author: Bhavin Patel, Gowthamaraj Rajendran, Splunk, PashFW, Github Community
6
6
status: production
7
7
type: TTP
8
-
description: The following analytic detects attempts to delete critical AWS security
9
-
service configurations, such as CloudWatch alarms, GuardDuty detectors, and Web
10
-
Application Firewall rules. It leverages CloudTrail logs to identify specific API
8
+
description: The following analytic detects attempts to impair or disable AWS security services by monitoring specific deletion operations across GuardDuty, AWS WAF (classic and v2), CloudWatch, Route 53, and CloudWatch Logs. These actions include deleting detectors, rule groups, IP sets, web ACLs, logging configurations, alarms, and log streams. Adversaries may perform such operations to evade detection or remove visibility from defenders. By explicitly pairing eventName values with their corresponding eventSource services, this detection reduces noise and ensures that only security-related deletions are flagged. It leverages CloudTrail logs to identify specific API
11
9
calls like "DeleteLogStream" and "DeleteDetector." This activity is significant
12
10
because it indicates potential efforts to disable security monitoring and evade
13
11
detection. If confirmed malicious, this could allow attackers to operate undetected,
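Review bot: the rewritten description (new line 8) still promises coverage of CloudWatch alarms and CloudWatch Logs log streams, and the unchanged continuation on line 9 still cites "DeleteLogStream" as an example API call, but the new search in the following hunk no longer matches DeleteAlarms or DeleteLogStream at all. Either restore those two eventName values in the search with matching eventSource clauses for CloudWatch and CloudWatch Logs, or drop CloudWatch, CloudWatch Logs, alarms and log streams from the description so the text describes only what the detection actually fires on. As a style point, the new description is one very long line while every other field in the file is wrapped at roughly 85 columns; wrapping it the same way keeps future diffs readable.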
@@ -22,14 +20,17 @@ data_source:
22
20
- AWS CloudTrail DeleteRuleGroup
23
21
- AWS CloudTrail DeleteLoggingConfiguration
24
22
- AWS CloudTrail DeleteAlarms
25
-
search: '`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms")
23
+
search: |
24
+
`cloudtrail`
25
+
(eventName="DeleteDetector" AND eventSource="guardduty.amazonaws.com") OR ( eventName IN ("DeleteIPSet", "DeleteWebACL", "DeleteRuleGroup", "DeleteRule") AND eventSource IN ("guardduty.amazonaws.com", "wafv2.amazonaws.com", "waf.amazonaws.com") ) OR ( eventName="DeleteLoggingConfiguration" AND eventSource IN ("wafv2.amazonaws.com", "waf.amazonaws.com", "route53.amazonaws.com") )
26
26
| rename user_name as user
27
27
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product
how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in
30
32
your AWS Environment.
31
-
known_false_positives: While this search has no known false positives, it is possible
32
-
that it is a legitimate admin activity. Please consider filtering out these noisy
33
+
known_false_positives: Legitimate administrators may occasionally delete GuardDuty detectors, WAF rule groups, or CloudWatch alarms during environment reconfiguration, migration, or decommissioning activities. In such cases, these events are expected and benign. These should be validated against approved change tickets or deployment pipelines to differentiate malicious activity from normal operations. Please consider filtering out these noisy
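Review bot: the new search (new lines 24-25) drops DeleteAlarms and DeleteLogStream, both of which the removed single-line search (old line 25) matched, yet the unchanged data_source list still carries "AWS CloudTrail DeleteAlarms" (line 22) and the rewritten known_false_positives still describes administrators deleting CloudWatch alarms. Either add those eventName values back with their own eventSource pairings, or remove the DeleteAlarms data source entry and the CloudWatch alarm wording so the metadata matches the query. Separately, because the scalar changed from a single-quoted string to a `|` block, confirm that the `'` which closed the old string on a later line outside this hunk was removed, otherwise a stray quote ends up in the SPL. Minor: the new known_false_positives line keeps the old trailing fragment "Please consider filtering out these noisy"; re-read the whole paragraph after the split to make sure it still joins cleanly with the unchanged next line.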