1. Home
  2. Detection Strategies
  3. Detection Strategy for Disable or Modify Cloud Logs

Detection Strategy for Disable or Modify Cloud Logs

Technique Detected:  Disable or Modify Cloud Logs | T1562.008

ID: DET0289
Domains: Enterprise
Analytics: AN0801, AN0802, AN0803, AN0804
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN0801

Cloud API events where logging services are stopped, deleted, or modified in a way that disables audit visibility. Defender view: unauthorized StopLogging, DeleteTrail, or UpdateSink operations correlated with privileged user activity.

Log Sources
Data Component Name Channel
Cloud Service Disable (DC0090) AWS:CloudTrail Stop logging for an existing CloudTrail
Cloud Service Modification (DC0069) gcp:config UpdateSink request modifying log export destinations
Mutable Elements
Field Description
AdminRoles Define which roles are authorized to stop or modify logging.
RegionScope Adjust monitoring to ensure multi-region logging tampering is caught.

AN0802

Disabling or modifying sign-in or audit log collection for user activities. Defender view: policy or configuration updates removing logging coverage for critical accounts.

Log Sources
Data Component Name Channel
Cloud Service Modification (DC0069) azure:policy DisableAuditLogs or ConditionalAccess logging changes
Mutable Elements
Field Description
CriticalAccounts Tune to prioritize logging changes that affect administrative or high-value accounts.

AN0803

Disabling mailbox or tenant-level audit logging, often using Set-MailboxAuditBypassAssociation or downgrading license tiers. Defender view: sudden absence of mailbox activity logging for monitored users.

Log Sources
Data Component Name Channel
User Account Modification (DC0010) m365:unified Set-MailboxAuditBypassAssociation or disabling Advanced Auditing
Mutable Elements
Field Description
UserScope Tune alerts for users where mailbox auditing should always remain enabled.

AN0804

Disabling or altering security and audit logs in SaaS admin panels (e.g., Slack, Zoom, Salesforce). Defender view: API calls or admin console changes that stop event exports or logging integrations.

Log Sources
Data Component Name Channel
Cloud Service Disable (DC0090) saas:audit Log export integration removed or disabled
Mutable Elements
Field Description
IntegrationScope Define which SaaS log integrations are required and alert if removed.