AN0801: Analytic 0801
Cloud API events where logging services are stopped, deleted, or modified in a way that disables audit visibility. Defender view: unauthorized StopLogging, DeleteTrail, or UpdateSink operations correlated with privileged user activity.
Analyst context for executives and security teams
This analytic matters because cloud audit logging is often the evidence trail executives, SOC teams, incident responders, and auditors rely on after a cloud incident. If logging services are stopped, deleted, or changed to reduce visibility, the organization may lose the ability to reconstruct privileged activity, prove control effectiveness, or make confident containment decisions.
Executive priority
Treat this as a cloud resilience and accountability control. Leaders should ask whether IaaS audit logging changes are monitored as high-priority events, whether privileged users can disable or alter logging without rapid review, and whether compliance evidence would still exist if a logging trail or sink were deleted or modified.
Technical view
For IaaS environments, validate monitoring for cloud API events involving logging service disablement or modification, specifically operations described by ATT&CK as StopLogging, DeleteTrail, and UpdateSink. Correlate these events with privileged user activity and review whether the actor, role, source, timing, and change context are expected. Because no official detection logic is provided, detection engineering should define local allowlists for approved logging administration and alert on unexpected changes that reduce audit visibility.
Likely telemetry
- Cloud control-plane API audit events
- Logging service configuration change events
- Privileged user, role, or service account activity
- Cloud identity authentication and session context
- Change management or administrative approval records
Detection direction
- Alert on stopped, deleted, or modified IaaS logging services where audit visibility is reduced.
- Correlate logging changes with privileged user activity, including role assumption or administrative sessions when available.
- Tune for legitimate maintenance, migration, or infrastructure-as-code changes, but require evidence of authorization.
- Watch for blind spots where the same logging source being changed is also the source needed to detect the change.
- Validate whether events are forwarded to an independent or protected destination so deletion or modification of a local trail does not erase evidence.
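The technical view and detection direction above describe a small rule set: recognize the operations that stop, delete, or weaken audit logging (StopLogging, DeleteTrail and UpdateTrail are AWS CloudTrail actions; UpdateSink and DeleteSink are Google Cloud Logging actions), correlate them with privileged identities, check a local allowlist plus change-control evidence, and call out the blind spot where the trail being changed is the one the SOC depends on. The following is an added example, not code from MITRE, ATT&CK, or Glexia. It assumes events have already been normalized from the provider's raw audit format into the small dict schema shown; the principals, trail names, allowlist entries and change tickets are constructed for the example.

```python
"""Flag cloud control-plane events that stop, delete, or weaken audit logging.

Added example (not MITRE's or Glexia's code). Assumes events are normalized to
the dict schema used in SAMPLE_EVENTS; all names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Operation name -> how it reduces audit visibility. StopLogging, DeleteTrail and
# UpdateTrail are AWS CloudTrail actions; UpdateSink and DeleteSink are Google
# Cloud Logging actions. Provider-qualified names (for example a dotted GCP
# method name) are reduced to their last segment before lookup.
TAMPER_OPS = {
    "StopLogging": "stop",
    "DeleteTrail": "delete",
    "UpdateTrail": "modify",
    "UpdateSink": "modify",
    "DeleteSink": "delete",
}

# Local allowlist (assumption): identities approved for logging administration.
# Approval alone is not enough; an approved change ticket must also be present.
APPROVED_LOG_ADMINS = {"role/LoggingAdmin"}
APPROVED_CHANGE_TICKETS = {"CHG-1042"}

# The trail(s) the SOC itself depends on (assumption). Changing one is a blind
# spot: the event proving the change may be the last one this source delivers,
# so the finding tells the analyst to confirm via the independent log copy.
SOC_PRIMARY_TRAILS = {"org-audit-trail"}


@dataclass
class Finding:
    event_id: str
    operation: str
    effect: str
    principal: str
    target: str
    severity: str
    reasons: list = field(default_factory=list)


def _short_op(name: str) -> str:
    """Reduce 'google.logging.v2.ConfigServiceV2.UpdateSink' to 'UpdateSink'."""
    return name.rsplit(".", 1)[-1]


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding if the event reduces audit visibility, else None."""
    op = _short_op(event["event_name"])
    effect = TAMPER_OPS.get(op)
    if effect is None:
        return None

    reasons = []
    principal = event["principal"]
    # Privileged context: an explicit flag or an assumed administrative role.
    if event.get("privileged", False) or event.get("assumed_role") is not None:
        reasons.append("privileged identity")
    approved_admin = principal in APPROVED_LOG_ADMINS
    if not approved_admin:
        reasons.append("identity not approved for logging administration")
    approved_ticket = event.get("change_ticket") in APPROVED_CHANGE_TICKETS
    if not approved_ticket:
        reasons.append("no approved change ticket")
    target = event["target"]
    if target in SOC_PRIMARY_TRAILS:
        reasons.append("targets SOC primary trail: verify via independent log copy")

    # A fully authorized change (approved admin + approved ticket) is still
    # recorded at low severity so it stays reviewable rather than silently dropped.
    if approved_admin and approved_ticket:
        severity = "low"
    elif effect in ("stop", "delete") or target in SOC_PRIMARY_TRAILS:
        severity = "critical"
    else:
        severity = "high"
    return Finding(event["event_id"], op, effect, principal, target, severity, reasons)


def scan(events) -> list:
    """Run evaluate() over a sequence of normalized events, keeping only findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events in the normalized schema (not real audit records).
SAMPLE_EVENTS = [
    {"event_id": "e1", "event_name": "DescribeTrails", "principal": "user/alice",
     "target": "org-audit-trail"},
    {"event_id": "e2", "event_name": "StopLogging", "principal": "user/alice",
     "assumed_role": "role/Admin", "target": "org-audit-trail"},
    {"event_id": "e3", "event_name": "UpdateTrail", "principal": "role/LoggingAdmin",
     "change_ticket": "CHG-1042", "target": "dev-trail"},
    {"event_id": "e4", "event_name": "google.logging.v2.ConfigServiceV2.UpdateSink",
     "principal": "sa/ci-deployer", "target": "security-sink"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity.upper(), f.event_id, f.operation, f.principal, f.target,
              "; ".join(f.reasons))
```

Run as a script it reports e2 as critical (privileged, unapproved, no ticket, and aimed at the SOC's own trail), e3 as a low-severity authorized change, and e4 as high; the read-only DescribeTrails call produces nothing. The allowlist, ticket set and primary-trail set are the local inputs the analyst notes say are required before this becomes precise detection content.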
Mitigation priorities
- Restrict who can stop, delete, or modify cloud audit logging services.
- Require change control and review for logging configuration changes.
- Protect audit destinations from alteration or deletion by the same identities that manage workloads.
- Maintain centralized or independent copies of audit logs where feasible.
- Regularly test whether logging disablement or deletion events are visible to SOC and incident response teams.
Analyst notes and limits
This object is a detection analytic for IaaS cloud environments focused on API events that disable or weaken audit visibility. The supplied ATT&CK fields provide example operation names and a defender correlation concept, but no full detection logic, tactics, or relationship context.
No official detection text, related techniques, groups, software, or mitigations were supplied. Local cloud provider implementation details, identity model, logging architecture, and approved administrative workflows are required to turn this into precise detection content.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b6b6fdc168c8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0801 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.