AWS VPC Flow Log deleted

Classification:

attack

Tactic:

Technique:

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when one or more AWS VPC Flow Log are deleted.

Monitor CloudTrail and detect when AWS VPC FLow Logs are deleted by calling the DeleteFlowLogs API.

Determine if the API call: {{@evt.name}} should have occurred.
If the action was legitimate, consider allowing the invoking service: {{@userIdentity.invokedBy}}, user: {{@userIdentity.arn}}, or other appropriate attribute through a suppression list.
If it shouldn’t have been made:
- Contact the user: {{@userIdentity.arn}} and see if they made the API call.
If the API call was not made by the user:
- Rotate the user credentials.
- Determine what other API calls were made with the old credentials that were not made by the user.