
AWS FlowLogs removed

cloudtrail

Classification:

attack

Tactic:

Technique:

Goal

Detect when an attacker removes a FlowLogs collector, which ends network traffic logging for the VPC, subnet, or network interface that collector covered.

Strategy

This rule lets you monitor this EC2 API call:

Triage and response

  1. Determine if arn: {{@userIdentity.arn}} should make this API call.
  2. Contact the user to see if they intended to make this API call.
  3. If the user did not make the API call:
  • Rotate the credentials.
  • Investigate whether the same credentials made other unauthorized API calls.
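The detection and the first triage questions, as an added example that is not Datadog's rule code: it matches CloudTrail records against the EC2 call assumed here to be the one the rule watches, `DeleteFlowLogs` (the EC2 action that removes a flow log; the page does not name the call, so treating it as the watched event is this example's assumption), builds a signal carrying `userIdentity.arn` and the targeted flow log IDs, and then lists every other call made by the same ARN. The CloudTrail records are constructed for this example; their `requestParameters` shape follows CloudTrail's encoding of EC2 list parameters (one `{"tag","content"}` object for a single value, a list of them for several), and the record names, ARNs and flow log IDs are invented.

```python
"""Added example (not Datadog's rule code): detect flow log deletion in
CloudTrail records and run the triage questions over the same batch.

Assumptions made for this example:
  * the rule watches eventSource "ec2.amazonaws.com" with
    eventName "DeleteFlowLogs" (the EC2 action that removes a flow log);
  * the sample records below are constructed, not captured from an account.
"""
from __future__ import annotations

import json

WATCHED_EVENT_SOURCE = "ec2.amazonaws.com"
WATCHED_EVENT_NAME = "DeleteFlowLogs"

# Constructed CloudTrail records, one JSON object per line, trimmed to the
# fields the detection and triage use. The ARNs and flow log IDs are invented.
SAMPLE_CLOUDTRAIL = r"""
{"eventTime":"2022-04-04T10:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeFlowLogs","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{}}
{"eventTime":"2022-04-04T10:02:00Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteFlowLogs","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"DeleteFlowLogsRequest":{"FlowLogId":{"tag":1,"content":"fl-0123456789abcdef0"}}}}
{"eventTime":"2022-04-04T10:03:00Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteFlowLogs","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-deploy/session"},"errorCode":"Client.UnauthorizedOperation","requestParameters":{"DeleteFlowLogsRequest":{"FlowLogId":[{"tag":1,"content":"fl-0fedcba9876543210"},{"tag":2,"content":"fl-00112233445566778"}]}}}
{"eventTime":"2022-04-04T10:04:00Z","eventSource":"ec2.amazonaws.com","eventName":"StopInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{}}
{"eventTime":"2022-04-04T10:05:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{}}
"""


def parse_records(text: str) -> list[dict]:
    """Parse newline-delimited CloudTrail JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_flow_log_deletion(record: dict) -> bool:
    """The rule's match condition: the assumed EC2 flow log deletion call."""
    return (record.get("eventSource") == WATCHED_EVENT_SOURCE
            and record.get("eventName") == WATCHED_EVENT_NAME)


def flow_log_ids(record: dict) -> list[str]:
    """Extract the targeted flow log IDs from requestParameters.

    CloudTrail renders an EC2 list parameter as a single {"tag","content"}
    object when one value was sent and as a list of them otherwise, so both
    shapes are normalised to a plain list of IDs.
    """
    params = record.get("requestParameters") or {}
    ids = params.get("DeleteFlowLogsRequest", {}).get("FlowLogId", [])
    if isinstance(ids, dict):
        ids = [ids]
    return [entry["content"] for entry in ids]


def build_signal(record: dict) -> dict:
    """Build a signal like the rule's, keyed on userIdentity.arn.

    A record carrying errorCode is a failed attempt: the collector still
    exists, but the attempt itself is worth a look during triage.
    """
    arn = (record.get("userIdentity") or {}).get("arn", "<unknown>")
    ids = flow_log_ids(record)
    succeeded = "errorCode" not in record
    verb = "deleted" if succeeded else "attempted to delete"
    return {
        "arn": arn,
        "flow_log_ids": ids,
        "succeeded": succeeded,
        "error_code": record.get("errorCode"),
        "event_time": record.get("eventTime"),
        "message": f"{arn} {verb} flow logs {', '.join(ids)}",
    }


def detect(records: list[dict]) -> list[dict]:
    """Run the match over a batch and emit one signal per matching record."""
    return [build_signal(r) for r in records if is_flow_log_deletion(r)]


def other_calls_by_arn(records: list[dict], arn: str) -> list[str]:
    """Triage step: every other API call the same identity made, in order.

    Returns "eventSource:eventName" strings so that calls outside EC2 (here a
    CloudTrail StopLogging) stand out next to the flow log deletion.
    """
    return [
        f"{r.get('eventSource')}:{r.get('eventName')}"
        for r in records
        if (r.get("userIdentity") or {}).get("arn") == arn
        and not is_flow_log_deletion(r)
    ]


if __name__ == "__main__":
    batch = parse_records(SAMPLE_CLOUDTRAIL)
    for signal in detect(batch):
        print(signal["message"])
        print("  other calls by this ARN:", other_calls_by_arn(batch, signal["arn"]))
```

Running the module prints one line per matching record followed by the other calls the same ARN made; in the constructed batch the successful deletion by `user/alice` is followed by a `cloudtrail.amazonaws.com:StopLogging`, which is exactly the kind of follow-on call step 3 of the triage asks you to look for.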

Changelog

4 April 2022 - Rule query and signal message updated.