AWS CloudWatch Log Group Deletion

  1[metadata]
  2creation_date = "2020/05/18"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects the deletion of an Amazon CloudWatch Log Group using the "DeleteLogGroup" API. CloudWatch log groups store
 11operational and security logs for AWS services and custom applications. Deleting a log group permanently removes all
 12associated log streams and historical log data, which can eliminate forensic evidence and disrupt security monitoring
 13pipelines. Adversaries may delete log groups to conceal malicious activity, disable log forwarding, or impede incident
 14response.
 15"""
 16false_positives = [
 17    """
 18    CloudWatch log group deletions may occur during normal maintenance or infrastructure re-deployments, especially in
 19    environments managed by IaC tools (e.g., Terraform, CloudFormation, CDK). Automation pipelines may recreate log
 20    groups as part of expected workflows. Verify that the identity, user agent, and source IP match approved
 21    administrative or automation activity. If deletions are routine for specific automation roles or CI/CD hosts,
 22    consider adding scoped exceptions.
 23    """,
 24]
 25from = "now-6m"
 26index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 27language = "kuery"
 28license = "Elastic License v2"
 29name = "AWS CloudWatch Log Group Deletion"
 30note = """## Triage and analysis
 31
 32### Investigating AWS CloudWatch Log Group Deletion
 33
 34CloudWatch Logs is foundational to AWS observability, SIEM ingestion, audit pipelines, and incident response.  
 35Log groups often contain retention-critical logs such as:
 36
 37- VPC Flow Logs  
 38- Lambda function logs  
 39- Application and container logs  
 40- Security service logs (e.g., AWS WAF, RDS logs)
 41
 42Deletion of a log group removes all historical log streams and cannot be reversed. 
 43Adversaries may leverage `DeleteLogGroup` to impair forensic visibility, disrupt monitoring, and hide evidence following malicious actions. This rule detects a successful `DeleteLogGroup` event initiated from a non–AWS Internal user agent, signalling potential defense evasion or disruption of logging pipelines.
 44
 45#### Possible investigation steps
 46
 47 **Identify the actor**
 48- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.  
 49- Determine whether this identity normally modifies CloudWatch Logs or is associated with automation.
 50
 51**Review deletion details**
 52- Inspect `aws.cloudtrail.request_parameters` to determine the exact log group deleted.  
 53- Assess whether the log group provided visibility into:
 54  - CloudTrail processing,  
 55  - Network flows (VPC Flow Logs),  
 56  - Serverless/application security logs,  
 57  - Lambda, ECS, EKS, or container workload logs.
 58
 59**Check source and context**
 60- Assess `source.ip` for unusual IPs, geolocations, VPN endpoints, or cloud provider ranges unfamiliar to your environment.  
 61- Review `user_agent.original` for unexpected tools (custom agents, unusual SDKs, attackers using CLI default agents).
 62
 63**Correlate with surrounding activity**
 64Look for preceding or subsequent CloudTrail events such as:
 65
 66- `StopLogging`, `DeleteTrail`, or CloudTrail configuration changes  
 67- IAM permission escalations (e.g., `PutUserPolicy`, `AttachRolePolicy`)  
 68- Security service suppression actions (e.g., GuardDuty detector deletion)  
 69- Lambda or application configuration updates that may indicate a compromise  
 70
 71If the deleted log group was associated with a Lambda execution role, review for suspicious code updates or rogue deployments.
 72
 73**Assess business or security impact**
 74- Identify whether the deleted log group fed:
 75  - SIEM ingestion  
 76  - Security analytics pipelines  
 77  - Compliance/audit logs  
 78  - Operational monitoring or alerting  
 79- Contact the service owner or development team to verify whether the deletion was intentional.
 80
 81**Determine compromise scope if malicious**
 82- Use CloudTrail to identify prior activity by the same user identity or IP.  
 83- Examine authentication events (IAM, STS) for signs of stolen credentials or session hijacking.  
