Analytics Story: AWS Defense Evasion

Updated Date: 2026-05-13 ID: 4e00b690-293f-434d-a9d8-bcfb2ea5fff9 Author: Gowthamaraj Rajendran, Splunk Product: Splunk Enterprise Security

Description

Identify activity and techniques associated with the Evasion of Defenses within AWS, such as Disabling CloudTrail, Deleting CloudTrail and many others.

Why it matters

Adversaries employ a variety of techniques in order to avoid detection and operate without barriers. This often involves modifying the configuration of security monitoring tools to get around them or explicitly disabling them to prevent them from running. This Analytic Story includes analytics that identify activity consistent with adversaries attempting to disable various security mechanisms on AWS. Such activity may involve deleting the CloudTrail logs , as this is where all the AWS logs get stored or explicitly changing the retention policy of S3 buckets. Other times, adversaries attempt deletion of a specified AWS CloudWatch log group.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
ASL AWS Defense Evasion Delete Cloudtrail	Disable or Modify Cloud Log	TTP
AWS Defense Evasion Update Cloudtrail	Disable or Modify Cloud Log	TTP
ASL AWS Defense Evasion Stop Logging Cloudtrail	Disable or Modify Cloud Log	TTP
ASL AWS Defense Evasion Update Cloudtrail	Disable or Modify Cloud Log	TTP
AWS Defense Evasion Delete CloudWatch Log Group	Disable or Modify Cloud Log	TTP
AWS Defense Evasion Stop Logging Cloudtrail	Disable or Modify Cloud Log	TTP
ASL AWS Defense Evasion Delete CloudWatch Log Group	Disable or Modify Cloud Log	TTP
AWS Defense Evasion Delete Cloudtrail	Disable or Modify Cloud Log	TTP
AWS Defense Evasion Impair Security Services	Disable or Modify Cloud Log	TTP
ASL AWS Defense Evasion PutBucketLifecycle	Lifecycle-Triggered Deletion, Disable or Modify Cloud Log	Hunting
AWS Defense Evasion PutBucketLifecycle	Lifecycle-Triggered Deletion, Disable or Modify Cloud Log	Hunting
ASL AWS Defense Evasion Impair Security Services	Disable or Modify Cloud Log	Hunting

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
ASL AWS CloudTrail	AWS	`aws:asl`	`aws_asl`
AWS CloudTrail UpdateTrail	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail DeleteLogGroup	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail StopLogging	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail DeleteTrail	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail DeleteRule	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail DeleteIPSet	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail DeleteRuleGroup	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail DeleteAlarms	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail DeleteWebACL	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail DeleteDetector	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail DeleteLoggingConfiguration	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail DeleteLogStream	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail PutBucketLifecycle	AWS	`aws:cloudtrail`	`aws_cloudtrail`

References

https://attack.mitre.org/tactics/TA0005/

Source: GitHub | Version: 2