
Summary
This analytic rule detects the deletion of CloudWatch log groups in AWS by monitoring `DeleteLogGroup` events recorded in CloudTrail logs. It alerts only on deletions that succeeded and that were not performed through the AWS Management Console; console-initiated deletions are excluded to reduce noise from routine administration. Deleting a log group is a direct way to impair logging and monitoring: it destroys the evidence of what ran in that account before and after the deletion, so it often precedes or follows other malicious activity. If an unauthorized deletion is confirmed, treat it as an active defense-evasion attempt and expect the investigation of related activity in the account to be harder because those logs are gone. Note that the console exclusion also means a deletion made from a compromised console session will not trigger this rule, so tune that exclusion to your environment.
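The rule's matching logic, applied offline to a few constructed CloudTrail records, as an added example that is not the rule's own search or any project code. It assumes raw CloudTrail JSON (a `{"Records": [...]}` file body) rather than a SIEM's normalized fields, and it tests "successful" as the absence of `errorCode`, since CloudTrail omits that field when an API call succeeds; a SIEM may instead normalize it to a value. The user-agent string `console.amazonaws.com`, the function names and all sample records (account IDs, ARNs, IPs, log group names) are constructed for illustration.

```python
"""Offline check of the DeleteLogGroup detection logic against constructed
CloudTrail records (example code, not the detection's own search)."""
import json

# Constructed sample CloudTrail records (not real data). Only the fields the
# rule needs plus a few that help triage are populated.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # 1. CLI deletion that succeeded: no errorCode field -> should alert
        "eventTime": "2024-11-14T10:15:00Z",
        "eventSource": "logs.amazonaws.com",
        "eventName": "DeleteLogGroup",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"logGroupName": "/aws/lambda/payments-api"},
    },
    {   # 2. Same deletion from the Management Console -> excluded by the rule
        "eventTime": "2024-11-14T10:16:00Z",
        "eventSource": "logs.amazonaws.com",
        "eventName": "DeleteLogGroup",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"logGroupName": "/aws/lambda/orders-api"},
    },
    {   # 3. Denied attempt: errorCode present, the log group still exists
        "eventTime": "2024-11-14T10:17:00Z",
        "eventSource": "logs.amazonaws.com",
        "eventName": "DeleteLogGroup",
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: logs:DeleteLogGroup",
        "userAgent": "Boto3/1.34.0 Python/3.12.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"},
        "sourceIPAddress": "192.0.2.25",
        "requestParameters": {"logGroupName": "/aws/lambda/auth"},
    },
    {   # 4. Read-only call on the same service -> irrelevant to the rule
        "eventTime": "2024-11-14T10:18:00Z",
        "eventSource": "logs.amazonaws.com",
        "eventName": "DescribeLogGroups",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
    },
]})

# User agent CloudTrail records for Management Console activity (assumed value).
CONSOLE_USER_AGENT = "console.amazonaws.com"


def is_log_group_deletion(record: dict, include_console: bool = False) -> bool:
    """Rule logic for one CloudTrail record: DeleteLogGroup on the CloudWatch
    Logs service that succeeded and, unless include_console is set, was not
    made through the console."""
    if record.get("eventSource") != "logs.amazonaws.com":
        return False
    if record.get("eventName") != "DeleteLogGroup":
        return False
    # CloudTrail only sets errorCode on failure (AccessDenied, etc.), so a
    # record without it is a successful, completed deletion.
    if "errorCode" in record:
        return False
    if not include_console and record.get("userAgent") == CONSOLE_USER_AGENT:
        return False
    return True


def find_log_group_deletions(cloudtrail_json: str, include_console: bool = False) -> list:
    """Parse a CloudTrail log file body and return one triage-ready summary
    per matching record. include_console=True drops the rule's console
    exclusion, e.g. when a console session is suspected of being compromised."""
    records = json.loads(cloudtrail_json).get("Records", [])
    hits = []
    for rec in records:
        if not is_log_group_deletion(rec, include_console):
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            "log_group": rec.get("requestParameters", {}).get("logGroupName"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_log_group_deletions(SAMPLE_CLOUDTRAIL):
        print(f"ALERT {hit['time']} {hit['actor']} from {hit['source_ip']} "
              f"deleted {hit['log_group']} via {hit['user_agent']}")
```

Run against the sample, only record 1 fires: record 2 is suppressed by the console exclusion, record 3 failed with `AccessDenied`, and record 4 is not a deletion. Re-running with `include_console=True` also surfaces record 2, which is the knob to reach for when the console exclusion is not acceptable in your environment.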
Categories
- Cloud
- AWS
- Infrastructure
Data Sources
- Cloud Storage
- Cloud Service
- Application Log
ATT&CK Techniques
- T1562
- T1562.008
Created: 2024-11-14