IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« AWS CloudTrail Log Deleted AWS EC2 Flow Log Deletion »

› ›

AWS CloudWatch Alarm Deletion

edit

AWS CloudWatch Alarm Deletion

edit

Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.

Rule type: query

Rule indices:

filebeat-*
logs-aws*

Severity: medium

Risk score: 47

Runs every: 10m

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Cloud
AWS
Continuous Monitoring
SecOps
Monitoring

Version: 7

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

## Config

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule query

edit

event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
Sub-technique:
- Name: Disable or Modify Tools
- ID: T1562.001
- Reference URL: https://attack.mitre.org/techniques/T1562/001/

« AWS CloudTrail Log Deleted AWS EC2 Flow Log Deletion »