com
    eventName:
      - StopLogging
      - DeleteTrail
  condition: selection
falsepositives:
  - Decommissioning a sandbox or test account where the trail is no longer needed
  - Migration to AWS CloudTrail Lake or to an organization trail under documented change control
fields:
  - userIdentity.arn
  - userIdentity.type
  - sourceIPAddress
  - eventName
  - requestParameters.name
  - awsRegion
level: critical
```
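As an added example, not a rule from the CloudSigma library and not a Sigma backend, the following Python transcribes the selection above into a small matcher and runs it over a handful of constructed CloudTrail records, surfacing the same triage fields the rule lists. It also goes one step past the rule: an assumed lower-severity check for UpdateTrail calls that switch off multi-region capture or log-file validation, the tampering variants named in the technique description. The record contents, the `medium` severity, the helper names, and the lowerCamelCase parameter keys `isMultiRegionTrail` and `enableLogFileValidation` under `requestParameters` are assumptions made for the example.

```python
"""Added example (not CloudSigma code): the CloudTrail rule above transcribed
into a matcher, plus an assumed companion check for weakening UpdateTrail calls,
run over constructed sample records."""
import json

EVENT_SOURCE = "cloudtrail.amazonaws.com"
CRITICAL_EVENTS = {"StopLogging", "DeleteTrail"}      # the rule's selection
TRIAGE_FIELDS = [                                      # the rule's fields list
    "userIdentity.arn", "userIdentity.type", "sourceIPAddress",
    "eventName", "requestParameters.name", "awsRegion",
]
# Assumption: a lower-severity companion rule flags UpdateTrail calls that
# disable multi-region capture or log-file validation. Parameter key names
# are assumed to appear in requestParameters in lowerCamelCase.
WEAKENING_PARAMS = {"isMultiRegionTrail": False, "enableLogFileValidation": False}


def get_path(record, dotted):
    """Resolve a dotted field name such as 'userIdentity.arn'; None if absent."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def classify(record):
    """Return (severity, triage fields) for a record of interest, else None."""
    if record.get("eventSource") != EVENT_SOURCE:
        return None                       # logsource gate: other services are out of scope
    name = record.get("eventName")
    if name in CRITICAL_EVENTS:
        return "critical", {f: get_path(record, f) for f in TRIAGE_FIELDS}
    if name == "UpdateTrail":
        params = record.get("requestParameters") or {}
        # `is` rather than `==` so that a 0 value does not count as False.
        if any(params.get(k) is v for k, v in WEAKENING_PARAMS.items()):
            return "medium", {f: get_path(record, f) for f in TRIAGE_FIELDS}
    return None                           # routine UpdateTrail / read-only calls are ignored


def scan(records):
    """Classify every record and keep the hits, in input order."""
    return [v for v in (classify(r) for r in records) if v is not None]


# Constructed sample records (not real telemetry). Only the keys the matcher
# reads are populated; a real CloudTrail record carries many more.
SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"},
  "requestParameters": {"name": "org-trail"}},
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"},
  "requestParameters": {"name": "org-trail", "snsTopicName": "trail-notify"}},
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
  "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"},
  "requestParameters": {"name": "org-trail", "isMultiRegionTrail": false}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "StopInstances",
  "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0abc"}]}}},
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
  "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"},
  "requestParameters": {"name": "org-trail"}}
]""")

if __name__ == "__main__":
    for severity, fields in scan(SAMPLE_RECORDS):
        print(severity, json.dumps(fields))
```

Of the five constructed records, the StopLogging and DeleteTrail calls fire at critical, the UpdateTrail that only changes the SNS topic is ignored (the routine change the rule's description deliberately excludes), the UpdateTrail that turns off multi-region capture lands in the assumed medium tier, and the EC2 StopInstances call is dropped by the eventSource gate even though its name resembles a logging stop. Pivoting on `userIdentity.arn` and `sourceIPAddress` across the hits is what turns a single alert into the "prior to conducting further malicious activity" pattern the technique text describes.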