CloudTrail trail deleted from malicious IP address
Suspicious activity
Risk Level
Imminent Compromise (2)
Platform(s)
Description
Orca detected a successful 'DeleteTrail' CloudTrail API call made from a malicious IP address, {MaliciousIp.MaliciousIp}. AWS CloudTrail consists of a set of trails, each defining a separate logging configuration (which regions and event types are recorded, and where the log files are delivered). Calling the DeleteTrail API removes a trail and stops log delivery for it. A successful call from a known-malicious address indicates that an attacker with sufficient permissions may be trying to disable logging to hide subsequent activity in the account.
Recommended Mitigation
It is recommended to review the IAM identity and permissions that were used to make this API call, and to rotate or revoke the credentials if the identity is not expected to manage CloudTrail. If possible, create a new trail so that logging resumes, then look for malicious activity from the malicious address. Note that the DeleteTrail call itself is a management event, so it and the other management events of the past 90 days remain searchable in the CloudTrail event history even while no trail exists; use that history to establish what the address did before and after the trail was deleted.
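The following is an added example, not Orca's code, showing the detection described above (a successful DeleteTrail or similar logging-disruption call from a malicious IP) and the triage step from the mitigation (listing everything the same address did). The log records are constructed sample CloudTrail events in the `{"Records": [...]}` shape CloudTrail delivers to S3; `MALICIOUS_IPS` is a placeholder for the threat-intelligence feed behind `{MaliciousIp.MaliciousIp}`, and the account ID and IP addresses are documentation placeholders:

```python
"""Detection and triage for CloudTrail logging disruption from a malicious IP.

Added example, not Orca's code. SAMPLE_LOG is a constructed CloudTrail
log-file delivery; MALICIOUS_IPS is a placeholder for a threat-intel feed.
"""
import json

# Placeholder blocklist standing in for the {MaliciousIp.MaliciousIp} feed (assumption).
MALICIOUS_IPS = {"198.51.100.23"}

# CloudTrail API calls that delete or degrade logging. DeleteTrail is the one
# the alert describes; the others are common alternatives an attacker may use.
LOGGING_DISRUPTION_EVENTS = {"DeleteTrail", "StopLogging", "UpdateTrail", "PutEventSelectors"}

# Constructed sample in the shape CloudTrail delivers to S3: {"Records": [...]}.
# Account ID and IPs are documentation placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": None},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"}},
    # Failed attempt (errorCode present) from an internal address: not an alert.
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "sourceIPAddress": "10.0.0.5", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev"},
     "requestParameters": {"name": "org-trail"}},
    # Logging disruption from an address that is not on the blocklist: not this alert.
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops"},
     "requestParameters": {"name": "audit-trail"}},
    # Follow-on activity from the malicious IP after logging was disabled.
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"instanceType": "p3.16xlarge"}},
]})


def parse_records(log_text: str) -> list:
    """Parse a CloudTrail log-file body into its list of event records."""
    return json.loads(log_text).get("Records", [])


def find_logging_disruption(records, malicious_ips):
    """Return successful logging-disruption calls made from a malicious IP.

    CloudTrail includes an errorCode field only when the call failed, so its
    absence means the operation succeeded (the condition the alert requires).
    """
    alerts = []
    for r in records:
        if r.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if r.get("eventName") not in LOGGING_DISRUPTION_EVENTS:
            continue
        if r.get("sourceIPAddress") not in malicious_ips or "errorCode" in r:
            continue
        params = r.get("requestParameters") or {}
        alerts.append({
            "eventTime": r.get("eventTime"),
            "eventName": r["eventName"],
            "sourceIPAddress": r["sourceIPAddress"],
            "principal": (r.get("userIdentity") or {}).get("arn"),  # whose permissions to review
            "trail": params.get("name"),  # trail name or ARN passed to the API
        })
    return alerts


def activity_from_ip(records, ip):
    """Timeline of every event from the given IP, for triaging what else it did."""
    hits = [r for r in records if r.get("sourceIPAddress") == ip]
    return sorted(hits, key=lambda r: r.get("eventTime", ""))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for a in find_logging_disruption(recs, MALICIOUS_IPS):
        print("ALERT:", a)
    for e in activity_from_ip(recs, "198.51.100.23"):
        print(e["eventTime"], e["eventSource"], e["eventName"])
```

The `principal` field in each alert is the identity whose permissions the mitigation says to review, and `activity_from_ip` gives the timeline to check around the deletion (here reconnaissance with DescribeTrails, then DeleteTrail, then an EC2 launch once logging was off). Against a live account the same two functions can be run over records pulled from the surviving log files in S3 or from the 90-day event history.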