From f1ce6ba6ad776d9128fc7da55570031737729fd9 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 29 Jan 2020 20:22:34 +0100 Subject: [PATCH] Lowering level Lowering level to medium for events that can have a legitimate cause --- rules/cloud/aws_cloudtrail_disable_logging.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/cloud/aws_cloudtrail_disable_logging.yml b/rules/cloud/aws_cloudtrail_disable_logging.yml index c09c1938..d399a1e8 100644 --- a/rules/cloud/aws_cloudtrail_disable_logging.yml +++ b/rules/cloud/aws_cloudtrail_disable_logging.yml @@ -6,7 +6,7 @@ description: Detects disabling, deleting and updating of a Trail references: - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html logsource: - service: CloudTrail + service: cloudtrail detection: selection_source: - eventSource: cloudtrail.amazonaws.com @@ -16,8 +16,8 @@ detection: - UpdateTrail - DeleteTrail condition: selection_source AND events -level: high +level: medium falsepositives: - Valid change in a Trail tags: - - attack.t1089 \ No newline at end of file + - attack.t1089
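
Review bot: The logsource change in the first hunk (`service: CloudTrail` to `service: cloudtrail`) is not covered by the commit message, which only describes lowering the level. Anything that matches on the logsource service string sees this case change, so it should either be named in the commit message or go in its own commit. The visible logsource block also carries only a `service` key; adding a `product` key alongside it would scope the rule more clearly.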
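
Review bot: In the second hunk, `level: medium` now applies to every event name in the list under one condition (`selection_source AND events`), but the stated reason, a legitimate cause, fits `UpdateTrail` much better than `DeleteTrail`. The `falsepositives` entry ("Valid change in a Trail") likewise describes an update rather than a deletion. Consider splitting the rule so that trail updates are rated medium while deleting or disabling a trail keeps `level: high`, or extend `falsepositives` to say when a deletion is expected, so that the lower severity is justified for each event.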