AWS CloudWatch log group deleted

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a CloudWatch Log Group is deleted.

Strategy

Detect a successful @evt.name:DeleteLogGroup event.

Triage and response

  1. Ensure that the {{@requestParameters.logGroupName}} log group is not used for auditing or security purposes.
  2. If it is then:
    • Ensure that the user: {{@userIdentity.session_name}} should be making this API call to your {{env}} environment.
    • Consider adding to the allowlist the log group name: {{@requestParameters.logGroupName}} through a suppression list.
  3. If not, begin your company’s IR process and investigate.

Changelog

11 October 2022 - updated severity.