CloudTrail trail config updated from malicious IP address
Suspicious activity
CloudTrail trail config updated from malicious IP address
Risk Level
Hazardous (3)
Platform(s)
Description
Orca detected that an 'UpdateTrail' API call was made to CloudTrail from a malicious IP address - {MaliciousIp.MaliciousIp} - and that the operation succeeded. The AWS CloudTrail service consists of a set of trails, each of which defines a different logging configuration. By calling the UpdateTrail API, logging of specific events can be disabled. A call from a malicious IP may indicate an attacker attempting to avoid being logged.
Recommended Mitigation
It is recommended to review the permissions that were used to make this API call. If the trail is still active, enable logging and look for malicious activity from the malicious address.
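As an added example (not Orca's own detection logic), the check this description outlines, written in Python over constructed CloudTrail records: it flags successful UpdateTrail calls whose source IP is on a blocklist and reports which request parameters narrowed the trail's logging coverage. The records, the blocklist and the trail names are all constructed for illustration.

```python
import json

# Constructed sample CloudTrail records (not real data), in the shape CloudTrail delivers them.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": False,
                           "includeGlobalServiceEvents": False}},
    {"eventTime": "2024-03-01T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "requestParameters": {"name": "audit-trail"},
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized"},
    {"eventTime": "2024-03-01T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/Terraform"},
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": True}},
]})

# Hypothetical threat-intel blocklist (constructed); a real one would come from a feed.
MALICIOUS_IPS = {"198.51.100.23"}

# UpdateTrail parameters that, when set to these values, shrink what the trail records.
SCOPE_NARROWING = {"isMultiRegionTrail": False, "includeGlobalServiceEvents": False}


def find_suspicious_trail_updates(log_text, malicious_ips):
    """Return one alert per successful UpdateTrail call that came from a blocklisted IP."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") != "UpdateTrail":
            continue
        if rec.get("sourceIPAddress") not in malicious_ips:
            continue
        # A failed call (errorCode present) did not change the trail; the alert
        # described above fires only when the operation was successful.
        if "errorCode" in rec:
            continue
        params = rec.get("requestParameters") or {}
        narrowed = [k for k, v in SCOPE_NARROWING.items() if params.get(k) == v]
        alerts.append({
            "time": rec["eventTime"],
            "source_ip": rec["sourceIPAddress"],
            "principal": rec.get("userIdentity", {}).get("arn"),  # whose permissions to review
            "trail": params.get("name"),
            "scope_narrowed": narrowed,  # settings that reduced logging coverage
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_trail_updates(SAMPLE_LOG, MALICIOUS_IPS):
        print(json.dumps(alert))
```

The `principal` field points at the identity whose permissions the mitigation says to review; a non-empty `scope_narrowed` list is the signal that the trail now logs less than before.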