security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1ce072a4e58238d94deae33ff8de25458ac129d5
sigma-rules/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
T
Isai 534d302758 [Rule Tunings] AWS CloudWatch Deletion Rules (#5316) 
Noticed some false positives in alert telemetry leading to high alert volume. For all 3 rules I've added `source.ip:*` and excluded `user_agent.original: AWS Internal` to reduce noise from internal AWS services and backend API calls made on a user's behalf. These rules will instead stay focused on direct SDK/CLI triggered API calls.

- reduced execution window
- updated description, false positive and investigation guide sections
- added highlighted fields
- udpated tags and MITRE mapping
2025-11-24 10:49:17 -05:00

203 lines
8.1 KiB
TOML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
[metadata]
creation_date = "2020/05/18"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/13"
[rule]
author = ["Elastic"]
description = """
Detects the deletion of an Amazon CloudWatch Log Group using the "DeleteLogGroup" API. CloudWatch log groups store
operational and security logs for AWS services and custom applications. Deleting a log group permanently removes all
associated log streams and historical log data, which can eliminate forensic evidence and disrupt security monitoring
pipelines. Adversaries may delete log groups to conceal malicious activity, disable log forwarding, or impede incident
response.
"""
false_positives = [
"""
CloudWatch log group deletions may occur during normal maintenance or infrastructure re-deployments, especially in
environments managed by IaC tools (e.g., Terraform, CloudFormation, CDK). Automation pipelines may recreate log
groups as part of expected workflows. Verify that the identity, user agent, and source IP match approved
administrative or automation activity. If deletions are routine for specific automation roles or CI/CD hosts,
consider adding scoped exceptions.
""",
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudWatch Log Group Deletion"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
> While every effort has been made to ensure its quality, validate and adapt it to your operational context.
### Investigating AWS CloudWatch Log Group Deletion
CloudWatch Logs is foundational to AWS observability, SIEM ingestion, audit pipelines, and incident response.
Log groups often contain retention-critical logs such as:
- VPC Flow Logs
- Lambda function logs
- Application and container logs
- Security service logs (e.g., AWS WAF, RDS logs)
Deletion of a log group removes all historical log streams and cannot be reversed.
Adversaries may leverage `DeleteLogGroup` to impair forensic visibility, disrupt monitoring, and hide evidence following malicious actions. This rule detects a successful `DeleteLogGroup` event initiated from a nonAWS Internal user agent, signalling potential defense evasion or disruption of logging pipelines.
#### Possible investigation steps
**Identify the actor**
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.
- Determine whether this identity normally modifies CloudWatch Logs or is associated with automation.
**Review deletion details**
- Inspect `aws.cloudtrail.request_parameters` or `target.entity.id` to determine the exact log group deleted.
- Assess whether the log group provided visibility into:
- CloudTrail processing,
- Network flows (VPC Flow Logs),
- Serverless/application security logs,
- Lambda, ECS, EKS, or container workload logs.
**Check source and context**
- Assess `source.ip` for unusual IPs, geolocations, VPN endpoints, or cloud provider ranges unfamiliar to your environment.
- Review `user_agent.original` for unexpected tools (custom agents, unusual SDKs, attackers using CLI default agents).
**Correlate with surrounding activity**
Look for preceding or subsequent CloudTrail events such as:
- `StopLogging`, `DeleteTrail`, or CloudTrail configuration changes
- IAM permission escalations (e.g., `PutUserPolicy`, `AttachRolePolicy`)
- Security service suppression actions (e.g., GuardDuty detector deletion)
- Lambda or application configuration updates that may indicate a compromise
If the deleted log group was associated with a Lambda execution role, review for suspicious code updates or rogue deployments.
**Assess business or security impact**
- Identify whether the deleted log group fed:
- SIEM ingestion
- Security analytics pipelines
- Compliance/audit logs
- Operational monitoring or alerting
- Contact the service owner or development team to verify whether the deletion was intentional.
**Determine compromise scope if malicious**
- Use CloudTrail to identify prior activity by the same user identity or IP.
- Examine authentication events (IAM, STS) for signs of stolen credentials or session hijacking.
- Identify resources or applications dependent on the deleted logging pipeline.
### False positive analysis
- **IaC-managed environments**: Tools like Terraform or CloudFormation may delete and recreate log groups during deployments.
- **Automated cleanup jobs**: Some environments use automated retention cleanup workflows.
- **Ephemeral testing accounts**: Development/testing accounts frequently create and destroy log groups.
To tune noise:
- Add exceptions for specific automation IAM roles or trusted source IPs.
- Require `user_agent.original` and `source.ip` conditions for baseline-based tuning.
### Response and remediation
**Containment**
- Immediately recreate the deleted log group (if appropriate) using IaC or CloudWatch Console.
- Restrict the IAM identity that performed the deletion until the activity is validated.
- Enable or confirm CloudTrail logging in all regions to maintain broader visibility.
**Investigation**
- Review CloudTrail activity for:
- privilege escalation attempts,
- IAM role modifications,
- security service tampering (CloudTrail, Config, GuardDuty).
- Correlate with alerts from other services (GuardDuty, Security Hub, SIEM detections).
**Recovery and hardening**
- Enforce least privilege on `logs:DeleteLogGroup`.
- Configure AWS Config rules to alert on missing or modified log groups.
- Implement log group retention policies and IAM SCP guardrails to prevent unauthorized deletion.
- Document log group ownership and expected lifecycle management.
### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
"https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html",
]
risk_score = 47
rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Data Source: Amazon CloudWatch",
"Use Case: Log Auditing",
"Resources: Investigation Guide",
"Tactic: Defense Evasion",
"Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset: "aws.cloudtrail"
and event.provider: "logs.amazonaws.com"
and event.action: "DeleteLogGroup"
and event.outcome: "success"
and source.ip: *
and not user_agent.original : "AWS Internal"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.investigation_fields]
field_names = [
"@timestamp",
"user.name",
"user_agent.original",
"source.ip",
"aws.cloudtrail.user_identity.arn",
"aws.cloudtrail.user_identity.type",
"aws.cloudtrail.user_identity.access_key_id",
"target.entity.id",
"event.action",
"event.outcome",
"cloud.account.id",
"cloud.region",
"aws.cloudtrail.request_parameters",
]
Reference in New Issue View Git Blame Copy Permalink