Impair Defenses: Disable or Modify Cloud Logs `T1562.008`

Tactic: Stealth

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

Authoring guide

Patterns shared across the 67 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (59 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`data_stream.dataset`	24	`eq` 24	`aws.cloudtrail`, `azure.activitylogs`, `gcp.audit`
`event.outcome`	24	`eq` 20, `in` 4	`success`, `Success`
`EventType`	22	`eq` 16, `in` 3, `wildcard` 3	`DELETE`, `CreateTrail`, `DeleteBucketCors`, `DeleteBucketEncryption`, `DeleteBucketLifecycle`
`Provider_Name`	16	`eq` 16	`cloudtrail.amazonaws.com`, `config.amazonaws.com`, `logs.amazonaws.com`, `s3.amazonaws.com`, `bedrock.amazonaws.com`
`aws::eventName`	13	`eq` 12, `in` 2	`DeleteFlowLogs`, `DeleteTrail`, `DeleteEventBus`, `StopLogging`, `UpdateTrail`
`EventID`	11	`eq` 11	`Set-AdminAuditLogConfig`, `SetIamPolicy`, `DeleteAnalyzer`, `DeleteConfigurationRecorder`, `DeleteDeliveryChannel`
`aws::errorCode`	8	`eq` 6, `is_null` 2	`AccessDenied`
`aws::eventSource`	7	`eq` 7	`cloudtrail.amazonaws.com`, `rds.amazonaws.com`
`security_result.action`	7	`eq` 7	`ALLOW`
`operationName`	5	`eq` 4, `in` 1	`MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE`, `MICROSOFT.INSIGHTS/ACTIONGROUPS/DELETE`, `MICROSOFT.INSIGHTS/ALERTRULES/DELETE`, `MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE`, `MICROSOFT.INSIGHTS/METRICALERTS/DELETE`
`resultType`	5	`in` 5	`Succeeded`, `Success`
`azure.activitylogs.operation_name`	4	`eq` 4	`MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE`, `MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE`, `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVEN...`, `MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE`
`event.category`	3	`eq` 3	`BACKUP_AND_RESTORE`, `NSS`
`event.errorcode`	3	`eq` 3	`None`
`event.result`	3	`eq` 3	`SUCCESS`

