PutEventSelectors
AWS
PutEventSelectors
Event
Configures which API events (management or data, read/write) a CloudTrail trail records.
Security Context
- Deleting or modifying audit logs destroys forensic evidence and prevents security teams from reconstructing the attack timeline.
Log Source
CloudTrail
Sample Event
Adversarial — defense impairment. Draco calls PutEventSelectors against the central fantasticlogs-org-trail to set IncludeManagementEvents: false and IncludeDataResources: []. After this, the trail records nothing — every subsequent management API call (privesc, data destruction, etc.) is invisible to the SOC. The PutEventSelectors call itself is the last thing logged. T1685.002.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T21:42:08Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T22:00:11Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "trailName": "fantasticlogs-org-trail", "eventSelectors": [ { "readWriteType": "All", "includeManagementEvents": false, "dataResources": [], "excludeManagementEventSources": [] } ] }, "responseElements": { "trailARN": "arn:aws:cloudtrail:us-east-1:555123456789:trail/fantasticlogs-org-trail", "eventSelectors": [ { "readWriteType": "All", "includeManagementEvents": false, "dataResources": [], "excludeManagementEventSources": [] } ] }, "requestID": "90000000-0000-4000-8000-000101101010", "eventID": "90000000-0000-4000-8000-000101101011", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...