
Summary
This detection rule identifies the deletion of AWS CloudWatch alarms through the `DeleteAlarms` API action. Attackers may delete alarms to evade detection and cover their tracks, which poses a significant risk to cloud security. The rule monitors the `aws.cloudtrail` dataset for successful delete operations on alarm configurations within the last 60 minutes. Investigative steps include verifying the user's activity, confirming that the actions performed were legitimate, and checking with the resource owners. Potential false positives should be evaluated by examining the context of the changes and identifying any routine user behavior that may have triggered the alert. Suggested responses when this rule triggers include initiating incident response protocols, disabling suspicious accounts, and conducting a thorough assessment of any possible impact, including lateral movement and credential exposure. Remediation guidance also recommends applying security best practices to harden the configuration of ongoing cloud operations.
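The detection logic the summary describes, as an added example that is not part of this rule's own query: it scans CloudTrail records for successful `DeleteAlarms` calls against the CloudWatch API inside a 60-minute window. The sample events and the `now` timestamp are constructed; treating the absence of `errorCode` as a successful call is an assumption about how CloudTrail marks outcome.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records (not real account data). The fields
# used are the ones a CloudTrail record carries: eventSource, eventName,
# eventTime, errorCode (only present on failed calls), userIdentity.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "monitoring.amazonaws.com",
     "eventName": "DeleteAlarms",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"alarmNames": ["cpu-high", "root-login"]}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "monitoring.amazonaws.com",
     "eventName": "DeleteAlarms", "errorCode": "AccessDenied",  # failed call
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"alarmNames": ["disk-full"]}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "monitoring.amazonaws.com",
     "eventName": "DescribeAlarms",  # read-only, not a deletion
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T07:00:00Z", "eventSource": "monitoring.amazonaws.com",
     "eventName": "DeleteAlarms",  # successful, but outside the 60-minute window
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/old-automation"},
     "requestParameters": {"alarmNames": ["stale-alarm"]}},
]


def _parse_time(ts: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_alarm_deletions(events, now_iso: str, window=timedelta(minutes=60)):
    """Return successful CloudWatch DeleteAlarms calls within `window` before `now_iso`.

    Mirrors the rule: dataset aws.cloudtrail, CloudWatch API, DeleteAlarms,
    successful outcome (assumed: no errorCode), last 60 minutes.
    """
    now = _parse_time(now_iso)
    hits = []
    for ev in events:
        if ev.get("eventSource") != "monitoring.amazonaws.com":
            continue  # CloudWatch alarm APIs are logged under this eventSource
        if ev.get("eventName") != "DeleteAlarms":
            continue
        if "errorCode" in ev:
            continue  # the rule only fires on successful deletions
        t = _parse_time(ev["eventTime"])
        if not (now - window <= t <= now):
            continue
        hits.append({
            "time": ev["eventTime"],
            "actor": ev.get("userIdentity", {}).get("arn", "<unknown>"),
            "alarms": ev.get("requestParameters", {}).get("alarmNames", []),
        })
    return hits
```

Each hit carries the actor ARN and the deleted alarm names, which is what the triage steps above (verify the user, confirm with the resource owner) need first.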
Categories
- Cloud
- AWS
Data Sources
- Cloud Service
- Logon Session
ATT&CK Techniques
- T1562
- T1562.001
Created: 2020-06-15