diff --git a/include/check3x b/include/check3x
index 6809ed9e..5b75d315 100644
--- a/include/check3x
+++ b/include/check3x
@@ -15,11 +15,12 @@ check3x(){
 local CHECK_CROSS_ACCOUNT_WARN
 DESCRIBE_TRAILS_CACHE=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION")
- CLOUDWATCH_GROUPS=$(echo $DESCRIBE_TRAILS_CACHE | jq -r '.trailList[]|@base64')
+ TRAIL_LIST=$(echo $DESCRIBE_TRAILS_CACHE | jq -r '.trailList[]|@base64')
 CURRENT_ACCOUNT_ID=$($AWSCLI sts $PROFILE_OPT get-caller-identity --region "$REGION" --query Account --output text)
+ CLOUDWATCH_LOGGROUP=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region "$REGION" --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text| tr '\011' '\012' | awk -F: '{print $7}')
- if [[ $CLOUDWATCH_GROUPS != "" ]]; then
- for group_obj_enc in $CLOUDWATCH_GROUPS; do
+ if [[ $CLOUDWATCH_LOGGROUP != "" ]]; then
+ for group_obj_enc in $TRAIL_LIST; do
 group_obj_raw=$(echo $group_obj_enc | decode_report)
 CLOUDWATCH_LOGGROUP_NAME=$(echo $group_obj_raw | jq -r '.CloudWatchLogsLogGroupArn|split(":")[6]')
 CLOUDWATCH_LOGGROUP_REGION=$(echo $group_obj_raw | jq -r '.CloudWatchLogsLogGroupArn|split(":")[3]')
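Review bot: The new `CLOUDWATCH_LOGGROUP` guard only establishes that at least one trail has a log group, while the loop still walks every entry of `TRAIL_LIST`, so in a mixed account a trail with no `CloudWatchLogsLogGroupArn` reaches the two `split(":")` calls with a null value and leaves `CLOUDWATCH_LOGGROUP_NAME` and `CLOUDWATCH_LOGGROUP_REGION` empty. The loop body continues outside the hunk, so whether that case is handled further down cannot be confirmed from here; if it is not, a per-trail test at the top of the loop would keep the audit result accurate. The guard also issues a second `describe-trails` call even though the response is already in `DESCRIBE_TRAILS_CACHE`, which costs an API round trip and lets the guard and the loop see different snapshots. Deriving it from the cache avoids both: `CLOUDWATCH_LOGGROUP=$(echo $DESCRIBE_TRAILS_CACHE | jq -r '.trailList[].CloudWatchLogsLogGroupArn // empty | split(":")[6]')`. It would also help if a failed `describe-trails` (for example, missing permission) were reported as an error rather than falling through as "no log group", since the empty string is ambiguous here.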