Top indicator values (154 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`event.outcome`	`eq`	`success` elasticAWS Bedrock Model Invocation Logging Disabled or Modified elasticAWS CloudTrail Log Created elasticAWS CloudTrail Log Deleted elasticAWS CloudTrail Log Evasion elasticAWS CloudTrail Log Suspended elasticAWS CloudTrail Log Updated elasticAWS CloudWatch Log Group Deletion elasticAWS CloudWatch Log Stream Deletion elasticAWS Config Resource Deletion elasticAWS Configuration Recorder Stopped elasticAWS EKS Control Plane Logging Disabled elasticAWS Route 53 Resolver Query Log Configuration Deleted elasticAWS S3 Bucket Configuration Deletion elasticAWS S3 Bucket Expiration Lifecycle Configuration Added elasticAWS S3 Bucket Server Access Logging Disabled elasticAWS SQS Queue Purge elasticAWS VPC Flow Logs Deletion elasticGCP Logging Bucket Deletion elasticGCP Logging Sink Deletion elasticGCP Logging Sink Modification	20	251
`data_stream.dataset`	`eq`	`aws.cloudtrail` elasticAWS Bedrock Model Invocation Logging Disabled or Modified elasticAWS CloudTrail Log Created elasticAWS CloudTrail Log Deleted elasticAWS CloudTrail Log Evasion elasticAWS CloudTrail Log Suspended elasticAWS CloudTrail Log Updated elasticAWS CloudWatch Log Group Deletion elasticAWS CloudWatch Log Stream Deletion elasticAWS Config Resource Deletion elasticAWS Configuration Recorder Stopped elasticAWS EKS Control Plane Logging Disabled elasticAWS Route 53 Resolver Query Log Configuration Deleted elasticAWS S3 Bucket Configuration Deletion elasticAWS S3 Bucket Expiration Lifecycle Configuration Added elasticAWS S3 Bucket Server Access Logging Disabled elasticAWS SQS Queue Purge elasticAWS VPC Flow Logs Deletion	17	141
`data_stream.dataset`	`eq`	`azure.activitylogs` elasticAzure Diagnostic Settings Deleted elasticAzure Event Hub Deleted elasticAzure Kubernetes Services (AKS) Kubernetes Events Deleted elasticAzure VNet Network Watcher Deleted	4	34
`data_stream.dataset`	`eq`	`gcp.audit` elasticGCP Logging Bucket Deletion elasticGCP Logging Sink Deletion elasticGCP Logging Sink Modification	3	23
`security_result.action`	`eq`	`ALLOW` chronicleAWS CloudTrail Logging Tampered chronicleAWS Config Service Modified chronicleAWS Delete CloudWatch Log Group chronicleAWS Delete VPC Flow Logs chronicleAWS IAM Access Analyzer Deleted chronicleGCP Cloud Audit Logging Removed From All Services chronicleGCP Exempt Principals From Audit Log	7	102
`aws::errorCode`	`eq`	`AccessDenied` sigmaAttempt To Delete A CloudTrail Log sigmaAttempt To Modify CloudTrail Log Settings sigmaAttempt To Stop CloudTrail Logging sigmaCloudTrail Log Deleted sigmaCloudTrail Log Settings Modified sigmaCloudTrail Logging Stopped	6	19
`aws::eventSource`	`eq`	`cloudtrail.amazonaws.com` sigmaAttempt To Delete A CloudTrail Log sigmaAttempt To Modify CloudTrail Log Settings sigmaAttempt To Stop CloudTrail Logging sigmaCloudTrail Log Deleted sigmaCloudTrail Log Settings Modified sigmaCloudTrail Logging Stopped	6	10
`resultType`	`in`	`Succeeded` pantherAzure Action Groups Deleted pantherAzure Alert Rules Deleted pantherAzure Diagnostic Settings Deleted pantherAzure Event Hub Deleted pantherAzure Log Analytics Workspace Deleted	5	51
`resultType`	`in`	`Success` pantherAzure Action Groups Deleted pantherAzure Alert Rules Deleted pantherAzure Diagnostic Settings Deleted pantherAzure Event Hub Deleted pantherAzure Log Analytics Workspace Deleted	5	51
`Provider_Name`	`eq`	`cloudtrail.amazonaws.com` elasticAWS CloudTrail Log Created elasticAWS CloudTrail Log Deleted elasticAWS CloudTrail Log Suspended elasticAWS CloudTrail Log Updated	4	4
`Provider_Name`	`eq`	`config.amazonaws.com` elasticAWS Config Resource Deletion elasticAWS Configuration Recorder Stopped	2	2
`Provider_Name`	`eq`	`logs.amazonaws.com` elasticAWS CloudWatch Log Group Deletion elasticAWS CloudWatch Log Stream Deletion	2	2
`Provider_Name`	`eq`	`s3.amazonaws.com` elasticAWS S3 Bucket Configuration Deletion elasticAWS S3 Bucket Server Access Logging Disabled	2	14
`event.outcome`	`in`	`Success` elasticAzure Diagnostic Settings Deleted elasticAzure Event Hub Deleted elasticAzure Kubernetes Services (AKS) Kubernetes Events Deleted elasticAzure VNet Network Watcher Deleted	4	37
`event.outcome`	`in`	`success` elasticAzure Diagnostic Settings Deleted elasticAzure Event Hub Deleted elasticAzure Kubernetes Services (AKS) Kubernetes Events Deleted elasticAzure VNet Network Watcher Deleted	4	38
`aws::eventName`	`eq`	`UpdateTrail` sigmaAttempt To Modify CloudTrail Log Settings sigmaCloudTrail Log Settings Modified kustoAWSCloudTrail - Tampering to AWS CloudTrail logs	3	6
`aws::eventName`	`eq`	`DeleteTrail` sigmaAttempt To Delete A CloudTrail Log sigmaCloudTrail Log Deleted	2	5
`aws::eventName`	`eq`	`StopLogging` sigmaAttempt To Stop CloudTrail Logging sigmaCloudTrail Logging Stopped	2	5
`event.errorcode`	`eq`	`None` pantherZIA Backup Deleted pantherZIA Golden Restore Point Dropped pantherZIA Log Streaming Disabled	3	10
`event.result`	`eq`	`SUCCESS` pantherZIA Backup Deleted pantherZIA Golden Restore Point Dropped pantherZIA Log Streaming Disabled	3	10
`EventID`	`eq`	`Set-AdminAuditLogConfig` chronicleOffice 365 logging has been enabled chronicleOffice 365 logging is disabled	2	2
`EventID`	`eq`	`SetIamPolicy` chronicleGCP Cloud Audit Logging Removed From All Services chronicleGCP Exempt Principals From Audit Log	2	4
`EventType`	`eq`	`DELETE` pantherZIA Backup Deleted pantherZIA Log Streaming Disabled	2	4
`OperationName`	`eq`	`AuditLog.StreamDisabledByUser` kustoAzure DevOps Audit Stream Disabled kustoNRT Azure DevOps Audit Stream Disabled	2	2
`aws::eventName`	`in`	`DeleteEventBus` kustoAWSCloudTrail - Config Service Resource Deletion Attempts kustoAWSCloudTrail - Tampering to AWS CloudTrail logs	2	3
`aws::eventName`	`in`	`DeleteFlowLogs` kustoAWSCloudTrail - Config Service Resource Deletion Attempts kustoAWSCloudTrail - Tampering to AWS CloudTrail logs	2	4
`aws::eventName`	`in`	`DeleteTrail` kustoAWSCloudTrail - Config Service Resource Deletion Attempts kustoAWSCloudTrail - Tampering to AWS CloudTrail logs	2	5
`aws::eventName`	`in`	`StopLogging` kustoAWSCloudTrail - Config Service Resource Deletion Attempts kustoAWSCloudTrail - Tampering to AWS CloudTrail logs	2	5
`aws::eventName`	`in`	`UpdateTrail` kustoAWSCloudTrail - Config Service Resource Deletion Attempts kustoAWSCloudTrail - Tampering to AWS CloudTrail logs	2	4
`event.category`	`eq`	`BACKUP_AND_RESTORE` pantherZIA Backup Deleted pantherZIA Golden Restore Point Dropped	2	2

