Deactivation or stoppage of a cloud service (ex: AWS CloudTrail StopLogging)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1562 | Impair Defenses | Monitor logs for API calls to disable logging. In AWS, monitor for:
Enterprise | T1562.008 | Disable Cloud Logs | Monitor logs for API calls to disable logging. In AWS, monitor for:

An extracted list of cloud services (ex: AWS ECS ListServices)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1526 | Cloud Service Discovery | Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.
Enterprise | T1046 | Network Service Discovery | Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.

Contextual data about a cloud service and activity around it such as name, type, or purpose/function

Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)

Domain | ID | Name | Detects
---|---|---|---
Enterprise | T1562 | Impair Defenses | Monitor changes made to cloud services for unexpected modifications to settings and/or data.
Enterprise | T1562.008 | Disable Cloud Logs | Monitor changes made to cloud services for unexpected modifications to settings and/or data.
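
An added example, not part of the original page: one way to apply the disable and modification guidance above to CloudTrail records in Python, flagging the event names the page cites (StopLogging, DeleteTrail, DeleteConfigRule) and raising severity when the same principal made the page's enumeration example call (ListServices) shortly before, so events are read as a chain rather than in isolation. The sample records are constructed; the 30-minute window and the names `find_impairment`, `_rec` and `SAMPLE` are assumptions.

```python
from datetime import datetime, timedelta

# (eventSource, eventName) pairs from the page's examples, with the kind of activity.
IMPAIR = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "disable",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "modification",
    ("config.amazonaws.com", "DeleteConfigRule"): "modification",
}
ENUMERATE = {("ecs.amazonaws.com", "ListServices")}
WINDOW = timedelta(minutes=30)  # assumption: tune per environment

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_impairment(records):
    """One finding per impairment call, in time order; denied calls are kept."""
    findings, last_enum = [], {}
    for rec in sorted(records, key=_ts):
        key = (rec.get("eventSource"), rec.get("eventName"))
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if key in ENUMERATE:
            last_enum[actor] = _ts(rec)
        elif key in IMPAIR:
            seen = last_enum.get(actor)
            # 'high' only if this principal enumerated services within WINDOW.
            chained = seen is not None and _ts(rec) - seen <= WINDOW
            findings.append({
                "time": rec["eventTime"], "actor": actor, "event": key[1],
                "kind": IMPAIR[key],
                "outcome": rec.get("errorCode", "success"),
                "severity": "high" if chained else "medium",
            })
    return findings

def _rec(time, source, name, user, error=None):
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}
    return {**rec, "errorCode": error} if error else rec

# Constructed records, deliberately out of order (not real log data).
SAMPLE = [
    _rec("2024-05-01T12:00:00Z", "cloudtrail.amazonaws.com", "DeleteTrail", "alice"),
    _rec("2024-05-01T10:12:00Z", "cloudtrail.amazonaws.com", "StopLogging", "alice"),
    _rec("2024-05-01T10:00:00Z", "ecs.amazonaws.com", "ListServices", "alice"),
    _rec("2024-05-01T11:00:00Z", "config.amazonaws.com", "DeleteConfigRule", "bob", "AccessDenied"),
]

if __name__ == "__main__":
    print(*find_impairment(SAMPLE), sep="\n")
```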