Skip to content

PutEventSelectors

AWS

PutEventSelectors

service: AWS - CloudTrail
techniques:

Event

Configures which API events (management or data, read/write) a CloudTrail trail records.

Security Context

  • Deleting or modifying audit logs destroys forensic evidence and prevents security teams from reconstructing the attack timeline.

Log Source

CloudTrail

Sample Event

Adversarial — defense impairment. Draco calls PutEventSelectors against the central fantasticlogs-org-trail to set IncludeManagementEvents: false and IncludeDataResources: []. After this, the trail records nothing — every subsequent management API call (privesc, data destruction, etc.) is invisible to the SOC. The PutEventSelectors call itself is the last thing logged. T1685.002.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T21:42:08Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T22:00:11Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "PutEventSelectors",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"trailName": "fantasticlogs-org-trail",
"eventSelectors": [
{
"readWriteType": "All",
"includeManagementEvents": false,
"dataResources": [],
"excludeManagementEventSources": []
}
]
},
"responseElements": {
"trailARN": "arn:aws:cloudtrail:us-east-1:555123456789:trail/fantasticlogs-org-trail",
"eventSelectors": [
{
"readWriteType": "All",
"includeManagementEvents": false,
"dataResources": [],
"excludeManagementEventSources": []
}
]
},
"requestID": "90000000-0000-4000-8000-000101101010",
"eventID": "90000000-0000-4000-8000-000101101011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...