Exclusions (11 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`aws::errorCode`	`eq`	`AccessDenied` sigmaCloudTrail Log Deleted sigmaCloudTrail Log Settings Modified sigmaCloudTrail Logging Stopped	3
`aws::userAgent`	`eq`	`AWS Internal` elasticAWS CloudWatch Log Group Deletion elasticAWS CloudWatch Log Stream Deletion	2
`ActivityStatusValue`	`contains`	`succeeded` kustoAzure Diagnostic settings removed from a resource	1
`ActivityStatusValue`	`contains`	`success` kustoAzure Diagnostic settings removed from a resource	1
`aws::requestParameters`	`contains`	`loggingenabled` elasticAWS S3 Bucket Server Access Logging Disabled	1
`aws::userIdentity.invokedBy`	`in`	`config-conforms.amazonaws.com` elasticAWS Config Resource Deletion	1
`aws::userIdentity.invokedBy`	`in`	`controltower.amazonaws.com` elasticAWS Config Resource Deletion	1
`aws::userIdentity.invokedBy`	`in`	`fms.amazonaws.com` elasticAWS Config Resource Deletion	1
`aws::userIdentity.invokedBy`	`in`	`securityhub.amazonaws.com` elasticAWS Config Resource Deletion	1
`azure_ad::operation_name_value`	`ends_with`	`/DELETE` kustoAzure Diagnostic settings removed from a resource	1
`azure_ad::operation_name_value`	`ne`	`MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE` kustoAzure Diagnostic settings removed from a resource	1

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Impair Defenses: Disable or Modify Cloud Logs `T1562.008`

Authoring guide

Fields filtered most (59 distinct)

Top indicator values (154 distinct)

Exclusions (11 distinct)

Rules under this technique

Sigma 6 rules

Elastic 24 rules

Kusto 8 rules

YARA-L 11 rules

Panther 18 rules

Keyboard shortcuts

Search operators

Impair Defenses: Disable or Modify Cloud Logs T1562.008

Authoring guide

Fields filtered most (59 distinct)

Top indicator values (154 distinct)

Exclusions (11 distinct)

Rules under this technique

Sigma 6 rules

Elastic 24 rules

Kusto 8 rules

YARA-L 11 rules

Panther 18 rules

Impair Defenses: Disable or Modify Cloud Logs `T1562.008`