AWS CloudWatch log group deleted

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a CloudWatch Log Group is deleted.

Strategy

Detect a successful @evt.name:DeleteLogGroup event.

Triage and response

  1. Ensure that the {{@requestParameters.logGroupName}} log group is not used for auditing or security purposes.
  2. If it is then:
    • Ensure that the user: {{@userIdentity.session_name}} should be making this API call to your {{env}} environment.
    • Consider adding to the allowlist the log group name: {{@requestParameters.logGroupName}} through a suppression list.
  3. If not, begin your company’s IR process and investigate.

Changelog

11 October 2022 - updated severity.