
Query: CloudTrail Trail Logging Stopped

Description

Detect when logging was stopped on a CloudTrail trail. A successful StopLogging call, whether accidental or made by an attacker covering their tracks, cuts off the record of API activity for that trail, reducing visibility into critical AWS activity and hindering threat detection and compliance. Review every match for an authorized change request; anything else warrants investigation of the calling identity.

Query

Tables used in this query:

aws_cloudtrail_log

Detections using this query:

SQL

select
  tp_timestamp as timestamp,
  -- event_source is 'cloudtrail.amazonaws.com'; DuckDB lists are 1-indexed,
  -- so [1] is 'cloudtrail' and the operation reads 'cloudtrail:StopLogging'
  string_split(event_source, '.') [ 1 ] || ':' || event_name as operation,
  -- the trail whose logging was stopped, taken from the request parameters
  request_parameters ->> 'name' as resource,
  user_identity.arn as actor,
  tp_source_ip as source_ip,
  tp_index as account_id,
  aws_region as region,
  tp_id as source_id,
  *
from
  aws_cloudtrail_log
where
  event_source = 'cloudtrail.amazonaws.com'
  and event_name = 'StopLogging'
  -- successful calls only: denied or failed attempts carry an error_code
  -- and are deliberately left out of this detection
  and error_code is null
order by
  event_time desc;
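To see what the filter above matches and, just as importantly, what it drops, the following added example (not part of the Tailpipe mod or this page) replays the same logic over a handful of constructed CloudTrail records in an in-memory SQLite table. The flattened column names (event_source, event_name, error_code, tp_index, tp_id and so on) mirror the page's query; the mapping from raw CloudTrail JSON keys to those columns, the `json_get` helper that stands in for DuckDB's `->>`, and the sample records are assumptions made for illustration. Note that a StopLogging call denied by IAM carries an errorCode and is excluded, and that the query matches StopLogging only, not other ways of reducing trail coverage.

```python
"""Replay the CloudTrail StopLogging detection over constructed records.

Added example, not code from the Tailpipe AWS detections mod. Column
names follow the page's query; the raw-JSON-to-column mapping and the
json_get() helper are assumptions for illustration.
"""
import json
import sqlite3

# Constructed sample CloudTrail records (not real logs).
SAMPLE_RECORDS = [
    {   # successful StopLogging by an IAM user: should match
        "eventID": "evt-1", "eventTime": "2024-05-01T10:15:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"name": "org-trail"},
        "recipientAccountId": "111122223333",
    },
    {   # StopLogging denied by IAM: errorCode is set, so it is excluded
        "eventID": "evt-2", "eventTime": "2024-05-01T10:20:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {"name": "org-trail"},
        "recipientAccountId": "111122223333", "errorCode": "AccessDenied",
    },
    {   # StartLogging: a different event, not this detection
        "eventID": "evt-3", "eventTime": "2024-05-01T10:30:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StartLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"name": "org-trail"},
        "recipientAccountId": "111122223333",
    },
    {   # later successful StopLogging from a role in another account: should match first
        "eventID": "evt-4", "eventTime": "2024-05-01T11:30:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "eu-west-1", "sourceIPAddress": "192.0.2.44",
        "userIdentity": {"arn": "arn:aws:iam::444455556666:role/ci-deployer"},
        "requestParameters": {"name": "audit-trail"},
        "recipientAccountId": "444455556666",
    },
]

# Flattened columns named like the page's query (assumed mapping).
SCHEMA = """
create table aws_cloudtrail_log (
  tp_id text, tp_timestamp text, tp_index text, tp_source_ip text,
  event_time text, event_source text, event_name text, error_code text,
  aws_region text, user_identity_arn text, request_parameters text
)
"""

# Same filter as the page; substr/instr replace string_split()[1] and
# json_get() replaces ->> because plain SQLite lacks both.
DETECTION_SQL = """
select
  tp_timestamp as timestamp,
  substr(event_source, 1, instr(event_source, '.') - 1) || ':' || event_name as operation,
  json_get(request_parameters, 'name') as resource,
  user_identity_arn as actor,
  tp_source_ip as source_ip,
  tp_index as account_id,
  aws_region as region,
  tp_id as source_id
from aws_cloudtrail_log
where event_source = 'cloudtrail.amazonaws.com'
  and event_name = 'StopLogging'
  and error_code is null
order by event_time desc
"""


def json_get(blob, key):
    """Hypothetical stand-in for DuckDB's ->>: read one key from a JSON string."""
    return json.loads(blob).get(key)


def load_records(conn, records):
    """Flatten raw CloudTrail JSON into the Tailpipe-style columns (assumed mapping)."""
    conn.execute(SCHEMA)
    rows = [(
        r["eventID"], r["eventTime"], r["recipientAccountId"], r["sourceIPAddress"],
        r["eventTime"], r["eventSource"], r["eventName"], r.get("errorCode"),
        r["awsRegion"], r["userIdentity"]["arn"], json.dumps(r.get("requestParameters", {})),
    ) for r in records]
    conn.executemany("insert into aws_cloudtrail_log values (?,?,?,?,?,?,?,?,?,?,?)", rows)


def run_detection(records=SAMPLE_RECORDS):
    """Return the detection's rows, newest first, as plain dicts."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.create_function("json_get", 2, json_get)
    load_records(conn, records)
    return [dict(row) for row in conn.execute(DETECTION_SQL)]


if __name__ == "__main__":
    for hit in run_detection():
        print(hit)
```

Of the four records only evt-4 and evt-1 come back, in that order: the denied attempt (evt-2) is dropped by `error_code is null`, which is worth keeping in mind when hunting, since a burst of denied StopLogging calls is itself a signal and needs a separate query with the opposite predicate.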

Tags

recommended = true