AWS CloudTrail Management Events Disabled via PutEventSelectors

Last updated 6 days ago on 2026-07-13
Created 6 days ago on 2026-07-13

About

Detects CloudTrail PutEventSelectors calls where the legacy event selectors explicitly set includeManagementEvents to false, disabling capture of all management API calls for that trail. Unlike StopLogging or DeleteTrail — which leave an obvious trace of the trail being stopped or removed entirely — this technique leaves the trail appearing active and healthy in the console while silently blinding defenders to subsequent IAM changes, credential operations, and resource abuse. This technique is documented in Stratus Red Team as aws.defense-evasion.cloudtrail-event-selectors and is a known pre-exfiltration step.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS CloudTrailUse Case: Log AuditingTactic: Defense EvasionLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

False Positive Examples
IaC pipelines setting event selectors during trail creation always set includeManagementEvents to true — the rule will not fire on those calls. The remaining FP vector is an administrator intentionally restricting a trail to data-events-only for cost reasons. Validate the caller, change management ticket, and confirm this is not a multi-region or organization-wide trail where the coverage impact would be severe.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: "aws.cloudtrail" and event.provider: "cloudtrail.amazonaws.com" and event.action: "PutEventSelectors" and event.outcome: "success" and aws.cloudtrail.request_parameters: *includeManagementEvents*false*

Install detection rules in Elastic Security

Detect AWS CloudTrail Management Events Disabled via PutEventSelectors in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).