---
title: AWS EventBridge rule disabled or deleted
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > AWS EventBridge rule disabled or
  deleted
---

# AWS EventBridge rule disabled or deleted
Classification:attackTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1089-disabling-security-tools](https://attack.mitre.org/techniques/T1089) 
## Goal{% #goal %}

Detect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.

## Strategy{% #strategy %}

This rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:

- [DeleteRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html)
- [DisableRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html)

## Triage and response{% #triage-and-response %}

1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.
1. Contact the user to see if they intended to make this API call.
1. If the user did not make the API call:
   - Rotate the credentials.
   - Investigate if the same credentials made other unauthorized API calls.

**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise](https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise) blog.

## Changelog{% #changelog %}

4 April 2022 - Updated rule query, options, and signal markdown.