Managed Sentinel – Alert 013
| Field | Value |
|---|---|
| Alert ID | MS-A013 |
| Alert Name | Changes made to AWS CloudTrail logs |
| Description | An actor may attempt to obscure their activity and prevent forensics by deleting a trail. Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. This alert identifies any manipulation of AWS CloudTrail logs. |
| Severity Level | Low |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Defense Evasion |
| Log sources | AWS CloudTrail |
| Recommendations | 1. Re-enable AWS CloudTrail logging. 2. Perform an investigation in Azure Sentinel for the same user account, hostname and/or IP address entity to see if any lateral movement was completed. |
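
The detection logic behind this alert, as an added example that is not Managed Sentinel's own rule: it scans CloudTrail records for the CloudTrail API calls that delete, stop or reconfigure a trail and emits one alert per hit. The set of event names and the sample records are assumptions constructed for the example.

```python
"""Flag CloudTrail "Records" entries that delete, stop or reconfigure a trail (MS-A013 logic)."""
import json

# CloudTrail API calls that remove, halt or change what a trail records.
TRAIL_TAMPER_EVENTS = {"DeleteTrail", "StopLogging", "UpdateTrail", "PutEventSelectors"}


def detect_trail_tampering(records):
    """Return one alert dict per record that manipulates CloudTrail logging.
    Failed calls (errorCode present, e.g. AccessDenied) are kept: a blocked
    attempt is still a signal worth investigating."""
    alerts = []
    for r in records:
        if r.get("eventSource") != "cloudtrail.amazonaws.com":
            continue  # only the CloudTrail service's own API is of interest
        if r.get("eventName") not in TRAIL_TAMPER_EVENTS:
            continue  # read-only calls such as DescribeTrails are ignored
        alerts.append({
            "alert_id": "MS-A013",
            "event": r["eventName"],
            "trail": (r.get("requestParameters") or {}).get("name"),
            "actor": r.get("userIdentity", {}).get("arn"),
            "source_ip": r.get("sourceIPAddress"),
            "time": r.get("eventTime"),
            "succeeded": "errorCode" not in r,
        })
    return alerts


# Constructed sample records (not real data), in the shape CloudTrail delivers
# to S3: a successful StopLogging, a benign read, and a denied DeleteTrail.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/mgmt"}},
 {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DescribeTrails", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": null},
 {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "DeleteTrail", "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
  "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/mgmt"}}
]""")

if __name__ == "__main__":
    for alert in detect_trail_tampering(SAMPLE_RECORDS):
        print(alert)
```

The actor ARN and source IP in each alert are the entities the recommendation above says to pivot on in Azure Sentinel.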
