AWS EventBridge Rule Disabled or Deleted

  1[metadata]
  2creation_date = "2021/10/17"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/16"
  6
  7[rule]
  8author = ["Austin Songer", "Elastic"]
  9description = """
 10Identifies when an Amazon EventBridge rule is disabled or deleted. EventBridge rules are commonly used to automate
 11operational workflows and security-relevant routing (for example, forwarding events to Lambda, SNS/SQS, or security
 12tooling). Disabling or deleting a rule can break critical integrations, suppress detections, and reduce visibility.
 13Adversaries may intentionally impair EventBridge rules to disrupt monitoring, delay response, or hide follow-on actions.
 14"""
 15false_positives = [
 16    """
 17    EventBridge rules may be disabled or deleted during legitimate maintenance, refactoring, environment teardown, or
 18    migration to new event patterns/targets. Verify whether the initiating identity, user agent, and source host are
 19    expected to administer EventBridge and whether the change aligns with an approved change window or deployment.
 20    """,
 21]
 22from = "now-6m"
 23index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 24language = "kuery"
 25license = "Elastic License v2"
 26name = "AWS EventBridge Rule Disabled or Deleted"
 27note = """## Triage and analysis
 28
 29### Investigating AWS EventBridge Rule Disabled or Deleted
 30
 31EventBridge rules define when events are matched and where they are delivered. Disabling or deleting a rule can interrupt
 32automation, break alerting pipelines, and create blind spots in detection coverage. In security-focused designs, EventBridge
 33is frequently used to forward CloudTrail findings, Config/Security Hub events, GuardDuty findings, or application security
 34signals to downstream responders.
 35
 36This rule detects successful `DisableRule` or `DeleteRule` actions. Depending on what the affected rule does, this activity
 37may indicate routine operational work or deliberate impairment of monitoring and response paths.
 38
 39### Possible investigation steps
 40
 41**Identify the actor and access path**
 42- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine which principal performed the change.
 43- Review `user.name`, `user_agent.original`, and `source.ip` to understand how the action was performed (console vs CLI/SDK/automation) and from where.
 44
 45**Confirm what changed and what it impacts**
 46- Use `aws.cloudtrail.request_parameters` to identify the rule name/ARN and whether the action was `DisableRule` or `DeleteRule`.
 47- Determine what the rule was used for and assess blast radius:
 48  - Was the rule on a shared event bus or a critical account/region?
 49  - Was it a centralized “security routing” rule that aggregates events from many accounts?
 50
 51**Reconstruct timing and sequence**
 52- Correlate `@timestamp` with surrounding CloudTrail activity for the same actor and the same rule name/ARN.
 53- Look for companion actions that often occur with impairment attempts:
 54  - IAM changes that expand permissions (`PutRolePolicy`, `AttachRolePolicy`, `UpdateAssumeRolePolicy`, access key creation).
 55  - Changes that disable other telemetry or controls (CloudTrail changes, Config recorder stopped, GuardDuty/Security Hub changes).
 56  - Follow-on actions against sensitive services immediately after the rule was disabled/deleted.
 57
 58**Validate authorization and change management**
 59- Check whether the change aligns with a known deployment, infrastructure-as-code run, or approved change ticket. Confirm with the owning team whether the rule was intentionally disabled/deleted and whether there is a documented replacement.
 60
 61### False positive analysis
 62
 63- **Planned maintenance and refactoring**
 64  - Rules may be removed during redesign of event patterns, target migrations, or application decommissioning.
 65- **Infrastructure-as-code or automation**
 66  - CI/CD pipelines and IaC (Terraform/CloudFormation/CDK) can disable/delete rules during drift correction or environment rotation.
 67
 68### Response and remediation
 69
 70**Restore visibility and business function**
 71- If the rule is security- or business-critical, restore functionality immediately:
 72  - Re-enable the rule if it was disabled.
 73  - If deleted, recreate it from the last known-good baseline (IaC state, templates, or documented configuration).
 74- Validate delivery by confirming new matching events reach intended targets (for example, downstream Lambda/SNS/SQS) and that monitoring pipelines resume.
 75
 76**Contain potential compromise**
 77- If the actor is unexpected or the access path is suspicious:
 78  - Restrict the principal’s permissions to EventBridge and related services while you investigate (least-privilege containment).
 79  - Rotate/disable credentials associated with `aws.cloudtrail.user_identity.access_key_id` when applicable.
 80  - For assumed roles, investigate the originating principal and consider temporarily limiting role assumption via IAM conditions or trust policy changes.
 81
 82**Scope the incident**
 83- Pivot in CloudTrail using the same `aws.cloudtrail.user_identity.arn`, access key, and `source.ip` to identify additional EventBridge rule modifications, changes to event buses, permissions, or resource policies that could enable unauthorized routing.
 84- Determine whether the rule impairment created a monitoring gap and identify the time window of reduced visibility for retrospective review.
 85
 86**Hardening and prevention**
 87- Reduce the likelihood of silent impairment:
 88  - Restrict `events:DisableRule` and `events:DeleteRule` to a small set of administrative roles; use IAM conditions (for example, `aws:PrincipalArn`, `aws:RequestedRegion`, source VPC/IP conditions where appropriate).
 89  - Consider AWS Organizations SCP guardrails in production accounts to limit destructive EventBridge changes.
 90
 91### Additional information
 92- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
 93- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
 94- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
 95"""
 96references = [
 97    "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html",
 98    "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html",
 99]
100risk_score = 21
101rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4"
102severity = "low"
103tags = [
104    "Domain: Cloud",
105    "Data Source: AWS",
106    "Data Source: Amazon Web Services",
107    "Data Source: AWS EventBridge",
108    "Tactic: Impact",
109    "Resources: Investigation Guide",
110]
111timestamp_override = "event.ingested"
112type = "query"
113
114query = '''
115event.dataset: aws.cloudtrail 
116    and event.provider: events.amazonaws.com 
117    and event.action: (DeleteRule or DisableRule) 
118    and event.outcome: success
119'''
120
121
122[[rule.threat]]
123framework = "MITRE ATT&CK"
124[[rule.threat.technique]]
125id = "T1489"
126name = "Service Stop"
127reference = "https://attack.mitre.org/techniques/T1489/"
128
129
130[rule.threat.tactic]
131id = "TA0040"
132name = "Impact"
133reference = "https://attack.mitre.org/tactics/TA0040/"
134
135[rule.investigation_fields]
136field_names = [
137    "@timestamp",
138    "user.name",
139    "user_agent.original",
140    "source.ip",
141    "aws.cloudtrail.user_identity.arn",
142    "aws.cloudtrail.user_identity.type",
143    "aws.cloudtrail.user_identity.access_key_id",
144    "event.action",
145    "event.outcome",
146    "cloud.account.id",
147    "cloud.region",
148    "aws.cloudtrail.request_parameters",
149]