Cloud Service Disable

This data component refers to monitoring actions that deactivate or stop a cloud service in a cloud control plane. Examples include disabling essential logging services like AWS CloudTrail (StopLogging API call), Microsoft Azure Monitor Logs, or Google Cloud's Operations Suite (formerly Stackdriver). Disabling such services can hinder visibility into adversary activities within the cloud environment. Examples:

  • AWS CloudTrail StopLogging: This action stops logging of API activity for a particular trail, effectively reducing the monitoring and visibility of AWS resources and activities.
  • Microsoft Azure Monitor Logs: Disabling these logs hinders the organization’s ability to detect anomalous activities and trace malicious actions.
  • Google Cloud Logging: Disabling cloud logging removes visibility into resource activity, preventing monitoring of service access or configuration changes.
  • SaaS Applications: Stopping logging removes visibility into user activities, such as email access or file downloads, enabling undetected malicious behavior.

ID: DC0090
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

Name            Channel
AWS:CloudTrail  Stop logging for an existing CloudTrail
AWS:CloudTrail  Removal of CloudTrail trail
AWS:CloudTrail  StopLogging, DeleteTrail, or DisableSecurityService
azure:activity  az monitor diagnostic-settings delete
saas:audit      Log export integration removed or disabled
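
A detection pass over CloudTrail records for the StopLogging and DeleteTrail calls listed above, as an added example that is not part of the original entry. The sample records, account ID, ARNs and trail name are constructed, and the function name is hypothetical; it assumes one JSON record per line.

```python
import json

# CloudTrail API calls named in the Log Sources table above.
DISABLE_EVENTS = {"StopLogging", "DeleteTrail"}

# Constructed sample records (not real telemetry), one JSON object per line.
# The last line is deliberately truncated to exercise the parse-failure path.
SAMPLE_EVENTS = """\
{"eventTime":"2025-01-01T10:00:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-admin"},"sourceIPAddress":"203.0.113.10","requestParameters":{"name":"example-trail"}}
{"eventTime":"2025-01-01T10:01:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-auditor"},"sourceIPAddress":"203.0.113.11","requestParameters":null}
{"eventTime":"2025-01-01T10:02:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DeleteTrail","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-dev"},"sourceIPAddress":"203.0.113.12","requestParameters":null}
{"eventTime":"2025-01-01T10:03:00Z","eventSource":"cloudtrail.amaz
"""


def find_disable_events(lines):
    """Return one finding per CloudTrail record that stops or deletes a trail."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the run
        if not isinstance(rec, dict):
            continue
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") not in DISABLE_EVENTS:
            continue
        # requestParameters can be null, for example on denied calls.
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "trail": params.get("name"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            # A record with errorCode set means the call failed: logging is
            # still on, but the attempt itself is worth triaging.
            "outcome": "attempted" if rec.get("errorCode") else "succeeded",
        })
    return findings


if __name__ == "__main__":
    for finding in find_disable_events(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Keeping denied attempts as a separate outcome lets an analyst rank a successful StopLogging above a blocked DeleteTrail without losing either.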

Detection Strategy