 84- Identify resources or applications dependent on the deleted logging pipeline.
 85
 86### False positive analysis
 87
 88- **IaC-managed environments**: Tools like Terraform or CloudFormation may delete and recreate log groups during deployments.  
 89- **Automated cleanup jobs**: Some environments use automated retention cleanup workflows.  
 90- **Ephemeral testing accounts**: Development/testing accounts frequently create and destroy log groups.
 91
 92To tune noise:
 93- Add exceptions for specific automation IAM roles or trusted source IPs.
 94- Require `user_agent.original` and `source.ip` conditions for baseline-based tuning.
 95
 96### Response and remediation
 97
 98**Containment**
 99- Immediately recreate the deleted log group (if appropriate) using IaC or CloudWatch Console.  
100- Restrict the IAM identity that performed the deletion until the activity is validated.  
101- Enable or confirm CloudTrail logging in all regions to maintain broader visibility.
102
103**Investigation**
104- Review CloudTrail activity for:
105  - privilege escalation attempts,  
106  - IAM role modifications,  
107  - security service tampering (CloudTrail, Config, GuardDuty).  
108- Correlate with alerts from other services (GuardDuty, Security Hub, SIEM detections).
109
110**Recovery and hardening**
111- Enforce least privilege on `logs:DeleteLogGroup`.  
112- Configure AWS Config rules to alert on missing or modified log groups.  
113- Implement log group retention policies and IAM SCP guardrails to prevent unauthorized deletion.  
114- Document log group ownership and expected lifecycle management.
115
116### Additional information
117
118- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
119- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
120- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
121"""
122references = [
123    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
124    "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html",
125]
126risk_score = 47
127rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
128severity = "medium"
129tags = [
130    "Domain: Cloud",
131    "Data Source: AWS",
132    "Data Source: Amazon Web Services",
133    "Data Source: Amazon CloudWatch",
134    "Use Case: Log Auditing",
135    "Resources: Investigation Guide",
136    "Tactic: Defense Evasion",
137    "Tactic: Impact",
138]
139timestamp_override = "event.ingested"
140type = "query"
141
142query = '''
143event.dataset: "aws.cloudtrail" 
144  and event.provider: "logs.amazonaws.com" 
145  and event.action: "DeleteLogGroup" 
146  and event.outcome: "success"
147  and source.ip: * 
148  and not user_agent.original : "AWS Internal"
149'''
150
151
152[[rule.threat]]
153framework = "MITRE ATT&CK"
154[[rule.threat.technique]]
155id = "T1485"
156name = "Data Destruction"
157reference = "https://attack.mitre.org/techniques/T1485/"
158
159
160[rule.threat.tactic]
161id = "TA0040"
162name = "Impact"
163reference = "https://attack.mitre.org/tactics/TA0040/"
164[[rule.threat]]
165framework = "MITRE ATT&CK"
166[[rule.threat.technique]]
167id = "T1562"
168name = "Impair Defenses"
169reference = "https://attack.mitre.org/techniques/T1562/"
170[[rule.threat.technique.subtechnique]]
171id = "T1562.001"
172name = "Disable or Modify Tools"
173reference = "https://attack.mitre.org/techniques/T1562/001/"
174
175
176
177[rule.threat.tactic]
178id = "TA0005"
179name = "Defense Evasion"
180reference = "https://attack.mitre.org/tactics/TA0005/"
181
182[rule.investigation_fields]
183field_names = [
184    "@timestamp",
185    "user.name",
186    "user_agent.original",
187    "source.ip",
188    "aws.cloudtrail.user_identity.arn",
189    "aws.cloudtrail.user_identity.type",
190    "aws.cloudtrail.user_identity.access_key_id",
191    "event.action",
192    "event.outcome",
193    "cloud.account.id",
194    "cloud.region",
195    "aws.cloudtrail.request_parameters",
196]