AWS CloudWatch Log Group Deletion

Detects the deletion of an Amazon CloudWatch Log Group using the "DeleteLogGroup" API. CloudWatch log groups store operational and security logs for AWS services and custom applications. Deleting a log group permanently removes all associated log streams and historical log data, which can eliminate forensic evidence and disrupt security monitoring pipelines. Adversaries may delete log groups to conceal malicious activity, disable log forwarding, or impede incident response.

Elastic rule

[metadata]
creation_date = "2020/05/18"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/13"

[rule]
author = ["Elastic"]
description = """
Detects the deletion of an Amazon CloudWatch Log Group using the "DeleteLogGroup" API. CloudWatch log groups store
operational and security logs for AWS services and custom applications. Deleting a log group permanently removes all
associated log streams and historical log data, which can eliminate forensic evidence and disrupt security monitoring
pipelines. Adversaries may delete log groups to conceal malicious activity, disable log forwarding, or impede incident
response.
"""
false_positives = [
    """
    CloudWatch log group deletions may occur during normal maintenance or infrastructure re-deployments, especially in
    environments managed by IaC tools (e.g., Terraform, CloudFormation, CDK). Automation pipelines may recreate log
    groups as part of expected workflows. Verify that the identity, user agent, and source IP match approved
    administrative or automation activity. If deletions are routine for specific automation roles or CI/CD hosts,
    consider adding scoped exceptions.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudWatch Log Group Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
> While every effort has been made to ensure its quality, validate and adapt it to your operational context.

### Investigating AWS CloudWatch Log Group Deletion

CloudWatch Logs is foundational to AWS observability, SIEM ingestion, audit pipelines, and incident response.  
Log groups often contain retention-critical logs such as:

- VPC Flow Logs  
- Lambda function logs  
- Application and container logs  
- Security service logs (e.g., AWS WAF, RDS logs)

Deletion of a log group removes all historical log streams and cannot be reversed.
Adversaries may leverage `DeleteLogGroup` to impair forensic visibility, disrupt monitoring, and hide evidence following malicious actions. This rule detects a successful `DeleteLogGroup` event initiated from a non–AWS Internal user agent, signalling potential defense evasion or disruption of logging pipelines.

#### Possible investigation steps

**Identify the actor**
- Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.  
- Determine whether this identity normally modifies CloudWatch Logs or is associated with automation.

**Review deletion details**
- Inspect `aws.cloudtrail.request_parameters` or `target.entity.id` to determine the exact log group deleted.  
- Assess whether the log group provided visibility into:
  - CloudTrail processing,  
  - Network flows (VPC Flow Logs),  
  - Serverless/application security logs,  
  - Lambda, ECS, EKS, or container workload logs.

**Check source and context**
- Assess `source.ip` for unusual IPs, geolocations, VPN endpoints, or cloud provider ranges unfamiliar to your environment.  
- Review `user_agent.original` for unexpected tools (custom agents, unusual SDKs, attackers using CLI default agents).

**Correlate with surrounding activity**
Look for preceding or subsequent CloudTrail events such as:

- `StopLogging`, `DeleteTrail`, or CloudTrail configuration changes  
- IAM permission escalations (e.g., `PutUserPolicy`, `AttachRolePolicy`)  
- Security service suppression actions (e.g., GuardDuty detector deletion)  
- Lambda or application configuration updates that may indicate a compromise  

If the deleted log group was associated with a Lambda execution role, review for suspicious code updates or rogue deployments.

**Assess business or security impact**
- Identify whether the deleted log group fed:
  - SIEM ingestion  
  - Security analytics pipelines  
  - Compliance/audit logs  
  - Operational monitoring or alerting  
- Contact the service owner or development team to verify whether the deletion was intentional.

**Determine compromise scope if malicious**
- Use CloudTrail to identify prior activity by the same user identity or IP.  
- Examine authentication events (IAM, STS) for signs of stolen credentials or session hijacking.  
- Identify resources or applications dependent on the deleted logging pipeline.

### False positive analysis

- **IaC-managed environments**: Tools like Terraform or CloudFormation may delete and recreate log groups during deployments.  
- **Automated cleanup jobs**: Some environments use automated retention cleanup workflows.  
- **Ephemeral testing accounts**: Development/testing accounts frequently create and destroy log groups.

To tune noise:
- Add exceptions for specific automation IAM roles or trusted source IPs.
- Require `user_agent.original` and `source.ip` conditions for baseline-based tuning.

### Response and remediation

**Containment**
- Immediately recreate the deleted log group (if appropriate) using IaC or CloudWatch Console.  
- Restrict the IAM identity that performed the deletion until the activity is validated.  
- Enable or confirm CloudTrail logging in all regions to maintain broader visibility.

**Investigation**
- Review CloudTrail activity for:
  - privilege escalation attempts,  
  - IAM role modifications,  
  - security service tampering (CloudTrail, Config, GuardDuty).  
- Correlate with alerts from other services (GuardDuty, Security Hub, SIEM detections).

**Recovery and hardening**
- Enforce least privilege on `logs:DeleteLogGroup`.  
- Configure AWS Config rules to alert on missing or modified log groups.  
- Implement log group retention policies and IAM SCP guardrails to prevent unauthorized deletion.  
- Document log group ownership and expected lifecycle management.

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
    "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html",
]
risk_score = 47
rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon CloudWatch",
    "Use Case: Log Auditing",
    "Resources: Investigation Guide",
    "Tactic: Defense Evasion",
    "Tactic: Impact",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
  and event.provider: "logs.amazonaws.com"
  and event.action: "DeleteLogGroup"
  and event.outcome: "success"
  and source.ip: *
  and not user_agent.original : "AWS Internal"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "target.entity.id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]
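The rule's query and the note's tuning advice, re-implemented over constructed raw CloudTrail records as an added example (not Elastic's code): it maps each KQL clause back to the raw CloudTrail field it is derived from, applies the scoped automation exception the false-positive guidance recommends, and emits the fields the investigation guide asks analysts to check first. It assumes the AWS integration sets `source.ip` only when `sourceIPAddress` parses as an IP address; the account id, role names, IPs and log group names are constructed.

```python
import ipaddress

def ct_event(name, ip, ua, arn, group, error=None):  # constructed raw CloudTrail record, not a real event
    ev = {"eventSource": "logs.amazonaws.com", "eventName": name, "sourceIPAddress": ip, "userAgent": ua,
          "userIdentity": {"arn": arn}, "requestParameters": {"logGroupName": group}}
    return ev if error is None else {**ev, "errorCode": error}  # errorCode maps to event.outcome "failure"

SAMPLE_EVENTS = [
    # CLI deletion of a VPC Flow Logs group by an IAM user: should alert
    ct_event("DeleteLogGroup", "203.0.113.5", "aws-cli/2.15.0", "arn:aws:iam::111122223333:user/alice", "/aws/vpc/flow-logs"),
    # same call denied: event.outcome is "failure", so no alert
    ct_event("DeleteLogGroup", "203.0.113.5", "aws-cli/2.15.0", "arn:aws:iam::111122223333:user/alice", "/aws/waf/logs", "AccessDenied"),
    # "AWS Internal" user agent: excluded by the rule's final clause
    ct_event("DeleteLogGroup", "10.0.0.7", "AWS Internal", "arn:aws:iam::111122223333:role/svc", "/aws/rds/instance/db1"),
    # call made by a service principal: sourceIPAddress is a DNS name, so source.ip is unset and "source.ip: *" fails
    ct_event("DeleteLogGroup", "cloudformation.amazonaws.com", "cloudformation.amazonaws.com",
             "arn:aws:sts::111122223333:assumed-role/cfn-deploy/s1", "/aws/lambda/stack-fn"),
    # Terraform from a CI role: matches the rule but is the tuning candidate the note describes
    ct_event("DeleteLogGroup", "198.51.100.20", "APN/1.0 HashiCorp/1.0 Terraform/1.6.0",
             "arn:aws:sts::111122223333:assumed-role/ci-terraform/run-42", "/aws/lambda/dev-fn"),
]

# Hypothetical scoped exception for the note's tuning advice: trusted role name AND trusted source IP together.
TRUSTED_AUTOMATION = {("ci-terraform", "198.51.100.20")}

def is_ip(value):
    try:
        return ipaddress.ip_address(value) is not None  # DNS names such as service principals raise ValueError
    except ValueError:
        return False

def matches_rule(ev):
    """Re-implements the rule's KQL clauses over a raw CloudTrail record."""
    return (ev.get("eventSource") == "logs.amazonaws.com"  # event.provider
            and ev.get("eventName") == "DeleteLogGroup"    # event.action
            and "errorCode" not in ev                      # event.outcome: success
            and is_ip(ev.get("sourceIPAddress", ""))       # source.ip: *
            and ev.get("userAgent") != "AWS Internal")     # not user_agent.original: "AWS Internal"

def role_name(arn):  # role name from an assumed-role ARN, "" for users and other identity types
    return arn.split("assumed-role/")[1].split("/")[0] if "assumed-role/" in arn else ""

def triage(events):
    """Alert summaries carrying the fields the investigation guide asks for first."""
    alerts = []
    for ev in events:
        if matches_rule(ev) and (role_name(ev["userIdentity"]["arn"]), ev["sourceIPAddress"]) not in TRUSTED_AUTOMATION:
            alerts.append({"actor": ev["userIdentity"]["arn"], "log_group": ev["requestParameters"]["logGroupName"],
                           "source_ip": ev["sourceIPAddress"], "user_agent": ev["userAgent"]})
    return alerts
```

Only the first record survives both the rule and the exception; the exception deliberately requires role name and source IP together, so a trusted role name used from an unfamiliar address still alerts.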
