
Summary
This rule detects a specific AWS CloudTrail misconfiguration intended as a defense-evasion technique: a PutEventSelectors call that explicitly disables includeManagementEvents, which stops logging of all management API calls for a trail while the trail remains visible as active in the console. This evasion can conceal IAM changes, credential operations, and other high-impact activity, potentially enabling abuse before detection. The rule triggers on CloudTrail events where event.action is PutEventSelectors, event.provider is cloudtrail.amazonaws.com, the event outcome is success, and aws.cloudtrail.request_parameters contains includeManagementEvents set to false. It maps to MITRE ATT&CK T1562 (Impair Defenses) with subtechnique T1562.008 (Disable or Modify Cloud Logs). Investigation fields capture relevant context such as user identity, region, account, and the exact request parameters to assess intent and scope. False positives may arise when IaC pipelines deliberately configure selectors to true during legitimate deployments, or when administrators restrict only certain data events for cost controls; further checks should verify caller identity, scope (single-region vs multi-region vs organization-wide), and corroborating activity. Triage should confirm whether the change was part of a sanctioned deployment, whether other trails in use provide coverage, and whether any dangerous IAM or credential actions occur shortly after the change. Remediation involves restoring includeManagementEvents to true across selectors, validating trail logging status (IsLogging: true), auditing subsequent activity to identify IAM changes or credential usage, and applying principle-of-least-privilege controls to PutEventSelectors (break-glass roles and SCP enforcement).
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
ATT&CK Techniques
- T1562
- T1562.008
Created: 2026-07-13