AWS EventBridge Rule Disabled or Deleted

Identifies when an Amazon EventBridge rule is disabled or deleted. EventBridge rules are commonly used to automate operational workflows and security-relevant routing (for example, forwarding events to Lambda, SNS/SQS, or security tooling). Disabling or deleting a rule can break critical integrations, suppress detections, and reduce visibility. Adversaries may intentionally impair EventBridge rules to disrupt monitoring, delay response, or hide follow-on actions.

Elastic rule (rule definition in TOML)

[metadata]
creation_date = "2021/10/17"
integration = ["aws"]
maturity = "production"
updated_date = "2025/12/12"

[rule]
author = ["Austin Songer", "Elastic"]
description = """
Identifies when an Amazon EventBridge rule is disabled or deleted. EventBridge rules are commonly used to automate
operational workflows and security-relevant routing (for example, forwarding events to Lambda, SNS/SQS, or security
tooling). Disabling or deleting a rule can break critical integrations, suppress detections, and reduce visibility.
Adversaries may intentionally impair EventBridge rules to disrupt monitoring, delay response, or hide follow-on actions.
"""
false_positives = [
    """
    EventBridge rules may be disabled or deleted during legitimate maintenance, refactoring, environment teardown, or
    migration to new event patterns/targets. Verify whether the initiating identity, user agent, and source host are
    expected to administer EventBridge and whether the change aligns with an approved change window or deployment.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EventBridge Rule Disabled or Deleted"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS EventBridge Rule Disabled or Deleted

EventBridge rules define when events are matched and where they are delivered. Disabling or deleting a rule can interrupt
automation, break alerting pipelines, and create blind spots in detection coverage. In security-focused designs, EventBridge
is frequently used to forward CloudTrail findings, Config/Security Hub events, GuardDuty findings, or application security
signals to downstream responders.

This rule detects successful `DisableRule` or `DeleteRule` actions. Depending on what the affected rule does, this activity
may indicate routine operational work or deliberate impairment of monitoring and response paths.

### Possible investigation steps

**Identify the actor and access path**
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine which principal performed the change.
- Review `user.name`, `user_agent.original`, and `source.ip` to understand how the action was performed (console vs CLI/SDK/automation) and from where.

**Confirm what changed and what it impacts**
- Use `aws.cloudtrail.request_parameters` to identify the rule name/ARN and whether the action was `DisableRule` or `DeleteRule`.
- Determine what the rule was used for and assess blast radius:
  - Was the rule on a shared event bus or a critical account/region?
  - Was it a centralized “security routing” rule that aggregates events from many accounts?

**Reconstruct timing and sequence**
- Correlate `@timestamp` with surrounding CloudTrail activity for the same actor and the same rule name/ARN.
- Look for companion actions that often occur with impairment attempts:
  - IAM changes that expand permissions (`PutRolePolicy`, `AttachRolePolicy`, `UpdateAssumeRolePolicy`, access key creation).
  - Changes that disable other telemetry or controls (CloudTrail changes, Config recorder stopped, GuardDuty/Security Hub changes).
  - Follow-on actions against sensitive services immediately after the rule was disabled/deleted.

**Validate authorization and change management**
- Check whether the change aligns with a known deployment, infrastructure-as-code run, or approved change ticket. Confirm with the owning team whether the rule was intentionally disabled/deleted and whether there is a documented replacement.

### False positive analysis

- **Planned maintenance and refactoring**
  - Rules may be removed during redesign of event patterns, target migrations, or application decommissioning.
- **Infrastructure-as-code or automation**
  - CI/CD pipelines and IaC (Terraform/CloudFormation/CDK) can disable/delete rules during drift correction or environment rotation.

### Response and remediation

**Restore visibility and business function**
- If the rule is security- or business-critical, restore functionality immediately:
  - Re-enable the rule if it was disabled.
  - If deleted, recreate it from the last known-good baseline (IaC state, templates, or documented configuration).
- Validate delivery by confirming new matching events reach intended targets (for example, downstream Lambda/SNS/SQS) and that monitoring pipelines resume.

**Contain potential compromise**
- If the actor is unexpected or the access path is suspicious:
  - Restrict the principal’s permissions to EventBridge and related services while you investigate (least-privilege containment).
  - Rotate/disable credentials associated with `aws.cloudtrail.user_identity.access_key_id` when applicable.
  - For assumed roles, investigate the originating principal and consider temporarily limiting role assumption via IAM conditions or trust policy changes.

**Scope the incident**
- Pivot in CloudTrail using the same `aws.cloudtrail.user_identity.arn`, access key, and `source.ip` to identify additional EventBridge rule modifications, changes to event buses, permissions, or resource policies that could enable unauthorized routing.
- Determine whether the rule impairment created a monitoring gap and identify the time window of reduced visibility for retrospective review.

**Hardening and prevention**
- Reduce the likelihood of silent impairment:
  - Restrict `events:DisableRule` and `events:DeleteRule` to a small set of administrative roles; use IAM conditions (for example, `aws:PrincipalArn`, `aws:RequestedRegion`, source VPC/IP conditions where appropriate).
  - Consider AWS Organizations SCP guardrails in production accounts to limit destructive EventBridge changes.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = [
    "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html",
    "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html",
]
risk_score = 21
rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS EventBridge",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: events.amazonaws.com
    and event.action: (DeleteRule or DisableRule)
    and event.outcome: success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1489"
name = "Service Stop"
reference = "https://attack.mitre.org/techniques/T1489/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]
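As an added example (not part of the Elastic rule or its investigation guide), the Python below mirrors the rule's query over constructed raw CloudTrail records, then pulls out the triage fields the guide lists and runs the same-principal companion-action check it describes. The record layout, the IaC user-agent markers, the 15-minute window and all sample values are assumptions.

```python
from datetime import datetime, timedelta
def _rec(time, source, name, params, agent, ip, arn, key, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data, not real)."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "requestParameters": params,
            "userAgent": agent, "sourceIPAddress": ip, "userIdentity": {"arn": arn, "accessKeyId": key}, **extra}

IAC_ARN = "arn:aws:sts::111111111111:assumed-role/iac-deployer/ci"
USER_ARN = "arn:aws:iam::111111111111:user/contractor"
CLI = "aws-cli/2.15.0"
# Constructed sample: IaC disables a rule; an IAM user gets AccessDenied, then deletes a rule, then attaches a policy.
RECORDS = [
    _rec("2025-12-12T10:00:00Z", "events.amazonaws.com", "DisableRule", {"name": "ci-deploy-hook"},
         "APN/1.0 HashiCorp/1.0 Terraform/1.9.0", "10.0.0.5", IAC_ARN, "ASIAEXAMPLEIAC00001"),
    _rec("2025-12-12T10:05:00Z", "events.amazonaws.com", "DeleteRule", {"name": "guardduty-to-siem"},
         CLI, "203.0.113.7", USER_ARN, "AKIAEXAMPLECONTRACT", errorCode="AccessDenied"),
    _rec("2025-12-12T10:06:00Z", "events.amazonaws.com", "DeleteRule", {"name": "guardduty-to-siem"},
         CLI, "203.0.113.7", USER_ARN, "AKIAEXAMPLECONTRACT"),
    _rec("2025-12-12T10:08:00Z", "iam.amazonaws.com", "AttachRolePolicy", {"roleName": "app-role"},
         CLI, "203.0.113.7", USER_ARN, "AKIAEXAMPLECONTRACT"),
]

RULE_ACTIONS = {"DeleteRule", "DisableRule"}
# Companion actions the guide lists: IAM permission expansion and other telemetry being stopped.
COMPANION_ACTIONS = {"PutRolePolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy", "CreateAccessKey",
                     "StopLogging", "StopConfigurationRecorder"}
IAC_AGENTS = ("Terraform", "CloudFormation", "aws-cdk")  # assumed user-agent markers of IaC tooling

def matches_rule(rec):
    """Mirror of the rule's KQL; CloudTrail marks a failed call with errorCode, so its absence means success."""
    return (rec.get("eventSource") == "events.amazonaws.com"
            and rec.get("eventName") in RULE_ACTIONS and "errorCode" not in rec)

def _ts(rec): return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def companion_actions(hit, records, window=timedelta(minutes=15)):
    """Sensitive actions by the same principal within `window` of the hit (any outcome)."""
    return sorted(r["eventName"] for r in records if r is not hit
                  and r["userIdentity"]["arn"] == hit["userIdentity"]["arn"]
                  and r["eventName"] in COMPANION_ACTIONS and abs(_ts(r) - _ts(hit)) <= window)

def triage(records):
    """Run the detection and attach the investigation fields the guide asks for."""
    alerts = []
    for rec in (r for r in records if matches_rule(r)):
        ident = rec["userIdentity"]
        alerts.append({"action": rec["eventName"], "rule": rec["requestParameters"].get("name"),
                       "actor": ident["arn"], "access_key": ident.get("accessKeyId"), "source_ip": rec.get("sourceIPAddress"),
                       "likely_iac": any(m in rec.get("userAgent", "") for m in IAC_AGENTS),
                       "companions": companion_actions(rec, records)})
    return alerts
```

The denied DeleteRule never becomes an alert, the Terraform-driven DisableRule surfaces with `likely_iac` set for the false-positive review, and the interactive deletion carries the AttachRolePolicy that followed it two minutes later.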
