DET0289 Detection Strategy for Disable or Modify Cloud Logs
| Item | Value |
| --- | --- |
| ID | DET0289 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1562.008 (Disable or Modify Cloud Logs)
Analytics
IaaS
AN0801
Cloud API events where logging services are stopped, deleted, or modified in a way that disables audit visibility. Defender view: unauthorized StopLogging, DeleteTrail, or UpdateSink operations correlated with privileged user activity.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| AdminRoles | Define which roles are authorized to stop or modify logging. |
| RegionScope | Adjust monitoring to ensure multi-region logging tampering is caught. |
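The following is an added example of how AN0801 can be turned into detection logic; it is not code from the ATT&CK page. It normalizes AWS CloudTrail and GCP Cloud Audit Log records onto one shape, flags the logging-tampering operations the analytic names (plus a few real sibling API methods, noted in the code), and exposes the two mutable elements as parameters: AdminRoles as an allow-list of principals, RegionScope as the set of regions watched (None meaning all regions). The sample events are constructed; the run with a narrow RegionScope shows the tampering events a per-region filter would miss.

```python
"""Detection logic for AN0801: cloud API calls that stop, delete or modify audit
logging, parameterised by the AdminRoles and RegionScope mutable elements.
Added example, not code from the ATT&CK page; the sample events are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Operations that remove or reduce audit visibility. StopLogging, DeleteTrail and
# UpdateSink are the ones the analytic names; the others are real sibling API
# methods added here for coverage (UpdateTrail/PutEventSelectors in CloudTrail,
# DeleteSink in GCP Cloud Logging).
TAMPER_OPERATIONS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "UpdateSink", "DeleteSink",
}

@dataclass
class Finding:
    event_id: str
    source: str
    operation: str
    principal: str
    region: str
    severity: str
    reason: str

def normalize(raw: dict) -> Optional[dict]:
    """Map a raw CloudTrail or GCP audit-log record onto one common shape.
    Field names are the providers' own (eventName/awsRegion/userIdentity;
    protoPayload.methodName/authenticationInfo.principalEmail)."""
    if "eventName" in raw:                       # AWS CloudTrail record
        ident = raw.get("userIdentity", {})
        arn = ident.get("arn", "")
        if ident.get("type") == "AssumedRole" and arn.count("/") >= 2:
            principal = arn.split("/")[1]        # .../assumed-role/<RoleName>/<session>
        else:
            principal = ident.get("userName", arn)
        return {"id": raw.get("eventID", ""), "source": "aws",
                "operation": raw["eventName"], "principal": principal,
                "region": raw.get("awsRegion", "")}
    if "protoPayload" in raw:                    # GCP Cloud Audit Log entry
        pp = raw["protoPayload"]
        return {"id": raw.get("insertId", ""), "source": "gcp",
                "operation": pp.get("methodName", "").rsplit(".", 1)[-1],
                "principal": pp.get("authenticationInfo", {}).get("principalEmail", ""),
                # log sinks are project-wide, so treat them as a global region
                "region": raw.get("resource", {}).get("labels", {}).get("location", "global")}
    return None

def detect(events: Iterable[dict], admin_principals: set,
           region_scope: Optional[set] = None) -> list:
    """admin_principals = AdminRoles (AWS role names or GCP principal emails allowed
    to change logging). region_scope = RegionScope: regions to watch, or None to
    watch every region (the safe default for multi-region tampering)."""
    findings = []
    for raw in events:
        ev = normalize(raw)
        if ev is None or ev["operation"] not in TAMPER_OPERATIONS:
            continue
        if region_scope is not None and ev["region"] not in region_scope:
            continue                             # a narrow scope silently drops this
        if ev["principal"] in admin_principals:
            severity, reason = "medium", "logging change by an authorised admin; confirm a change record exists"
        else:
            severity, reason = "high", "logging change by a principal outside AdminRoles"
        findings.append(Finding(ev["id"], ev["source"], ev["operation"],
                                ev["principal"], ev["region"], severity, reason))
    return findings

# Constructed sample records (shapes follow the providers' formats, values are made up).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/SecurityAdmin/alice"}},
    {"eventID": "e2", "eventName": "DescribeTrails", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "auditor"}},
    {"eventID": "e3", "eventName": "DeleteTrail", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "dev-contractor"}},
    {"insertId": "g1", "resource": {"type": "logging_sink", "labels": {"name": "org-sink"}},
     "protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
                      "authenticationInfo": {"principalEmail": "intern@example.com"}}},
]

ADMIN_PRINCIPALS = {"SecurityAdmin", "logging-admin@example.com"}   # the AdminRoles element

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, ADMIN_PRINCIPALS):
        print(f"[{f.severity}] {f.source}:{f.operation} by {f.principal} in {f.region}: {f.reason}")
```

Calling `detect(SAMPLE_EVENTS, ADMIN_PRINCIPALS)` reports all three tampering events (the admin's StopLogging at medium, the contractor's DeleteTrail and the intern's UpdateSink at high), whereas `region_scope={"us-east-1"}` reports only the first, which is exactly the gap the RegionScope element exists to close.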
Identity Provider
AN0802
Disabling or modifying sign-in or audit log collection for user activities. Defender view: policy or configuration updates removing logging coverage for critical accounts.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| CriticalAccounts | Tune to prioritize logging changes that affect administrative or high-value accounts. |
Office Suite
AN0803
Disabling mailbox or tenant-level audit logging, often using Set-MailboxAuditBypassAssociation or downgrading license tiers. Defender view: sudden absence of mailbox activity logging for monitored users.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| UserScope | Tune alerts for users where mailbox auditing should always remain enabled. |
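The following is an added example of detection logic for AN0803; it is not code from the ATT&CK page. It covers both halves of the analytic: the admin cmdlets that bypass or disable mailbox or tenant auditing (Set-MailboxAuditBypassAssociation as named above, plus the real Set-Mailbox -AuditEnabled and Set-OrganizationConfig -AuditDisabled siblings), and the "sudden absence" signal, implemented as in-scope mailboxes that produced activity in a baseline period but nothing in the most recent window. The UserScope element is the `USER_SCOPE` set; the records are constructed in the shape of Microsoft 365 unified audit log entries.

```python
"""Detection logic for AN0803: Exchange Online admin actions that bypass or disable
mailbox/tenant auditing, plus the 'sudden absence of mailbox activity' signal, both
scoped by the UserScope mutable element. Added example, not code from the ATT&CK
page; the records are constructed in the shape of Microsoft 365 unified audit log
entries (Operation, Workload, UserId, CreationTime, Parameters[{Name, Value}])."""
from datetime import datetime, timedelta

# Cmdlet -> (parameter, value) that switches auditing off. The analytic names
# Set-MailboxAuditBypassAssociation; the other two are real Exchange Online
# cmdlets/parameters added here for coverage.
AUDIT_DISABLING = {
    "Set-MailboxAuditBypassAssociation": ("AuditBypassEnabled", "true"),
    "Set-Mailbox": ("AuditEnabled", "false"),
    "Set-OrganizationConfig": ("AuditDisabled", "true"),   # tenant-wide
}
# Mailbox-level operations whose presence shows auditing is still producing events.
MAILBOX_ACTIVITY_OPS = {"MailboxLogin", "MailItemsAccessed", "Send", "SendAs",
                        "SendOnBehalf", "Update", "MoveToDeletedItems", "HardDelete"}

def _params(record: dict) -> dict:
    """Flatten the Parameters list of an ExchangeAdmin record into a name->value map."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def audit_disable_events(records: list, user_scope: set) -> list:
    """Return audit-disabling admin actions; targets inside UserScope (or the whole
    tenant) are rated high, anything else medium."""
    findings = []
    for r in records:
        if r.get("Workload") != "Exchange" or r.get("Operation") not in AUDIT_DISABLING:
            continue
        param, off_value = AUDIT_DISABLING[r["Operation"]]
        p = _params(r)
        if p.get(param, "").lower() != off_value:
            continue                        # same cmdlet, but not turning auditing off
        target = p.get("Identity", "<tenant>").lower()
        tenant_wide = r["Operation"] == "Set-OrganizationConfig"
        findings.append({
            "time": r["CreationTime"], "actor": r.get("UserId", ""),
            "cmdlet": r["Operation"], "target": target,
            "severity": "high" if tenant_wide or target in user_scope else "medium",
        })
    return findings

def silent_mailboxes(records: list, user_scope: set, now: datetime,
                     window_hours: int = 24, baseline_days: int = 7) -> list:
    """Users in UserScope that produced mailbox activity during the baseline period
    but nothing in the most recent window: the 'sudden absence' the analytic describes.
    Users silent in both periods are not reported (no evidence auditing was working)."""
    window_start = now - timedelta(hours=window_hours)
    baseline_start = now - timedelta(days=baseline_days)
    recent, baseline = set(), set()
    for r in records:
        if r.get("Workload") != "Exchange" or r.get("Operation") not in MAILBOX_ACTIVITY_OPS:
            continue
        user = r.get("UserId", "").lower()
        t = datetime.fromisoformat(r["CreationTime"])
        if t >= window_start:
            recent.add(user)
        elif t >= baseline_start:
            baseline.add(user)
    return sorted(u for u in user_scope if u in baseline and u not in recent)

NOW = datetime(2025, 10, 21, 12, 0, 0)                  # constructed evaluation time
USER_SCOPE = {"ceo@example.com", "cfo@example.com"}     # mailboxes that must stay audited

# Constructed sample records (RecordType 1 = ExchangeAdmin, 2 = ExchangeItem, 50 = MailItemsAccessed).
SAMPLE_RECORDS = [
    {"CreationTime": "2025-10-20T09:00:00", "Workload": "Exchange", "RecordType": 1,
     "Operation": "Set-MailboxAuditBypassAssociation", "UserId": "helpdesk-admin@example.com",
     "Parameters": [{"Name": "Identity", "Value": "ceo@example.com"},
                    {"Name": "AuditBypassEnabled", "Value": "True"}]},
    {"CreationTime": "2025-10-20T09:05:00", "Workload": "Exchange", "RecordType": 1,
     "Operation": "Set-Mailbox", "UserId": "helpdesk-admin@example.com",
     "Parameters": [{"Name": "Identity", "Value": "intern@example.com"},
                    {"Name": "AuditEnabled", "Value": "False"}]},
    {"CreationTime": "2025-10-20T09:06:00", "Workload": "Exchange", "RecordType": 1,
     "Operation": "Set-Mailbox", "UserId": "helpdesk-admin@example.com",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.com"},
                    {"Name": "AuditEnabled", "Value": "True"}]},   # benign: auditing turned on
    {"CreationTime": "2025-10-19T08:00:00", "Workload": "Exchange", "RecordType": 2,
     "Operation": "MailboxLogin", "UserId": "ceo@example.com"},
    {"CreationTime": "2025-10-18T10:00:00", "Workload": "Exchange", "RecordType": 50,
     "Operation": "MailItemsAccessed", "UserId": "cfo@example.com"},
    {"CreationTime": "2025-10-21T10:00:00", "Workload": "Exchange", "RecordType": 50,
     "Operation": "MailItemsAccessed", "UserId": "cfo@example.com"},
]

if __name__ == "__main__":
    for f in audit_disable_events(SAMPLE_RECORDS, USER_SCOPE):
        print(f"[{f['severity']}] {f['cmdlet']} on {f['target']} by {f['actor']} at {f['time']}")
    print("silent in-scope mailboxes:", silent_mailboxes(SAMPLE_RECORDS, USER_SCOPE, NOW))
```

On the sample data the bypass set on the CEO's mailbox is rated high because that user is in UserScope, the intern's audit-off change is medium, the benign Set-Mailbox that turns auditing on is ignored, and the CEO's mailbox is the only in-scope user that has gone silent in the last 24 hours while still having baseline activity. Widening the window to 72 hours clears that absence finding, which is the tuning trade-off the UserScope element asks the defender to make deliberately.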
SaaS
AN0804
Disabling or altering security and audit logs in SaaS admin panels (e.g., Slack, Zoom, Salesforce). Defender view: API calls or admin console changes that stop event exports or logging integrations.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| IntegrationScope | Define which SaaS log integrations are required and alert if removed. |