Skip to main content
Lantern Home
 
 
Splunk Lantern

Disabled AWS CloudTrail logging

  1. Last updated
  2. Save as PDF

 

CloudTrail logs provide critical ground truth auditing of all AWS activity. Whether malicious or otherwise, timely detection of CloudTrail logging becoming disabled is important. Use this procedure to detect and alert when CloudTrail logs have been disabled.

Data required

AWS: CloudTrail logs

Procedure

  1. Configure the Splunk Add-on for Amazon Web Services.
  2. Ensure that your deployment is ingesting AWS data through one of the following methods:
    • Pulling the data from Splunk via AWS APIs. At small scale, pull via the AWS APIs will work.
    • Pushing the data from AWS into Splunk via Lambda/Firehose to Splunk HTTP event collector. As the size and scale of either your AWS accounts or the amount of data to be collected grows, pushing data from AWS into the Splunk platform is the easier and more scalable method.
  3. Run the following search: 
    index="<AWS index name>" sourcetype="aws:cloudtrail" eventName=StopLogging
| rename requestParameters.name AS trail_name userIdentity.arn AS who_done_it
| table _time aws_account_id region eventName trail_name who_done_it

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
index="<AWS index name>" sourcetype="aws:cloudtrail" Search the indexes where AWS data is stored filtered to just the AWS CloudTrail data.
eventName=StopLogging Filter the results down to the StopLogging event which is emitted when CloudTrail logging is disabled.
| rename requestParameters.name AS trail_name userIdentity.arn AS who_done_it Rename the fields as shown for better readability.
| table _time aws_account_id region eventName trail_name who_done_it Display the results in a table with columns in the order shown.

Next steps

Use the results of this search to re-enable CloudTrail logging and to take the appropriate measures to address the account that disabled it.

You might also be interested in other processes associated with the Managing an Amazon Web Services environment use case.