Cloud Service Disable (ec0612c5-2644-4c50-bcac-82586974fedd)
This data component refers to monitoring actions that deactivate or stop a cloud service in a cloud control plane. Examples include disabling essential logging services like AWS CloudTrail (StopLogging API call), Microsoft Azure Monitor Logs, or Google Cloud's Operations Suite (formerly Stackdriver). Disabling such services can hinder visibility into adversary activities within the cloud environment. Examples:
- AWS CloudTrail StopLogging: This action stops logging of API activity for a particular trail, effectively reducing the monitoring and visibility of AWS resources and activities.
- Microsoft Azure Monitor Logs: Disabling these logs hinders the organization’s ability to detect anomalous activities and trace malicious actions.
- Google Cloud Logging: Disabling cloud logging removes visibility into resource activity, preventing monitoring of service access or configuration changes.
- SaaS Applications: Stopping logging removes visibility into user activities, such as email access or file downloads, enabling undetected malicious behavior.
This data component can be collected through the following measures:
Enable and Monitor Cloud Service Logging
- Ensure logging is enabled for all cloud services, including administrative actions like StopLogging.
- Example: Use AWS Config to verify that CloudTrail is enabled and enforce logging as a compliance rule.
API Monitoring
- Use API monitoring tools to detect calls like StopLogging or equivalent service-stopping actions in other platforms.
- Example: Monitor AWS CloudWatch for specific API events such as StopLogging and flag calls made by principals not authorized to change logging configuration.
SIEM Integration
- Collect logs and events from the cloud control plane into a centralized SIEM for real-time analysis and correlation.
- Example: Ingest AWS CloudTrail logs into Splunk or Azure Monitor logs into Sentinel.
Cloud Security Posture Management (CSPM) Tools
- Leverage CSPM tools like Prisma Cloud, Dome9, or AWS Security Hub to detect misconfigurations or suspicious activity, such as disabled logging.
- Example: Set alerts for changes to logging configurations in CSPM dashboards.
Configure Alerts in Cloud Platforms
- Create native alerts in cloud platforms to detect service stoppages.
- Example: Configure an AWS CloudWatch alarm to trigger when StopLogging is invoked.
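The API-monitoring and alerting measures above, as an added example that is not part of this page: a small detector run over CloudTrail records that flags the StopLogging call named here (plus the DeleteTrail and UpdateTrail management calls, which also remove or reconfigure a trail) and raises severity when the caller is not on an allowlist. The allowlisted role ARN and the sample records are constructed for the example.

```python
import json

# CloudTrail API calls that stop or weaken trail logging. StopLogging is the
# call named on this page; DeleteTrail and UpdateTrail are the other documented
# CloudTrail management APIs that remove or reconfigure a trail.
LOGGING_DISABLE_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

# Constructed allowlist (assumption): the only principal expected to change
# trail configuration, e.g. an infrastructure-as-code deployment role.
ALLOWED_PRINCIPALS = {"arn:aws:iam::123456789012:role/InfraDeployRole"}


def detect_logging_disable(records, allowed=ALLOWED_PRINCIPALS):
    """Return one alert per CloudTrail record that disables or alters a trail.
    `records` is the "Records" array of a CloudTrail log file. Calls by an
    allowed principal are still reported, at lower severity, for audit."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") not in LOGGING_DISABLE_EVENTS:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        alerts.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "trail": rec.get("requestParameters", {}).get("name"),
            "actor": actor,
            "source_ip": rec.get("sourceIPAddress"),
            "severity": "medium" if actor in allowed else "high",
        })
    return alerts


# Constructed sample records in the CloudTrail record shape (not real data).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/InfraDeployRole"},
     "requestParameters": {"name": "old-trail"}},
]

if __name__ == "__main__":
    for alert in detect_logging_disable(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

The same filter expressed as a CloudWatch metric filter or SIEM rule (eventSource = cloudtrail.amazonaws.com and eventName in the set above) is what the native alert in the last measure would key on.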