sigma-rules/rules/aws/impact_cloudwatch_log_stream_deletion.toml

[metadata]
creation_date = "2020/05/20"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/20"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events
with the stream.
"""
false_positives = [
    """
    A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
    should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be
    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-20m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS CloudWatch Log Stream Deletion"
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
    "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html",
]
risk_score = 47
rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
severity = "medium"
tags = ["AWS", "Elastic"]
type = "query"

query = '''
event.action:DeleteLogStream and event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1089"
name = "Disabling Security Tools"
reference = "https://attack.mitre.org/techniques/T1089/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"