AWS EventBridge Rule Disabled or Deleted

 1[metadata]
 2creation_date = "2021/10/17"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2025/01/15"
 6
 7[rule]
 8author = ["Austin Songer"]
 9description = """
10Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of
11visibility in applications or a break in the flow with other AWS services.
12"""
13false_positives = [
14    """
15    EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user
16    agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by
17    unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the
18    rule.
19    """,
20]
21from = "now-20m"
22index = ["filebeat-*", "logs-aws.cloudtrail-*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS EventBridge Rule Disabled or Deleted"
26note = """## Triage and analysis
27
28> **Disclaimer**:
29> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
30
31### Investigating AWS EventBridge Rule Disabled or Deleted
32
33AWS EventBridge is a serverless event bus service that enables applications to respond to changes in data. Disabling or deleting rules can disrupt event-driven workflows, potentially masking malicious activities. Adversaries might exploit this by halting security alerts or data flows. The detection rule monitors successful disable or delete actions on EventBridge rules, flagging potential misuse that could impact system visibility and integrity.
34
35### Possible investigation steps
36
37- Review the CloudTrail logs to identify the user or role associated with the DeleteRule or DisableRule action by examining the user identity information in the event logs.
38- Check the event time and correlate it with other activities in the AWS account to determine if there are any related suspicious actions or patterns.
39- Investigate the specific EventBridge rule that was disabled or deleted to understand its purpose and the potential impact on workflows or security monitoring.
40- Assess the permissions and roles of the user who performed the action to determine if they had legitimate access and reasons for modifying the EventBridge rule.
41- Look for any recent changes in IAM policies or roles that might have granted new permissions to the user or role involved in the action.
42- Contact the user or team responsible for the action to verify if the change was intentional and authorized, and document their response for future reference.
43
44### False positive analysis
45
46- Routine maintenance or updates by administrators can lead to the disabling or deletion of EventBridge rules. To manage this, create exceptions for known maintenance windows or specific user actions that are documented and approved.
47- Automated scripts or tools used for infrastructure management might disable or delete rules as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific user or role identifiers.
48- Testing environments often involve frequent changes to EventBridge rules, including disabling or deleting them. Exclude actions within these environments by filtering based on environment tags or specific resource identifiers.
49- Scheduled tasks that involve disabling rules temporarily for performance reasons can be a source of false positives. Document these schedules and configure the detection rule to ignore actions during these periods.
50- Changes made by trusted third-party services or integrations that manage EventBridge rules should be reviewed and, if deemed non-threatening, excluded by identifying the service accounts or API keys used.
51
52### Response and remediation
53
54- Immediately re-enable or recreate the disabled or deleted EventBridge rule to restore the intended event-driven workflows and ensure continuity of operations.
55- Conduct a review of CloudTrail logs to identify the user or service account responsible for the action, and verify if the action was authorized and legitimate.
56- If unauthorized activity is detected, revoke access for the compromised account and initiate a password reset or key rotation for the affected credentials.
57- Notify the security operations team to assess the potential impact on system visibility and integrity, and to determine if further investigation is required.
58- Implement additional monitoring and alerting for changes to EventBridge rules to detect similar activities in the future.
59- Escalate the incident to the incident response team if there is evidence of malicious intent or if the activity aligns with known threat patterns, such as those described in MITRE ATT&CK technique T1489 (Service Stop).
60- Review and update IAM policies to ensure that only authorized users have the necessary permissions to modify EventBridge rules, reducing the risk of unauthorized changes.
61
62## Setup
63
64The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
65references = [
66    "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html",
67    "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html",
68]
69risk_score = 21
70rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4"
71severity = "low"
72tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact", "Resources: Investigation Guide"]
73timestamp_override = "event.ingested"
74type = "query"
75
76query = '''
77event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and
78event.outcome:success
79'''
80
81
82[[rule.threat]]
83framework = "MITRE ATT&CK"
84[[rule.threat.technique]]
85id = "T1489"
86name = "Service Stop"
87reference = "https://attack.mitre.org/techniques/T1489/"
88
89
90[rule.threat.tactic]
91id = "TA0040"
92name = "Impact"
93reference = "https://attack.mitre.org/tactics/TA0040/"