AWS EventBridge Rule Disabled or Deleted

calendar May 22, 2024 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Tactic: Impact  ·
Share on: linkedin copy

Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/10/17"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Austin Songer"]
 9description = """
10Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of
11visibility in applications or a break in the flow with other AWS services.
12"""
13false_positives = [
14    """
15    EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user
16    agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by
17    unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the
18    rule.
19    """,
20]
21from = "now-20m"
22index = ["filebeat-*", "logs-aws.cloudtrail-*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "AWS EventBridge Rule Disabled or Deleted"
26note = """## Setup
27
28The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30    "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html",
31    "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html",
32]
33risk_score = 21
34rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4"
35severity = "low"
36tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and
42event.outcome:success
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1489"
50name = "Service Stop"
51reference = "https://attack.mitre.org/techniques/T1489/"
52
53
54[rule.threat.tactic]
55id = "TA0040"
56name = "Impact"
57reference = "https://attack.mitre.org/tactics/TA0040/"

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top