Cloud resource logging was disabled

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-06-24
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Azure Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

Detector Tags

Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify Cloud Logs (T1562.008)

Severity

Informational

Description

Cloud resource logging was disabled.

Attacker's Goals

  • Avoiding detection of their activities by limiting the amount of data collected.
  • This action may be preliminary to resource deletion or data exfiltration from the resource.
  • Setting the stage for further attacks, like a Ransomware Attack.

Investigative actions

  • Confirm that the identity intended to disable logging on this resource.
  • Follow further actions done by the identity.
  • Monitor other (non-disabled) activity logs related to this resource.

Variations

Cloud resource logging was disabled - failed attempt

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify Cloud Logs (T1562.008)

Severity

Informational

Description

A failed attempt to disable cloud resource logging.

Attacker's Goals

  • Avoiding detection of their activities by limiting the amount of data collected.
  • This action may be preliminary to resource deletion or data exfiltration from the resource.
  • Setting the stage for further attacks, like a Ransomware Attack.

Investigative actions

  • Confirm that the identity intended to disable logging on this resource.
  • Follow further actions done by the identity.
  • Monitor other (non-disabled) activity logs related to this resource.


Cloud resource logging was disabled on a DB/storage resource

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impair Defenses: Disable or Modify Cloud Logs (T1562.008)

Severity

Low

Description

Cloud resource logging was disabled on a DB/storage resource.

Attacker's Goals

  • Avoiding detection of their activities by limiting the amount of data collected.
  • This action may be preliminary to resource deletion or data exfiltration from the resource.
  • Setting the stage for further attacks, like a Ransomware Attack.

Investigative actions

  • Confirm that the identity intended to disable logging on this resource.
  • Follow further actions done by the identity.
  • Monitor other (non-disabled) activity logs related to this resource.
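
The variations and the "follow further actions done by the identity" step above, as an added Python example (not Cortex XSIAM's detector logic and not code from this page). It assumes that deleting an Azure diagnostic setting is the logging-disabled signal, uses constructed records with simplified field names, checks for failure before resource type, and looks one hour ahead for follow-up activity.

```python
from datetime import datetime, timedelta

DISABLE_OP = "microsoft.insights/diagnosticsettings/delete"  # assumed "logging disabled" signal
DATA_PROVIDERS = ("microsoft.storage/", "microsoft.sql/", "microsoft.documentdb/", "microsoft.dbforpostgresql/")
WINDOW = timedelta(hours=1)  # assumed look-ahead for follow-up activity
SUB = "/subscriptions/0000/resourceGroups/rg1/providers/"  # constructed placeholder scope
DIAG = "/providers/Microsoft.Insights/diagnosticSettings/audit"

def ev(time, caller, operation, resource, status="Succeeded"):
    return dict(time=time, caller=caller, operation=operation, resource=SUB + resource, status=status)

# Constructed sample records (simplified field names, not a real audit log export).
EVENTS = [
    ev("2025-06-01T10:00:00", "alice@example.com", "Microsoft.Insights/diagnosticSettings/delete",
       "Microsoft.Storage/storageAccounts/acct1" + DIAG),
    ev("2025-06-01T10:05:00", "alice@example.com", "Microsoft.Storage/storageAccounts/delete",
       "Microsoft.Storage/storageAccounts/acct1"),
    ev("2025-06-01T10:07:00", "bob@example.com", "Microsoft.Insights/diagnosticSettings/delete",
       "Microsoft.Compute/virtualMachines/vm1" + DIAG, status="Failed"),
    ev("2025-06-01T11:30:00", "carol@example.com", "Microsoft.Insights/diagnosticSettings/delete",
       "Microsoft.Network/virtualNetworks/vnet1" + DIAG),
    ev("2025-06-01T13:00:00", "alice@example.com", "Microsoft.Storage/storageAccounts/listKeys/action",
       "Microsoft.Storage/storageAccounts/acct2"),
]

def classify(event):
    """Map a record to (variation, severity) as listed on this page, or None."""
    if event["operation"].lower() != DISABLE_OP:
        return None
    if event["status"] != "Succeeded":
        return ("failed attempt", "Informational")
    if any(p in event["resource"].lower() for p in DATA_PROVIDERS):
        return ("DB/storage resource", "Low")
    return ("logging disabled", "Informational")

def triage(events):
    """Classify each disable event and attach the same identity's later actions."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for e in events:
        verdict = classify(e)
        if verdict:
            start = datetime.fromisoformat(e["time"])
            later = [o for o in events if o["caller"] == e["caller"]
                     and start < datetime.fromisoformat(o["time"]) <= start + WINDOW]
            findings.append({"caller": e["caller"], "variation": verdict[0], "severity": verdict[1],
                             "followups": [o["operation"] for o in later]})
    return findings
```

A finding whose follow-ups include a delete on the same resource, as in the first constructed record, matches the "preliminary to resource deletion" goal listed above and is the one to review first.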