
Splunk detections for AWS CloudTrail

Sigma rules produced by CloudSigma, rendered into Splunk searches against the AWS CloudTrail schema. Every rule is mapped to MITRE ATT&CK and validated against the Splunk dialect.

01 Coverage at a glance
  • 20 production rules
  • 20 ATT&CK techniques
  • 8 ATT&CK tactics
  • Output dialect: Splunk
02 Rule index

| Technique | Rule | Severity | Log source |
|-----------|------|----------|------------|
| T1040 | Network Sniffing on AWS CloudTrail | medium | AWS CloudTrail |
| T1059 | Command and Scripting Interpreter on AWS CloudTrail | medium | AWS CloudTrail |
| T1078 | Valid Accounts on AWS CloudTrail | medium | AWS CloudTrail |
| T1078.004 | Valid Accounts: Cloud Accounts on AWS CloudTrail | medium | AWS CloudTrail |
| T1098 | Account Manipulation on AWS CloudTrail | medium | AWS CloudTrail |
| T1098.001 | Account Manipulation: Additional Cloud Credentials on AWS CloudTrail | medium | AWS CloudTrail |
| T1110 | Brute Force on AWS CloudTrail | medium | AWS CloudTrail |
| T1190 | Exploit Public-Facing Application on AWS CloudTrail | medium | AWS CloudTrail |
| T1485 | Data Destruction on AWS CloudTrail | medium | AWS CloudTrail |
| T1486 | Data Encrypted for Impact on AWS CloudTrail | medium | AWS CloudTrail |
| T1491 | Defacement on AWS CloudTrail | medium | AWS CloudTrail |
| T1496 | Resource Hijacking on AWS CloudTrail | medium | AWS CloudTrail |
| T1498 | Network Denial of Service on AWS CloudTrail | medium | AWS CloudTrail |
| T1525 | Implant Internal Image on AWS CloudTrail | medium | AWS CloudTrail |
| T1530 | Data from Cloud Storage Object on AWS CloudTrail | medium | AWS CloudTrail |
| T1552.001 | Unsecured Credentials: Credentials In Files on AWS CloudTrail | medium | AWS CloudTrail |
| T1562 | Impair Defenses on AWS CloudTrail | medium | AWS CloudTrail |
| T1562.001 | Impair Defenses: Disable or Modify Tools on AWS CloudTrail | medium | AWS CloudTrail |
| T1562.007 | Impair Defenses: Disable or Modify Cloud Firewall on AWS CloudTrail | medium | AWS CloudTrail |
| T1562.008 | Impair Defenses: Disable Cloud Logs on AWS CloudTrail | medium | AWS CloudTrail |
03 Example rule

AWS CloudTrail Logging Stopped or Trail Deleted, generated by CloudSigma and validated against the Splunk dialect.

L1 · production · verified 2026-04-24 · manifest sha256:502c13c3beee2563

Sigma rule · CloudSigma Splunk · AWS CloudTrail · 2026-04-24
title: AWS CloudTrail Logging Stopped or Trail Deleted
id: d4e5f6a7-b8c9-4d0e-1f2a-3b4c5d6e7f8a
status: stable
description: >
    Detects two specific CloudTrail management actions that disable
    audit logging: StopLogging (pauses event capture on an existing
    trail) and DeleteTrail (removes the trail entirely). Both are
    rare, high-impact administrative operations and a top defense-
    evasion signal in the AWS plane. Earlier versions of this rule
    also matched UpdateTrail and PutEventSelectors, which fire on
    routine trail-configuration changes during normal infrastructure
    work and overwhelm the high-fidelity signal — those are tracked
    by a separate, lower-severity rule.
author: CloudSigma
date: 2026-04-24
references:
    - https://attack.mitre.org/techniques/T1562/008/
    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-delete-trails.html
    - https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html
tags:
    - attack.defense-evasion
    - attack.t1562.008
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: cloudtrail.amazonaws.com
        eventName:
            - StopLogging
            - DeleteTrail
    condition: selection
falsepositives:
    - Decommissioning a sandbox or test account where the trail is no longer needed
    - Migration to AWS CloudTrail Lake or to an organization trail under documented change control
fields:
    - userIdentity.arn
    - userIdentity.type
    - sourceIPAddress
    - eventName
    - requestParameters.name
    - awsRegion
level: critical
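To show how the detection block above turns into a Splunk search and what it does and does not match, here is an added example (not CloudSigma's or the Sigma project's code): a minimal renderer for this single-selection rule and an evaluator that applies the same selection to constructed CloudTrail records. The index and sourcetype names, the sample ARNs and IPs are assumptions.

```python
# Added example, not CloudSigma's code: the rule's detection block, a minimal
# SPL renderer, and an evaluator that runs the same selection over constructed
# CloudTrail records (StopLogging/DeleteTrail alert, UpdateTrail does not).
SIGMA_DETECTION = {
    "selection": {"eventSource": "cloudtrail.amazonaws.com",
                  "eventName": ["StopLogging", "DeleteTrail"]},
    "condition": "selection",
}
RULE_FIELDS = ["userIdentity.arn", "sourceIPAddress", "eventName", "requestParameters.name"]

def render_splunk(detection, index="aws", sourcetype="aws:cloudtrail"):
    """Render the single-selection detection as SPL (index/sourcetype are assumptions)."""
    terms = []
    for field, value in detection["selection"].items():
        if isinstance(value, list):  # list values are OR'd in Sigma
            terms.append("(" + " OR ".join(f'{field}="{v}"' for v in value) + ")")
        else:
            terms.append(f'{field}="{value}"')
    return f"index={index} sourcetype={sourcetype} " + " ".join(terms)

def get_path(event, dotted):
    """Resolve a dotted Sigma field name (userIdentity.arn) in a nested record."""
    cur = event
    for part in dotted.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def matches(detection, event):
    """True when every selection field matches (map entries are AND'd)."""
    for field, value in detection["selection"].items():
        wanted = value if isinstance(value, list) else [value]
        if get_path(event, field) not in wanted:
            return False
    return True

def alerts(detection, events, fields=RULE_FIELDS):
    """Return the rule's output fields for each matching record."""
    return [{f: get_path(e, f) for f in fields} for e in events if matches(detection, e)]

# Constructed sample records, not real CloudTrail data.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": n, "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "requestParameters": {"name": "org-trail"}}
    for n in ("StopLogging", "UpdateTrail", "DeleteTrail")
] + [{"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
      "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"}}]
```

Running `alerts(SIGMA_DETECTION, SAMPLE_EVENTS)` returns only the StopLogging and DeleteTrail records with the rule's listed fields, which is the behaviour the description claims for the narrowed rule.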
Sources
  • Sigma project, https://github.com/SigmaHQ/sigma
  • Splunk documentation, https://docs.splunk.com/
Last verified: 2026-04-24